tycoon

If I understand correctly, this hack wasn't discovered by auditing any source code, right? I heard the Microsoft guy just had a weird feeling about SSH executing his command for a few too many CPU cycles and was curious enough to investigate. Does anyone knows if it could've been easy to spot this by reading the source code or if it's hidden very well?

@LowLevelLearning Please revisit 2:36

Are there more videos to come on the topic?

is there a specific version of liblzma.so.5 or liblzma5.4.1 ?

The problem is this attack was done during the build process.... so you need the source to build it to verify it ... but its tainted ... so .... its valid? yea... this one was a wild one

@@mitchellmnr This is what the comment is talking about. The source of the build script must be part of the git repo.

@@khai96x they are .... The way this attack works is when it runs tests on the source...

at that point, you should generate the binary on the fly. not that that would help when the build process itself is infected

It's a decent idea but what do you mean in practice? Do you run your build in a way that refuses to give it access to any of the test data? That's not too crazy. Is it enough? Do you verify that others can produce your build without any of the test data? How do you ensure that the build process doesn't have a side channel running in both cases introducing other logic? What i'm saying is this idea has to be mapped to concrete practices and tools.

yeah its really sad :(

How's Jia doing these days?

@@TKing2724we don't know that Jia is one person or an identity being used by a group of people coordinating the attack

​@@channelgogrvk I'd guess, it's the latter...

@@eight-double-three NSA, Google, CIA … ?

We all know who it is, we just can't say who it is.

​@@zirizevoldemort?

@@zirize Three letter agency funded by a big brother?

​@@zirizeit's not the NSA they have Intel management engine and AMD PSP

@@saddish2816 Why would they stop at a hardware backdoor? Ideally you want to control every step of the computer's stack from bare metal to the user

Pretty much. I dont think it could of even been hidden any better. The main reason anything was looked into, is because someone noticed their SSH login taking half a second longer lol.

Except arch (due to how arch doesn’t patch sshd to connect to systemd-notificationd.)

@@draken5379 Oh but it could be... What if your billion, no trillion $ chip - board makers are embedding hidden algorithms as such but as undetectable hardware roms that the OS, the user, etc. doesn't know about. Then with that only a handful of elite personnel coming from these giant corps as well as limited personnel within some government agencies have direct remote access into these hidden systems. Think of it this way; some of these newer systems you can load the entire Original Doom Source Code and Assets directly into Modern Cache and never have to go back out to RAM or to the Hard Drive. If you go back to the days of the sneakernet with the good ole floppy disks, people used to sneak malicious code into their 512 byte boot sectors. They can literally miniaturize a 6502, and 8086, or even a basic Pentium these days into a chip so small it would look like a little controller on the motherboard or even onto some peripheral card that one would have no idea what it is or was truly designed, intended for. This doesn't even account for modern UEFI systems compared to obsolete CMOS Bios type systems. And now with the advancement of A.I. and designated A.I. chips showing up... The sky's the limit. Well, skynet is the limit according to some... They can always hide it somewhere that is least expected. How about within a button on your polo shirt? You have to realize that we aren't just in the age of digital we are also in the early stages of Quantum Processing, A.I. Systems sure, but we are also on the stage of Nanotechnology. They can literally make programmable machines that are 1,000th the width of one strand of your hair. You can't even see them with your eyes. So if they truly want to hide something they surely can! And they can hide it just about almost anywhere they want. Even in the foods you eat and the liquids you drink! And this is not science fiction either!

His name is Andres Freund

...that feels like a paranoia syndrome waiting to happen because their fears have been proven so much more horrifically right than they thought. That's going to mark them, considering you already have to be pretty paranoid to check code over half a second. ​@@draken5379

It's frustrating because I deal with people every day who don't like Open Source, but have no problems using SolarWinds!

Imagine this happening with a closed source company. Somebody applies, silently checks this in with the binary files, and there's nobody outside of the company that even has a chance at catching these backdoors. How many of these backdoors already exist in commercial software? How many does the company owning the code know of?

@@dascandy THIS. Every time i see somebody talking about how this is "an issue with open source", i think this exact thing. What if this happened in a closed source software? AT LEAST with open-source you're able to find out. With closed-source there's a good possibility that piece of code will never be looked at again because "it just works".

