Linux XZ backdoor attack was due to not-open-source code
Posted On: Apr 13, 2024 23:39:34 GMT
Leon Grad likes this
Post by ellesardragon on Apr 13, 2024 23:39:34 GMT
Recently most news outlets around the world have been constantly talking about the recent Linux backdoor attack in the XZ software.
While some of the info is correct, most news outlets also spread severe misinformation, which can be very harmful for security if people were to follow it.
So here are the actual facts: first what they had right, after that what they had wrong and how it actually is.
And lastly I will have a dedicated section specifically for the main big and dangerous mistake they made / the misinformation they spread.
The XZ backdoor attack:
- was really there, in versions 5.6.0 and 5.6.1
- almost no one was affected, since in general most distros, both rolling and even experimental ones, tended to all still use a way older version; in general the systems affected were those specifically set up to use the latest version of XZ.
- it was found out by a single Microsoft employee who, in their own words, isn't even a security expert.
What the news forgot to mention:
- most of them also forgot to mention that one person without a security background found it, even though more technical news sources did actually note that.
- these backdoor kinds of attacks are actually very common these days, but most of the time they target proprietary software, or as normal people call it normal software / non-open-source software, since in those it is much more likely to remain undetected as well as much easier to get in, generally seen.
- it was actually a big multi-year operation led by an entire team whose entire goal was to infiltrate and get that stuff into that specific software.
- it was actually found out insanely rapidly, especially considering how much work the bad guys had done to hide it.
- AND MOST IMPORTANTLY: IT WAS LITERALLY NOT THE FAULT OF OPEN SOURCE; instead it was the open source part which prevented it from doing much more damage. I will describe this better in the next paragraph, but in simple words the backdoor came from proprietary software and not from open source software.
Correcting the misinformation (AKA the important part, if you don't want to read the rest of the message)
In the case of the XZ backdoor it actually wasn't the fault of the open source but it was the fault of proprietary software which was added/linked in. For people not into tech, proprietary software is what normal people call normal software, or in other words software which is made by a company or such and also isn't open source.
In this case a big network of criminals worked together to infiltrate the XZ development team.
Yes, they needed many people and resources and multiple years to infiltrate that team. Many people think that proprietary is safe since it comes from a company and open source is open source,
but while everyone can see the code of open source software and make their own versions, you also need to specifically be allowed to make changes in such software, in many cases even as far as needing to send your changes to someone who will check them and then, if they see them as good, will let them in.
In proprietary closed source software it is much easier to get in, since often if you are in the network you can edit those projects; with open source projects the teams are far closer and smaller and much more aware of what happens in general.
The main difference between proprietary and open source however is that in open source you are allowed to make your own versions, as well as that anyone can see the code to make sure nothing shady is going on, making open source software fundamentally many times safer.
Once they managed to get one person in, that person abused that in order to add in a closed source binary blob, and yes, this binary blob was actually built from proprietary code and not open source, so it was proprietary software ("normal software"). Essentially, see it like this: the entire fault surrounding the open source part was 1: they didn't fully follow the GNU principles. 2: they allowed a binary blob to be added without knowing what it was or what it did; next to that, to make it worse, this binary blob actually was closed source proprietary software, and this proprietary software also was the backdoor.
Conclusion
XZ just proved why open source is so important and so much more secure, as it literally wasn't even the fault of open source but the fault of proprietary software in the form of a binary closed source blob; the only fault on the open source side was not directly noticing that someone added proprietary software into it.
However, it literally got figured out and fixed rather rapidly despite being very well hidden,
thanks to that one Microsoft employee asking questions when something behaved odd, and thanks to it being open source, so this employee actually could know how it was supposed to behave and look into the code to notice someone had secretly added proprietary software in it.
How to prevent, what to do and what we've learned
First check if your system has been affected and if so remove/fix it. (Note: commands refer to Debian since the backdoor targeted Debian and Red Hat based distros, probably aimed at compromising servers and big datacenters and such. If this backdoor wasn't noticed, companies like Google and Microsoft, Amazon and such likely were in very big trouble, as well as most smaller companies who have online servers or such; actually, if it wasn't detected, all your favorite restaurants, stores, hospitals and such would also be destroyed. Obviously those people didn't care about ethics if they inject closed source malware into open source software, so they wouldn't care if they killed many people by making the hospital systems crash or such; it could even give them access to all army systems and such, including control over their weapons, if this hack wasn't fixed in time.)
- On your computer, open the terminal (if you aren't in it already). On a graphical desktop environment, typically pressing the Ctrl+Alt+T keys will open the terminal; you can also just type terminal in the program bar or use some other way to open it.
In the terminal type the following line and press enter:
xz -V
Make sure -V is with a capital V. This will return the version of xz (if it is installed); if it fails, xz is not installed, otherwise it will give a number or such.
If the number is not 5.6.0 or 5.6.1 you are safe; if it is one of those however, you are compromised,
so if you have version 5.6.0 or 5.6.1 installed try to run the following line:
sudo apt-get update && sudo apt-get upgrade
in the terminal; this will update your local repositories list and then upgrade/update all software including xz.
After that, check the version of xz again using the same command as before;
if you still have one of the affected versions you should manually downgrade the version to an older version.
You can find enough ways online; this thread, while I have not tested it, does have a method at the bottom: forums.linuxmint.com/viewtopic.php?t=416996
Next to that you should also be able to manually uninstall xz using sudo apt remove xz, and then reinstall a proper version manually if you really have no other option left; if your system was just set up however, you might want to just fully reinstall it if you really want to be safe. - The backdoor seems to depend mostly on ssh, meaning that if you don't have it set up (if you don't use it as a server which is managed remotely) then you shouldn't be affected as much; still, best to not have any of the versions with the backdoor since it is proprietary closed source software, so people don't exactly know what it fully does yet.
Now open source is the only way to actually be safe, or at least push for it; even with open source you aren't completely safe (especially since hardware can also have a backdoor, like how in most electric cars there is a backdoor, and with the Tesla cars they even already figured out how to use that to remotely take over those cars; all normal computers which are not based on RISC-V also have that very same backdoor built into the hardware itself in the form of a "security processor", which actually is a hardware-based backdoor someone once thought would be smart to add into processors).
Going for open source will help you be a lot safer however.
If you truly care about security you actually should go fully GNU. GNU is kind of like a more pure version of open source, as it literally does not allow those proprietary blobs to be added in by default, since doing so would make it no longer GNU software. Going with fully GNU software generally is the safest option, and if you really want to add non-GNU software then be very careful as to what to add and whether you trust those. See gnu.org .
Now be aware those are options for if you truly want security.
As a matter of fact most users are used to very terrible security without knowing it.
They just live in the delusion of security while in reality there is none, since most people depend on proprietary closed source software by default and even use closed source hardware as well; closed source proprietary software however is the biggest security threat there is in the world of computers.
Protocols like git and platforms like GitHub could add in tools which check updates for the adding in of proprietary software or binary blobs. While this will not fix the issue, it stays true that in basically all cases where bad code found its way into open source software it was because of proprietary closed source modules / binary blobs; seeing them and when they were added will be an extra security thing, also so people can figure out how much reason it has to be there and can easily notice when such things were added.
Be very careful against social engineering. People might not notice it, but this XZ case is actually extra relevant, since around between half a year to a year ago a group of potential bad guys had also targeted the Federation of Pangaea itself. I noticed this early on and actually made a somewhat detailed report to the board, even though it was hard to explain since I had no examples to show it off against, and it was instead based more on a lot of different deeper things: tactics, manipulation and psychology, and experience surrounding figuring out and tracking down organized crime. Most of those things are too complex to just refer to for someone who doesn't have much experience with such things, so I had to try and explain it in different ways.
However, with the XZ case I now do have an example, since the criminals behind the XZ case actually used the same tactics as the group which tried to infiltrate and corrupt the federation (note that they actually were around longer and were trying to get in; Leon (Ark) actually already hindered them and their plan early on through some means. While I am not certain if he knew about them and what they were doing, he did actually already have a feeling that some bad actors were trying to harm the federation and took extra precautions because of that).
I quite rapidly also figured this out and managed to find multiple people affiliated with this and informed the board, even the complete board of the federation, surrounding at least one of them; and a second, back then potentially involved, person I made sure to tell about in a less direct way, as to not make people react wrongly. While the true complete case itself stays up to the ministry of security and those directly involved in the case, since generally the normal people do not need to know all such things, and many such things they might not even like to know about, since many people would rather live in the delusion that all is fine than know that actually there is some bad guy trying to harm us and us doing a lot of work from the background to counter them.
Note that I did actually already take care of them, well, not completely 100%, so it might be they try to come back if/when I leave, but I will let some people know then. I made sure to come up with a solution, also using psychology, which let them and only those people know I was onto them, and that if they continued they would be taken on hard.
I actually did this publicly and didn't use any direct names or examples or such. The announcement is still online in the same form as it was, and to most normal people it will seem rather normal, but it was a direct message aimed at them as well, next to being a statement, so they knew that if they didn't, I would take more serious action (since I tend to give people many chances to prove themselves).
Just know that we did actually have people trying to take over/corrupt/harm the federation like that for quite a while, as they have been working on it for long before I became president. Their entire goal, roughly described, is to corrupt the federation to kind of become the opposite of its true goals.
We did take action against them despite people not noticing it, since I made sure to design a proper plan which is effective yet also silent enough, despite also being rather open.
If people wanna figure it out, actually, since all still is public, you can look into this video of the XZ case: odysee.com/@alphanerd:8/the-xz-backdoor-almost-compromised-every:0 . That video is about the XZ case, but it explains the way they worked. I referred to the timeframe, as well as that I took action; that action was successful and can still be found, meaning that if you approach it properly you would be able to find it all out and can even find out at least one of those people.
I will not name names here now, however, just like I didn't back then, but if you really want to be into such things or actually did your own personal research to figure such things out then please let me know what you managed to find; perhaps if you found enough I might give you more info, due to seeing you are the kind of person who can handle such things properly. Also, one thing: they mostly were active on Discord during that timeframe, even though my action was on these official forums and later linked through in Discord.
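The "check your xz version, then upgrade and re-check" procedure in the post above, scripted as an added example (this is not code from the post or from the XZ project). It parses the two-line output of `xz -V` ("xz (XZ Utils) X.Y.Z" followed by "liblzma X.Y.Z"), flags the two releases the post names (5.6.0 and 5.6.1), and, when run with `--live`, also reports whether the sshd binary on the host loads liblzma, since the post notes the backdoor depends on ssh. The sample outputs embedded in the script are constructed; the fallback path /usr/sbin/sshd and the use of `ldd` are assumptions for a Debian-style system.

```shell
#!/bin/sh
# Added example, not code from the original post: automates the xz version
# check from the post. Sample `xz -V` outputs below are constructed.

# Print every version number found in `xz -V` output passed as "$1",
# one per line (first the xz tool, then the liblzma library).
xz_versions() {
    printf '%s\n' "$1" | sed -n 's/.*[ )]\([0-9][0-9.]*\)$/\1/p'
}

# Return 0 (true) when any reported version is one of the backdoored
# releases named in the post. Exact match only: 5.6.10 is not 5.6.1.
xz_output_affected() {
    for v in $(xz_versions "$1"); do
        case "$v" in
            5.6.0|5.6.1) return 0 ;;
        esac
    done
    return 1
}

# Return 0 when the sshd binary on this host (transitively) loads liblzma.
# ldd may invoke the dynamic loader on the target, so only point it at a
# binary you already trust enough to execute. /usr/sbin/sshd is an assumed
# Debian default path.
sshd_links_liblzma() {
    sshd_path=$(command -v sshd 2>/dev/null) || sshd_path=/usr/sbin/sshd
    [ -x "$sshd_path" ] || return 1
    ldd "$sshd_path" 2>/dev/null | grep -q liblzma
}

# Live check of the current machine; exits 2 when an affected xz is installed.
check_system() {
    if ! command -v xz >/dev/null 2>&1; then
        echo "xz is not installed on this system"
        return 0
    fi
    out=$(xz -V 2>/dev/null)
    if xz_output_affected "$out"; then
        echo "AFFECTED: $(xz_versions "$out" | tr '\n' ' ')"
        if sshd_links_liblzma; then
            echo "sshd loads liblzma: treat this host as compromised"
        fi
        echo "run: sudo apt-get update && sudo apt-get upgrade, then re-check"
        return 2
    fi
    echo "xz versions found ($(xz_versions "$out" | tr '\n' ' ')) are not 5.6.0/5.6.1"
    return 0
}

# Constructed samples, used when the script is run without --live.
SAMPLE_BAD='xz (XZ Utils) 5.6.1
liblzma 5.6.1'
SAMPLE_OK='xz (XZ Utils) 5.4.5
liblzma 5.4.5'

if [ "${1:-}" = "--live" ]; then
    check_system
else
    xz_output_affected "$SAMPLE_BAD" && echo "sample 1: affected (expected)"
    xz_output_affected "$SAMPLE_OK" || echo "sample 2: not affected (expected)"
fi
```

Both lines of `xz -V` are checked on purpose: the library is what sshd would load, so a 5.4.x xz binary next to a 5.6.1 liblzma still counts as affected. Run `sh check-xz.sh --live` for the real host check; without arguments it only exercises the constructed samples.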
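The post suggests that git and hosting platforms should flag when binary blobs get added to a project. As an added example (not code from the post, from GitHub, or from the XZ project), here is that check done locally with plain git: `git diff --numstat` prints "-" for both line counts of a binary file, so every path on such a line is a binary being added or changed, which makes the script usable as a pre-receive or CI gate. The numstat sample embedded below is constructed and its file paths are made up for the example.

```shell
#!/bin/sh
# Added example, not code from the original post: list binary files touched
# by a commit range, using `git diff --numstat`. Sample data is constructed.

# Read `git diff --numstat` output on stdin and print the path of each
# binary file (git reports "-" instead of line counts for binaries).
binary_paths_from_numstat() {
    awk -F'\t' '$1 == "-" && $2 == "-" { print $3 }'
}

# Return 0 when the numstat text passed as "$1" touches at least one binary.
introduces_binary() {
    printf '%s\n' "$1" | binary_paths_from_numstat | grep -q .
}

# Print how many binaries the numstat text "$1" touches.
binary_count() {
    printf '%s\n' "$1" | binary_paths_from_numstat | grep -c .
}

# Live use in a real checkout: binaries touched by a revision range such as
# "HEAD~1..HEAD" or "v5.4.5..v5.6.0". Exit 1 when any are found, so the
# function can gate a push or a CI job.
flag_binaries_in_range() {
    numstat=$(git diff --numstat "$1") || return 2
    if introduces_binary "$numstat"; then
        echo "binary files touched in $1:"
        printf '%s\n' "$numstat" | binary_paths_from_numstat
        return 1
    fi
    echo "no binary files touched in $1"
    return 0
}

# Constructed sample: two text changes and two binary test fixtures
# (paths are invented for the example).
SAMPLE_NUMSTAT=$(printf '12\t3\tsrc/liblzma/decoder.c\n-\t-\ttests/files/sample-corrupt.xz\n-\t-\ttests/files/sample-large.lzma\n1\t1\tconfigure.ac\n')

if [ -n "${1:-}" ]; then
    flag_binaries_in_range "$1"
else
    echo "binaries in constructed sample:"
    printf '%s\n' "$SAMPLE_NUMSTAT" | binary_paths_from_numstat
fi
```

Run it as `sh flag-binaries.sh HEAD~1..HEAD` inside a repository to check a real range; without arguments it only prints the two binary paths from the constructed sample. Test fixtures under a directory like tests/files/ are exactly the kind of file nobody reads in review, so a report of every binary touched, per commit, is cheap to produce and easy to eyeball.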