Meanwhile others have suggested this is good motivation for moving off XZ/liblzma to alternatives such as using Zstd.
Announcement
Collapse
No announcement yet.
GitHub Disables The XZ Repository Following Today's Malicious Disclosure
Collapse
X
-
Originally posted by StarterX4 View PostIt is. Time to switch to Zstd and ditch legacy libraries and standards.
Still, sadly, just not gonna happen.
Why?
For normal users and rolling distributions that claim is plausible and perhaps even desirable.
But as soon as any commercial side comes walking in, they will ask long(er) term support. You cannot give long term support on future software so you get long term support on - then current - software. Which will go outdated during the support term. And that is what promoted the existence of old legacy crap that still has to be supported. It's always a commercial - and financial - reason. And if that support is too long it becomes a technical debt reason too which in turn promotes even longer term support as flipping the switch to something new brings too many unknown.
Funny how the world works huh
Comment
-
Originally posted by avis View Post
Any hacked parties though?
Originally posted by avis View PostIn 40 years there must be thousands if not millions, right?
Originally posted by avis View PostGod damn it, why can't you talk facts?
Originally posted by avis View PostI don't care about your abbreviations, neither "timing attacks against AES". Why is the whole world still using AES if it's so insecure? Where are all the banks and people hacked left and right because of it? Where are hot tabloid stories? Wait, nothing? Lies and conspiracies. The Linux community. Or should I say a cult?
Reference [9] from the above:
and
Also: https://arxiv.org/pdf/1901.01759.pdf
Our results show that we are able to extract TLS keys after a handshake in less than 15.5 seconds in the median on lower load levels and in no more than about 32.7 seconds in the median on our highest evaluated load level. The extraction of the FDE key after a disk write event took between less than 7.4 seconds and 12.3 seconds in the median. The extraction phase for SSH keys after an SSH handshake took about 0.8 to 1.35 seconds in the median.
If you read the publicly available 'Capability Packages' made available by the U.S. National Security Agency, you will see that AES is approved for data-at-rest up to Top Secret: https://www.nsa.gov/Portals/75/docum...sonI-Now%3d%3d
but AES alone is not approved for data in transit - two separate layers of encryption are required: https://www.nsa.gov/Portals/75/docum...0Package%20v2_ 5_1.pdf?ver=A0d5WxyVN23HYsYlTiYo2g%3d%3d
and there are some restrictions on the endpoint devices (EUDs), not least that they need to be under continuous physical control at all times. AES encrypted data is pretty secure: running the encryption algorithm is not because of the opportunities for 'cheating' and extracting the key by 'eavesdropping' on the encryption process. This is partly down to the use of S-boxes in the design.
As for why AES is used: it's a mandated standard if you follow FIPS (which a lot of people do).
Originally posted by avis View PostAgain, I can tell you my IP address and open/forward all standard Windows ports for your pleasure. Go hack me. Prove your worth.
You cannot afford my pen-testing services, and we don't have a proper legal agreement.
- Likes 6
Comment
-
This is why I think Linux packaging is a failure right now. The constant "Just fork it!" nature of Linux is spreading resources too thin. Too many different package managers. Too many different software repositories with overworked packagers trying to keep up with the thousands of applications a distro might have. Too many different distributions that are all largely the same except for some very superficial differences.
So as a result, no one is actually taking the time to double check and review things. XZ is a critical core component of many distributions and software packages. If a critical component, and an otherwise stable feature-complete application gets an update, it should be scrutinized to the fullest extent.
Instead of we have spread-thin package maintainers that just vacuum it up without a second thought.
I get that it's difficult to understand what someone else's code is doing, but that's why the KML requires certain standards and comments that clearly explain what the code is trying to do.
For critical components like XZ, maintainers should just flat out reject updates without clear comments that carefully explain what each new addition is doing.Last edited by AmericanLocomotive; 30 March 2024, 01:44 PM.
- Likes 2
Comment
-
Originally posted by avis View Post
Please hack my Windows. I dare you. I can forward all its ports to the Internet and tell you my IP address.
Microsoft is patching a serious flaw in various versions of Windows today after the National Security Agency (NSA) discovered and reported a security vulnerability in Microsoft’s handling of certificate and cryptographic messaging functions in Windows. The flaw, which hasn’t been marked critical by Microsoft, could allow attackers to spoof the digital signature tied to pieces of software, allowing unsigned and malicious code to masquerade as legitimate software.
Sources tell KrebsOnSecurity that Microsoft Corp. is slated to release a software update on Tuesday to fix an extraordinarily serious security vulnerability in a core cryptographic component present in all versions of Windows.
This component was introduced into Windows more than 20 years ago — back in Windows NT 4.0. Consequently, all versions of Windows are likely affected (including Windows XP, which is no longer being supported with patches from Microsoft).
http://https://krebsonsecurity.com/2...patch-tuesday/Last edited by Volta; 30 March 2024, 01:54 PM.
- Likes 1
Comment
-
Originally posted by AmericanLocomotive View PostThis is why I think Linux packaging is a failure right now
So as a result, no one is actually taking the time to double check and review things. XZ is a critical core component of many distributions and software packages. If a critical component, and an otherwise stable feature-complete application gets an update, it should be scrutinized to the fullest extent.
I get that it's difficult to understand what someone else's code is doing, but that's why the KML requires certain standards and comments that clearly explain what the code is trying to do.
For critical components like XZ, maintainers should just flat out reject updates without clear comments that carefully explain what each new addition is doing.
- Likes 3
Comment
-
Originally posted by emansom View PostGood call to not trust any code of the developer and/or xz itself until further investigation. Bad call to disable all access, it was a central point to discuss. Welp, guess there's Hacker News still.
As some distros suggested, they might go back ~2 years, before Jia Tan started to contribute to XZ, and start a fork from that point.
Comment
-
It seems the author of the backdoor also contributed suspicious code to the, the more widely integrated, libarchive.
Added the error text when printing out warning and errors in bsdtar when untaring. Previously, there were cryptic error messages when, for example in issue #1561, the user tries to untar an archive...
- Likes 3
Comment
-
Originally posted by mSparks View Post
you going to have to explain that more, because right now you sound like a malware author complaining that github deleted their shit.
- Likes 2
Comment
Comment