@@justacat3639Thinking back to some part of Windows NT4 shipping with a thing called "NSAKEY" (en.wikipedia.org/wiki/NSAKEY) and nobody knowing what it does or how it got there.

@@justacat3639It is the well known selection bias.

While I agree with you in spirit, if you're running RHEL and paying for it, IBM isn't giving the maintainers of xz a cut of it, so just paying for FOSS in a corporate setting doesn't exactly solve the problem either.

I totally agree. Corps generate hundreds of dollars per tool used, but they don't even donate a dollar. Then we get a core-js or faker.js situation and people lose their minds

To be fair, a lot of exploitable code generates errors in valgrind. It's good that there's that sort of rigor put in to release software at some point. Not a perfect catch-all, but certainly a point where some funny business could be caught. Or just to help catch truly accidental bugs in general.

I'm sure I'm not the only one who was reminded of Clifford Stoll's "The Cuckoo's Egg" (1989), where a 75-cent computer usage accounting error ultimately revealed a remote attacker with superuser access.

to be fair the attacker had to disable and ignore several address sanitization features and test checks. Hence why stuff like valgrind was already setup to catch stuff out for this particular project.

so it does make me wonder how many of these backdoors are already out there, just not discovered?

And the attacker was working with one distro contributor to help fix the valgrind errors. And the said contributor, AFAIK, was helping in good faith.

The real question now is: how many times have we not gotten so lucky?

just curious.... why would large organizations be using operating systems that get updates from open source git repositories? maybe im understanding this attack wrong just curious if you dont mind educating me

@@Noname23489 A sizable portion of servers on the internet run some version of Linux. There's no good data, but I've seen stats that are well over 50%. And everything based on Linux is at least partially relying on open-source code.

/cries/ I use arch BTW :(

@@Noname23489Everything in the world runs on open source. Every major company relies on open source for the foundations of everything. Every operating system, every router, every protocol, everything you know as "technology" is, at it's foundation, open source with few exceptions. Except windows, and that's only half true. The idea is simple - instead of thousands of compression libraries, we maintain a few in open source and everyone uses them. They'll be magnitudes better than anything in house because every major company, every hobby project, everything that needs that library uses it. Problems are solved once, for everyone, once. This means that some open-source projects have 40 years of optimizations behind them - you couldn't make anything better behind closed doors without spending millions. Apply that logic not just for compression - but for *everything*. Modern websites are 98% open source libraries, and 2% actual code. That's basically every modern website - built on the back of NPM. That runs on an open source webserver, that runs on an open source operating system, that sends data over routers using open source utilities using open source protocols made by Request-For-Comment public domain submissions. Welcome to the actual internet - where smart people made utopia without the stupidity of corporations or the meddling of shareholders. Linux is 98% of the internet. Yeah, 98%. Major companies use them because windows is well, shit. Linux can run everything from routers to servers, but Windows servers suck hard - because yeah, of course they would, they haven't benefited as much from decades of open source contributions.

My takeaway is that open source is only as strong as its weakest link. So many projects go to the graveyard because of the lack of maintainers, and there's a lack of maintainers because people need to eat, need a roof over their heads, so they work their 9-5 as software engineers, which is draining in of itself. So when a crucial piece of software has a solo maintainer, it's a prime target for attacks. If there was more compensations for open source maintainers, maybe some of them could afford to maintain the software full time, and as a result would not burn out and be less prone to social engineering attacks. Or we could just create a foundation for those crucial projects, so that there are always developers able to maintain the software, and need to reach a consensus before anything gets merged.

@@Dogeek I think all the companies that used open source software in their commercial projects on a massive scale that command massive profits should be obligated to divert a fraction of a percentage towards maintaining these things. Or better yet when there's a massive fork and that fork goes on to make billions of dollars, leaving the original project in the dust and penniless there should be something that allows maintainers to continue doing what they love to do. I love open source but the (un)ethics of business undermines such a great ethos it really becomes disgusting. Sucks to see such openness taken advantage of again and again, and even more now since technology companies rule as the market leaders in today's world.

Not even that, he knew the attacker for YEARS before he let him into the project. nearly 4 years. And the guy was nothing but nice and helpful until a month ago. Nobody, not a single person on this planet, would have not trusted him by that point.

​@@ichigo_nyankoI wouldn't trust him until I saw how he handled LE or drugs/alcohol. Being internet based, I don't trust nobody.

