A week ago a developer in San Francisco named Andres Freund found a backdoor in SSH which would grant some shadowy figure access to Linux machines running the latest version of a library called liblzma.  Even more incredibly, there were various semi-anonymous figures clamoring for inclusion of this compromised version of liblzma into the latest version of various Linux distros. 

This entire scheme had been underway for over three years before it fell apart under Freund's scrutiny and attention from the broader software industry.

This week Mike gives us a breakdown of the exploit and we talk about the fallout from this backdoor which took advantage of an overworked and vulnerable open-source maintainer. 

As Mike puts it, the story is "bonkers".

To read more about it, check out these articles: 

• The Verge: “How one volunteer stopped a backdoor from exposing Linux systems worldwide” 
• Wired: “The Mystery of ‘Jia Tan,’ the XZ Backdoor Mastermind” 
• TuxCare: “A Deep Dive on the xz Compromise” 
• Timeline from Boehs.org: https://boehs.org/node/everything-i-know-about-the-xz-backdoor

Send us a text