Joined: Oct 2002
Posts: 9,997
Longbob Offline OP
Campfire Outfitter
I use Ubuntu on a limited basis. I am mainly using Macs at home and PCs at work. Macs are my preferred platform for my uses because of limited offerings on the Ubuntu side, but Ubuntu appealed to me for the safety aspect. Until now. This has made me question whether it is as safe as I have been led to believe. Is this article something that is endemic?

https://finance.yahoo.com/news/1-why-near-miss-cyberattack-151035964.html


UPDATE 1-Why a near-miss cyberattack put US officials and the tech industry on edge

WASHINGTON, April 5 (Reuters) - German software developer Andres Freund was running some detailed performance tests last month when he noticed odd behavior in a little known program. What he found when he investigated has sent shudders across the software world and drawn attention from tech executives and government officials.

Freund, who works for Microsoft out of San Francisco, discovered that the latest version of the open source software program XZ Utils had been deliberately sabotaged by one of its developers, a move that could have carved out a secret door to millions of servers across the internet.

Security experts say it’s only because Freund spotted the change before the latest version of XZ had been widely deployed that the world was spared a digital security crisis.

“We really dodged a bullet,” said Satnam Narang, a security researcher with Tenable who has been tracking the fallout from the find. “It is one of those moments where we have to wipe our brow and say, ‘We were really lucky with this one.’”

The near-miss has refocused attention on the safety of open source software – free, often volunteer-maintained programs whose transparency and flexibility mean they serve as the foundation for the internet economy.

Many such projects depend on a tiny circle of unpaid volunteers fighting to get out from under a pile of demands for fixes and upgrades.

XZ, a suite of file compression tools packaged into distributions of the Linux operating system, was long maintained by a single author, Lasse Collin.

In recent years, he appeared to be under strain.

In a message posted to a public mailing list in June 2022, Collin said he was dealing with "longterm mental health issues" and hinted that he was working privately with a new developer named Jia Tan and that “perhaps he will have a bigger role in the future.”

Update logs available through the open source software site GitHub show that Tan’s role quickly expanded. By 2023 the logs show Tan was merging his code into XZ, a sign that he had won a trusted role in the project.

But cybersecurity experts who’ve scoured the logs say that Tan was masquerading as a helpful volunteer. Over the next few months, they say, Tan introduced a nearly invisible backdoor into XZ.

Collin didn’t return messages seeking comment and said on his website that he would not respond to reporters until he understood the situation well enough to do so.

Tan did not return messages sent to his Gmail account. Reuters has been unable to ascertain who Tan is, where he is, or who he was working for, but many of those who've examined his updates believe Tan is a pseudonym for an expert hacker or group of hackers -- likely one working on behalf of a powerful intelligence service.

“This is not kindergarten stuff,” said Omkhar Arasaratnam, the general manager of the Open Source Security Foundation, which works to defend projects like XZ. “This is incredibly sophisticated.”

‘WE LUCKED OUT’

Tan could easily have gotten away with it had it not been for Freund, the Microsoft developer, whose curiosity was piqued when he noticed the latest version of XZ intermittently using an unexpected amount of processing power on the system he was testing.

Microsoft declined to make Freund available for an interview, but in a publicly-available email and posts to social media, Freund said a series of easy-to-miss clues prompted him to discover the backdoor.

The find “really required a lot of coincidences,” Freund said on the social network Mastodon.

Microsoft CEO Satya Nadella congratulated Freund over the weekend, saying in a post to the social network X that he loved seeing how the developer, “with his curiosity and craftsmanship, was able to help us all.”

In the open source community, the discovery has been sobering. The volunteers who maintain the software that underpins the internet aren't strangers to the idea of little pay or recognition, but the realization that they were now being hunted by well-resourced spies pretending to be Good Samaritans was “incredibly intimidating,” said Arasaratnam, of the Open Source Security Foundation.

Government officials are also weighing the implications of the near-miss, which has underlined concerns about how to protect open source software. Assistant National Cyber Director Anjana Rajan told Politico that “there’s a lot of conversations that we need to have about what we do next” to protect open source code.

The Cybersecurity and Infrastructure Security Agency (CISA) says it has been leaning on U.S. companies that use open source software to plow resources back into the communities that build and maintain it. CISA adviser Jack Cable told Reuters the burden was on tech companies not just to vet open software but to “contribute back and help build the sustainable open source ecosystem that we get so much value from.”

It’s not clear that software companies are properly incentivized to do so. Online open source mailing lists are teeming with complaints about tech giants demanding that volunteers troubleshoot issues with open source software those companies use to make billions of dollars.

Whatever the solution, almost everyone agrees the XZ episode shows something has to change.

“We got unreasonably lucky here,” said Freund in another Mastodon post. “We can't just bank on that going forward.” (Reporting by Raphael Satter, Editing by Chris Sanders and Nick Zieminski)

Joined: Jan 2019
Posts: 3,405
Campfire Tracker
I don't think any of the LT releases were/are affected. At least Debian-based ones. Not sure if SSH is enabled out of the box? I use it on some home-made NAS boxes inside my home network, checked those versions and they were unaffected.

It's open source, you generally get way more than you pay for.

And it's not like closed source OSes have no issues.....

Joined: Nov 2008
Posts: 8,649
Campfire Outfitter
Originally Posted by Longbob
This has made me question whether it is as safe as I have been led to believe. Is this article something that is endemic?

There is absolutely no OS that is safe, none. It just highlights the fact that Linux was under the radar and not in widespread use except on servers and routers (in which a major flaw was found a few years back). Gaining popularity gains incentive to write code to exploit flaws.
Apple, which uses a UNIX kernel, found that out on their app store and also quietly started shipping antivirus in their OS after some bad actors put out a virus specifically for Apple.
Change a few lines of code inside a program and, if it goes unnoticed, you hit the jackpot.



Swifty
Joined: May 2003
Posts: 31,250
Campfire 'Bwana
Swifty is the expert here, but note that this was an exploit aimed at servers, not home-user software. Potentially catastrophic, as noted, but mostly because most servers run on Linux. That in turn would affect ALL computer systems, be they Linux, Windows, Mac, or Android. Because they all link to and depend upon internet servers.

As a Linux missionary, I always encourage people to abandon intrusive and controlling systems like Windows and Apple in favor of systems that only you control. But that's a double-edged sword. Linux users over the past few years have ballooned from 1% to about 4% of the entire computer usage numbers. As that continues to grow, Linux will inevitably be targeted more and more by hackers and scammers. Linux developers are already beginning to cope with that forecast, thankfully. Linux is still a great choice for most users and almost all home users.

(I would not, however, recommend pure Ubuntu these days. They've changed in recent years and not for the better. Much better are Ubuntu or Debian-BASED systems without the recent nefarious additives. My top three are Mint, Zorin, and MX, in that order.)


Cleverly disguised as a responsible adult.

Joined: Oct 2002
Posts: 9,997
Longbob Offline OP
Campfire Outfitter
Thanks for the replies and clarification.

Joined: May 2001
Posts: 18,345
Campfire Ranger
It was a pretty sophisticated attack, both in how it worked, how it was obfuscated, and how 'they' manipulated the one guy that maintained the xz package into letting someone 'help' him.

One thing that's clear to me is that makefiles (a file that is written in an instruction language that tells a system how to build binaries) are way too complicated and extremely difficult to examine (or debug, from my experience). Once you get into kernel development on Linux you're completely dependent on them, and rarely does anyone go through the whole build and its dependencies to see what's going on and where it's getting everything (tarballs, downloads, etc). Add onto that something like Yocto (a Linux build tool that allows cross-processor-specific builds) and it gets even more confusing. It's like a lasagna made of lasagna made of spaghetti.

Don't want to get into it in too much detail, but...

The perpetrator got the exploit into the kernel via a makefile that linked in a tarball (.tar file that is a binary). The exploit then attacked a portion of the Linux kernel by doing what is called a 'double free', or freeing (putting memory back on the stack) the same memory twice. This allows the user access to the first chunk of memory. The attack was on the network socket code. I won't go into it too far, as it's above my pay grade, but I've done some kernel work in my time and I kinda understand it.

Here's a vid that describes the mechanics of the attack:



Suffice it to say, I think that this was a state actor (see my first line).

Regarding manipulation of the maintainer, it's clear that he was targeted as he was the only guy on the planet working on the XZ code and they basically beat him up until he agreed to allow a specific person to 'help' him.

Also the exploit only allows a person with a very specific security certificate to gain access. So that's another reason why I think it was a state actor.

Open source, while it has MANY benefits, is ripe for exploits.



[Linked Image from imgs.xkcd.com]


Carpe' Scrotum
Joined: May 2001
Posts: 18,345
Campfire Ranger
Originally Posted by Swifty52
There is absolutely no OS that is safe, none. It just highlights the fact that Linux was under the radar and not in widespread use except on servers and routers (in which a major flaw was found a few years back). Gaining popularity gains incentive to write code to exploit flaws.
Apple, which uses a UNIX kernel, found that out on their app store and also quietly started shipping antivirus in their OS after some bad actors put out a virus specifically for Apple.
Change a few lines of code inside a program and, if it goes unnoticed, you hit the jackpot.

I disagree with this somewhat. Most of the IoT (Internet of Things) things that are built today are based on one form of Linux or another. TVs, Android phones (it's a Linux kernel), routers, appliances, etc are all running a version of Linux. The kernel code is quite often shared between systems and is required to be open source per licenses. For the OS there are lots of reasons to use open source for the OS (and kernel); the two biggest are it's free and someone has already done most of the work. This allows the commercial developer to focus on their secret sauce.


Carpe' Scrotum
Joined: May 2003
Posts: 31,250
Campfire 'Bwana
Almost all of what these two men are saying is WAY above my head.

The bottom line for the rest of us is that Linux is really at the core of everything, running everything but essentially invisible. Liken it to the deep pilings and foundation of a building. Those of us up here above ground rarely think of it, even though we depend on it every day.


Cleverly disguised as a responsible adult.

Joined: Sep 2008
Posts: 15,539
Campfire Ranger
Ancient late 1970s computing language/writing experience and only a smattering of ignorance with the vast developments ever since enable only some effective use of the equipment/internet, building a website, running an accounting program or installing some Linux setups. I have almost no understanding of the details/magnitude of the event described in the OP.

Wishing I had a much clearer picture of the bad behavior and implications. Can anyone here describe it with elementary school terms/examples?


NRA Member - Life, Benefactor, Patron
Joined: May 2001
Posts: 18,345
Campfire Ranger
It was an exploit put into a Linux tool that allows a person with a specific credential (think username and password) to remotely access a Linux system. It would have allowed any system with that version of the tool to be accessed and taken over. It would have allowed the exploiter to install code, etc.

Fortunately a person found the issue and alerted the community and it didn't get very far (before official release). But he found it by accident. He was doing benchmarks on tools and found that a tool called ssh (which is used for legitimate remote access) execution time had nearly doubled from the previous release.


Carpe' Scrotum
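As an added example (not code from the thread or from the XZ project), here is a shell script a Linux admin could run to check a host for this exploit: it reads the installed xz version, compares it against a placeholder list you fill in from your distribution's advisory, and checks whether the sshd binary can load liblzma, the XZ library, which is how the tampered compression tool's code could reach remote logins at all. The affected version numbers and the sample command outputs are placeholders and constructed data, not values from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: a host exposure check for the XZ Utils
# backdoor. Two questions matter for a defender: is the installed xz one of
# the tampered releases, and can sshd load liblzma (the XZ library) at all?

# PLACEHOLDER: fill in the affected version numbers from your distribution's
# advisory; the values below are deliberately not real version numbers.
AFFECTED_VERSIONS="X.Y.Z X.Y.W"

# is_affected_version VERSION -> exit 0 when VERSION is in AFFECTED_VERSIONS.
is_affected_version() {
  for a in $AFFECTED_VERSIONS; do
    [ "$1" = "$a" ] && return 0
  done
  return 1
}

# xz_version_from_output OUTPUT -> prints the version from the first line of
# `xz --version`, whose format is "xz (XZ Utils) <version>".
xz_version_from_output() {
  printf '%s\n' "$1" | sed -n '1s/.*) \([0-9][0-9.]*\).*/\1/p'
}

# links_liblzma LDD_OUTPUT -> exit 0 when the listing names liblzma.so.
# sshd itself does not compress anything; the library reaches it indirectly
# through another shared library, which is why the full ldd listing is checked.
links_liblzma() {
  printf '%s\n' "$1" | grep -q 'liblzma\.so'
}

# report: run both checks against the live host (needs xz, ldd and sshd).
report() {
  ver=$(xz_version_from_output "$(xz --version 2>/dev/null)")
  echo "installed xz: ${ver:-unknown}"
  if is_affected_version "$ver"; then
    echo "WARNING: xz $ver is in the affected list"
  fi
  sshd_path=$(command -v sshd 2>/dev/null || echo /usr/sbin/sshd)
  if [ -x "$sshd_path" ] && links_liblzma "$(ldd "$sshd_path" 2>/dev/null)"; then
    echo "sshd ($sshd_path) can load liblzma: a tampered xz would run inside sshd"
  else
    echo "sshd does not link liblzma, or sshd/ldd not found"
  fi
}

# Constructed sample inputs (not captured from any real host) so the parsing
# functions can be exercised without xz or sshd installed.
SAMPLE_XZ_OUTPUT="xz (XZ Utils) 5.4.1
liblzma 5.4.1"
SAMPLE_LDD_LINKED="  libsystemd.so.0 => /lib/libsystemd.so.0 (0x00007f00)
  liblzma.so.5 => /lib/liblzma.so.5 (0x00007f01)"
SAMPLE_LDD_CLEAN="  libc.so.6 => /lib/libc.so.6 (0x00007f02)"

report
```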
Joined: Sep 2008
Posts: 15,539
Campfire Ranger
Originally Posted by Steve
It was an exploit put into a Linux tool that allows a person with a specific credential (think username and password) to remotely access a Linux system. It would have allowed any system with that version of the tool to be accessed and taken over. It would have allowed the exploiter to install code, etc.

Fortunately a person found the issue and alerted the community and it didn't get very far (before official release). But he found it by accident. He was doing benchmarks on tools and found that a tool called ssh (which is used for legitimate remote access) execution time had nearly doubled from the previous release.
Thank you.


NRA Member - Life, Benefactor, Patron
Joined: May 2003
Posts: 31,250
Campfire 'Bwana
As hinted at above, it was likely initiated by one of our three-letter agencies in an attempt to "weaponize" computer servers. Whether that weapon could be used against enemies or us - or both - is the subject of conjecture.


Cleverly disguised as a responsible adult.

Joined: Oct 2011
Posts: 59,088
Campfire Kahuna
Originally Posted by RockyRaab
As hinted at above, it was likely initiated by one of our three-letter agencies in an attempt to "weaponize" computer servers. Whether that weapon could be used against enemies or us - or both - is the subject of conjecture.


I know where I'm putting my money.


Paul

"I'd rather see a sermon than hear a sermon".... D.A.D.

Trump Won!, Sandmann Won!, Rittenhouse Won!, Suck it Liberal Fuuktards.

molɔ̀ːn labé skýla

Joined: May 2001
Posts: 18,345
Campfire Ranger
Another good vid on the subject.



Carpe' Scrotum
Joined: Nov 2008
Posts: 8,649
Campfire Outfitter
Originally Posted by Steve
Originally Posted by Swifty52
There is absolutely no OS that is safe, none. It just highlights the fact that Linux was under the radar and not in widespread use except on servers and routers (in which a major flaw was found a few years back). Gaining popularity gains incentive to write code to exploit flaws.
Apple, which uses a UNIX kernel, found that out on their app store and also quietly started shipping antivirus in their OS after some bad actors put out a virus specifically for Apple.
Change a few lines of code inside a program and, if it goes unnoticed, you hit the jackpot.

I disagree with this somewhat. Most of the IoT (Internet of Things) things that are built today are based on one form of Linux or another. TVs, Android phones (it's a Linux kernel), routers, appliances, etc are all running a version of Linux. The kernel code is quite often shared between systems and is required to be open source per licenses. For the OS there are lots of reasons to use open source for the OS (and kernel); the two biggest are it's free and someone has already done most of the work. This allows the commercial developer to focus on their secret sauce.

Won't disagree with Linux due to it being free, but all things internet can trace their roots back to AT&T's development of UNIX as an OS. Even the C programming language that is used in some fashion to produce all things internet today. Then there were the Pascal and Fortran languages, developed for specific functions in UNIX. The internet, by the way, was around in the 60’s and 70’s as communication for the military; forget the designation of the dedicated worldwide phone system, but it was there.



Swifty
Joined: Oct 2014
Posts: 871
Campfire Regular
I find it interesting to think of the months or years of 'social engineering' the bad actor engaged in so that he could put that payload where he wanted. I'm sure it's a lesson that will be thought about and discussed for a while.


We all know advertising works, we just don’t think it works on US!
