Discovering the XZ Backdoor with Andres Freund

Andres Freund joined Bryan and Adam to talk about his discovery of the xz backdoor. It’s an incredible story… so great to get into the details with Andres. We started by ranting about the coverage in the New York Times… coverage that explicitly refused to dig into the details! It’s all the more shocking because the big story here is how Andres’ penchant for digging into the details is what saved us all from what would have been a pervasive and damaging attack!

In addition to Bryan Cantrill and Adam Leventhal, we were joined by special guest Andres Freund.

Our research for this episode:

• Andres' initial public disclosure
• New York Times: Did One Guy Just Stop a Huge Cyberattack? by Kevin Roose
• Kevin Roose
• New York Times front page from April 4th, 2024
• How I got started as a developer with Andres Freund & Heikki Linnakangas | Path To Citus Con Ep08
• The Mystery of ‘Jia Tan,’ the XZ Backdoor Mastermind | WIRED
• How one volunteer stopped a backdoor from exposing Linux systems worldwide - The Verge
• Linux backdoor was a long con, possibly with nation-state support, experts say - Nextgov/FCW
• research!rsc: Timeline of the xz open source attack
• Brian Krebs thread on mastodon
• Xz/liblzma: Bash-stage Obfuscation Explained
• A Microcosm of the interactions in Open Source projects
• Risky Business #743 -- A chat about the xz backdoor with the guy who found it (podcast)
• Risky Biz News: F-Droid narrowly avoided XZ-like incident in 2020 (podcast)
• What we know about the xz Utils backdoor that almost infected the world | Ars Technica
• Everything I know about the XZ backdoor
• LINUX Unplugged 556: The xz Backdoor Exposed 🚨 (podcast)

If we got something wrong or missed something, please file a PR! Our next show will likely be on Monday at 5p Pacific Time on our Discord server; stay tuned to our Mastodon feeds for details, or subscribe to this calendar. We'd love to have you join us, as we always love to hear from new speakers!

Recorded April 8th, 2024