I’ve already started changing my scripts away from xz. The way this whole thing has unfolded is just bizarre. Too many Manchurian Candidate vibes for me. At this point I don’t see a compelling reason to stick with xz since there are a number of excellent alternatives. That said, I did find an interesting article that seems to echo the state sponsored theory. Of course, the jury is still out…
Let’s talk about them.
It always looks bad when a widespread software project loses attention and is (almost) taken over by a single developer. So discussing alternatives always makes sense; that is how open source works.
As an alternative, people should also read the other side of the coin:
XZ Utils backdoor
Exactly. Although we still don’t know all the facts, if the timeline is accurate, it seems unlikely (though not impossible) that this is a lone wolf exploit - which makes it all the more concerning.
I did find another site that had a good summary of events: xz backdoor summary
And another discussing the fallout and blast radius.
I believe it will just be a matter of time to track down the person responsible. Not only do you have regular netizens looking into it, but I wouldn’t at all be surprised if the NSA got involved (and they probably already are looking into it).
I don’t trust anything Facebook makes/does. So we’ll have to see how this all shakes out. Zstd might or might not be a way forward. Also, a ton of eyes are on the projects now (which is a good thing).
Everything they do has some type of hidden agenda. Their recently unsealed court documents prove this.
I honestly don’t think they will embed anything in there.
I hate Facebook and Google too, but the open source stuff that they do is often good.
They make money moving data between servers, farms, clouds etc. Having an efficient compression algorithm is a good reason why they would develop this.
I like to have an explanation for “why is this software developed”, and maybe I don’t understand FOSS, but I understand way better why Meta, Alphabet and Microsoft are developing stuff like that than why some random developer is developing xz for free.
For a lightweight compression/decompression library. It started out as LZMA and was originally from a group that made a Slackware-based distro. It is used in the Linux kernel … XZ data compression in Linux — The Linux Kernel documentation
I don’t see where you’re going with the question, it was developed because the developer at the time saw a need for it I would think.
Fair point my friend, but I do take a bit of issue with this statement, due in part to the abuse and pressure the original developer of XZ, Lasse Collin, underwent, which ultimately ended in this exploit.
"Soon after, Jigar Kumar begins pressuring Lasse Collin to add another maintainer to XZ. In the fallout, there is much to learn about mental health in open source.
Three days after the emails pressuring Lasse Collin to add another maintainer, JiaT75 makes their first commit to xz: Tests: Created tests for hardware functions. Since this commit, they become a regular contributor to xz (they are currently the second most active). It’s unclear exactly when they became trusted in this repository."
A good thing to note here is also how the Open Source community will recommend software in a flippant manner. “It’s Open Source!” without doing the research into the project. I say this because I embarked on such a journey in January of this year with the Thorium Browser.
- A friend asked me to look into this for them, due in part to YouTuber Chris Titus heavily recommending it on his channel. It turns out the browser had easter eggs that could be deemed offensive, and also the development was shaky at best.
This led me into researching how to containerize and lock down software easily for layman users, hopefully developing a system to accommodate the curiosity of users about new FOSS projects.
The Open Source community is far too reliant on someone else checking if code is good or not, if a project is secure or not. It almost feels like, well, it’s Open Source... there are many eyes on it so I’ll use it. While I think this XZ issue will blow over, and this incident is actually a good representation of Open Source communities looking out for things, we need to do a better job of surveying the code we use. The Meta/Facebook example is a good way of representing the malicious ways companies weaponize software, and adds to my example here.
Hooray for Open Source.