Many projects do not need active contributors. Just stop adding more features.

Yeah even going through their commits the majority of them are benign improvements... And then this, with the seeds having been planted in the test files ages ago

More like a snake you sheltered finally showing its true color and biting you to the ground

@@demolish_united_nations nah, the contributer, before the backdoor, was only ever helpful and nice. If you knew someone for years and they were only ever lovely to you - and it turned out they were a serial killer - it would be a horrible thing for people to imply it was only ever obvious (they were a snake, you let them in) when it wasn't.

@@ichigo_nyankothe shit you nerds say lol.

​@@atticus2274 Nerd calling a Nerd a Nerd is peak irony.

Agree 100% with this, the fact that open source code is evaluated and run by so many independent people is a strength that leads to things like this being found. If this change was to a closed-source tool it could sit in a repo for a decade and no one would notice :/

It was more luck and that the new version caused half a second delay that a person was doing performance tests at the time most other people probably wouldn't have noticed unless they was doing performance testing, this was pure luck as it wasn't that Mutiple people picked up on this it was just 1 person if they fixed the delay part it wouldn't have been noticed until a couple of years later on when some high profile targets got compromised and don't know how

systemd was transitioning to dlopen

It does some really complicated/shady things like altering the Global offset table and character recognition, I wonder if we ever get to find out who was behind this

What's that and how is it relevant to the topic?

@@smnomad9276you should read it. It’s about “how can you trust your own trust chain” and what can happen if that trust chain is broken. “You can not trust code you did not compile yourself”.

@@smnomad9276 go read about it, you have the entirety of the internet at your hands.

@@smnomad9276 A famous speech/presentation he gave as part of an award acceptance speech. It's basic premise is "what if I maliciously modified the compiler included with the UNIX system to do two things - 1) if compiling a system component, insert a backdoor that allows me full access, and 2) if compiling a compiler, modify the output compiler to perform these two steps." Basically saying, "how far do you trust what's been given to you?"

Trusting Trust is a much deeper concept, and the reaction to it was the practice of Diverse Double Compiling. This trust gap is way easier to deal with, and more analogous to the use of nothing-up-my-sleeve numbers in cryptography. Distributing binary blobs alongside source code should be treated with great suspicion. Let test data be programmatically constructed, and therefore auditable the same as code, or by some other means be provably incapable of hiding machine code (e.g. pi).

phosphorescent, even

Stop being antisemitic

@@GelatinousSSnake i thought glowing is a fed reference, what does it have to do with semitism

@@GelatinousSSnake Glow = government agent, not anything relating to ethnicity.

@@GelatinousSSnake wtf 😂

Oh? You mean how this backdoor didn't affect any LTS distributions used in servers or production environments but only affected rolling release and testing distributions? That scale? In other words, only desktop users who are stupid and naive were affected.

@@adibemaxwell6111 what are you talking about? the only ones that wouldn't have been affected would have been arch or other unpopular distros, if you used debian based distros (almost all), you were screwed. in other words, this is 9/11 of coding

@@adibemaxwell6111 My dude, what do you think 90% < of the internet runs on?

@@adibemaxwell6111 It targeted all Debian based distributions. The only reason only rolling distro's were affected is because that Freund dude just so happen to be benchmarking his PostgreSQL databases and therefore end up noticing the backdoor. If he didn't it could have been planted in LTS distro's as well after some time. Also, the bad actor has been committing to the repository for a few years and it's still being investigated if there's more malicious or at least sketchy code in there, which if there is it could mean that even older versions of the libraries could be compromised in some way, which would also mean compromised LTS releases. You have to be short sighted to think these sort of attacks is solely an issue for people running rolling release distro's...

​@@adibemaxwell6111 If it hadn't been discovered, it would be on like 80% of servers within 6 months. The only reason it didn't is because some Microsoft employee noticed high CPU usage from sshd and looked into it.

You could also mandate that test data must live in a separate repo, and must only be used while running the tests (in an isolated sandbox). Also the build system should be less flexible so that any weird stuff really stands out. But all of that is moot if it's the maintainer doing bad things and no one else actually reviews any of it.

@@villesyrjala3354Also inspect binary blobs before they are uploaded to a repo.

