Backdoor in upstream xz/liblzma leading to SSH server compromise

You know what's really interesting in that timeline? It seems the (about 4) attackers are all completely anonymous, share similar e-mail addresses, and have otherwise left no trace on the internet, EVER. That's kind of a red flag in and of itself.

But what is even more funny, in a wonderfully woke way, is their names: Jia Tan, Jigar Kumar, Dennis Ens, and Hans Jensen. This is like a Hollywood movie that carefully selects actors from each major geography, to make sure the movie sells well internationally.
 
Yeah, I don't like Facebook or other social networking sites - but it really looks like trust and privacy are two sides of the same coin - if you value privacy, no one will trust you. If someone does trust you, you have no privacy. 😩
 
I'm not sure I would ever trust someone I only know from Facebook. With enough effort, anyone can put together a convincing life story, timeline, and set of pictures.

Let me jokingly propose a new rule: For open source projects that are relevant to critical infrastructure (such as "the internet", whatever that might mean), we have to perform a background check. And that background check implies that an investigator sits with them for two hours, person-to-person, and talks to them. No, not virtually, but in a room (could be a bar if you are into that kind of thing). I know this would be completely impractical after the fact (supposedly there are several thousand people who have contributed to the Linux kernel, and that was years ago); but in retrospect, it would have been a good idea.
 
Actually this is something quite natural that people would do by themselves: sit together and talk. When I started to learn Unix, people would gather at my place every Friday evening, we would look into what's current, and then have some dinner.

Now, today is a sad day for me, because the last of the forums i am interested in has just died. There are a bunch of forums concerning topics that are not computer-related, they concern different topics which are not as dry and sterile as computer technology, and have rather some nurturing effect for my soul. During the last 10-20 years these forums have slowly died away, and today the last of them did suddenly go offline.

So my question is rather a social one: what has happened, why are people no longer interested in getting to know one another?

25 years ago, when meeting somebody in an online discussion and sharing interesting thoughts, one would just figure out where the other is located, then if possible grab an occasion, hop onto a train and meet.
10 years ago, however, when meeting someone in an online discussion and sharing interesting thoughts, people would go to great lengths to make sure one cannot figure out their identity or their whereabouts, and if only one would ask for an e-mail, they would get a throwaway one extra for that communication. And mark well: that's not about anything discrete or sophisticated concerned, just leisure talk about philosophy or religion when sharing similar viewpoints. Then when you ask them what that paranoia is all about, you get told what a dangerous place the network is, and how full of criminals, and one must not trust anybody, etc. etc. etc.

So, completely unrelated to this backdoor issue, I would really like to understand what is happening to people in general.

Because, whoever is behind this backdoor operation, they just follow the rules of the game. If the game is to stay anonymous and protect your privacy over all, they act accordingly. If the game is different, they act differently - this one was also discovered only by accident: https://en.wikipedia.org/wiki/Günter_Guillaume
 
Well, there are plenty of horror stories involving making offline contact with someone you met online. An underage kid getting tricked into running away; Law enforcement mistaking your identity; Your identity getting stolen to access all of your money, and more. And even on dating sites, it's quite possible to pose as someone else to gain the other person's trust...

A lot of times, it may turn out that the conversations were only enjoyable when online, and meeting offline, you discover that you can't stand the other person otherwise. This is the fallout of making the Internet accessible to far more people than ever before. Back when it was a niche thing, you could count on the other user to turn out to be from 'your crowd'. Chances of that are much lower today.
 
The world has become smaller. 25 years ago, between 90% and 99% of all the human interactions, even within wealthy western countries, were within walking or bicycling distance. Sure there were exceptions: pen-pals, remote relatives on other continents, emigration and immigration leading to having family in other places. But the bulk were people where you could meet for pizza or beer.

Today, I communicate with people on most continents (excluding Africa) every workday. Just as an example: My uncle did have a stroke yesterday, and is hospitalized. I heard from my cousin within hours; we've been calling and chatting. Because he can't speak right now, but is conscious and can hear, I recorded a voice message for him, which my cousin played for him in the hospital room. You guys please don't worry about him, he's in one of the best hospitals in the world ... in São Paulo. At least the time zone difference isn't very big, but the idea of going over and visiting him in the hospital is impractical, as it is a 9 hour flight.

I tried that recently with a friend who lives in Paris. Somewhere near New York, the train fell into the ocean, and I had to swim back home. The real joke is that I live in California, and there isn't even a viable train connection to get to New York, much less to Paris. If I lived in Frankfurt or Geneva, I could at least take a train to Paris.

One of the greatest spies in history, judging by the massive effect he had. But one rare example (and professional spies are very rare) doesn't make a good rule to apply to a large group.
 
Just install what you like and feel you can trust. If it doesn't work right or not at all - is there a problem switching to something else?

Don't like Windows? use FreeBSD. Don't like Office365 - there's LibreOffice available. It's not like you're stuck.

It's different with people, though. You're often stuck with somebody you can't completely trust.
 
Oops, that sucks. Sorry for that, it's a known bug. Next time please try this patch, it should give a nice suborbital flight.
Considering it's nearly 20 years old by now, it may be time to consider an 11-hour flight from SFO to CDG, which is cheaper than today's suborbital flights (which charge a few million USD a few years ahead). Maybe the Virgin Airlines CEO can pitch in? Funny guy, too. 😏
 
Ralf certainly describes the perfect way to build trust in people. On the negative end of the number line is just getting commits by some throw-away email.

But what is a practical way to have only trusted committers for an open source project? Committers that live all over the world?

