Same story, but this one adds some more details and other links.
TL;DR: Nothing really new here. They just summarize the social engineering of the attack.
Everyone and their grandmother is writing/blogging about this attack by paraphrasing all the same information.
Need for Clicks 101
deleted by creator
Oh please, the franchise is just getting started, wake me when it reaches 404
Can’t wait for Need for Clicks 2077!
I’m waiting for the one titled I’m a teapot. Heard it’s going to be 418.
You can get my take on it at www.creedthoughts.gov.www\creedthoughts/xz
Fascinating read - interesting that the origin of the hack is not yet known (or at least, released). I wonder what the stats are on these sorts of exploits in OSS - the concept relies so much on trust and individuals.
the concept relies so much on trust and individuals.
Everything does though.
Ken Thompson talked about this back in 1984, his talk/article “Reflections on trusting trust” is a short but scary read.
https://www.cs.cmu.edu/~rdriley/487/papers/Thompson_1984_ReflectionsonTrustingTrust.pdf
In the end, what can we trust?Ultimately, nothing, unless you built everything yourself from scratch, just about from the silicon up.
Everything is risk management.
World’s biggest backdoor
Puh-lease. At least Heartbleed made it into production at enormous scale.I stand corrected.
A backdoor is very distinct from a vanilla vulnerability. Heartbleed was a vulnerability, meaning the devs made a mistake in the code, introducing a method of attack. XZ was backdoored, meaning a malicious actor intentionally introduced a method by which he could exploit systems.
Both are pretty serious vulnerabilities, but a backdoor, especially introduced so high in the supply chain, would have been devastating had it not been caught so early.
CVE score of heartbleed was 7.5, the score of this XZ backdoor is 10…
Heartbleed was the result of an accidental buffer overread bug, not a backdoor.
