My heart breaks when hearing all this new info about Lasse Collin. His companions betrayed him and now he is there alone, unable to trust anyone, battling mental issues and still trying to clean up one of the biggest security fiascos of the decade :(

What's the lesson here? Don't get between a DB engineer and performance.

Gladly TempleOS is doing just fine.

Hot take: Everyone has been saying that this is proving the short comings of OSS, I think the opposite. If some idiot got themself a job at MS and did something like this, you would see that PS-Remote or perhaps RDP takes an extra half a second and say "what did MS do now??" and move on with your day. The beauty of OSS, the ability for someone to look at the code did what it needed to do: Someone who had nothing to do with the project was able to look at the code and sound the alarm.

the scariest part is the social engineering did on Lasse. this person was manipulated for YEARS and the team (probably) behind it saw the opportunity and exploited it. exploiting Lasse's mental health, trust and desire to pass on the torch. this is actually evil

Freund isn’t even a security engineer (disclaimer at the end of the post on openwall). Man is just that big of a gigachad.

It took me over an hour to realize that this wasn't an April fools.

This whole situation just feels like a movie. The fact that this is real is insane. And I can't decide what's more impressive - developing this backdoor or finding the backdoor ... this just shows me how little I actually know. I feel vulnerable ... just let me cry...

There's an episode of The Sopranos where the FBI spends the entire ep putting a bug into a desk lamp and then planting the lamp in Tony's basement where he talks business with his associates. They only capture a single conversation, of Tony talking to a plumber about his water heater, before the whole scheme is undone by Meadow grabbing the lamp and taking it to her dorm room. Feels like a good metaphor for this guy's exploit getting caught so quickly.

Saved by some random engineer benchmarking postgres which 99.9% of SE engineers won't even have time to do :D

I don't know how developers are so smart that they can find this shit. Blows my mind

You and lowlevellearning have really good energy together. Great video. More collabs please.

I think this backdoor ultimately is going to do more good than harm, because now people are on the lookout for backdoors in tests and similar wild exploits.

The pushing might be because there are 2 other things happening that are each likely to kill the attack chain. 1. openssh was already working on their own method for calling systemd-notify without linking it (upto now they did not link it due to them being very careful on dependency checking). Debian, Fedora and OpenSuse were patching sshd to do this linking. This is how liblzma got linked to openssh at all, this wouldn't be done anymore. 2. systemd is looking at better isolating and reducing their dependencies, especially for more critical parts of the system themselves and liblzma is looking to be dropped as a dependency. Given these things, this backdoor may have been on a sudden clock where it is get it in next release or it is likely to be several years of setup for nothing.

I got hit with skill issue every line of the article

28:25 The obvious reason for the rush is probably a branch+ticket+PR in systemd repo to switch the library loading to runtime and be optional, and this looks almost ready. Just imagine, the hard work of many years to be flushed down the sink.

Imagine all the potencial back doors we still dont know about

NSA must be pissed right about now, months of planning gone to waste

Where is the 13% accurate guy who was going to solve Open Source Issues, weren't he supposed to take our jobs??

I'm an industry veteran of 15 years. I understand some of these words.

My speculation is that the person is not Chinese. The information that the name had mixes of Mandarin and Cantonese makes it sound more likely that it’s a non-Chinese person attempting to create a Chinese identity. I think it’s a very clever ploy to leave digital breadcrumbs that align with people’s existing beliefs. People want it to be a big grand Chinese cyberattack, so by intentionally choosing a Chinese sounding username people will immediately jump to that conclusion. We obviously can’t rule out the potential of it being a state sponsored cyberattack and perhaps even a CCP coordinated attack. But I think it’s important to be aware of our existing confirmation bias

Having extremely complicated bash scripts that modify files during the build step is kind of wild in 2024. I'm not sure why you'd even set a build system up like this, seems like hell to work with, let alone audit for security.

For me, the big problem that this has exposed is the vulnerability inherent to the OSS / Linux / GNU building and packaging systems. It's an arcane mess of Makefiles, Bash scripts, ad hoc patches, and tar-ballz inside tar-ballz. It's long overdue for some security to be built into all that, like properly sandboxing builds versus tests, and having verifiable steps. In this particular exploit, it looks like a crazy mess of bash magic, but ultimately it's scary because of how easy it was.

All major security agencies should be after the perpetrator(s). The caliber is HUGE. If those guys aren't caught and the whole thing is silenced then it must have been state sponsored.

Attackers didnt have much time left, as xz dependency was about to be removed/lazy loaded from libsystemd, breaking the backdoor. Might be the reason why they pushed for it.

Almost definitely a nation state. Lots of carefully crafted obfuscation & social engineering. I think over all this is a very strong argument for reducing our reliance on shit build systems

"I'm receiving 16$ a week from my patrons, my goal is 20$ a week". Open source culture right there.

“Reproduce the binary via the source code.” Npm just a giant binary basically at this point. Needs to be compiled by an independent source.

*laptop bag with stickers all over it lid opens* How do you do fellow open source maintainers?

