Next.js App Router + React Server Components Demo

new
past
show
ask
show
jobs
submit

24 points by ctrlmeta 18 hours ago | 17 comments

LunaSea 18 hours ago [-]

> The Debian development team declined to remove the affected images, stating that they were development builds that should not be used on real systems in place of newer, clean container versions.

Classic Debian security management

BrouteMinou 14 hours ago [-]

Not that I approve the Debian decision here, but calling it "classic" seems a bit of a stretch?

Do you have many more examples to call that a "classic" Debian security behaviour?

LunaSea 9 hours ago [-]

Like this: https://jblevins.org/log/ssh-vulnkey ?

pogopop77 17 hours ago [-]

Given this was backdoor was likely funded by a nation-state actor and very carefully obfuscated, the fact that it was discovered within a month and never rolled out to production releases, shows that the open source process mostly worked. Not saying it couldn't be better.

mingus88 16 hours ago [-]

I kinda disagree. This was luck. A dev on an unrelated project happened upon it and was diligent enough to dig in. A single change to any number of variables would have meant disaster.

I worked at a company that got red teamed. The pen testers were inside the network and were only found by a random employee who happened to be running little snitch and got a weird pop-up

Nobody celebrated the fact that the intrusion was detected. It was pure luck, too late, and the entire infosec leadership was fired as a result.

Like this xv issue, none of the usual systems meant to detect this attack seemed to work, and it was only due to the diligence of a single person unrelated to the project was it not a complete show.

jqpabc123 18 hours ago [-]

This really illustrates a broad security issue with open source development and methodology.

Who vets contributors, maintainers and submissions?

Answer: Unknown in many (if not most) cases. Unless you have the time and expertise to do so yourself; it is purely based on trust.

nwellnhof 17 hours ago [-]

Contributors and their submissions are vetted by maintainers. New maintainers are ideally vetted by existing maintainers. This can obviously break down in undermaintained projects.

jqpabc123 16 hours ago [-]

New maintainers are ideally vetted by existing maintainers

This ideal obviously did not happen here.

And there are no consequences for those who fail to do so.

yjftsjthsd-h 17 hours ago [-]

That's not unique to open source or open development.

jqpabc123 16 hours ago [-]

Anonymity is the unique aspect of open source that opens the door for malicious activity without consequences.

yjftsjthsd-h 16 hours ago [-]

Well, no; there's plenty of proprietary software without a human name attached (let alone a name that you could possibly verify is real), and there are FOSS projects that only take contributions from people who have identified themselves in some capacity.

jqpabc123 14 hours ago [-]

Well, no; there's plenty of proprietary software without a human name

A human name is not required for legal accountability.

A human name is required in order to be legally employed.

None of this applies to open source in many (if not most) cases --- the subject one being an example.

yjftsjthsd-h 11 hours ago [-]

My point was more that there's plenty of software that is not FOSS and is also not published by an identifiable legal entity, traditionally appearing as freeware/shareware for Windows/macOS. And even if there does appear to be some sort of legal entity (human or company), how many people are going to check that a company even exists on paper before installing the random .exe from its website?

Anonbrit 8 hours ago [-]

There's tons of utter garbage commercial software. There's commercial software with intentionally built in backdoors and information stealing. Most of it gets zero accountability, nor do the sites that distribute it, nor the ad networks that find viewers for it.

Just like there's basically no reputational harm anymore for leaking all your users details for most leaks

jmclnx 17 hours ago [-]

>While xz is commonly present in most Linux distributions,

Not Slackware since Slackware does not patch xz or many other utilities. Plus it does not use systemd. From what I remember a patch was put in to give systemd extra functionality and someone used that patch to sneak in the backdoor.

NekkoDroid 17 hours ago [-]

The xz attach happened cuz systemd's library dynamically linked against xz for compression of various tools in systemd and a downstream patch for openssh (IIRC) was used to link against libsystemd to use some founctions for the sd-notify protocol.

This wasn't exactly necessary since the protocol has been stable for external use for ages (since its inception IIRC) and is relatively trivial to implement.

Since the attack happened openssh gained native support for the sd-notify protocol, the sd-notify man page has an example implementation that is freely usable and libsystemd now only loads xz (and most of its other libraries) when explicitly requested by one of the tools via `dlopen`.

flykespice 16 hours ago [-]

The behemoth that is autotools mostly helped to conceal the backdoor (and contributed to the payload)

It's an old legacy technology that needs to die out from all forms of distributions (looking at you GNU)