this post was submitted on 31 Mar 2024
10 points (55.7% liked)
Linux
48634 readers
1192 users here now
From Wikipedia, the free encyclopedia
Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).
Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.
Rules
- Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.
- No misinformation
- No NSFW content
- No hate speech, bigotry, etc
Related Communities
Community icon by Alpár-Etele Méder, licensed under CC BY 3.0
founded 5 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
I like your last statement.
I agree that users should take responsibility for their system, I myself learned to fully encrypt my Linux with luks2 and things about secure boot, tpm2 or so.
That's why I'm making assumption of the need for non-tech savvy users, like most Windows users if they come to Linux world.
The xz attack was not a clown show. It's a well orchestrated attack, with a lot of clever techniques to slip a payload into something that is supposed to be fully open and readable source code. Somebody recognized a difference between what people think ssh&systemd's dependency graph looks like, and what it actually was. Fuckery went into disabling some technical defenses (a single dot was snuck into an autoconf file! Try to find it.) and SE went into disabling others. The best malware reversers in the world have been shooting caffeine into their eyeballs for 2 days, trying to make sense of latter-stage payloads.
This attack was damn good. They either got unlucky, or there is a small possibility that our spies out-spied them and dropped the dime. Another angle is that they were running out of time - systemd developers were getting nervous about their own surface area and were working to cut that back. The attacker took the chance on running their play before it was fully bulletproofed, because it was in greater danger of becoming an obsolete exploit.