19:26 "fork yourself" lol. new insult dropped

This opens up a whole new world of attack vectors. Even just the proliferation of this one aside, we have no way of knowing just how broad the compromise is. Scary shit.

Exploit discovered because some guy on the internet didn't like the noise his fans were making. Head cannon.

Potential State Actor behind this attack

Suspending the original maintainer with appropriate explanation could be net positive regardless of if he was intentionally involved. Sometimes a forced break from things is good (also might keep him from getting hate mail while things are hot)

Compression algorithms do a lot of data deduplication so a real test file will have duplicated data to prove that the algorithm actually works. Files with high entropy don’t benefit much from compression. Just noting this as it would be expected for test files on a compression library to have that kind of repeated/duplicated data. If I were an attacker I might theorise that adding data to a test file would be less conspicuous if the added data compressed effectively 🧐

Flip is my favorite editor.

It’s because it’s open source that we’ve discovered this. Had it been hidden, we would’ve never known about it

Where was Devin when we needed him?!!!?

after watching for 56 minutes i was already at " i am too stupid for this " however hearing the priameagean say it made me LoL

low level learning is lock picking lawyer of software, they would a neat team

I love prime’s content recently I’m just so friggin happy! ❤

Would isolating the build and test environments (ie via containers) limit this class of attack? Might take longer to build, but if the test suites can't touch the binary that is going out, then the injection should be impossible, no?

The sudden rush to get it done after taking 3 years to set it up sounds a lot like management interference, like there's a boss demanding results.

Exploiter: i would have gotten away with it if it weren't for those meddling Microsoft guys

If this happened inside of a large proprietary C/C++ code base, for example a foreign independent contractor with a fake identity at Microsoft or Riot Games was compromised and committed a malicious tar ball, most of the country would be compromised and almost no one would have the ability to find the issue. I don't think businesses are immune from attacks as sophisticated as this. At least with open source we have a chance to find the backdoors.

This has been happening for some time. There was a case where a group at a university tried to sneak in a backdoor into the Linux Kernel and got dang close before someone found it and Linus then went back and pulled ALL code that came from that University and banned them from any and all commits going forward. It was much more complex than this condition, but interesting it wasn't as popular because it wasn't on the twitters.

0:44 welcome to Costco I love you

Question: would the backdoor still be relevant if SSH is disabled? Most linux Desktop users do not have SSH enabled, so this would mean the target was entirely servers.

This episode of yours is so damn interesting! I'm really enjoying it. Thanks

I'm so glad you two tag teamed this bad boy. What a delicious bro AF gigchad exploit lol I absolutely love this, it's a work of art.

imagine someone inject a crypto mining code into you CI pipeline.

12:40 this case may or may not be state affiliated. but it's extremely obvious there are state actors who are intended to deploy subtle bugs into widely used software.

The best demonstration of human intelligence and creativity I've ever seen.

Great analysis, thanks for going through it! This is truly scary stuff! it really makes you think how much stuff is out there actually compromising open source software that we're not aware of... 😢 Consider the following: this was only caught because of increased delay introduced by the exploit code. Now, what would have happened if whatever actors who cooked up this mess added a simple delayed activation logic? The exploit would be everywhere and likely no one would have been the wiser Scary scary shit

Just an FYI: Lasse is pronounced ”Las-eh”, not ”Las”

The guy that discovered the backdoor and "got suspicious" needs approx. $100 million deposited in his account and be bought a beer.

There must be more compromised packages.

LLL got me hip to the importance of C, i friggin love the latest Prime collabs!!!!!!!!!

Because of the number of heads in this command, I've been calling this The Hydra.

amazon,twitch,google ,youtube gotta retro actively pay open source creators going back to at least 95

man jblow really predicted these

There was something about moving to zstd from xz in this video, but looking at what the xz package is required by on my system, zstd is one of them (along with rustup and the base package)... Kinda goes back to being able to scarily run arbitrary code at build time in stuff like build(dot)rs (which I remember Jon Gjengset talking about), I guess being more readable/auditable than some of the arcane build systems is one step, but yeah, some sandboxing, like even having all the features (like network or filesystem access), but having to turn them on one by one as needed, and having to justify turning them on to maintainers... because otherwise it all comes back to trusting upstream. I mean given that they set the scene for themselves, by patching the fuzzing library and what not, could still potentially be bypassed, but the more steps a bad actor would have to go through (so long as it doesn't add much more steps to normal users), the less likely.

I would guess the 5 checks for Linux has something to do with finding where you are in the memory. You land somewhere in the checks, go until you find the last open/close square brackets, and then you know where you are. You could probably find the checks for Linux being passed to the OS for evaluation.

Some binary can't be reproduced with code, like image files for example. Those were never compiled, they were just created. But even an image could have code in it.

Shouldnt `binary_blob | manipulation | eval` be a red flag that could maybe be scanned for somewhat automagically? Not sure if I understand everything here though.

This was wild that they found it!

