@mosseri hi from the internet! how's EU support coming along? I still can't reach most of the people I want to reach.
Fun facts, random musings and shitposts, usually related to technology.
Microsoft Least Valuable Professional.
I care/know a bit about
- Sustainability (there's a fusion reactor in the sky!)
- Free Software (by far the most sustainable type of software)
- Ecosystem strategy/marketing ("how do we get people to use this?")
- UX (developers are users!)
- Web Development (the least bad application platform, probably)
- Photography (lately mostly slow-motion videos)
- Memery (RIP, Cheems)
@altstore is installed! Beautiful! Thanks for all the work, AltStore team and EU!
Now to install my own app I still need "notarization" (Apple still having a hand in distribution, which I wish was illegal).
Is that possible without paying the 100€/year that App Store distribution would require? If so, I might actually become interested in iOS development.
Europe’s coolest alternative app marketplace is HERE!
Introducing AltStore PAL — an Apple-approved version of AltStore exclusive to the EU
Download now from our website for just €1.50/year (+ VAT) 🇪🇺 https://altstore.io
Some aspects of this #xz / #liblzma #sshd #backdoor remind me of Ken Thompson's 1984 lecture "Reflections on trusting trust". This is a practical implementation of a similar attack for a modern world. https://www.cs.cmu.edu/~rdriley/487/papers/Thompson_1984_ReflectionsonTrustingTrust.pdf #infosec #cybersecurity
I was doing some micro-benchmarking at the time, needed to quiesce the system to reduce noise. Saw sshd processes were using a surprising amount of CPU, despite immediately failing because of wrong usernames etc. Profiled sshd, showing lots of CPU time in liblzma, with perf unable to attribute it to a symbol. Got suspicious. Recalled that I had seen an odd valgrind complaint in automated testing of postgres, a few weeks earlier, after package updates.
Really required a lot of coincidences.
I accidentally found a security issue while benchmarking postgres changes.
If you run debian testing, unstable or some other more "bleeding edge" distribution, I strongly recommend upgrading ASAP.
After seeing how the XZ maintainer's burnout and mental health decline was exploited to the potential detriment of the whole world, we're totally going to be supporting our developers more, right guys? We're totally going to fund critical OSS and pay maintainers enough to hire on other maintainers to take the burden off of them and reduce burnout, right? Right?
@eb I really hope that this causes an industry-wide reckoning with the common practice of letting your entire goddamn product rest on the shoulders of one overworked person having a slow mental health crisis without financially or operationally supporting them whatsoever. I want everyone who has an open source dependency to read this message https://www.mail-archive.com/xz-devel@tukaani.org/msg00567.html
I think a LOT of people are missing the fact that we got LUCKY with this malicious backdoor.
The backdoor was created by an Insider Threat - by a developer / maintainer of various Linux packages. The backdoor was apparently pushed back on March 8th (I believe) and MADE IT PAST all QA checks.
Let me state that again. Any quality assurance, security checks, etc., failed to catch this.
This was so far upstream, it had already gotten into the major Linux distributions. It made it into Debian pre-release, Fedora rolling, OpenSUSE rolling, Kali rolling, etc.
This is an example of Supply Chain Security that CISOs love to talk and freak out about. This is an example of an Insider Threat that is the boogey man of corporate infosec.
A couple more weeks, and it would have been in many major distributions without any of us knowing about it.
The ONLY reason we know about it is because @AndresFreundTec got curious about login issues and some benchmarking checks that had nothing to do with security and ran the issue down and stumbled upon a nasty mess that was trying to remain hidden.
It was luck.
That's it. We got lucky this time.
So this begs the question. Did the malicious insider backdoor anything else? Are they working with anyone else who might have access to other upstream packages? If the QA checks failed to find this specific backdoor by this specific malicious actor, what other intentional backdoors have they missed?
And before anyone goes and blames Linux (as a platform or as a concept), if this had happened (if it HAS happened!!!) in Windows, Apple, iOS, etc.... we would not (or will not) know about it. It was only because all these systems are open source that Andres was able to go back and look through the code himself.
Massive props and kudos and all the thank yous to Andres, those who helped him, to all the Linux teams jumping on this to fix it, and to all the folks on high alert just before this Easter weekend.
I imagine (hope) that once this gets cleaned up, there will be many fruitful discussions around why this passed all checks and what can be changed to prevent it from happening again.
(I also hope they run down any and all packages this person had the signing key for....)
The #liblzma supply chain attack is really, really scary.
However, luckily, most production systems should be unaffected.
That doesn't make it less scary on a broader level, but at least the world isn't immediately on fire as much as one might fear reading the news.
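The two posts above make a triage claim (upgrade ASAP if you run a bleeding-edge distribution; most production systems should be unaffected) without showing how to tell which side of that line a host is on. The script below is an added example, not code from any of the posters or from the xz project. It encodes the two facts that decide exposure: the installed xz/liblzma is one of the backdoored releases (5.6.0 or 5.6.1, the versions covered by CVE-2024-3094), and the sshd binary actually maps liblzma into its process image (on the affected distributions this happens indirectly through libsystemd, so it shows up in `ldd` output even though OpenSSH itself never links it). The sample `xz --version` and `ldd` outputs are constructed so the logic runs offline; the live-host branch only runs when `sshd`, `ldd` and `xz` are all on the PATH.

```shell
#!/bin/sh
# Added triage example for the xz/liblzma sshd backdoor (CVE-2024-3094).
# Not from the original posts or from the xz project. A host is in the
# exposed population only when BOTH hold:
#   1. the installed xz/liblzma is a backdoored release (5.6.0 or 5.6.1), and
#   2. sshd links liblzma (pulled in via libsystemd on affected distros).

# Return 0 when the version string names a backdoored xz release.
xz_version_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Extract the version number from `xz --version` output such as
# "xz (XZ Utils) 5.6.1". Prints only the version (empty if not found).
xz_version_from_output() {
    printf '%s\n' "$1" | sed -n 's/^xz (XZ Utils) \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Return 0 when ldd output shows liblzma mapped into the process image.
sshd_links_liblzma() {
    printf '%s\n' "$1" | grep -q 'liblzma\.so'
}

# Combine both checks. Prints a one-line verdict; returns 0 only if exposed.
triage() {
    ver=$(xz_version_from_output "$1")
    if xz_version_affected "$ver" && sshd_links_liblzma "$2"; then
        printf 'EXPOSED: xz %s installed and sshd links liblzma\n' "$ver"
        return 0
    fi
    linked=no
    sshd_links_liblzma "$2" && linked=yes
    printf 'not exposed (xz %s, liblzma linked into sshd: %s)\n' "${ver:-unknown}" "$linked"
    return 1
}

# Constructed sample inputs (not captured from a real host) so the script runs offline.
SAMPLE_XZ='xz (XZ Utils) 5.6.1
liblzma 5.6.1'
SAMPLE_LDD='	linux-vdso.so.1 (0x00007ffd1b9f0000)
	libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f2a0c000000)
	liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f2a0bf00000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f2a0bd00000)'

# Check the live host when the tools exist; otherwise show the logic on the sample.
main() {
    if command -v sshd >/dev/null 2>&1 && command -v ldd >/dev/null 2>&1 \
       && command -v xz >/dev/null 2>&1; then
        xz_out=$(xz --version 2>/dev/null)
        ldd_out=$(ldd "$(command -v sshd)" 2>/dev/null)
    else
        echo "(sshd/ldd/xz not all available; using constructed sample input)"
        xz_out=$SAMPLE_XZ
        ldd_out=$SAMPLE_LDD
    fi
    if triage "$xz_out" "$ldd_out"; then
        echo "ACTION: downgrade/upgrade xz and liblzma from your distribution, then restart sshd"
    fi
    return 0
}

main
```

The version check is deliberately an exact match rather than a range comparison: the malicious build-time injection was shipped only in those two release tarballs, so a host on 5.4.x or on a distribution rebuild that reverted to 5.4.x is outside the population even if it is otherwise a rolling release. A hit on the second condition alone (liblzma linked, but a clean version) is the normal state on systemd-based distributions and is not itself a finding.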
For some reason [XKCD 2347](https://xkcd.com/2347/) is looking real hot right now. #liblzma
@grifferz damn
Audience question: "Is there any conflict between GPL v2 and Red Hat's policy of not distributing source?"
"I don't think so and neither do our lawyers." - Scott McCarty, Red Hat
@Commander_KEEN Die Maus isn't driving people to Meta; it's meeting them where they already are. Of course I'm all in favour of the Fedimaus.