I learned about the XZ Utils backdoor around 2 hours after it was published on YCombinator.
Around 5 hours after it was published, I did a quick Google News search for terms related to it — “xz utils,” “Linux,” “cybersecurity” — and got nothing.
Only after around 8 hours did I actually see a semi-mainstream publication write about it: Ars Technica. As of publication time, they are the largest publication I’ve seen write about what may be the worst out-and-about software vulnerability we see this year, with startling implications for national cybersecurity.
- It has a base CVSS score of 10.0, the absolute maximum rating a vulnerability can receive;
- It was slowly and steadily implanted into a widely used compression library that systemd, by far the most popular Linux init system, depends on, using obfuscation both in the code itself and in its distribution (the malicious build logic is absent from the git source and exists only in the release tarballs that distributions use to build system packages) to execute what has rightly been described as “the best executed supply chain attack we’ve seen described in the open” and “a nightmare scenario”;
- The library used to stage the attack only came into the attackers’ possession after what has been described as a manufactured “hostile takeover” of its maintainership. Before GitHub took it offline, I looked at the repository for this incredibly widely used tool: it had fewer than a hundred stars. One of the most widely used implementations of a favorite compression algorithm had fewer than a hundred GitHub stars, yet major distributions pulled from that repository, again as a dependency of a required system utility. It makes me wonder how many other major libraries have almost no reputation and oversight but are still being pulled into major distributions.
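The second point above, that the malicious build logic lived only in the release tarball and never in the git tree, suggests the check a packager or auditor can actually run: list the files in a release tarball, list the files in a checkout of the corresponding git tag, and review anything that exists only in the tarball. The script below is an added example, not code from the original post or from the XZ Utils project; it constructs a throwaway source tree and tarball in a temp directory so it runs offline, and the file names in it (`demo-1.0`, `extra-only-in-tarball.m4`) are invented for the demo. In the xz case the divergent file was a modified m4 macro under `m4/`.

```shell
#!/bin/sh
# Added example: report files present in a release tarball but absent from the
# source checkout of the same release. Inputs are constructed below for the demo;
# with a real project, point SRC_DIR at a checkout (or `git archive`) of the
# release tag and TARBALL at the downloaded release archive.
set -eu
export LC_ALL=C   # comm(1) needs both inputs sorted in the same collation

# tarball_only_files SRC_DIR TARBALL
#   Prints paths that appear in TARBALL but not under SRC_DIR, one per line,
#   after stripping the tarball's leading "pkg-version/" directory component.
tarball_only_files() {
    src_dir=$1
    tarball=$2
    src_list=$(mktemp)
    tar_list=$(mktemp)
    # Regular files in the source tree, as sorted relative paths
    (cd "$src_dir" && find . -type f | sed 's|^\./||' | sort) > "$src_list"
    # Entries in the tarball: drop directory entries, drop the top-level dir
    tar -tzf "$tarball" | grep -v '/$' | sed 's|^[^/]*/||' | sort > "$tar_list"
    # Lines unique to the second file = files only the tarball carries
    comm -13 "$src_list" "$tar_list"
    rm -f "$src_list" "$tar_list"
}

# demo: build a constructed checkout and a constructed tarball that carries one
# extra file, then run the comparison. Prints "m4/extra-only-in-tarball.m4".
demo() {
    work=$(mktemp -d)
    # Constructed stand-in for the git checkout of the release tag
    mkdir -p "$work/src/m4"
    printf 'AC_INIT([demo], [1.0])\n' > "$work/src/configure.ac"
    printf 'dnl harmless macro\n' > "$work/src/m4/harmless.m4"
    # Constructed release tarball: same tree plus a file that never went through git
    cp -r "$work/src" "$work/demo-1.0"
    printf 'dnl added at release time\n' > "$work/demo-1.0/m4/extra-only-in-tarball.m4"
    tar -czf "$work/demo-1.0.tar.gz" -C "$work" demo-1.0
    tarball_only_files "$work/src" "$work/demo-1.0.tar.gz"
    rm -rf "$work"
}

demo
```

The caveat a packager needs: autotools projects legitimately ship generated files (`configure`, `Makefile.in`, and so on) in the tarball that are not in git, so this check produces a list to review rather than a verdict. The stronger posture is to regenerate those files from the tagged source yourself and build from that, which is exactly what several distributions moved toward after this incident.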
This is the biggest supply chain attack since SolarWinds, yet the largest publication to cover it so far has been Ars Technica, even though it was disclosed two days ago.
This isn’t just technical babble that the cybersecurity community is going on about. It is a very real and dangerous threat that (while mitigation is in progress) could, by the high-end estimate, affect up to 30% of extant Linux servers. Even more worrying than the immediate problem is the set of circumstances that allowed it to occur: the blind and naive trust given to a library with almost no oversight or reputation; the lack of testing done on systems before deployment (the backdoor was discovered only because a developer benchmarking a completely unrelated project noticed sshd logins taking unusually long, not because distribution maintainers caught it); the ability of a compression library to inject code into the remote login daemon, sshd… and so on.
At some point I’d like to write more about that last point, because of how plainly absurd it is for a compression tool to have this kind of effect at all. But for now what baffles me is that mainstream press is just not talking about it.
Is it because they don’t know how to? I doubt it; something along the lines of “hacker plants virus into widely used server software” would do the trick for an entirely non-technical audience. Is it because they don’t find it newsworthy? Again, if the high-end estimate of compromised servers is 30%, that sounds pretty newsworthy to me! SolarWinds received tons of news coverage, which makes this even more surprising, because depending on what happens in the next few months this could be worse than SolarWinds. After all, SolarWinds’s customers were primarily government (which is why they were targeted), but Debian’s and Fedora’s customers are everyone. The backdoor is only confirmed in the unstable branches of both, but that does not mean the stable releases can be assumed clean: the malicious maintainer who uploaded these backdoors has had commit and release access for a long while. What if a different implant is in the versions those stable releases ship? Retroactively tampering with an already-packaged tarball would be caught by the checksum a distribution pins when it packages a release, so the more realistic question is what else that maintainer shipped in earlier releases.
My guess is that mainstream outlets just don’t have the staff or bandwidth in their coverage for this kind of news. It looks to me like the same problem afflicting educational institutions: however much these places pay their staff, it will never compare to what the industry itself pays the same kind of people. I could become a high school Computer Science teacher or a college Cybersecurity professor making somewhere between $60,000 and $80,000 a year, or I could work in a SOC for a six-figure starting salary. I imagine the same is true of reporting.
This lack of security coverage leads directly to the mystification of the “hacker” as a kind of techno-magician who can take over large swaths of society’s computing power at will, and in turn to a sort of learned helplessness among the general public. People believe that there is nothing we can do to stop hackers, that everyone’s personal information will inevitably be leaked, and that it is worthless to try to stop it. None of these things is true! But a person who believes these falsehoods will inevitably not try to prevent their predictions from coming about, leading to a self-fulfilling prophecy. Better security coverage could change this by educating the general public about the true nature of cybersecurity and of cyber-attacks, but without competitive pay in the reporting industry I doubt that will happen anytime soon.