from Hacker News

Backdoor in XZ Utils That Almost Happened

by room505 on 4/11/24, 11:43 PM with 10 comments

  • by geoelectric on 4/12/24, 12:50 AM

    I find it unfortunate that Schneier chose to underline the XZ maintainer’s mental health issues (literally—he linkified it) as the reason he’d slowed down on the project, which then led to being open to taking on the malicious co-maintainer.

    Schneier then follows that linkified fact up immediately with a parenthetical that Collin isn’t to blame. But then why call out that very potentially stigmatic thing at all, with sources to boot?

    That explanatory note from Collin was buried in a mailing list and was at most a footnote to this story. Now it’s going to be part of the public accounting pushed by a famous security pundit with international reach, and with very little other context given to mitigate.

    Either Schneier was trying to make a point of some kind, in which case he sure wheedled around it, or he should’ve been considerably more careful with essentially the only personal fact he chose to highlight about Collin. Either way, I’m disappointed.

  • by ChrisMarshallNY on 4/12/24, 1:04 AM

    > The market economy rewards this sort of insecurity.

    That's the money quote, right there. As long as people are willing to pay for shit, there will be people willing to produce and sell shit.

    Why bother doing due diligence, if skipping it means an extra lambo in the garage?

  • by jijji on 4/12/24, 12:51 AM

    Changing the code by one character, making it have an int overflow, would have been more elegant... no, and the reason I even bring this point up is that in the early days of hacking into developers' machines you sometimes find unpublished integer overflow exploits...

  • by 1vuio0pswjnm7 on 4/12/24, 1:20 AM

    "Everything you use contains dozens of these libraries: some commercial, some open source and freely available."

    "Everything". Really. I use numerous programs that do not "contain dozens of libraries".

    How could he improve the sentence? Perhaps something like

    "Many programs link to dozens of these libraries..."

    "Everything most people use contains dozens of these libraries..."

    And so on.

    I am typing this comment in text mode using a text-only browser that is statically linked to fewer than five libraries, including libc. I'm not using any commercial libraries. I have no idea what comprises "everything" anyone reading it is using, or whether each of those things is linked to "dozens of libraries". How would I? And neither does this author.

    How difficult is it for an author to verify the accuracy of each sentence in an article? Perhaps it is more difficult when you rely on software developers as sources and they tell you a story full of hyperbole, exaggeration, and biased, selective disclosure of facts.

    The article in japantimes.co.jp someone submitted was absolutely cringeworthy.