Getting a backdoor into open source software: 1. Start making useful contributions, 2. write mean messages to push for shared maintainership, 3. step in as savior, 4. build trust as competent contributor over years, 5. add overly convoluted testing system, 6. insert payload into repo, 7. make your first release as co-maintainer with untracked release script that compiles in backdoor, 8. nag distros to use the new version, 9. get caught in prerelease by German dev who notices the backdoor delays logins by 0.3s and decompiles your code to figure out why.
Getting a backdoor into proprietary software: 1. knock on CEO's office door, 2. present secret court order, 3. work with devs to add your backdoor.
Exactly! This is precisely why the xz backdoor does not weaken or invalidate open source, it's pretty interesting how it is being spun as the sky is falling for OSS. Which is total FUD.
This was a great explanation of how it worked on a technical level. Thanks for the lecture + summary!
This was shockingly good & interesting. It is making me think about how a talk can be steered by posing an unusual audience - in this case, some college kids who just learned about linkers but can’t necessarily be assumed to know broadly what someone would typically know if they had that specialist knowledge. 5 stars, and your competition are the folks who’ve explained things from the internet worm thru stuxnet and beyond.
Awesome lecture! I learned a ton and it was super engaging.
This was a really interesting and detailed overview of the backdoor.
I followed many of the discussions while it was being discovered, like how it was implemented, how it got compiled into the binary and what effect it had on sshd, but this lecture presented the actual effects on the system.
After reading the different discussions, seeing code examples and the details about the social engineering aspect, this video helped me see how the backdoor actually loaded itself into memory.
This reveals a lot more of the sophistication behind the backdoor, and the layers of obfuscation weren't really obvious to me before now.
Extremely helpful!
This is amazing thank you so much for this lecture!
This won't blow up like it should because you have 97 subscribers ... but the amount of depth you went into and the ease with which you explained a ton of very complicated concepts stretched out over 1+ hr is pretty absurd to me given that you are 20? years old. Damn bro. You know computers.
Concur
Cool explainer of the linker hacks!
This is much needed presentation - thank you!
Gripes: the audio is OK but could be better, but most of all - and this can't be said too often - all presenters (all the time, in all venues) when taking audience questions need to *REPEAT THE FSCKING QUESTIONS* before answering them....
great vid Denzel - so is it enough to update your XZ install to the "Fixed" packages with Jia's commits removed to fix this system wide?
Yes. Primarily rolling / experimental Linux releases were affected (Debian Sid, Kali-Rolling, etc.) and only during a few days, so very few installs were affected. It had no special persistence / rootkit capabilities found so far; reverting to an older / newer package removed it.
There is a very good write-up from OpenSUSE - they went all in on "assume everything compromised". Did the Thompson "Reflections on Trusting Trust" exercise. Eventually the reverse engineering seemed to prove this mostly was an sshd backdoor "only", and not a super-breaking distribution-breaker infinite rootkit. But the scope of the backdoor was not fully understood in the early days.
So distros reverted all builds that had even been touched by xz. Apparently they had fun times with lots of work… and suspect the timing of the backdoor push to distros might have been timed to slow down security response. Apparently most maintainers and cultures have some holidays around the end of March.
@randomgeocacher gotcha, thanks!
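The exchange above asks whether moving to the fixed packages is enough. As an added example (not code from the lecture, the thread, or the xz project), here is the first-pass check a practitioner would run to answer "am I on one of the two backdoored releases, and is liblzma even reaching sshd on this box?". It assumes, as the comments do not state, that the affected upstream releases are 5.6.0 and 5.6.1, that `xz --version` prints `xz (XZ Utils) X.Y.Z` on its first line, and that sshd only pulls liblzma in indirectly (via libsystemd on the affected distros), so it shows up in `ldd` and in the running process's `/proc/PID/maps`. The sample banner and ldd listing at the bottom are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the lecture or the xz project.
# First-pass screen for the two XZ Utils releases that shipped the backdoor.
# Assumption: affected upstream versions are 5.6.0 and 5.6.1; `xz --version`
# prints "xz (XZ Utils) X.Y.Z" on line 1; liblzma reaches sshd via libsystemd.

# Print "affected" if VERSION is one of the two backdoored upstream releases, else "clean".
xz_version_affected() {
    case "$1" in
        5.6.0|5.6.1) echo affected ;;
        *)           echo clean ;;
    esac
}

# Extract the upstream version number from the first line of `xz --version` output.
xz_version_from_banner() {
    printf '%s\n' "$1" | sed -n '1s/^xz (XZ Utils) \([0-9][0-9.]*\).*/\1/p'
}

# Print "yes" if a dependency listing (ldd output or /proc/PID/maps) references liblzma.
links_liblzma() {
    if printf '%s\n' "$1" | grep -q 'liblzma\.so'; then
        echo yes
    else
        echo no
    fi
}

# Run both checks on the current host. Returns 0 only if the xz version is not
# one of the two known-bad releases; the liblzma lines are informational.
check_host() {
    banner=$(xz --version 2>/dev/null | head -n 1)
    ver=$(xz_version_from_banner "$banner")
    status=$(xz_version_affected "$ver")
    echo "xz version: ${ver:-unknown} ($status)"

    sshd_bin=$(command -v sshd || echo /usr/sbin/sshd)
    if [ -x "$sshd_bin" ]; then
        echo "sshd links liblzma (ldd): $(links_liblzma "$(ldd "$sshd_bin" 2>/dev/null)")"
    fi
    # The check that matters for the backdoor: is liblzma mapped into the live sshd?
    for pid in $(pidof sshd 2>/dev/null); do
        echo "sshd pid $pid has liblzma mapped: $(links_liblzma "$(cat /proc/"$pid"/maps 2>/dev/null)")"
    done

    [ "$status" = clean ]
}

# Constructed sample inputs (addresses are made up) for running without a real host.
SAMPLE_BANNER='xz (XZ Utils) 5.6.1'
SAMPLE_LDD='    linux-vdso.so.1 (0x00007ffd5d1e0000)
    libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f2c3a000000)
    liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f2c39fc0000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f2c39c00000)'

if [ "$1" = demo ]; then
    echo "sample banner -> $(xz_version_affected "$(xz_version_from_banner "$SAMPLE_BANNER")")"
    echo "sample ldd    -> liblzma linked: $(links_liblzma "$SAMPLE_LDD")"
elif [ "$1" = host ]; then
    check_host
fi
```

Run it as `sh check_xz.sh demo` to see it on the constructed inputs, or `sh check_xz.sh host` on a real machine. A version match is only a screen: it tells you the upstream release, not whether the build script that injected the payload actually ran, and it says nothing about what a backdoored sshd may have done while it was live. That is why, as the reply above notes, distros treated the affected builds as compromised and rebuilt rather than trusting a version string.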
Hey, this was a good video, thanks. I can't hear all of the questions though, it would have been good if you had repeated the questions that were being asked. Some of them became clear due to your answers, others less so. This can sometimes be an issue in the auditorium too.
Lesson learned: don't fuck around with database engineers unless you want to find out. Classic FAFO
At 4 minutes you said suppository rather than repository. Freudian slip methinks.
😂
backdoor in the repository and suppository in the backdoor. honest mistake
@@brandondabreo5442 haha yes
@@brandondabreo5442 bravo
What's the target audience that watches a talk about the details of the backdoor but doesn't know what SSH is or how the open-source community works?
Nice talk anyway!
new (and not new) developers, new (and not new) cybersecurity staff, and probably a majority of people generally interested in the event
Yeah it’s a bit of an odd assumption for the real world, but since this was a lecture given to a specific class I could assume people knew linker stuff in a lot of depth, since we taught it. On the other hand, students don’t necessarily know about other more ‘basic’ concepts like OSS development.
"Probably not US", the hypocrisy is at same level of the backdoor.
the volume is very low :( hard to hear this
Turn your volume up.
Pretty good, but please no more upspeak.
You don't like it?
I don't think "upspeak" means what you think it means.
@@ancbi It does mean what I think it means? It's when a speaker uses rising inflection at the end of declarative sentences? Which makes them sound like interrogative sentences?
@@felipec Thanks for clarifying.
Then it's more likely that I just didn't pick up the upspeaks because it's too subtle for me as I'm not a native English speaker. Or because I have only just watched the leading parts.