Risky Business

Risky Business #743 -- A chat about the xz backdoor with the guy who found it

Apr 3, 2024
Andres Freund, the Postgres developer, talks about discovering a backdoor in the xz Linux compression library. The podcast delves into the SSH backdoor issue, Microsoft's security vulnerabilities, Ukraine hacking Russia, and push-notifications vs Apple. They also discuss the implications of the supply chain attack in Linuxland and explore the technical aspects of the backdoor issue.
57:41

Podcast summary created with Snipd AI

Quick takeaways

  • Andres Freund discovered a sophisticated SSH backdoor in the XZ compression library, allowing root access via SSH servers.
  • Microsoft faced criticism from the CSRB for security lapses in handling a major hack affecting government organizations.

Deep dives

Complex Backdoor in XZ Compression Library

A detailed discussion in the podcast highlighted a sophisticated backdoor implanted in the XZ compression library, affecting Unix systems. The backdoor allowed pre-authentication access to SSH servers, enabling malicious actors to execute commands as root. The infiltration involved a bogus maintainer, Jia Tan, who gained trust within the open-source ecosystem, escalating the attack as a response to impending changes in Linux. The backdoor was part of release versions of XZ, targeting vulnerable systems running developer releases of Linux distributions.