Large developers that depends on smaller OSS projects needs to contribute to maintain all the projects they depend on. Either man-power or money.

I LOVE openttd. didnt realize it uses xz D:

S**t just got serious - no-one is touching my OpenTTD! 🤪

That's it!! I freaking knew I recognised xz from some ancient memory!

Not sure how OpenTTD would ever be affected, even if using xz with a backdoor, since it replaces RSA decryption function, and gets the payload from RSA key supplied to SSH.

@@DVSoftware OpenTTD may not be vulnerable to xz itself, but it certainly is vulnerable to GitHub taking down xz's repo and users getting pissed about potential malware being included with the game.

That's because everyone is under the impression that these kinds of things are rigurously checked by someone else, therefore no one checks them. This should be a wake up call.

Who would win: A multibillion dollar government agency, or one giganerd noticing his ssh takes 0.5 sec longer to log in? That's a W for the nerds, boys.

@@TheOzumat Obsessive optimisation is the root of all evil - and that is why it also naturally finds it. Dude wanted to optimise performance and probably spent days untangling the mess he ran into - just because he wanted a near unnoticeable improvemet.

Everyone's calling it a W, but imagine all the projects that aren't being autistically benchmarked by someone with a unique problem.

It wasn’t a few milliseconds, iirc it was 500ms

he didn't investigate because of slow down, "FWIW, I didn't actually start looking due to the 500ms - I started looking when I saw failing ssh logins (by the usual automated attempts trying random user/password combinations) using a substantial amount of CPU. Only after that I noticed the slower logins."

Little do you know that riscv could also have a backdoor. mwahahahaha. You must create a completely custom architecture and custom silicon to be sure.

and also blackjack and hookers

@@mineton1293oh but then there's backdoors built into your circuit design tools as well, so have fun arranging logic gates entirely by hand

​@@mineton1293 Easy AF, I'm taking my soldering iron and going to work :P

Small OSS projects like this usually have a very high bar for performance to meet, and they usually meet them no problem, so it makes sense that the valgrind performance anomalies were the reason why this one got discovered. Now imagine trying to discover "performance anomalies" in commonly used proprietary software...

what do you think happens when you download an installer from say microsoft? the "scary" looking download text is obscured from you

Dependency graphs give us the tools to fix problems once instead of over and over and over. They also allow us to be more effective and efficient in our work. They also let risks and failures cascade through our ecosystems in astonishing ways. Not all of the problems are even malicious. left-pad in nodejs was just someone unpublishing his work and it took down tons of sites. What's the answer? i have no idea. But if we focus on practical situations we can perhaps come up with practical mitigations that reduce harm, and improve.

@@_devilfish303 The point is Linux in its current state doesn't provide better protection than Windows. The slogan "you can always recompile everything locally to make sure the binary matches the source code" doesn't work anymore. Because every single Linux library is dependent on dozens of others. It's physically impossible to recompile everything on your own. And even if it was possible it would still give no guarantee as this attack was built directly with a hook to inject the binary malware during the compilation process without altering the source files. Yes Microsoft is not better. But it's not worse either. And this is the true issue here. Why bother with all the hassle of securing your linux if anyone can trash all your efforts with a single commit in some obscure source repo you never heard of?

curl | sudo is the one that terrifies me. Literally random code from internet run as root. Multiple attack vectors there from ip / DNS hijacking through to just straight up blobs in the install script... Plus potentially no evidence of what you just downloaded

​@@christianbarnay2499microsoft is not worse? If such a backdoor was installed in windows, it wouldnt get discovered EVER. Even a simple babckdoor wouldnt ever get discovered, which wouldnt even get merged if it was open source. Security isnt black and white. No system is ever completely secure. Its about reducing the attack vector. And the attack vector in open source or linux is extremely small compared to proprietary.

this was found by chance more than anything, it's only because someone tried to get a good baseline for their system that they noticed that sshd was doing more work than it should and dug into it If that didn't happen then this would never have been found

Well yeah. But a lot of bad actors are now fear mongering so that people get scared of open source projects. We should doubt every project, for sure, but we have the ability to look at code and the whole build process and catch such exploits. But of course, as this example showed, there are simply too many projects for people to realistically screen with every commit. But we have to start being more cautious, starting with the most critical packages would be a good beginning.

