wild stuff re: xz/liblzma backdoor news.ycombinator.com/item?id…

Mar 29, 2024 · 5:45 PM UTC

14
374
71
1,626
i must admit tho it is slightly refreshing to see something like this again
4
88
it’s amazing isn’t it
Replying to @bl4sty
you gotta appreciate the way they shipped the backdoored object file. added some "test" data to the source tree that gets unxz'd and (dd) carved in a specific way, that is fed into a deobfuscator written in... awk script and the result gets unxz'd again
2
4
89
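A defender-side heuristic for the staging pattern the post above describes (a "test" fixture that is decompressed, carved with dd, run through awk and decompressed again at build time). This is an added example, not code from the thread or from the xz project; the tool lists, the threshold and the sample Makefile fragment are my own assumptions.

```python
"""Heuristic scan of build scripts for test fixtures that are pushed through a
decompress / carve / transform / execute pipeline (constructed example, not
xz project code). Listing or copying a fixture is normal; unxz'ing, dd-carving
and awk-processing it during the build is the staging pattern worth a look."""
import re

# A path under tests/ or test/ (assumed fixture location).
FIXTURE_RE = re.compile(r"(?<![\w/])tests?/[\w./-]+")

# Tool names at a command position; the (?<![\w.]) lookbehind keeps file
# extensions such as ".xz" or ".awk" from counting as a tool invocation.
STAGE_TOOLS = {
    "decompress": re.compile(r"(?<![\w.])(xz|unxz|lzma|unlzma|gzip|gunzip|zstd)\b"),
    "carve":      re.compile(r"(?<![\w.])(dd|head|tail|cut)\b"),
    "transform":  re.compile(r"(?<![\w.])(awk|sed|tr)\b"),
    "execute":    re.compile(r"(?<![\w.])(eval|sh|bash)\b"),
}

def classify_line(line):
    """Return (fixture paths, pipeline stages) found on one script line."""
    fixtures = FIXTURE_RE.findall(line)
    stages = [name for name, rx in STAGE_TOOLS.items() if rx.search(line)]
    return fixtures, stages

def suspicious(line, min_stages=2):
    """Flag a line that touches a fixture AND uses at least min_stages tools."""
    fixtures, stages = classify_line(line)
    return bool(fixtures) and len(stages) >= min_stages

def scan(script, min_stages=2):
    """Return [(line_no, stages, text)] for flagged lines of a build script."""
    hits = []
    for no, line in enumerate(script.splitlines(), 1):
        if suspicious(line, min_stages):
            hits.append((no, classify_line(line)[1], line.strip()))
    return hits

# Constructed Makefile.am-style fragment; lines 6 and 7 are the bad ones.
SAMPLE = """\
# constructed sample, not the real xz build files
AM_CFLAGS = -Wall
EXTRA_DIST = tests/files/good-1.xz tests/files/bad-1.xz
check: run-tests.sh tests/files/good-1.xz
\tcp tests/files/good-1.xz $(builddir)/fixture.xz
\txz -dc tests/files/bad-3-corrupt.xz | dd bs=1 skip=100 | awk -f script.awk | xz -d > stage2.o
\teval "$(sed -n 1,3p tests/files/extra.txt)"
"""
```

`scan(SAMPLE)` flags only the pipeline line and the eval line; the plain EXTRA_DIST listing and the cp of a fixture stay quiet because they use no staging tool.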
Replying to @zer0pwn
It's fucking crazy. This part was my favorite. "I'm not really a security researcher or reverse engineer but here's a complete breakdown of exactly how the behavior changes." You only get this kind of humility when you're working with absolute wizards on a consistent basis.
1
15
1
262
Replying to @zer0pwn
I would love to know more about this person who created this vulnr
1
Replying to @zer0pwn
Wild indeed. Ken called it years ago in his Turing award speech: cs.cmu.edu/~rdriley/487/pape…
1
2
30
Replying to @zer0pwn
Look very closely and you will see feds all the fuck over large open source projects. Open source is the way, but so is being real about spooky people being spooky
1
16
Replying to @zer0pwn
We have industry standards. Can we have industry interrogators? Bring him in and waterboard the versions out of him.
1
11
Replying to @zer0pwn
I'd like to necropost about a much older bad vuln for a moment. Remember ancient Debian OpenSSL 15 years ago? The guy who did that didn't get kicked out of Debian but was promoted to run Debian's build servers.
1
4
Replying to @zer0pwn
What's ZX/liblzma? ZX/liblzma backdoor Eheh
1
1
Replying to @zer0pwn
the old ways aren't always best. i wouldn't be surprised if lots of gnu was shaky
Replying to @zer0pwn
There was an embargo that got broken?