Gary Charpentier (Joined: 25 Dec 00, Posts: 30870, Credit: 53,134,872, RAC: 32)
Millions of eyeballs, but it still gets a commit
https://www.theregister.com/2024/03/29/malicious_backdoor_xz/
ML1 (Joined: 25 Nov 01, Posts: 20795, Credit: 7,508,002, RAC: 20)
> Millions of eyeballs, but it still gets a commit

Wow... Thanks for that one.

That is one devious piece of obfuscation, aided and abetted by some incomplete security on the GitHub sources repository, and enabled by the overly obscure all-encompassing mess that is Systemd...

... Unfortunately, Systemd is here to linger on, just like Microsoft Windows...

Note the good comment here about the unusual dependencies that compromised Systemd with the xz library. Notably, non-Systemd systems are not workably compromised in that the xz backdoor remains inert.

This example will tighten the security of the source code repository for xz, and hopefully also prompt a check for the configs controlling other repositories.

So, the eyeballs did indeed stumble across this one. But in far faster time than certain other proprietary systems suffer!

Happy secure computing!!

Martin

ps: I can stay smug:
1: I avoid the use of the unhealthy mess that is Systemd;
2: My system is using the xzlibs 5.4.2;
3: The later releases are disabled, see the following note...

> Newer releases were signed by a potentially compromised upstream maintainer. There is no evidence that these releases contain malicious code, but masked out of an abundance of caution. See bug #928134.

See new freedom: Mageia Linux
Take a look for yourself: Linux Format
The Future is what We all make IT (GPLv3)
ML1 (Joined: 25 Nov 01, Posts: 20795, Credit: 7,508,002, RAC: 20)
What a move! Seeing is believing: Linus Tech Tips - It’s Time to Downsize - New Studio Tour

Also, full geek-out kudos for being a world first with Kiribati...

Enjoy this time of year!!

Martin

See new freedom: Mageia Linux
Take a look for yourself: Linux Format
The Future is what We all make IT (GPLv3)
Gary Charpentier (Joined: 25 Dec 00, Posts: 30870, Credit: 53,134,872, RAC: 32)
Is privacy Dead?
https://phys.org/news/2024-04-breakthrough-prime-theory-primes.html
Scrooge McDuck (Joined: 26 Nov 99, Posts: 993, Credit: 1,674,173, RAC: 54)
> Is privacy Dead?

Integer factorization and thus RSA will be weakened eventually. I don't see where this simplifies solving discrete logarithms (DH, ECC). Privacy can (still?) be maintained. There's already research on post-quantum cryptography, which assumes that at some point there will be usable, powerful quantum computers, so that integer factorization and discrete logarithms (e.g. elliptic curves) will no longer be a hard problem.
ML1 (Joined: 25 Nov 01, Posts: 20795, Credit: 7,508,002, RAC: 20)
All change again: German state ditches Windows, Microsoft Office for Linux and LibreOffice wrote:

> 'Complete digital sovereignty' ...

... sounds familiar...

Interesting freedoms loving times!

IT is very much what we make it...

Martin

See new freedom: Mageia Linux
Take a look for yourself: Linux Format
The Future is what We all make IT (GPLv3)
Gary Charpentier (Joined: 25 Dec 00, Posts: 30870, Credit: 53,134,872, RAC: 32)
Well it finally came out. There were only 4 eyeballs and half of them belonged to the bad actor. Of all the places to inject, the makefile! Is that all that stands between open source and open terror? One has to wonder now, is this the first attempt for this kind of vector or only the first time it has been spotted? And why is Micto$oft the security force for Linux?
ML1 (Joined: 25 Nov 01, Posts: 20795, Credit: 7,508,002, RAC: 20)
What details have you seen?

The reports I'm following show this attempted exploit to have been very determined, taking YEARS to incrementally place the pieces together, for some fantastic obfuscation, to then be undone by the keen eye of a tester who happens to work for Microsoft. His keen eye was on the test results of some automated performance testing. The rest is his time and diligence in following up the unexpected test results. (Don't know if his time was paid or not.)

The live exploit never got beyond testing.

So... Yes, a close call that could have been oh so different...

There's a lot of questions there for the consequences for all the software we depend upon... Commercial pressure in the present form of commercial profitable haste doesn't help...

IT is what we make it...

Martin

See new freedom: Mageia Linux
Take a look for yourself: Linux Format
The Future is what We all make IT (GPLv3)
rob smith (Joined: 7 Mar 03, Posts: 22384, Credit: 416,307,556, RAC: 380)
Is this news from Amazon a warning flag to those who have invested heavily in employing "cloud services" for their company & personal IT services?
https://www.bbc.co.uk/news/business-68729318

Another "victim" of this move looks to be the stores without check-outs (to me these sounded like a shoplifter's paradise).

Bob Smith
Member of Seti PIPPS (Pluto is a Planet Protest Society)
Somewhere in the (un)known Universe?
Scrooge McDuck (Joined: 26 Nov 99, Posts: 993, Credit: 1,674,173, RAC: 54)
> Well it finally came out. There were only 4 eyeballs and half of them belonged to the bad actor.

... at least three malign actors (supposedly a government) who started this sophisticated attack years ago (social engineering, gaining trust, convincing people to share responsibility).

> Is that all that stands between open source and open terror?

Open Source is not more secure than Closed Source if there is only a single person who maintains a piece of code... who made a good job when he/she was young and had plenty of time for this "hobby". Now one or two decades later with children, wife, family, job, ... he or she is overworked with being the maintainer of an important open source library. It's surprising that so many billion dollar commercial software businesses crucially depend on a few important open source libraries which are maintained by volunteers without payment. That's not a sustainable company policy. Commercial users of open source software should invest much more in the maintenance and further development of such widely-used libraries and tools.

> One has to wonder now, is this the first attempt for this kind of vector or only the first time it has been spotted?

!!!!!!!!! The only thing which delays such attacks to mainstream enterprise or long term support Linux distributions is conservative policies to only include older, stable versions of apps and libraries, waiting years until including novel ones.

> And why is Micto$oft the security force for Linux?

Pure coincidence! A Microsoft engineer found that a newer SSH version (linking to a newer version of the compression library liblzma) takes half a second longer to establish an SSH session and consumes significantly more CPU cycles. That surprised him, so he dug for the cause. It was pure coincidence that this sophisticated attack was discovered and that it was a Microsoft employee of all people.

[EDIT to add:] ML1 already explained it (sorry, only read ML1's post later)
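The post above describes the detection signal that actually surfaced the xz backdoor: a login path that suddenly took half a second longer and burned far more CPU. The following is an added example (not code from the thread or from any of the projects it discusses) of how a small performance-regression check can turn that kind of observation into an automated alert. The timing samples are constructed, illustrative numbers, not measurements from the real incident; the thresholds (0.1 s absolute floor, 5 x the baseline's own noise, 2 x CPU time) are assumptions you would tune per service.

```python
"""Flag a latency/CPU regression between two builds of a login path.

Added example (not from the thread): the samples below are constructed
illustrative timings, not measurements from the real xz incident. Each tuple
is (wall-clock seconds, CPU seconds) for one login attempt.
"""
from statistics import median

# Constructed baseline: five logins against the previous build.
BASELINE = [(0.21, 0.018), (0.23, 0.019), (0.20, 0.017), (0.22, 0.018), (0.24, 0.020)]
# Constructed candidate: five logins against the new build under test.
CANDIDATE = [(0.74, 0.210), (0.71, 0.205), (0.76, 0.215), (0.72, 0.208), (0.75, 0.212)]


def mad(values, centre):
    """Median absolute deviation: a robust spread estimate for small, noisy samples."""
    return median(abs(v - centre) for v in values)


def detect_regression(baseline, candidate, min_abs_latency=0.1, min_cpu_ratio=2.0, k=5.0):
    """Compare medians; a hit requires a latency delta that exceeds both an absolute
    floor and k times the baseline's own noise (MAD), or a CPU-time ratio at or
    above min_cpu_ratio. Thresholds are assumed defaults, not a standard."""
    base_wall = [w for w, _ in baseline]
    base_cpu = [c for _, c in baseline]
    cand_wall = [w for w, _ in candidate]
    cand_cpu = [c for _, c in candidate]

    bw, cw = median(base_wall), median(cand_wall)
    bc, cc = median(base_cpu), median(cand_cpu)
    noise = mad(base_wall, bw) or 1e-6  # avoid a zero threshold on perfectly flat data

    latency_delta = cw - bw
    cpu_ratio = cc / bc if bc else float("inf")
    reasons = []
    if latency_delta > max(min_abs_latency, k * noise):
        reasons.append(f"median latency +{latency_delta:.3f}s")
    if cpu_ratio >= min_cpu_ratio:
        reasons.append(f"median CPU time x{cpu_ratio:.1f}")

    return {
        "baseline_median_s": bw,
        "candidate_median_s": cw,
        "latency_delta_s": round(latency_delta, 3),
        "cpu_ratio": round(cpu_ratio, 2),
        "regression": bool(reasons),
        "reasons": reasons,
    }


if __name__ == "__main__":
    report = detect_regression(BASELINE, CANDIDATE)
    print("REGRESSION" if report["regression"] else "ok", report)
```

Medians and MAD are used instead of means and standard deviations so that one slow outlier in a five-sample run does not trip the alarm; the absolute floor stops a very quiet baseline from turning millisecond jitter into a finding. On a real CI box the tuples would come from timing the service's own login or handshake under a fixed load.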
Gary Charpentier (Joined: 25 Dec 00, Posts: 30870, Credit: 53,134,872, RAC: 32)
> What details have you seen?

https://www.inc.com/reuters/the-cyberattack-stopped-by-a-microsoft-engineer-was-scarier-than-we-realize.html

> XZ, a suite of file compression tools packaged into distributions of the Linux operating system, was long maintained by a single author, Lasse Collin.

This is a spy agency's wet dream. To simply be given the keys to nearly every database on the planet. How much would any nation state invest in such an operation? How much time would a nation state invest in such an operation? What is the value to them? More importantly what has every other nation state's spy agencies learned for their next attempt?

Very few understand what an intrusion at the nation state level is versus the far more common criminal level. That is a problem in security.

> In the open-source community, the discovery has been sobering. The volunteers who maintain the software that underpins the internet aren't strangers to the idea of little pay or recognition, but the realization that they were now being hunted by well-resourced spies pretending to be Good Samaritans was "incredibly intimidating," said Arasaratnam, of the Open Source Security Foundation.

BTW 2022 to 2023 isn't a plural number of years. And don't forget nation states embed their operatives for decades.
Scrooge McDuck (Joined: 26 Nov 99, Posts: 993, Credit: 1,674,173, RAC: 54)
> Very few understand what an intrusion at the nation state level is versus the far more common criminal level. That is a problem in security.

If so, then a hardened, greatly simplified OS must be mandatory there instead of the latest, comprehensive mainstream Linux flavour with fancy convenience features, or Windows.

In theory secure crypto systems consist of a publicly known algorithm which was widely discussed and evaluated within a global scientific community. Only the non-derivable secret keys should be crucial for confidentiality. I was told by people who know their business that still today governments maintain and further develop their own, national, top secret (closed source) crypto algorithms which are implemented in all kinds of hardware stuff. In theory the strength of such crypto systems can't compete with the publicly evaluated ones. But it's somehow the concept of a hidden fallback level in case all publicly known crypto systems turn out to be compromised at some point. Eventually governments should pursue similar concepts for their crucial IT systems? Supposedly, too expensive or unworkable.

> Government officials are also weighing the implications of the near-miss, which has underlined concerns about how to protect open-source software. Assistant national cyber director Anajana Rajan told Politico that "there's a lot of conversations that we need to have about what we do next "to protect open source code."

There is much to be learned from how the aviation industry specifies, develops, and evaluates software that flies on airplanes. There is an endless set of mandatory rules. The protection of “open source code” could be based on such concepts. You can't protect each component. If you try, it would be prohibitively expensive. But the crucial gears should be protected extremely well independent of costs. That is a concept of criticality levels for sub components within an OS which defines the necessary level of "protection".

The first question would be: Why was secure remote login (SSH) somehow intertwined with data compression (xz, ... liblzma). Security aware design should prevent such dependencies. Example: The old (1977) DES crypto algorithm mixes two functions: data encryption and data integrity (using parts of the key as a checksum). Its modern successor AES only handles encryption, not integrity.
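The post above ends on the separation of encryption from integrity: a cipher that only provides confidentiality gives the receiver no way to notice that ciphertext was altered on the way. The following is an added example (not code from the thread or from any project it discusses) that makes that concrete. The cipher is a constructed toy, a keystream derived from SHA-256 over (key, nonce, counter) XORed with the plaintext; it stands in for any encryption-only mode and is not AES or anything fit for production. The integrity layer is HMAC-SHA256 in encrypt-then-MAC form, which is a real construction; the fixed keys and nonce are constructed so the demo is deterministic.

```python
"""Encryption alone vs. encryption plus an integrity tag.

Added example (not from the thread). The cipher here is a constructed toy:
a keystream derived from SHA-256 over (key, nonce, counter), XORed with the
plaintext. It stands in for any encryption-only mode and is NOT AES or a
production cipher; the integrity layer is HMAC-SHA256 in encrypt-then-MAC form.
"""
import hashlib
import hmac

TAG_LEN = 32  # HMAC-SHA256 output length

# Constructed fixed keys and nonce so the demo is deterministic.
ENC_KEY = b"constructed-enc-key-0123456789ab"
MAC_KEY = b"constructed-mac-key-0123456789ab"
NONCE = b"nonce-00"


def keystream(key, nonce, length):
    """Toy keystream: concatenated SHA-256(key || nonce || counter) blocks."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_only(key, nonce, plaintext):
    """Confidentiality only: nothing lets the receiver tell a modified ciphertext apart."""
    return xor_bytes(plaintext, keystream(key, nonce, len(plaintext)))


decrypt_only = encrypt_only  # XOR with the same keystream is its own inverse


def encrypt_then_mac(enc_key, mac_key, nonce, plaintext):
    """Ciphertext followed by an HMAC over nonce || ciphertext."""
    ct = encrypt_only(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return ct + tag


def decrypt_then_verify(enc_key, mac_key, nonce, blob):
    """Return the plaintext, or None if the tag does not match (tampering or wrong key)."""
    if len(blob) < TAG_LEN:
        return None
    ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    return decrypt_only(enc_key, nonce, ct)


def modify_in_transit(ciphertext, offset, old_byte, new_byte):
    """Simulate one byte of ciphertext being changed on the wire.

    For a keystream cipher, XORing (old ^ new) into a ciphertext byte changes
    exactly that plaintext byte from old_byte to new_byte. This is the kind of
    silent change an integrity tag exists to catch."""
    buf = bytearray(ciphertext)
    buf[offset] ^= old_byte ^ new_byte
    return bytes(buf)


def demo(plaintext=b"amount=100"):
    """Return (what an encryption-only receiver sees, what a verifying receiver sees)."""
    pos = plaintext.index(b"1")

    # Encryption only: the change goes through silently.
    ct = encrypt_only(ENC_KEY, NONCE, plaintext)
    unauthenticated = decrypt_only(ENC_KEY, NONCE, modify_in_transit(ct, pos, ord("1"), ord("9")))

    # Encrypt-then-MAC: the same change invalidates the tag and the message is rejected.
    blob = encrypt_then_mac(ENC_KEY, MAC_KEY, NONCE, plaintext)
    authenticated = decrypt_then_verify(ENC_KEY, MAC_KEY, NONCE,
                                        modify_in_transit(blob, pos, ord("1"), ord("9")))
    return unauthenticated, authenticated


if __name__ == "__main__":
    seen_plain, seen_auth = demo()
    print("encryption only   ->", seen_plain)  # b'amount=900', accepted without complaint
    print("encrypt-then-MAC  ->", seen_auth)   # None: rejected
```

The receiver that only decrypts accepts `amount=900` as if it were genuine; the receiver that verifies the tag first returns `None` and never looks at the altered bytes. In practice an AEAD mode such as AES-GCM or ChaCha20-Poly1305 bundles both steps, which is the modern answer to the encryption-versus-integrity split the post describes.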
Gary Charpentier (Joined: 25 Dec 00, Posts: 30870, Credit: 53,134,872, RAC: 32)
> The first question would be: Why was secure remote login (SSH) somehow intertwined with data compression (xz, ... liblzma).

In the old old days of dialup compressing the data sent was necessary.

The question that needs to be answered by every distro is how many packages that are in your distro have two or fewer maintainers? Or is this attack vector something that is a design fault in the model of FOSS and Github?
ML1 (Joined: 25 Nov 01, Posts: 20795, Credit: 7,508,002, RAC: 20)
> ... Or is this attack vector something that is a design fault in the model of FOSS and Github?

Nothing amiss with GitHub other than the users using it...

From my lunchtime reading we have this excellent deep-dive summary: XZ Utils Supply Chain Attack: A Threat Actor Spent Two Years to Implement a Linux Backdoor wrote:

> ... compression/decompression algorithms widely used in Unix-based systems, including Linux systems. XZ Utils is used by many operations...

And a much lighter summary is on: XZ Utils backdoor wrote:

> ... While xz is commonly present in most Linux distributions, the backdoor only targeted Debian- and RPM-based systems running on the x86-64 architecture...

Significant. Indeed: World-wide significant.

On a fundamental level, the various FLOSS licenses encourage free use and redistribution. However... There is no requirement made for financial contribution to keep things working. Hence 'industry' takes a free-of-cost ride?...

IT is what we make it!

Martin

ps: The "an RC4 variant implemented in AWK" is a fantastic piece of obscure obfuscation that is a long way away from where all the eyes will be looking on the source code! AWK is a command-line/script tool that is outside of the source code...

See new freedom: Mageia Linux
Take a look for yourself: Linux Format
The Future is what We all make IT (GPLv3)
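Both the "unusual dependencies" remark earlier in the thread and the question of why SSH was intertwined with liblzma come down to one audit: which libraries does a privileged service end up loading that never appear in its own link list? The following is an added example (not code from the thread or from any project it discusses) of that audit over a dependency graph. The NEEDED table is a constructed, heavily simplified stand-in for the DT_NEEDED entries that `readelf -d` or `objdump -p` report on a real system; it is not real output, and the chain it encodes (sshd to libsystemd to liblzma) just mirrors the one the thread talks about.

```python
"""Trace how a privileged service ends up linked to a library it never asked for.

Added example (not from the thread). The NEEDED table below is a constructed,
heavily simplified stand-in for DT_NEEDED entries (as shown by `readelf -d` or
`objdump -p`); it is not the output of any real system.
"""

# Constructed DT_NEEDED table: binary or library -> libraries it links directly.
NEEDED = {
    "sshd": ["libcrypto.so.3", "libsystemd.so.0", "libc.so.6"],
    "libsystemd.so.0": ["liblzma.so.5", "libzstd.so.1", "libc.so.6"],
    "libcrypto.so.3": ["libc.so.6"],
    "liblzma.so.5": ["libc.so.6"],
    "libzstd.so.1": ["libc.so.6"],
    "libc.so.6": [],
}


def link_chains(needed, root, target):
    """All distinct paths root -> ... -> target through the DT_NEEDED graph."""
    chains = []

    def walk(node, path):
        if node == target:
            chains.append(path)
            return
        for dep in needed.get(node, []):
            if dep not in path:  # guard against cycles in messy real-world graphs
                walk(dep, path + [dep])

    walk(root, [root])
    return chains


def transitive_closure(needed, root):
    """Every library the root ends up loading, directly or indirectly."""
    seen, stack = set(), list(needed.get(root, []))
    while stack:
        lib = stack.pop()
        if lib not in seen:
            seen.add(lib)
            stack.extend(needed.get(lib, []))
    return seen


def audit(needed, root, watchlist):
    """For each watched library, report whether root loads it and via which chains.

    Only indirect chains (more than two nodes) are listed: a direct link is at
    least visible in the binary's own DT_NEEDED list, an indirect one is not."""
    report = {}
    for lib in watchlist:
        chains = link_chains(needed, root, lib)
        report[lib] = {
            "loaded": lib in transitive_closure(needed, root),
            "direct": lib in needed.get(root, []),
            "chains": [" -> ".join(c) for c in chains if len(c) > 2],
        }
    return report


if __name__ == "__main__":
    watch = ["liblzma.so.5", "libzstd.so.1", "libcrypto.so.3"]
    for lib, info in audit(NEEDED, "sshd", watch).items():
        print(lib, info)
```

Run against a real host, the table would be built by walking each library's DT_NEEDED list; the watchlist is whatever a given site considers out of place in a remote-login daemon. The point of reporting only indirect chains is that these are exactly the dependencies nobody reviewing sshd's own build would expect to see, which is what the thread's "unusual dependencies" comment is about.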
Gary Charpentier (Joined: 25 Dec 00, Posts: 30870, Credit: 53,134,872, RAC: 32)
> ... Or is this attack vector something that is a design fault in the model of FOSS and Github?

Exactly the design fault of GitHub and FOSS. Neither GitHub nor FOSS have any security to prevent bad nation state users from using it. Something tells me this is not the only exploit planted in distros. Because the exploit code had a bug it was detected; other exploits may not have bugs. Isn't the entire point of FOSS to hang a bunch of customization on an O/S? Aren't those customizations allowed to run with root and even supervisory privilege? Ask: is it easier for a nation state to search for a chain of bugs to open the door, or is it easier to simply build the door in the first place? Criminals won't because they have to find a fast way in to feed themselves; nation states draw a salary so years-long waits are totally acceptable.

Security is what you allow it to be.
ML1 (Joined: 25 Nov 01, Posts: 20795, Credit: 7,508,002, RAC: 20)
Fantastic! Fairphone's Fairbuds Are True Wireless Earbuds With Repairable Design, User-Replaceable Batteries

There's also the hint there that they could be used also as hearing aids...

Way to go! Enjoy!!

Martin

See new freedom: Mageia Linux
Take a look for yourself: Linux Format
The Future is what We all make IT (GPLv3)
ML1 (Joined: 25 Nov 01, Posts: 20795, Credit: 7,508,002, RAC: 20)
This shouldn't still be happening: It's 2024 and Intel silicon is still haunted by data-spilling Spectre wrote:

> Intel CPU cores remain vulnerable to Spectre data-leaking attacks...

IT is what we make it...

Martin

See new freedom: Mageia Linux
Take a look for yourself: Linux Format
The Future is what We all make IT (GPLv3)
Gary Charpentier (Joined: 25 Dec 00, Posts: 30870, Credit: 53,134,872, RAC: 32)
> This shouldn't still be happening:

Another Boeing?

> It's 2024 and Intel silicon is still haunted by data-spilling Spectre

To gain the performance users demand, speculative execution was invented. If you don't guess you don't have a performance increase but you don't spill data. Should chips come in two flavors? (1) blazing fast but insecure, (2) snail pace but secure. Which one will you put into your server? Perhaps a processor flag, speculative mode on/off. Perhaps any time in supervisory mode, no speculation? The silicon can support it, but it also has to be baked into the O/S and nation states may not want it to happen.

Security is what we allow it to be.
Dr Who Fan (Joined: 8 Jan 01, Posts: 3295, Credit: 715,342, RAC: 4)
This is a HACKERS DELIGHT waiting for someone to exploit: Truck-to-truck worm could infect – and disrupt – entire US commercial fleet

> Vulnerabilities in common Electronic Logging Devices (ELDs) required in US commercial trucks could be present in over 14 million medium- and heavy-duty rigs, according to boffins at Colorado State University.
Scrooge McDuck (Joined: 26 Nov 99, Posts: 993, Credit: 1,674,173, RAC: 54)
Intel's vision for a post x86 world was the clean IA64 design aka "Itanium". This CPU design was built upon very long instruction words (VLIW) moving the scheduling complexity into the compilers instead of the fancy speculative µOP reordering logic of the contemporary Intel and AMD CPUs. But even with billion dollar investments and ten years of development AMD easily beat IA64 when they proposed their simple AMD64 extension of IA-32 to 64 bit. Intel's expensive Itanium CPUs never managed to outperform AMD's AMD64 workstation and server CPUs. Intel then copied AMD's approach and developed IA64 and x86_64 in parallel. IA64 was later buried, the largest misinvestment in the history of semiconductors.

> This shouldn't still be happening:
> > It's 2024 and Intel silicon is still haunted by data-spilling Spectre
> To gain the performance users demand, speculative execution was invented.

The referred article claimed AMD isn't affected. AMD uses the same, complex x86_64 instruction set architecture as Intel. So it's possible to build CPUs which don't spill data due to speculative 'mode'. Back then when SPECTRE and Meltdown first occurred Linus Torvalds raged on the kernel mailing list when someone classified it a "Bug" because it wasn't a Linux bug but... [list of curses and unpleasant words]. He explained one needs to get past x86 and x86_64.... The future needs to be built on a clean ISA. He was hoping for ARM64.
©2024 University of California
SETI@home and Astropulse are funded by grants from the National Science Foundation, NASA, and donations from SETI@home volunteers. AstroPulse is funded in part by the NSF through grant AST-0307956.