⁠​⁠​⁠@@ratchet1freakBut on the other hand, if the library hadn't been open source, he wouldn't have been about to look into it as deeply as he did. He likely would've had to conclude that the developer introduced a bug, and at most reach out to them, which would've only served to tip the bad actor off that their backdoor was still too detectable. So overall, open source did "win" here.

​@@helipad_huck1543as it happens, someone else actually did exactly that from my understanding, and that was the patches that the second version of the backdoored version of xz fixed, some valgrind issues that were found by a maintainer of a different distro, so that's xz 5.6.1 :P

That, or install an uncompromised xz on that server instead.

They spent years setting all this up, too.

And yet they managed to calmly disappear once it was discovered, instead of yelling insults at the xz mailing list. True professionals!

@@Uerdue As opposed to when they were setting this up where they (presumably this was them) were quite rude.

I have a feeling that it's not just a simple uber haxor kid, this is too big and the setup is too perfect in the way it was being set up slowly. I don't want to sound like a conspiracy theorist but I just have a feeling that the guy who we all saw as a co-maintainer is not the sole brain behind this attack. It had to be a group who would greatly benefit from having this backdoor available.

@@Cavi587I think most people consider a state-level actor (like some intelligence agency) the most likely behind this. It's not just the amount of time/work spent on it, it's also the likelihood of failing which was too high for the average cyber criminal without government funding to risk so many resources on it. What if systemd drops its xz dependency 2 years into the project? Or another contributor shows up who likes to do his own improvements to the tests or build system (that touches your manipulated files, so you have to turn down all of their PRs for made-up reasons)? Or the original maintainer is just stubborn and says "no binary blobs of unknown source as test files, period"? Or some person simply finds the backdoor before it makes its way to stable distros? There are so many ways for such an operation to go wrong. You either have to be able to scale it, working on a bunch of these in parallel and hoping for one to succeed - or you have to just be ok with the operation failing and the only thing gained from it being the insight that it's quite a hard thing to pull off successfully.

how do people come up with such ideas

@@7DuRd3n In the shower

I've heard something like that, I thought it was common

@@7DuRd3n geniuses that have specific domain knowledge sharing ideas with others in their domain knowledge. this most likely was a state operation. you think this is wild, imagine the concepts and ideas in modern mathematics where you are not constrained by physical limitation. everything is abstracted and abstracted.

Guy? Or guys, plural? Or … state sponsored? NSA, CIA, ((Washington)), etc.?

@@franzlyonheart4362 its always a government conspiracy, eh?

@@marblecar1162 It does make sense in this case though

@@marblecar1162For you it's never one

@franzlyonheart4362 why is everyone in these comment sections assuming it's got to be an American agency? My money would be on China, Russia, or Mossad. Hell, Mossad's bread and butter is this kind of diabolical social-engineering into unnoticeable attack vector.

more likely the chinese

As if that was the only attempt - it's the only one that failed, but numerous others have succeeded

Yeah, this isn't a lone actor. It shows you how much more complicated it is to compromise an open source project.

@@outtakontroll3334 both

Would the NSA really be silly enough to try and backdoor an open-source project?

Just so impractical :( I just want to use my system and write things that jave some power to alter things. A big stack of sandboxes and passwords is so frustrating

@@kapytanhook then we need to make that easier. I hated the idea of 100s of passwords (for example), but a password manager has made that easy.

@@hellowill yeah, honestly. But this is deeper, it's that you can't trust your own machine or things running on it. People put backdoors in everything. We need well funded open source hardware and software but we are moving away from that

All thanks to a bored and curious Microsoft engineer who was running a timing test on the SSH login process. The time difference between a normal and infected login was less than 500 milliseconds , and that's what tipped him off. It's pretty remarkable.

@@BillAnt That's a story of human evolution haha.

Without question. This was a well-funded state-level attack, likely one of the 1st-world governments.

the latter is very viable, given that there are botnets pinging every single public IP address right now in hopes of hitting something

Attacker prob patiently waiting for their code to be published with stable release then do crazy stuff. Remember it got exposed just because of 1 dude noticed ~500ms delay on his ssh connection.

After the hard part is done, the attacker just hopes the biggest targets are infected.

