XZ Exploit - Computerphile

The XZ Exploit was an incredible near miss. Dr Richard G Clegg of Queen Mary University London explains how a seemingly helpful contributor hid some code in part of a ubiquitous piece of software.

This video was filmed and edited by Sean Riley.

Comments

It is incredible that Andres Freund was able to stop this because he noticed a benchmark took 0.807s instead of 0.299s and decided to investigate. I've heard experts say that if not for him, this could have backdoored every major Linux distribution for a long time.

Winsane

The attack was very, very well thought out. It took years for Jia Tan to get accepted as a maintainer, during which time they submitted quite a lot of real improvements; they clearly knew a lot about compression. Moreover, they didn't even put the backdoor in the official repository, but only in a release tarball. How many people test that the tarball signed by the maintainers is the same as the open source code that everyone can see? And how it got from the test file into the release binary was also very clever. Also, AFAIK they were only focusing on Red Hat Linux and possibly also people who compile from sources (like an intelligence agency may do); it got into Debian by accident. Debian normally builds software from official repositories, but in the case of xz they were unusually building it from the release tarball.

NyanSten
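The check the comment above asks about, whether the signed tarball is the same as the tagged source tree, as an added example in Python (not code from the video or from the xz project). The two tarballs, the pkg-1.0 tree and the EXPECTED_GENERATED allowlist are constructed assumptions for the demo; against a real release you would feed it the output of `git archive` for the tag and the downloaded tarball. The allowlist is what keeps the diff useful rather than noisy, because an autotools release tarball legitimately contains generated files the repository does not, and a backdoor only needs to hide among them.

```python
"""Added example (not from the video or the xz project): check that a release
tarball matches the tagged source tree.

Both tarballs are constructed here in memory as sample data. The tree layout,
file names and the EXPECTED_GENERATED allowlist are assumptions for the demo.
"""
from __future__ import annotations

import hashlib
import io
import tarfile

# Files an autotools release tarball legitimately adds on top of the git tag.
# Assumption for this example: in practice derive it per project from what
# autoreconf / `make dist` is known to emit, and keep it short.
EXPECTED_GENERATED = {"configure", "Makefile.in", "aclocal.m4", "config.h.in"}


def make_tarball(files: dict[str, bytes]) -> bytes:
    """Pack {path: content} into a gzip tarball held in memory (stand-in for
    `git archive --prefix=pkg-1.0/ v1.0` and for the downloaded release)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, data in sorted(files.items()):
            info = tarfile.TarInfo(name=path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def digest_tarball(blob: bytes) -> dict[str, str]:
    """Map every regular file to the SHA-256 of its content. The leading
    directory (pkg-1.0/) is stripped so archives with different prefixes
    still line up."""
    digests: dict[str, str] = {}
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:*") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            data = tar.extractfile(member).read()
            rel = member.name.split("/", 1)[1] if "/" in member.name else member.name
            digests[rel] = hashlib.sha256(data).hexdigest()
    return digests


def compare_trees(tagged: dict[str, str], release: dict[str, str],
                  expected_generated: set[str] = EXPECTED_GENERATED) -> dict[str, list[str]]:
    """Classify differences. Anything under 'unexplained_extra' or 'modified'
    is content the signed tarball carries that the public tag does not."""
    extra = set(release) - set(tagged)
    common = set(tagged) & set(release)
    return {
        "only_in_tag": sorted(set(tagged) - set(release)),
        "expected_generated": sorted(extra & expected_generated),
        "unexplained_extra": sorted(extra - expected_generated),
        "modified": sorted(p for p in common if tagged[p] != release[p]),
    }


def check_release(tag_tarball: bytes, release_tarball: bytes) -> dict[str, list[str]]:
    return compare_trees(digest_tarball(tag_tarball), digest_tarball(release_tarball))


# Constructed sample trees: the "tag" is what git archive would give; the
# "release" adds the expected generated configure script, an m4 macro that is
# not in the repository at all, and a test file whose bytes differ.
TAGGED_TREE = {
    "pkg-1.0/configure.ac": b"AC_INIT([pkg], [1.0])\n",
    "pkg-1.0/src/decode.c": b"/* decoder */\n",
    "pkg-1.0/tests/files/good-1.bin": b"\x00\x01\x02\x03",
}
RELEASE_TREE = dict(TAGGED_TREE)
RELEASE_TREE["pkg-1.0/configure"] = b"#! /bin/sh\n"
RELEASE_TREE["pkg-1.0/m4/extra.m4"] = b"dnl not in git\n"
RELEASE_TREE["pkg-1.0/tests/files/good-1.bin"] = b"\x00\x01\x02\x03\xff"


def demo_report() -> dict[str, list[str]]:
    return check_release(make_tarball(TAGGED_TREE), make_tarball(RELEASE_TREE))


if __name__ == "__main__":
    for kind, paths in demo_report().items():
        print(f"{kind}: {paths}")
```

Anything reported under unexplained_extra or modified needs an explanation from the maintainer before the tarball is built, and the allowlist should be pinned to what the generator is known to emit rather than grown every time the diff is noisy; a modified test file in particular deserves a look, since binary test inputs are where a reviewer is least likely to read the bytes.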

worth noting the gaslighting and social engineering aspect of the attack used to get the maintainer to accept Jia Tan as a team member that preceded the backdoor for years!

SArthur

makes you wonder how much stuff is planted out there without getting caught and quietly exploited.

JeffBilkins

This highlights to me how dysfunctional the economics of vulnerability research is: open source devs are making some of the most critical code (even Microsoft relies on it for Xbox) but as passion projects while living on baked beans, never seeing fair recompense. Reporting vulnerabilities is often a waste of time too; many vendors don't care or don't pay bounties. Vulnerability research is not being funded properly.

foobarf

It was a Microsoft engineer benchmarking Postgres and saw that the connection times were slower.

konga

xkcd 2347 is one of my favourites - it kind of describes me for the last 30 years too!

ahaveland

If somebody is wondering why this did not show up in code review: they hid the payload in the testing file and it was only incorporated into the finished binary, which was uploaded to the package servers, so if you had built this package from source you would not have been susceptible to the attack.

Also, the libxc was overriding code from the sshd when being loaded as a static library; there were plans to change the sshd to dynamic library loading, which also would have prevented this attack.

tobitei

Xzutils was being loaded only on Linux distros, not on openssh itself. It was relied on by patches applied to ssh to work with systemd, afaik.

franciscopena

This reminds me of Clifford Stoll's story about tracking down an extra $0.75.

TheRealInscrutable

I was hoping for a deep-dive into the obfuscation. Does anyone know if some YouTube channel has done an analysis of this yet?

Lorkin

I can’t imagine if some infrastructure sites like pip, npm, or docker went down, the world would grind to a halt

racvets

We went from zero days to patiently, over a long timespan, intentionally planting vulnerable code to construct a reliable attack vector in another program that relies on this program, to be able to hack into all our computers, and we are none the wiser...
This genuinely scares me...

thogameskanaal

Insofar as this affects software projects, this can also affect hardware. Imagine a person dedicating this time measured in years getting embedded in a CPU development team and, say, working on a phone SoC or one of the newest microprocessors, injecting nefarious code into the design description.

JasonDoege

Wasn't that comic strip inspired by the leftpad 'incident'?

piratpl

Dr Clegg has such an unusual way of speaking, fascinating story!

jme_a

This guy gave me motion sickness.
I thought maybe it was the videography, but no, it's how fidgety he was. 😂

jamess

Could the backdoor be prohibited by AppArmor or SELinux?

Serhii_Volchetskyi

What concerns me is, is this the first time they have done this? What about other libraries and other platforms? Hmmm.
I feel like this would be way harder to find in Windows.

ProsperousPlanet

Is there any system that would be able to flag this kind of unauthorized access if it happened in the wild? Couldn't you have another process that tries to match successful logins to authorized keys for that login (say you've disabled password login) and goes nuts if they don't match?

petergerdes
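One way to build the check proposed in the comment above, as an added example in Python (not code from the video or from OpenSSH): compute the SHA256 fingerprint of every key in each user's authorized_keys the way `ssh-keygen -l` does (SHA-256 over the decoded key blob, base64 without padding), then compare it with the fingerprint sshd writes in its "Accepted publickey" syslog line. The authorized_keys text, the log lines and the key blobs (synthetic, laid out like ssh-ed25519 wire format but not usable keys) are constructed here.

```python
"""Added example (not from the video or from OpenSSH): flag key-based sshd
logins whose key fingerprint is not in that user's authorized_keys.

The authorized_keys contents and the log lines are constructed here. The key
blobs are synthetic (correct ssh-ed25519 wire layout, not real keys); the
fingerprint arithmetic is OpenSSH's: SHA-256 over the decoded key blob,
base64 without padding, prefixed "SHA256:".
"""
from __future__ import annotations

import base64
import hashlib
import re
import struct
from collections import defaultdict

# sshd's syslog line for a successful public-key login.
LOG_RE = re.compile(
    r"Accepted publickey for (?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2: "
    r"(?P<ktype>\S+) (?P<fp>SHA256:\S+)"
)
# Key type + base64 blob inside an authorized_keys line; options such as
# command="..." may precede it. (An option string that itself contains a
# key-type token is not handled here.)
KEY_RE = re.compile(r"(?:^|\s)(ssh-(?:ed25519|rsa|dss)|ecdsa-sha2-\S+|sk-\S+)\s+(\S+)")


def ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def synthetic_key(seed: int) -> str:
    """Constructed ssh-ed25519 entry: wire-format blob with a 32-byte filler
    'point'. Fine for fingerprinting, useless for authentication."""
    blob = ssh_string(b"ssh-ed25519") + ssh_string(bytes((seed + i) % 256 for i in range(32)))
    return "ssh-ed25519 " + base64.b64encode(blob).decode()


def fingerprint(authorized_line: str) -> str:
    """OpenSSH SHA256 fingerprint of one authorized_keys entry."""
    m = KEY_RE.search(authorized_line)
    if not m:
        raise ValueError(f"no key in line: {authorized_line!r}")
    digest = hashlib.sha256(base64.b64decode(m.group(2))).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def load_authorized(per_user: dict[str, str]) -> dict[str, set[str]]:
    """{user: fingerprints} from the text of each user's authorized_keys."""
    allowed: dict[str, set[str]] = defaultdict(set)
    for user, text in per_user.items():
        for line in text.splitlines():
            line = line.strip()
            if line and not line.startswith("#"):
                allowed[user].add(fingerprint(line))
    return allowed


def audit(log_lines, allowed: dict[str, set[str]]) -> list[tuple[str, str, str]]:
    """(user, source ip, fingerprint) for each accepted login whose key is
    not among that user's authorized keys. Non-matching lines are skipped."""
    alerts = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if m and m["fp"] not in allowed.get(m["user"], set()):
            alerts.append((m["user"], m["ip"], m["fp"]))
    return alerts


# Constructed per-user authorized_keys: alice has one key, bob a restricted one.
AUTHORIZED = {
    "alice": "# laptop\n" + synthetic_key(1) + " alice@laptop\n",
    "bob": 'command="/usr/bin/backup",no-pty ' + synthetic_key(2) + " bob@backup\n",
}


def sample_log() -> list[str]:
    """Constructed sshd lines: two legitimate logins, a failed password, a
    login for alice with a key nobody installed, and bob logging in with
    alice's key."""
    def fp(seed: int) -> str:
        return fingerprint(synthetic_key(seed))
    return [
        f"Accepted publickey for alice from 203.0.113.7 port 51234 ssh2: ED25519 {fp(1)}",
        f"Accepted publickey for bob from 203.0.113.8 port 51235 ssh2: ED25519 {fp(2)}",
        "Failed password for invalid user admin from 198.51.100.9 port 40000 ssh2",
        f"Accepted publickey for alice from 198.51.100.10 port 40001 ssh2: ED25519 {fp(99)}",
        f"Accepted publickey for bob from 198.51.100.11 port 40002 ssh2: ED25519 {fp(1)}",
    ]


def run_audit() -> list[tuple[str, str, str]]:
    return audit(sample_log(), load_authorized(AUTHORIZED))


if __name__ == "__main__":
    for user, ip, fp in run_audit():
        print(f"ALERT: {user} from {ip} used unauthorized key {fp}")
```

This catches a login with a key nobody installed, including one user's key being used for another account, which is what a stolen key or a backdoor that accepts arbitrary keys produces. It does not see a payload that runs its command inside sshd during the handshake without ever completing a login, because no "Accepted" line is written for that; pair it with alerting on unexpected child processes of sshd and on changes to the sshd binary and the libraries loaded into it.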