GNU social JP is a GNU social server in Japan.
Conversation

Notices

    Kevin Beaumont (gossithedog@cyberplace.social)'s status on Sunday, 31-Mar-2024 19:15:00 JST

    I don’t agree with all the doomsaying about the XZ incident.

    You just know orgs are going to return after Easter and panic about it unnecessarily (they’re likely still on Redhat 6). It doesn’t impact them as it was caught super early.

    Regarding the narrative that there’s nothing that can be done about these types of attacks - I also don’t agree. There’s already a change in the pipeline to systemd which would have prevented it.

    The thing needs rational, calm reaction and response.

    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Sunday, 31-Mar-2024 19:30:32 JST

      Before anybody points it out, I know I am in the wrong industry if I want a rational, calm response - LinkedIn is still full of people saying the boat got ‘cyber attacked’, and governments are busy trying to solve supply chain risks by banning HUAWEI.

      The industry is basically powered by people running into a crowded theatre and shouting CYBER. Then when people point out there’s no cyber, they’re like ‘yes.. but there COULD be cyber’. Thanks, very helpful.

      clacke likes this.
      GreenSkyOverMe (Monika) repeated this.
    • 0x6B757261 (kura@noc.social)'s status on Sunday, 31-Mar-2024 19:36:08 JST

      @GossiTheDog it was depressing watching some people on the XZ IRC the 36ish hours I was lurking.

      You had a small group of people trying to get hold of Lasse Collin, and get an FAQ and write-up done. A few trying to analyse the vuln.

      And then people just joining to wildly speculate and draw insane conclusions like claiming Jia Tan means Come Home or some shit like that.

      And then also another handful that kept trying to impersonate Jia Tan.

      clacke likes this.
    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Sunday, 31-Mar-2024 19:49:52 JST

      For those asking what systemd change, easy write up: https://github.com/systemd/systemd/issues/32028

      It was in train before the XZ issue was discovered, which may be why the threat actor sped up, started making mistakes and started begging distros to upgrade XZ.

    • Pär Björklund (paxxi@hachyderm.io)'s status on Monday, 01-Apr-2024 00:42:45 JST

      @GossiTheDog these proposed changes don't protect against a similar attack though. They do reduce the attack surface, making it harder to pull off.

      Just moving to dlopen depends a lot on the implementation and how easy it is to trigger the loading of a vulnerable library.

    • mroszko (mroszko@mastodon.social)'s status on Monday, 01-Apr-2024 01:27:29 JST

      @GossiTheDog The systemd change would have sealed off the ssh attack vector. But liblzma is linked into plenty of other libraries. Just using rdepends, even python and tor have a dependency on it. So they could have still had value in alternate attack vectors, just not ssh, which may have been more universal.

      Heck, libxml2 depends on liblzma5, so there are even more attack targets like postgres, ruby, php, etc.

      Kind of a waste to rush, but it may be why they added a plugin system for additional payloads.

    • Rich Felker (dalias@hachyderm.io)'s status on Monday, 01-Apr-2024 16:01:25 JST

      @GossiTheDog Are they deprecating the sd notify library call so that all the programs gratuitously linking libsystemd for socket notification will instead have to read the spec and write the 5 lines of code needed to do it by the spec rather than by a library function? This would help so much to undo the damage systemd did to dependency creep.

      clacke likes this.
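The "do it by the spec instead of linking libsystemd" approach raised in the thread, as an added example that is not code from any poster or from systemd: a notify call implemented directly against the documented sd_notify(3) protocol (a datagram of `KEY=VALUE` lines to the AF_UNIX socket named by `$NOTIFY_SOCKET`), so a daemon can report readiness without pulling libsystemd and its transitive liblzma dependency into its address space. The self-check plays the supervisor side on a throw-away socket path.

```c
// Minimal sd_notify(3)-protocol sender with no libsystemd dependency.
// Added example, not systemd's code; function names are hypothetical.
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>

/* Send one notification datagram. Returns 1 if sent, 0 if NOTIFY_SOCKET is
 * unset (no notify-aware supervisor, so silently do nothing), -1 on error. */
int notify_no_lib(const char *state) {
    const char *path = getenv("NOTIFY_SOCKET");
    if (!path || !*path) return 0;
    if (path[0] != '/' && path[0] != '@') return -1;   /* path or abstract only */
    size_t len = strlen(path);
    struct sockaddr_un addr = { .sun_family = AF_UNIX };
    if (len >= sizeof addr.sun_path) return -1;
    memcpy(addr.sun_path, path, len);
    if (path[0] == '@') addr.sun_path[0] = '\0';       /* Linux abstract namespace */
    /* Abstract names carry no trailing NUL; filesystem paths include it. */
    socklen_t alen = (socklen_t)(offsetof(struct sockaddr_un, sun_path) + len + (path[0] == '@' ? 0 : 1));
    int fd = socket(AF_UNIX, SOCK_DGRAM | SOCK_CLOEXEC, 0);
    if (fd < 0) return -1;
    ssize_t n = sendto(fd, state, strlen(state), MSG_NOSIGNAL, (struct sockaddr *)&addr, alen);
    int saved = errno;
    close(fd);
    errno = saved;
    return n == (ssize_t)strlen(state) ? 1 : -1;
}

/* Self-check: bind a receiving socket in a temp dir, point NOTIFY_SOCKET at it,
 * send READY=1 and verify the datagram arrives intact. Returns 1 on success. */
int selftest_roundtrip(void) {
    char dir[] = "/tmp/notify-selftest-XXXXXX";
    if (!mkdtemp(dir)) return 0;
    char path[sizeof ((struct sockaddr_un *)0)->sun_path];
    snprintf(path, sizeof path, "%s/notify", dir);
    struct sockaddr_un addr = { .sun_family = AF_UNIX };
    strncpy(addr.sun_path, path, sizeof addr.sun_path - 1);
    int srv = socket(AF_UNIX, SOCK_DGRAM, 0), ok = 0;
    const char *msg = "READY=1\nSTATUS=listening\n";   /* constructed sample state */
    if (srv >= 0 && bind(srv, (struct sockaddr *)&addr, sizeof addr) == 0 &&
        setenv("NOTIFY_SOCKET", path, 1) == 0 && notify_no_lib(msg) == 1) {
        char buf[64] = {0};
        ssize_t n = recv(srv, buf, sizeof buf - 1, 0);
        ok = n > 0 && strcmp(buf, msg) == 0;
    }
    if (srv >= 0) close(srv);
    unlink(path); rmdir(dir); unsetenv("NOTIFY_SOCKET");
    return ok;
}
```

A daemon that wants the wider protocol (`RELOADING=1`, `WATCHDOG=1`, `MAINPID=`) only changes the string it passes; the transport stays these few syscalls.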

GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

Creative Commons Attribution 3.0 All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.