undefined | Better HN

0 pointsbdd8f1df777b1y ago0 comments

> A back door in the same library is not likely.

But libsystemd is not linked to xz only. By removing it, sshd is free of many other potential risks.

0 comments

aborsy1y ago

Correct, I misread.

Still the question remains: what technology could be implemented to mitigate this type of attack (beyond sshd)?

For example, Linux sandboxing is poor, and SeLinux is not usually enforced.

vimax1y ago

Disable calling functions in transitive dependencies, force them to be direct dependencies.

Why should sshd be allowed to call an xz function directly without xz being an immediate dependency.

I'm not sure what all that would entail with the ifunc stuff, but I remember encountering a glibc linking change moving from Red Hat 6 to RH7 that did something similar and broke the build process for some legacy code.

hulitu1y ago

> what technology could be implemented to mitigate this type of attack (beyond sshd)?

UNIX ? (do one thing and do it well).

When your program links with 20 libraries, i have i very hard time to believe that security is one of your goals.

fsflover1y ago

See: Qubes OS.

metalspoon1y ago

I pointed out this weakness the other day on the internet. I got attacked by open source software armies.

ratg131y ago

Maybe it was because you weren't pointing out anything new?

There was a pull request to stop linking liblzma into libsystemd a month before the backdoor was found

https://github.com/systemd/systemd/pull/31550

This was likely one of many things that pushed the attackers to work faster, and forced them into making mistakes.

metalspoon1y ago

No. They couldn't get along with the idea that some open source software packages should also sometimes be cut away, just like all other packages.

They felt threatened by the idea that open source maintenance can ever go wrong and started attacking me. They argued closed source was worse.

That was not my point at all. I was not raising a weakness of open source. I was just pointing out that linking to libsystemd had that kind of problem.

ranger_danger1y ago

FOSS zealots are not always security experts.

flohofwoe1y ago

Please don't throw despicable systemd zealots and honorable open source zealots into the same bucket ;)

baobun1y ago

Please don't bring group-identity politics here.

ikekkdcjkfke1y ago

Plot twist: systemd zealots were all sockpuppets

trust_bt_verify1y ago

Thanks for sharing.

j / k navigate · click thread line to collapse

0 comments

aborsy1y ago

Correct, I misread.

Still the question remains: what technology could be implemented to mitigate this type of attack (beyond sshd)?

For example, Linux sandboxing is poor, and SeLinux is not usually enforced.

vimax1y ago

Disable calling functions in transitive dependencies, force them to be direct dependencies.

Why should sshd be allowed to call an xz function directly without xz being an immediate dependency.

hulitu1y ago

> what technology could be implemented to mitigate this type of attack (beyond sshd)?

UNIX ? (do one thing and do it well).

When your program links with 20 libraries, i have i very hard time to believe that security is one of your goals.

fsflover1y ago

See: Qubes OS.

metalspoon1y ago

I pointed out this weakness the other day on the internet. I got attacked by open source software armies.

ratg131y ago

Maybe it was because you weren't pointing out anything new?

There was a pull request to stop linking liblzma into libsystemd a month before the backdoor was found

https://github.com/systemd/systemd/pull/31550

This was likely one of many things that pushed the attackers to work faster, and forced them into making mistakes.

metalspoon1y ago

No. They couldn't get along with the idea that some open source software packages should also sometimes be cut away, just like all other packages.

They felt threatened by the idea that open source maintenance can ever go wrong and started attacking me. They argued closed source was worse.

That was not my point at all. I was not raising a weakness of open source. I was just pointing out that linking to libsystemd had that kind of problem.

ranger_danger1y ago

FOSS zealots are not always security experts.

flohofwoe1y ago

Please don't throw despicable systemd zealots and honorable open source zealots into the same bucket ;)

baobun1y ago

Please don't bring group-identity politics here.

ikekkdcjkfke1y ago

Plot twist: systemd zealots were all sockpuppets

trust_bt_verify1y ago

Thanks for sharing.

j / k navigate · click thread line to collapse