It has been reported that Microsoft engineer found a serious hack in
Linux OS and now the authorities around the world are concerned about this.

Some State actors are involved (Russia is suspected) but it is still
being investigated.

Read the article just published two days ago on Wikipedia
<https://en.wikipedia.org/wiki/XZ_Utils_backdoor>

There are videos on YouTube and other reputable news media websites
about this. You can search for XZ backdoor Hack in Google if you are
interested in this.

This is still a developing story and more will follow in the coming days
when OS community had chance to analyse the implications. Most servers
around the world are affected by this.
<https://youtu.be/0pT-dWpmwhA?si=mlnovDmvFDU6yPyM> <https://youtu.be/D0AN0u

On Wed, 17 Apr 2024 23:45:00 -0400, Jia Tan <noreply@wubuntu.wubuntu> wrote:

> It has been reported that Microsoft engineer found a serious hack in
> Linux OS and now the authorities around the world are concerned about this.
>
> Some State actors are involved (Russia is suspected) but it is still
> being investigated.
>
> Read the article just published two days ago on Wikipedia
> <https://en.wikipedia.org/wiki/XZ_Utils_backdoor>
>
> There are videos on YouTube and other reputable news media websites
> about this. You can search for XZ backdoor Hack in Google if you are
> interested in this.
>
> This is still a developing story and more will follow in the coming days
> when OS community had chance to analyse the implications. Most servers
> around the world are affected by this.
> <https://youtu.be/0pT-dWpmwhA?si=mlnovDmvFDU6yPyM> <https://youtu.be/D0AN0u

Trying to spread fear is pointless, as is forging the id of the person who
tried to introduce the backdoor.

While the method used will cause all projects, to be much more careful, the
situation has been handled.

The same thing can happen with closed source software, so the advice to be
careful about the supply chain attacks applies to all software development.

While the backdoor did get into some distribution's development builds, it
was found and removed before it could be widely spread.

Regards, Dave Hodgins

On 18/04/2024 06.15, David W. Hodgins wrote:
> On Wed, 17 Apr 2024 23:45:00 -0400, Jia Tan <noreply@wubuntu.wubuntu>
> wrote:
>
>> It has been reported that Microsoft engineer found a serious hack in
>> Linux OS and now the authorities around the world are concerned about
>> this.

Keep in mind that microsoft windows would also be a possible target in
the long run as it too integrates openssh with it's dependencies.

https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse?tabs=gui

>> Some State actors are involved (Russia is suspected) but it is still
>> being investigated.

I think the main suspect was CCP China, but sure it could have been any
actor from the Axis powers.

> Trying to spread fear is pointless, as is forging the id of the person who
> tried to introduce the backdoor.

This always been a thing of hard core closed source supporters, to
discredit the competition without mentioning about real threats to their
favorite operating system like CVE-2024-26234 and CVE-2024-29988.

Sure the actor of the fear post just missed the fact that the main OS
nowadays used by microsoft is Linux.

> While the method used will cause all projects, to be much more careful, the
> situation has been handled.
>
> The same thing can happen with closed source software, so the advice to be
> careful about the supply chain attacks applies to all software development.

Many closed source projects owners tend to not be transparent with
issues regarding to their supply chain, so we may not hear about them
all, while open source supply chain attacks we will always hear about.

> While the backdoor did get into some distribution's development builds, it
> was found and removed before it could be widely spread.

And the distributions didn't wait a month to push out fixes, it they
were affected (quite small portion of distros were and then just
experimental versions).

--
//Aho

On 4/18/2024 2:31 AM, J.O. Aho wrote:

> This always been a thing of hard core closed source supporters, to
> discredit the competition without mentioning about real threats to their
> favorite operating system

That seems like a sound strategy, representative of a long
and hallowed Linux tradition: Fix a Linux bug by blurting out
that Windows is worse. :)

On 18/04/2024 13.12, Newyana2 wrote:
> On 4/18/2024 2:31 AM, J.O. Aho wrote:
>
>> This always been a thing of hard core closed source supporters, to
>> discredit the competition without mentioning about real threats to
>> their favorite operating system
>
>     That seems like a sound strategy, representative of a long
> and hallowed Linux tradition: Fix a Linux bug by blurting out
> that Windows is worse. :)

Then lets look hastily at the XZ "backdoor", it depends on two other
opensource projects, openssh (the application they wanted to affect,
this is the same source code that microsoft uses in ms-windows), the
injection was utilized by systemd (only system with the right version of
systemd would be fully affected, so a subset of all Linux
distributions), of course the machine has to have a running sshd and
started by the systemd.