@@gie4830 500ms is crazy delay, no way this backdoor will come to stable

@@gie4830 I don't know. I'm pretty sure actual big actors don't have SSH servers directly addressable through the public internet, you most likely need to jump through some enterprise VPNs to get access. So the targets were mid-sized. At least now he's vulnerable to getting honeypot'd. Wonder if someone will attempt to catch him like that. Though it would have been easier to not alert everyone if he really was targeting only a few actors.

You can find any arbitrary sequence of digits inside of Pi if you search long enough. Meaning you can find a sequence you like because it's vulnerable, then pretend like you rolled a dice.

That's just silly. They're test files.

@@alexnoman1498 Indeed, which is why you would want to use digits starting from the very beginning. (I think the Wikipedia article on "nothing-up-my-sleeve-numbers" also notes this in one of the first paragraphs.) I just left that part out in the initial comment because it was already long enough. Anyway, my point is: Binary (test) files of which you cannot explain how you created them are inherently suspicious. They may contain a rickroll link stored in low order bits of some pixel values, the mighty flag if you're playing a CTF challenge, or a secret backdoor to-be-extracted by the build script, as in this case.

The starting point would be its own magic number which should be a 'nothing-up-my-sleeve-number'@@alexnoman1498

That concept exists because of stuff like Dual_EC_DRBG (although Blowfish predates it).

LOIC INCOMING

Enjoy your new cupholder *ejects CDROM drive*

You are welcome!

Thanks for watching

Also, code freezing or "don't fix what isn't broken" was not so bad idea after all.

Perhaps the popularity of BSD is about to increase!

This has nothing to do with "simplicity of software" but whatever

@@DaveBucklin I hope, BSD is such a great system

not necessarily. Many OSS projects have only single maintainers, which makes this kind of attack easier. Large software developers have extensive code reviews with many eyes looking over changes before commit, meaning that a malicious actor (other than the company itself) would have to fool or corrupt many developers to sneak in the backdoor. I am not saying that Closed-Source is in any ways better, what I am saying is please don't try and make it seem that OSS is always better able to withstand these attackers. OSS is much better on average than closed source, but lets not get complacent, but try and figure out processes to prevent something like this in OSS in the future.

@@MrSmokinDragon I agree, that this wakeup call should encourage everyone to be more on the lookout for such things. My point is, that you can ONLY do that in open source software. With closed source software, you never know. Sure, large companies also do code review, but not all widely used software is written by large companies with good practices in place. And good practice sometimes get thrown under the bus when time or money is short. If you can't see the git repo, the build scripts, the test files, then you have no way find out why your your program is suddenly slower by a factor of 4, or if some malicious employee committed some questionable binary blobs some time in the past. *shrugs*

@@MrSmokinDragon Yes, but the makers of closed software can put these things in on purpose with no one knowing. We know governments are the biggest cartels in the world and can get your cooperation.

Heard about the nist recommend crypto standards.... Quite a few have mysterious issues. Check out en.m.wikipedia.org/wiki/Nothing-up-my-sleeve_number (the counter examples section). Why subvert the code when you can subvert the committee defining the crypto algorithms everyone has to implement. Espionage predates computers.

No lol ? How exactly are you going to get your code, anywhere near, lets say, KZbin or Photoshop`s source code ? I mean sure, you could try get a job at said place, work your way up, and etc etc. But that is vastly more work/time and secure than letting people who created a github account a week ago to contribute to key aspects of the worlds infrastructure. Like jesus.

It's much worse than that. Jia was a contributor to the xz project for 2 years, and prepared the backdoor through that time.

People reviewed the code, but the backdoor was not inside the code.

But that's, like, every patch.

And openssh comes from the openbsd community. I was thinking of attempting to construct a graph dependcies for anything running as root and/or network accessible. Build some scores for the source repo (number of commiters, frequency of releases, cve reports, static analysis, recent binary blobs added) combine that into some form of help / funding needed dashboard

As I recall, Linus said in an interview that about 50% of commits to the kernel are by one-timers that never come back.

*GCHQ hackers sighing with relief*

I mean sshd can already hand off to libpam for authorization iirc, and realistically, authenticating requests and launching a shell is kinda the whole point of sshd.

sshd _does_ support privilege separation though. I assume the backdoor activates on the secure side of it though (or disables it entirely).

can i haz ldd on macos

He was talking about signing not regular encryption. He got it the right way round!

Not for signatures, he is right.

You could say he is a freund to us all