• 0 Posts
  • 433 Comments
Joined 1 year ago
cake
Cake day: July 29th, 2023

help-circle










  • Very annoying - the apparent author of the backdoor was in communication with me over several weeks trying to get xz 5.6.x added to Fedora 40 & 41 because of it’s “great new features”. We even worked with him to fix the valgrind issue (which it turns out now was caused by the backdoor he had added). We had to race last night to fix the problem after an inadvertent break of the embargo.

    He has been part of the xz project for 2 years, adding all sorts of binary test files, and to be honest with this level of sophistication I would be suspicious of even older versions of xz until proven otherwise.

    Damn. I would love to see a full post mortem on this compromise.








  • I get where you’re coming from but is he managing his risk or not?

    Does he understand the risk? If yes, good. No? Bad.

    Is he ignoring the risk? If yes, bad. No? Good.

    Is he weighing the risks against the benefits he receives of using these apps and taking appropriate steps to mitigate those risks? If yes, then good. No? Bad.

    Cyber security isn’t “lock everything down at all costs”. Otherwise I would insist you throw your phone in an incinerator along with all your computers, live in a bunker reinforced against nuclear attack with a small army to guard you, never leave it, never talk to anyone… Etc.

    It is enabling one to achieve their goals with a tolerable amount of risk. That level of tolerable risk is different for everyone.