I would bet they would also try to get the whole thing to work without
the need of systemd, as this way you would get even more systems that
you could get access to, among those you would see bsd distros, macos
and of course ms-windows, so this is a possible OS-independent
vulnerability and we will see more of these in the future.

--
//Aho

J.O. Aho wrote:

> On 18/04/2024 06.15, David W. Hodgins wrote:
>> On Wed, 17 Apr 2024 23:45:00 -0400, Jia Tan <noreply@wubuntu.wubuntu>
>> wrote:
[snip]
>>> Some State actors are involved (Russia is suspected) but it is still
>>> being investigated.
>
> I think the main suspect was CCP China, but sure it could have been any
> actor from the Axis powers.

China is on the list, yes, as is Russia, but IMO North Korea is pretty high
on the list, as are other government-level bad actors... including
Washington, D.C. The name "Jia Tan" might have been selected as a deliberate
misdirection (although if I were to choose an alias for such purposes, I
wouldn't choose a name suggesting a culture I'm not familiar with; I'd go
with "Bob Smith" or similar.)

(There's also the outside possibility that it *wasn't* a state actor.
Unlikely, but possible.)

Also: Why is this being brought up *now* in this group, when it was the hot
topic a few *weeks* ago in Linux circles? Slow newsday, much?

--
- Kinda thought you'd freak out more about us taking more debt.
- You want a degree, not to join a murder cult.

On 4/18/24 00:15, David W. Hodgins wrote:

> While the method used will cause all projects, to be much more careful, the
> situation has been handled.

THAT's pretty well the size of it.

It did require brains though so I'll be pointing my ears as we approach
finding out whodoneit, meanwhile excluding systemd and N.Korea from my
list of suspects :-)

On Thu, 18 Apr 2024 18:12:54 -0400, bad💽sector <forgetski@_invalid.net> wrote:

> On 4/18/24 00:15, David W. Hodgins wrote:
>
>> While the method used will cause all projects, to be much more careful, the
>> situation has been handled.
>
> THAT's pretty well the size of it.
>
> It did require brains though so I'll be pointing my ears as we approach
> finding out whodoneit, meanwhile excluding systemd and N.Korea from my
> list of suspects :-)

It could have been any nation state, including nato countries, or any
criminal organization that could afford to have someone send a couple
of years building a reputation before even starting to introduce the
changes that when combined included the backdoor.

It could even have been just one individual with skills and time on their
hands.

While the times of commits may be an indication, it could also be someone that
wasn't doing things in normal office hours. Even the ip address could have been
hidden by using a previously hacked system, and/or vpn services.

Speculation on who is behind it is pointless.

Regards, Dave Hodgins

On 4/18/24 18:40, David W. Hodgins wrote:
> On Thu, 18 Apr 2024 18:12:54 -0400, bad💽sector <forgetski@_invalid.net>
> wrote:
>
>> On 4/18/24 00:15, David W. Hodgins wrote:
>>
>>> While the method used will cause all projects, to be much more
>>> careful, the
>>> situation has been handled.
>>
>> THAT's pretty well the size of it.
>>
>> It did require brains though so I'll be pointing my ears as we approach
>> finding out whodoneit, meanwhile excluding systemd and N.Korea from my
>> list of suspects :-)
>
> It could have been any nation state, including nato countries, or any
> criminal organization that could afford to have someone send a couple
> of years building a reputation before even starting to introduce the
> changes that when combined included the backdoor.
>
> It could even have been just one individual with skills and time on their
> hands.
>
> While the times of commits may be an indication, it could also be
> someone that
> wasn't doing things in normal office hours. Even the ip address could
> have been
> hidden by using a previously hacked system, and/or vpn services.
>
> Speculation on who is behind it is pointless.
>
> Regards, Dave Hodgins

I wasn't speculating but will be curious as to the ongoing
investigation. Excluding systemd and N.Korea from MY list of suspects is
based on obvious lack of brains there, both of them imagining that they
could get away with what they're trying to do. The former thinking that
they can get away with challenging kernel jurisdiction in Linuxland, the
latter for thinking that they can intimidate anyone with maybe a dozen,
maybe deliverable, ICBM's. The backdoor took brains and in retrospect
I'll agree that probably a long-term plan as well. "I" would not have
been confident of getting away with it but then there are cultures
teaching the fundamentals of liberalism to their offspring: that
everything is acceptable so long as it can be separated from the
critical element, or so long as you get away with it (same thing).

On 2024-04-17 23:45, Jia Tan wrote:
> There are videos on YouTube and other reputable news media websites
> about this.

Youtube? A reputable news medium? That's hilarious.

