What can be done to protect open source devs from next xz backdoor drama?

What happened, how it was found, and what your vultures have made of it all

It's been about a week since the shock discovery of a hidden and truly sophisticated backdoor in the xz software library that ordinarily is used by countless systems.

An infected machine would have allowed someone with knowledge of the backdoor to gain remote control over the box via its SSH daemon. Though the dependency – poisoned by a rogue contributor – made its way into some bleeding-edge or to-be-officially-released Linux distros, such as Debian Unstable, Fedora 40, and Fedora Rawhide, it was spotted and thwarted before being widely deployed, which could have been a disaster.

Is this an example of open source fragility or strength? What can we do about securing popular bits of code that end up in tons of applications and servers? Do multi-billion-dollar corporations that feed off free work done by others need to step up and help here? Our Kettle series is back for our journos to discuss exactly this, which you can watch below.

Joining the show this week are Thomas Claburn, who covered the xz near-fiasco for us; The Register's cybersecurity editor Jessica Lyons; our editor Chris Williams; and your host Iain Thomson. This episode was produced by Brandon Vigliarolo.

As well as replaying our chat in the player above, you can listen via your favorite podcast distributor: RSS and MP3, Apple, Amazon, Spotify, and YouTube. And feel free to share your views too in the comments. ®
