Backdoor found in OpenSSH

in #life9 months ago

Just a quick heads up for folks that like to stay aware of these things.

https://www.openwall.com/lists/oss-security/2024/03/29/4

The discussion there well explains the situation, and why you're likely not at risk (the code wasn't widely in use yet).

"Luckily xz 5.6.0 and 5.6.1 have not yet widely been integrated by linux
distributions, and where they have, mostly in pre-release versions."

So, if you can benefit from reading a thorough discussion of linux code in upstream tarballs, and have considered running - or have run - some pre-release Debian lately you should have a looksee so you know who to craft a voodoo doll of and torment with pins under their fingernails, or at least which code not to run.

I'm really happy linux is open source, and good honest people forthrightly discuss it.

Just think if the CIA was open source, and anyone good or honest was involved, how much a better place the world would be.

openwall.png
IMG source - Openwall.com

Edit: https://boehs.org/node/everything-i-know-about-the-xz-backdoor

re-Edit: https://hachyderm.io/@danderson/112185746000358589

New discoveries.

re-re-Edit: https://gynvael.coldwind.pl/?lang=en&id=782

Discussion of the obfuscation, which is pretty interesting, and how the sploit functions.

#news #informationwar #pob #vyb #linux #openssh #backdoor #oss #security
9 months ago in #life by
100%
    11.04 VYB
    • Past Token Payouts 11.03930203 VYB
    • - Author 5.51965568 VYB
    • - Curator 5.51964635 VYB
    76 votes
    5
    Sort:  
  • Trending
    • [-]
     9 months ago 

    Imagine if all government was open source! What a world that would be.

    Thanks for this!

    100%
      0.11 VYB
      • Past Token Payouts 0.11255942 VYB
      • - Author 0.05627972 VYB
      • - Curator 0.05627970 VYB
      2 votes
      [-]
       9 months ago 

      They can't stop the signal as long as we keep each other in the loop.

      Thanks!

      100%
        0.00 VYB
        • Past Token Payouts 0.00109762 VYB
        • - Author 0.00054881 VYB
        • - Curator 0.00054881 VYB
        1 vote
        [-]
         9 months ago 

        Dear @valued-customer !
        I assumed you were claiming that Google hacks personal information!
        Do you recommend using Linux?

        100%
          0.11 VYB
          • Past Token Payouts 0.11361579 VYB
          • - Author 0.05680790 VYB
          • - Curator 0.05680789 VYB
          2 votes
          [-]
           9 months ago 

          Fakebook does. I bet Goolag does too.

          "Do you recommend using Linux?"

          Yes.

          100%
            0.01 VYB
            • Past Token Payouts 0.00715936 VYB
            • - Author 0.00357969 VYB
            • - Curator 0.00357967 VYB
            2 votes
            [-]
             9 months ago 

            Update: Lietu has taken a closer look at what other things might be affected by the malicious code in the xz package, and it's pretty extensive, so I thought to include it.

            LietuComment.png

            Take action as necessary to secure such of these common utilities and features you may be using.

            100%
              0.00 VYB
              • Past Token Payouts 0.00110631 VYB
              • - Author 0.00055316 VYB
              • - Curator 0.00055315 VYB
              1 vote
              [-]
               9 months ago 

              I hope there will be accountability, similar to if an employee at the bank leaves the back door open. Did he accidentally forget to secure it, or was it intentional? Is there a place for law to get involved? You cannot say, "All is good, we caught it this time." Next time it might not be caught as soon or without damage.

              100%
                0.11 VYB
                • Past Token Payouts 0.11405850 VYB
                • - Author 0.05702926 VYB
                • - Curator 0.05702924 VYB
                2 votes
                [-]
                 9 months ago 

                Seems deliberate

                100%
                  0.11 VYB
                  • Past Token Payouts 0.11341804 VYB
                  • - Author 0.05670903 VYB
                  • - Curator 0.05670901 VYB
                  2 votes
                  [-]
                   9 months ago 

                  Folks looking have found several more exploits in Jia Tan's commits, and no one is suggesting these are just bugs. I keep editing the post, and I added a reply with more information that turned up, trying to provide comprehensive notice of the threat, as there may have been some pre-release installations people might be compromised by.

                  100%
                    0.00 VYB
                    • Past Token Payouts 0.00111384 VYB
                    • - Author 0.00055692 VYB
                    • - Curator 0.00055692 VYB
                    1 vote
                    [-]
                     9 months ago 

                    Injecting exploits into oss code is, I believe, a crime. 'Jia Tan' is likely an alias, and one login as 'Jia Cheong Tan' is suspected to be a diversion. There's been speculation that the h4x0r is unlikely to be a state actor, because they are unlikely to create backdoors like this, since when they're found they raise a foul stench that causes great distrust of the state discovered doing it, so they just buy exploits from the ebil h4x0rs that sell them when they need to achieve a particular goal.

                    I dunno about any of that. It seems to me to be speculation without much basis. One interesting thing about police investigation is jurisdiction. The internet isn't confined to any one jurisdiction, which make crimes committed online sort of outside all jurisdictions. Since no one seems to have been hit by this attempt, most LEA's don't have much motivation to go after this guy.

                    The more I read about it, however, the more impactful people that know say it would have been if it had been rolled out. Overall, then, the fact a guy investigating a slowdown looking for a random bug in oss code found this instead is a great advertisement for oss software, and a dire warning about blobs like m$, Apple, and etc. sell. If linux was proprietary, this hack would have potentially very severely compromised possibly millions of systems, people, and commercial and government entities, as many have before.

                    Hurray for oss!

                    Thanks!

                    100%
                      0.00 VYB
                        [-]
                         9 months ago 

                        I only use Linux distributions, mainly in the Ubuntu realm. In my student years in my IT-focused university I worked more with Debian. Thanks for this input.

                        100%
                          0.11 VYB
                          • Past Token Payouts 0.11263415 VYB
                          • - Author 0.05631708 VYB
                          • - Curator 0.05631707 VYB
                          2 votes
                          [-]
                           9 months ago 

                          We are really fortunate to have open source software, and the free speech that makes it possible. I try to keep an ear to the ground, just because I can.

                          Thanks!

                          100%
                            0.09 VYB
                            • Past Token Payouts 0.09016954 VYB
                            • - Author 0.04508477 VYB
                            • - Curator 0.04508477 VYB
                            1 vote