mikeizbicki/cmc-csci143

Internet Drama Security Drama and xz

Closed this issue · 0 comments

Over the weekend a major security vulnerability was found in the xz library. Here are the details:

  1. xz is a standard library installed in almost all linux/mac machines. It handles compression in the xz format.

  2. Many tools rely on the xz library. For example, OpenSSH (which is the daemon running on the lambda server for ssh access) uses the xz library.

  3. A postgres developer (working at Microsoft) noticed that his OpenSSH connection was slow. (It was responding in ~20ms instead of ~1ms.)

  4. The postgres developer traced this behavior back to the xz library, and realized that the library had special code inserted into it that only triggers when used with OpenSSH. It provides a "backdoor" that lets anyone connect to any ssh server without knowing the username/password.

  5. The xz library was maintained from 2005-2021 only by Lasse Collin. In 2021, a new volunteer, Jia Tan, arrived and started contributing.

  6. Most of these contributions were real. But in 2023, Jia Tan slowly began adding this backdoor. It is spread out over many commits and extremely sophisticated. Many people speculate that Jia Tan is a pseudonym for a state-level intelligence agency.

  7. This is why the lambda server was moved behind the VPN.
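Points 2-4 describe the exposure path: sshd only becomes reachable by the backdoor if liblzma (the xz shared library) ends up loaded into the sshd process. On many Linux distributions that happens indirectly, because the packaged sshd links libsystemd, which links liblzma. The script below is an added example, not part of the original issue or of the xz or OpenSSH projects; it shows how a defender can check whether a given binary pulls in liblzma at all, which is the first question to answer when deciding whether a host is exposed. It assumes `ldd` is available, and the ldd output embedded in it is constructed sample text, not captured from the lambda server or any real host.

```shell
#!/bin/sh
# Added example (not from the original issue): does a binary's resolved
# dynamic dependency set include liblzma, the shared library shipped by xz?

# links_liblzma reads ldd-style output on stdin and succeeds (exit 0) when
# liblzma appears anywhere in the resolved dependency list. ldd prints the
# full transitive set, so a library pulled in via libsystemd is listed too.
links_liblzma() {
    grep -q 'liblzma\.so'
}

# check_binary runs ldd on a real binary and reports the result.
# Exit status: 0 = links liblzma, 1 = does not, 2 = binary not found.
check_binary() {
    bin="$1"
    if [ ! -x "$bin" ]; then
        echo "$bin: not found or not executable" >&2
        return 2
    fi
    if ldd "$bin" 2>/dev/null | links_liblzma; then
        echo "$bin: links liblzma (xz); a compromised liblzma would be loaded into this process"
        return 0
    fi
    echo "$bin: does not link liblzma"
    return 1
}

# Constructed sample: what ldd might print for a Debian-style sshd whose
# libsystemd dependency drags in liblzma. Addresses and paths are made up.
SAMPLE_SSHD_LDD='	linux-vdso.so.1 (0x00007ffd00000000)
	libcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 (0x00007f0000000000)
	libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f0100000000)
	liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f0200000000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0300000000)'

# Constructed sample: an sshd built without the libsystemd dependency.
SAMPLE_CLEAN_LDD='	linux-vdso.so.1 (0x00007ffd00000000)
	libcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 (0x00007f0000000000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0300000000)'

# Demonstration on the constructed samples (guarded so the script exits 0).
if printf '%s\n' "$SAMPLE_SSHD_LDD" | links_liblzma; then
    echo "sample sshd: liblzma is in the dependency set"
fi
if ! printf '%s\n' "$SAMPLE_CLEAN_LDD" | links_liblzma; then
    echo "sample clean sshd: liblzma is not in the dependency set"
fi

# On a real host, run e.g.:
#   check_binary "$(command -v sshd || echo /usr/sbin/sshd)"
```

A hit from this check means the host is exposed to a compromised liblzma, not that it is compromised; confirming the installed xz package version against the distribution's advisory is the next step. A miss (no liblzma in the list) means the described sshd backdoor has no way into that process, which is why sshd builds without the libsystemd dependency were unaffected.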