There are lots of helpful and informative videos on Youtube, but there's
also a lot of pure bunk.

I happened across one just the other day claiming that the US government
was going to start giving out $3000 Social Security benefits every month
as part of a Covid stimulus. Another lays out a case for the 1969 Moon
landing having been faked on a Hollywood back lot. (Neil Armstrong
confessed on his deathbed!) There are several "documentaries" on the
government coverup of what REALLY happened at Roswell, New Mexico.

I could go on and on, but you get the point.

TJ

On 4/18/24 21:37, TJ wrote:
> On 2024-04-17 23:45, Jia Tan wrote:
>> There are videos on YouTube and other reputable news media websites
>> about this.
>
> Youtube? A reputable news medium? That's hilarious.
>
> There are lots of helpful and informative videos on Youtube, but there's
> also a lot of pure bunk.
>
> I happened across one just the other day claiming that the US government
> was going to start giving out $3000 Social Security benefits every month
> as part of a Covid stimulus. Another lays out a case for the 1969 Moon
> landing having been faked on a Hollywood back lot. (Neil Armstrong
> confessed on his deathbed!) There are several "documentaries" on the
> government coverup of what REALLY happened at Roswell, New Mexico.
>
> I could go on and on, but you get the point.
>
> TJ

....and chemtrails!

but I just heard on TV that some state is legislating against chemtrails :-)

On Thu, 18 Apr 2024 20:58:13 -0400, bad💽sector <forgetski@_invalid.net> wrote:
> I'll agree that probably a long-term plan as well. "I" would not have
> been confident of getting away with it but then there are cultures
> teaching the fundamentals of liberalism to their offspring: that
> everything is acceptable so long as it can be separated from the
> critical element, or so long as you get away with it (same thing).

Just regarding the timeline. From https://research.swtch.com/xz-timeline

2021-10-29 A person using the online name Jia Tan submitted a patch for xz
and later joins the project.
2024-02-23 First part of backdoor added to xz
2024-02-24 First release of backdoor version 5.6.0, which is causes crashes
2024-03-09 Working backdoor released as version 5.6.1
2024-03-27 Debian includes the 5.6.1 version in their development version
2024-03-28 Backdoor detected and analysis starts
2024-03-30 Backdoor removed by reverting to a pre Jia Tan version

So three years working to build a reputation, and then get the backdoor
included, only to have it detected and removed 3 days after making it into
one linux distributions development version.

So the three possibilities I see are a nation state, organized crime, or
a single individual with the skills and time on his/her hands to do this.

If it is a nation state, China, and Russia are the most likely based on
timestamps of commits, but it could just as easily be a nato country trying
to get it into Russian and Chinese systems. Simply working hours other then
9 to 5 could explain the timestamps.

Regards, Dave Hodgins

On 4/18/24 23:53, David W. Hodgins wrote:
> On Thu, 18 Apr 2024 20:58:13 -0400, bad💽sector <forgetski@_invalid.net>
> wrote:
>> I'll agree that probably a long-term plan as well. "I" would not have
>> been confident of getting away with it but then there are cultures
>> teaching the fundamentals of  liberalism to their offspring: that
>> everything is acceptable so long as it can be separated from the
>> critical element, or so long as you get away with it (same thing).
>
> Just regarding the timeline. From https://research.swtch.com/xz-timeline
>
> 2021-10-29 A person using the online name Jia Tan submitted a patch for xz
> and later joins the project.
> 2024-02-23 First part of backdoor added to xz
> 2024-02-24 First release of backdoor version 5.6.0, which is causes crashes
> 2024-03-09 Working backdoor released as version 5.6.1
> 2024-03-27 Debian includes the 5.6.1 version in their development version
> 2024-03-28 Backdoor detected and analysis starts
> 2024-03-30 Backdoor removed by reverting to a pre Jia Tan version
>
> So three years working to build a reputation, and then get the backdoor
> included, only to have it detected and removed 3 days after making it into
> one linux distributions development version.

nice work!

> So the three possibilities I see are a nation state, organized crime, or
> a single individual with the skills and time on his/her hands to do this.

