devel / sci.crypt / Re: Backdoor in XZ Utils That Almost Happened (Bruce Schneier)

http://rslight.i2p/devel/article-flat.php?id=893&group=sci.crypt#893

Path: i2pn2.org!i2pn.org!usenet.blueworldhosting.com!diablo1.usenet.blueworldhosting.com!peer03.iad!feed-me.highwinds-media.com!news.highwinds-media.com!fx16.iad.POSTED!not-for-mail
From: email@domain.com (xphi)
Newsgroups: sci.crypt
Message-ID: <2024041516543153698-email@domain.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1; format=flowed
Content-Transfer-Encoding: 8bit
Subject: Re: Backdoor in XZ Utils That Almost Happened (Bruce Schneier)
User-Agent: Unison/2.2
Lines: 51
X-Complaints-To: abuse(at)newshosting.com
NNTP-Posting-Date: Mon, 15 Apr 2024 14:54:31 UTC
Organization: Newshosting.com - Highest quality at a great price! www.newshosting.com
Date: Mon, 15 Apr 2024 16:54:31 +0200
X-Received-Bytes: 3100

Posted a few hours ago as a comment to

https://www.schneier.com/blog/archives/2024/04/backdoor-in-xz-utils-that-almost-happened.html

but - as at least two times with other comments in the past few years -
it did not make it through "moderation", so posting it here just for fun;
no clue why it would not have been allowed there, did post occasionally
there in the past, the comment seems pretty rational and also quite neutral
to me, and also a contribution to maybe how to improve things...

--

A "conspiracy theory" and then some thoughts about a maybe similar
approach in the open:

What if the NSA was routinely parsing all software they can get the
source of, using automated tasks (incl. "AI") plus human intelligence,
i.e. doing something that is part of their job, to protect the USA and
even "the free world"? And maybe they would have discovered the xz
vulnerability at some point and it would have been judged too dangerous
to make it into Linux releases, by the NSA and/or related political
bodies? Given that according to Snowden's documents of 2014, the NSA
was using MS products quite a lot at the time, maybe the easiest path
would have been via someone at MS, maybe even someone who did not have
ties to the NSA before that, to get a plausible story of how the attack
was detected?

Apparently a somewhat similar approach that uses vulnerability detection
software is already done automatically with open source projects,
actually apparently had to be disabled for this attack to go unnoticed
at first. Would it be a pragmatically very helpful path to improve such
open source detection software, to invest quite a bit of work and money
there? Similarly to argumentation about closed or open source security
software, open source detection software would have the disadvantage
that attackers would be able to test their attack code for
undetectability, but code could improve more easily in principle if
enough sophisticated people cared about it, so presumably overall still
a net gain in security?

I guess one thing that is not desired in a "free world" is that small
projects (one-person or just a few) would be eschewed, because a lot in a
free world comes from being open to individuals to make a difference
without being embedded in something "big" from the start. What is a bit
different online is that it is harder to tell if someone who contacts
you can be trusted, which was also part of the xz attack...

--

xphi