Phil Zimmermann's web of trust is that age old idea of recommendations by people you trust.
 
Discussing tabs vs spaces is a pretty good match for the current direction of this thread...
Yeah, I miss the good old flame wars also. Amiga vs. Atari, all vs. MSDOS, C vs. Pascal, Butter vs. Margarine... Can we get back on productivity, or do we need the bucket of water?
 

Zoom in: it is not that the world has become smaller, rather the correct word might be "dispersion".

In rural areas people were traditionally rooted in the soil they would feed from, living at the place for generations. Now, an example: a couple, he craftsman, she salesclerk. The children need to study, in the capital at least, but better yet in America, because the town mayor's son also does so.
People are un-rooted, they no longer have a relation to what life means, what is of value and what is not, or where things belong naturally.
Consciousness has been flooded with an immeasurable amount of new ideas, which are altogether virtual, synthetic, and not related to practical life (i.e. eat, drink, sleep).

People still have the same desires, like, being respected, being influential - but what does that mean now? In a tribal culture it would mean the number of horses one had. In a rural place the acres of land. But in a virtualized world? The number of followers? The number of commits to wtf? It's all void. To study in America? It's quite arbitrary.

And the same goes for software-projects. Traditionally doing a project, you would collect a team of qualified specialists - like when building a house, you need a bricklayer, plumber, electrician etc. And that was similar with software projects.
But now it is github, and random people from all over the world do random commits to random projects in an arbitrary fashion, no matter who is experienced or qualified in what. That is not how we used to understand engineering or project-work, is it?

Uh, I'm sorry. But I don't know your relationship, and such situations did happen earlier, too, when people from Europe migrated to other continents. It might even be better to send voice tapes than to travel there and create additional stir.
 
Reconnecting that one: in the beginning of Linux, there was a paper considering the ideas of a "cathedral" versus "bazaar" in software development, with the point that the Linux way of doing things in chaotic parallelism instead of orderly project-work would be more advanced and successful.
I didn't agree with that, because in Linux I usually couldn't figure which software package would be the appropriate one for a task, who would be responsible for that package, and what kind of development was ongoing for that package. And I supposed that some in-between approach would be best - very much like the one that FreeBSD was doing back then.
Because back then there were still people around whom you could ask about what is ongoing.
 
I read that "Cathedral and Bazaar" paper when I was in college. In a cathedral, it's easier to build a web of trust, because it's a relatively contained place. But in a bazaar, a far more open and chaotic place, it's far easier to get a useful idea from an unexpected place - but that may be just a flash in the pan that has no viability.

My take here is: We can all wax philosophical about costs and benefits of trust here. Lack of trust can be seen as something bad - while being too trusting is not terribly good either. All ideas have limits - if you take an idea too far, it stops being a Good Idea. Trying to strip away and then reassign context to an idea to make a point of making an idea look good or bad... it may be nice conversation fodder, but it's possible to take it so far, it ends up being an exercise in futility. 😩
 
It is also about responsibility.
When you want to get something in, you need to find a person who trusts you and who in turn is trusted by the upper levels - up to someone with the commit bit. In case you accumulated too many bad things, your "cathedral credit" would drop and you would not get things in any more. You were responsible for what you green-lit, and there were penalties associated with that. The bazaar, on the other hand, looks like it is full of crooks, conmen and thieves.
 
We can put it the other way round just as well:

To achieve anything, you need approval from higher levels. And we know two effects of hierarchies:
1. one will rise in the hierarchy up to the level where one is essentially incompetent. Then one will not rise any further.
2. communication works only among equals: you do not want to tell a superior anything that might show you in a bad light, and consequently, critical issues are not reported soon enough.
Therefore, hierarchies are inherently dysfunctional.

The bazaar, to the contrary, is basically the communist hippie dream: everybody does what they like and gets what they need. Diversity creates abundance.
 
Thinking along further:
Some schemes work, some schemes fail - it is apparently not about which scheme (cathedral versus bazaar versus whatever) is utilized. Rather it might be about the ambition that the people share.

Ambition might be a common goal - or a common enemy. (The trip to the moon mainly succeeded because the USSR was perceived as a common enemy.)

The common ambition with the Internet and free software initially was to make this all workable and functional.
But this has changed in the meantime. Now things do work, and now the common ambition is supposed to be to help the mega-corps satisfy their immense greed for money, help them enslave more people and make ever more money - while not getting anything in return.

Apparently not everybody subscribes to that ambition.
 
Yeah, looks like "Responsibility" was the word I was looking for when describing the downsides of the bazaar side of things. And yeah, responsibility is the price to pay when trying to earn trust. If you trusted some anonymous email address to make commits, the onus is on you for allowing that. Yeah, you can shift some of the burden onto the one you place trust in, right?
 
I would say FreeBSD is more on the "cathedral side", with just 3 repos (and only a single one for the actual base system), plus at least some kind of governance, with an organizational structure (core, release engineering, security, ...) supporting this. But then, no other FreeBSD committer has ever seen me in person, still I have a "commit bit". It would be just impractical to make this a requirement at a certain scale. What DOES make sense is requiring to get to know the person at least online (of course I've been in touch with quite a few guys) and seeing actual work done. Still there's no perfect immunity against attacks like this. This guy looked for a "weak spot" of course (a "one-man show"), still invested years of work to gain trust.

And then, in ports, the "cathedral" ends where third party upstreams come into play. There's just no other way to offer a really large open-source "software collection" than "bazaar". :rolleyes:
 