41:03 One note on chinese name things: many groups do speak multiple dialects of chinese, particularly in areas like Malaysia or Singapore (where the Tan last name would be used in Hokkien communities) or other areas with large dispersed chinese populations. My fiancée’s family, for example, primarily speak Mandarin and pronounce their chinese names in Mandarin, but use the Hokkien anglicization of their surname. So, while it’s a good to look at, it’s not necessarily indicative that the Jia Cheong Tan name is fake.

Read KenThompson's "Reflection on Trusting Trust" next 😁

"The Three Body Problem" is the best sci-fi book I've read in years, hands down. Also, I refused to get the sequels because the first book freaked me out so much, and I know things don't actually get serious until books 2 and 3.

Honestly, seeing how much effort was put into this makes me think the guy who did is simply a madman. Like lots of steps could be skipped with same effect. But guy wanted to prove a point and flex his genius on everyone

This is a very good review. I'm glad you guys are both getting paid and making a profit to do this valuable work.

This hack makes my production code look poor with all of its robustness and future proofing 🤣

I think it was Richard Stallman who warned us about this kind of thing the 1960s!. It’s one of the things that is supposed to make Open Source software more secure than proprietary software. But the price is eternal vigilance.

Could the "I Know About the XZ Backdoor" blog article please be linked too?

Everyone shitting on obfuscated binary files but no one has mentioned the use 'eval'? eval should be an immediate red flag in any language

The ingenuity of humans is amazing and sometimes scary. We did manage to harness the power of the atom in nuclear bombs decades ago after all.

This is so obscure I'm getting paranoid about the guy who even found the bug in the first place... my brain is like, "oh HOW CONVENIENT, you just simply stumbled on that!?" but then just has nothing to put after that. ... like maybe this was a compromised APT that was already under observation and "discovering" the backdoor was just a parallel construction--a way to expose it without exposing that they have a peep-hole into the APT's activities.

8:45 He said he noticed it because of high CPU usage, not because the slowdown

Tom would have caught it without the need to experience a random slowdown.

Tan Jia Cheong is a pretty legit name in Singapore

I get the "no comments in my code" policy, but whenever I see expressions like this -> (49:10) -> it kinda starts falling apart for me... I think in such a case it really starts being nearly crucial to comment. Not even necessarily "what" you're doing, but more importantly "WHY"!

1:02:35 these guys vibe so hard LLL can keep up the tempo by telling a story out of no where. Keep up the good work :D

Being this backdoor so much complex, I highly doubt it is being implemented for the first time. From start to end, everything seems well crafted and maybe improved on the possible previous iterations.

Seeing a lot of commentary on this issue pointing out how catastrophic this *could* have ended if it weren't for Andres' diligence. While that is of course true, the takeaway from this cannot be the story of how one very knowledgeable and detail oriented man saved the world. The discovery of a sophisticated, catastrophic RCE like this *necessarily* requires unlikely circumstances. If the attack was not discovered through these unlikely circumstances, we would never know how sophisticated and catastrophic the attack is. Conversely, if the attack was not sophisticated, it would not require unlikely circumstances to discover. Therefore, it is expected that catastrophic and sophisticated attacks will be discovered through unlikely circumstances. This is something like the anthropic principle for cybersecurity. The real takeaway here is that the more effective and catastrophic an attack is, the more unlikely you are to discover it.

“gaslit by the whole community” it’s literally just one guy bro..

I think that adding the 5 lines on the changes was to make the pad the file length so the exploit can work

This is why I leave my repos on private most of the time. I've never been totally sold on open source; I have been on the bad end of unreasonable expectations too many times.

I don't think this is related to Open source specifically. This could happen even in commercial software. Nothing in the source, everything is split between the tests and the build system!

It is really MOSSAD-ish.

reminds me of obfusacted PHP malware from 5-10 years ago somehow, just the looks of the payload/malware-snippets "de" obfuscated

This video flew by, didn't even feel like an hour+

Others might get scared by this. I, on the other hand, am getting reassured a bit. There's bound to be backdoors, the fact people are finding some, means there's one less backdoor to worry about.

plot twist - the person who found the backdoor is the person who implemented it. He's just after a bonus

This is a very similar approach to NodeJS event-stream backdoor. It's just better obfuscated, hidden in files meant to be garbage for tests. event-stream was more obvious because it had the encrypted payload but no legitimate use for that blob. It was triggered in the build (similar to test) and injected the payload only on a specific target project.

This was a great stream. I missed the last 20 minutes or so because of work

is it possible that the jia guy is also innocent? if all the malicious code was pushed by hansen, then it is possible that jia just didnt look at the request at all and just pushed it in? or he looked at the code and because it was so well obfuscated, he didnt notice? dont know all the details, just trying not to jump on the guy, since i am not fully convinced yet.

it's the NSA

Wondering, when this story (incl. the attackers) will end up in some movie or TV show, like in good old movie days (e.g. "23" about a West German Telekom hacker, who got in trouble with Soviet KGB).

I believe GH repo was blocked so that automatic build systems don't pull tars from there. Despite that Lasse Collin stated that GH repo is unaffected, who knows?

xz -V returns 5.4.1. I love Debian Stable