Many multinationals and NGO's have resources far beyond some
nation-states, try Bayer, Exxon or George Soros for starters

> If it is a nation state, China, and Russia are the most likely based on
> timestamps of commits, but it could just as easily be a nato country trying
> to get it into Russian and Chinese systems. Simply working hours other then
> 9 to 5 could explain the timestamps.
>
> Regards, Dave Hodgins

I fall back to my primary algo: the primary suspect always has to be the
primary beneficiary :-)

On 4/18/2024 11:53 PM, David W. Hodgins wrote:
> On Thu, 18 Apr 2024 20:58:13 -0400, bad💽sector <forgetski@_invalid.net> wrote:
>> I'll agree that probably a long-term plan as well. "I" would not have
>> been confident of getting away with it but then there are cultures
>> teaching the fundamentals of  liberalism to their offspring: that
>> everything is acceptable so long as it can be separated from the
>> critical element, or so long as you get away with it (same thing).
>
> Just regarding the timeline. From https://research.swtch.com/xz-timeline
>
> 2021-10-29 A person using the online name Jia Tan submitted a patch for xz
> and later joins the project.
> 2024-02-23 First part of backdoor added to xz
> 2024-02-24 First release of backdoor version 5.6.0, which is causes crashes
> 2024-03-09 Working backdoor released as version 5.6.1
> 2024-03-27 Debian includes the 5.6.1 version in their development version
> 2024-03-28 Backdoor detected and analysis starts
> 2024-03-30 Backdoor removed by reverting to a pre Jia Tan version
>
> So three years working to build a reputation, and then get the backdoor
> included, only to have it detected and removed 3 days after making it into
> one linux distributions development version.
>
> So the three possibilities I see are a nation state, organized crime, or
> a single individual with the skills and time on his/her hands to do this.
>
> If it is a nation state, China, and Russia are the most likely based on
> timestamps of commits, but it could just as easily be a nato country trying
> to get it into Russian and Chinese systems. Simply working hours other then
> 9 to 5 could explain the timestamps.
>
> Regards, Dave Hodgins

I vote for a "Single individual" because of your observation

"which is causes crashes"

Some attacks "send a message". They can be intended to flummox productivity.

Now Linus counts all the <space> and <tab> for example. Like matter and
antimatter, a balance must be struck.

If I was a central organization, I would pay money to "little people"
to take their best shot. While this individual may have thought up
the attack on his or her own, from a payroll perspective, someone
is providing the noodles.

A previous piece of Ubuntu media was delayed by the insertion of
something into the ISO. Now, 24.04 is being delayed by the need
to recompile the tree without the bad version of XZ anywhere near it.
I'm sure this is merest coincidence. Just another day that ends
in "Y".

Paul

On Thu, 18 Apr 2024 23:53:55 -0400, David W. Hodgins wrote:

>
> So the three possibilities I see are a nation state, organized crime, or
> a single individual with the skills and time on his/her hands to do this.
>

It was almost certainly not a single individual.

There was much background research involved. The target was sshd but
only indirectly through the run-time linking with libsystemd which in
turn linked with liblzma.

Why xz-utils (which contains liblzma)? The reason is that xz-utils
contains binary test files, with no generation recipe. These test files
were deemed to be the best place to conceal both the bash injection
scripts and the ELF backdoor itself.

By using the binary test files, no human-readable source code needed
to be modified, and by committing more test files in the future the
backdoor capabilities could be expanded.

It was a brilliant plan.

All of this required considerable knowledge of the Linux linking
process as well as the detailed operation of systemd.

Moreover, the entire backdoor process fortuitously depended upon
a little known and consequently little suspected project known
as xz-utils.

What does a compression tool have to do with network login
authorization? The answer is nothing.

What does systemd have to do with network login authorization?
The answer is also nothing.

But the fact that systemd compresses its logs with liblzma and
the fact that sshd notified its state using systemd means that
a clear path for nefarious exploitation exists.

It is doubtful that a lone individual would search for this
"needle in a haystack" exploitation corridor.

On 2024-04-18, Auric__ <not.my.real@email.address> wrote:
> J.O. Aho wrote:
>
>> On 18/04/2024 06.15, David W. Hodgins wrote:
>>> On Wed, 17 Apr 2024 23:45:00 -0400, Jia Tan <noreply@wubuntu.wubuntu>
>>> wrote:
> [snip]
>>>> Some State actors are involved (Russia is suspected) but it is still
>>>> being investigated.
>>
>> I think the main suspect was CCP China, but sure it could have been any
>> actor from the Axis powers.
>
> China is on the list, yes, as is Russia, but IMO North Korea is pretty high
> on the list, as are other government-level bad actors... including
> Washington, D.C. The name "Jia Tan" might have been selected as a deliberate
> misdirection (although if I were to choose an alias for such purposes, I
> wouldn't choose a name suggesting a culture I'm not familiar with; I'd go
> with "Bob Smith" or similar.)

The name "Jia Tan" has been criticised for mixing Cantonese and Mandarin
phonemes, so perhaps someone did reference a culture that they do not
know, or perhaos this is deliberate misdirection.

--
Jasen.
🇺🇦 Слава Україні