Slackware: This Forum is for the discussion of Slackware Linux.
Probably virtual-machine encryption of modern CPUs partly defeats these attacks.
Less solid defenses may include process isolation, seccomp and so on. BTW, these should have proven that moving from C to Rust is unnecessary. Ridiculous that Linux developed the Rust infrastructure which is practically not used.
Lennart with systemd is just for commercial benefit and possibly also for personal credit. Exactly the same motive as this Jia TAN.
The only difference is that Lennart is more straightforward. He aims at making the operating system more error prone so that he can earn more from providing commercial support. This is obvious.
While Jia TAN shows love and loyalty to the state ("love the state not the people", a concept mostly advocated by the Chinese and U.S. politicians), it is actually as selfish as Lennart is.
Trust is a fragile thing. During the McCarthy era in America, there actually were some people in the public eye who were communist apologists and sympathisers. Because of that, McCarthy's accusations seemed reasonable at first. But they ended up ruining the careers and lives of a lot of completely innocent people. Once the witch hunt started, it couldn't be stopped.
To a great extent, how trustworthy someone is depends on his/her motivation.
In post #55 I copied an extract that points out that the sophistication of this backdoor points to a state sponsored hacking group. The link to the article is in post #54. Suitably motivated people will do their job and get their pay, even if it means making life difficult for others. The U.S. had no scruples about targeting the firmware on Iran's nuclear centrifuges. I'm sure the people who programmed that were themselves 'programmed' to see it as a good thing to do. We have already met incoming "products" from hacking groups. I'm sure the people who programmed them were also 'programmed' to see hacking the Western powers as a good thing to do.
And I imagine that Jia Tan was simply a front man for whatever group it was. The sophistication indicates that his commits could have been perfected in group sessions. The group certainly would have thought long and hard to try and find a way around disabling a compile feature. You just wonder how many 'sleepers' are in other OSS projects.
Some of the most sophisticated "black hat" groups are in North Korea. It seems weird that such a backward medievalised nation could excel in cracking computer systems but they recruit them young and train them carefully.
Rather than the link posted in post #54, I prefer the link posted in post #11 (from which I draw subsequent references).
Quote:
We do not want to speculate on the people behind this project in this document. This is not a productive use of our time, and law enforcement will be able to handle identifying those responsible.
Personally, I am not so convinced on "law enforcement will be able to handle identifying those responsible". The trail back is thin. In hindsight, the targeting of xz, a widely used project with a leader lacking support, appears very deliberate. To me, this is the basis of the attack on trust that we find so hurtful.
The sophistication of the attack from the analysis to date is undeniable. The co-option of the build system to incorporate the object file containing the malware code is evil genius.
OK, the backdoor works by targeting a weakness in patching sshd for use with systemd. Slackware dodged the bullet. But that is no reason for complacency or personal attacks. Lennart Poettering is working for Microsoft these days, but has been actively involved in addressing this abuse of the OSS ecosystem. It will take a united coalition to repel this sustained and co-ordinated subversion of our beloved Linux operating systems.
I think that people or companies who use free software, xz for example, but also ffmpeg, x264, ... to make money, should be much more involved than they are in supporting these projects.
Quote:
Some of the most sophisticated "black hat" groups are in North Korea. It seems weird that such a backward medievalised nation could excel in cracking computer systems but they recruit them young and train them carefully.
I have read nearly all of them work abroad, where they don't show as North Korean. I imagine all have their CS degree from abroad, and perhaps are embassy staff. NK's internet infrastructure is rudimentary and tiny.
This story is interesting and developing, and analysis appears to be a work in progress. What struck me is that even the kernel could be vulnerable. Any chunk of kernel code is thoroughly vetted, I am sure. But these guys have the time and patience to assemble one piecemeal, between various common existing user space binaries and kernel options.
Last edited by business_kid; 04-03-2024 at 01:09 PM.
But addressing his point that you don't need to link libsystemd to send the messages over the socket or whatever pathway there is for these notifications, it seems like Damien Miller and friends are already on top of it: https://bugzilla.mindrot.org/attachm...09&action=edit
(Sorry if this has been posted already. It's a long thread, but feel free to yell at me for bad form laziness on that note.)
Oh, and am I reading it correctly that the need for all those extra libraries comes down to writing 7 characters down a socket?
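To make the point above concrete: the readiness notification systemd expects is a datagram containing the text `READY=1` (seven bytes) sent to the AF_UNIX socket whose path is in the `NOTIFY_SOCKET` environment variable, as documented in sd_notify(3). Nothing in that requires linking libsystemd, and every shared library a daemon like sshd loads is extra code that runs in its address space, which is exactly the surface the xz backdoor used. The following is an added example written for this thread, not the OpenSSH patch linked above nor systemd's own code; the function names `notify_socket_send`, `notify_ready` and `notify_roundtrip` are my own, and `notify_roundtrip` exists only so the example can verify itself offline against a socket it creates under `/tmp`.

```c
/* Minimal stand-alone replacement for sd_notify(3): send a status datagram
 * to the AF_UNIX socket named in $NOTIFY_SOCKET without linking libsystemd.
 * Added example for illustration; not OpenSSH's or systemd's code. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>

/* Send `msg` to the notification socket at `path`.  A leading '@' denotes
 * the Linux abstract socket namespace (encoded as a leading NUL byte), the
 * same convention sd_notify(3) documents for NOTIFY_SOCKET.
 * Returns 0 on success, -1 on error with errno set. */
int notify_socket_send(const char *path, const char *msg)
{
    struct sockaddr_un addr;
    size_t plen, mlen;
    ssize_t n;
    int fd;

    if (path == NULL || *path == '\0' || msg == NULL) {
        errno = EINVAL;
        return -1;
    }
    plen = strlen(path);
    if (plen >= sizeof(addr.sun_path)) {
        errno = ENAMETOOLONG;
        return -1;
    }
    memset(&addr, 0, sizeof(addr));
    addr.sun_family = AF_UNIX;
    memcpy(addr.sun_path, path, plen);
    if (addr.sun_path[0] == '@')
        addr.sun_path[0] = '\0';           /* abstract namespace */

    fd = socket(AF_UNIX, SOCK_DGRAM | SOCK_CLOEXEC, 0);
    if (fd < 0)
        return -1;
    mlen = strlen(msg);
    n = sendto(fd, msg, mlen, MSG_NOSIGNAL, (struct sockaddr *)&addr,
               (socklen_t)(offsetof(struct sockaddr_un, sun_path) + plen));
    close(fd);
    return (n < 0 || (size_t)n != mlen) ? -1 : 0;
}

/* Mirror of sd_notify(0, "READY=1"): read the path from the environment and
 * quietly succeed when not running under systemd (no NOTIFY_SOCKET set). */
int notify_ready(void)
{
    const char *path = getenv("NOTIFY_SOCKET");
    if (path == NULL || *path == '\0')
        return 0;
    return notify_socket_send(path, "READY=1");
}

/* Self-check helper (constructed for this example): bind a receiving datagram
 * socket at `path`, send `msg` to it via notify_socket_send(), and return the
 * number of bytes the receiver got (copied into buf), or -1 on failure. */
int notify_roundtrip(const char *path, const char *msg, char *buf, size_t buflen)
{
    struct sockaddr_un addr;
    ssize_t n;
    int rfd;

    memset(&addr, 0, sizeof(addr));
    addr.sun_family = AF_UNIX;
    strncpy(addr.sun_path, path, sizeof(addr.sun_path) - 1);
    unlink(path);                          /* remove a stale socket file */
    rfd = socket(AF_UNIX, SOCK_DGRAM, 0);
    if (rfd < 0)
        return -1;
    if (bind(rfd, (struct sockaddr *)&addr, sizeof(addr)) < 0) {
        close(rfd);
        return -1;
    }
    if (notify_socket_send(path, msg) != 0) {
        close(rfd);
        unlink(path);
        return -1;
    }
    n = recv(rfd, buf, buflen, 0);
    close(rfd);
    unlink(path);
    return n < 0 ? -1 : (int)n;
}

int main(void)
{
    char buf[64];
    int n = notify_roundtrip("/tmp/notify-demo.sock", "READY=1", buf, sizeof(buf) - 1);
    if (n < 0) {
        perror("roundtrip");
        return 1;
    }
    buf[n] = '\0';
    printf("receiver got %d bytes: %s\n", n, buf);
    return 0;
}
```

The whole dependency reduces to one `socket()` and one `sendto()`; the only behaviour a drop-in replacement has to preserve is the datagram semantics and the `@` abstract-namespace prefix. Running it with a real unit is the same as the stand-alone check: systemd sets `NOTIFY_SOCKET` for `Type=notify` services, and `notify_ready()` returns 0 both when the datagram is delivered and when the variable is absent.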
Nah, Pandora's box was opened decades ago. But now all of a sudden people who weren't paying attention are realizing what has always been possible. Kind of like those people who waited 50 years to get upset about climate change.
I'll note here that some people can't help but to self-sabotage, as per this article published merely days after details of the xz vulnerability were publicised: https://linuxconfig.org/enable-ssh-r...n-linux-server