Inside the failed attempt to backdoor SSH globally that got caught by chance
Open Source vs Proprietary Security
- Debate over whether open source is safer than closed source:
- Pro-open-source: backdoors and vulnerabilities can be spotted by anyone; example NSA-related key in Windows mentioned; this xz backdoor was ultimately caught in the open.
- Skeptical view: “enough eyeballs” is misleading; you need the right (often scarce, expensive) eyeballs. Source availability also helps attackers find bugs.
- Counterpoint: proprietary software can hide backdoors indefinitely; reverse engineering and fuzzing help, but visibility is worse than with OSS.
Systemd, libsystemd, and Attack Surface
- Some blame systemd’s breadth (“does too much,” increases attack surface; libsystemd dragged xz into sshd).
- Others counter:
- The problematic link to libsystemd was a downstream OpenSSH patch in Debian/Fedora, not required by OpenSSH.
- Many systemd services don’t link libsystemd; its dependency tree is small compared to glibc.
- Even without systemd, any widely used library could have been targeted.
Detection, Tooling, and Security Industry
- The backdoor was found via performance anomalies in sshd.
- Automated tools (e.g., valgrind in distro pipelines) had already flagged odd behavior, but warnings were effectively ignored or not investigated deeply.
- Some criticize the security industry for focusing on complex, low-probability issues while missing huge supply-chain holes; others note similar attacks (e.g., SolarWinds) were detected far later.
Maintainers, Abuse, and Funding
- Recurrent theme: critical infrastructure relies on small, often unpaid projects with burnout-prone maintainers.
- Corporate users frequently contribute nothing back; some call this “parasitic,” others argue wide adoption itself has value.
- Suggested remedies:
- Companies sponsoring maintainers or funding foundations.
- Dedicated teams (via Linux Foundation–style bodies) to maintain “deep stack” dependencies that individual firms won’t fund directly.
- Concerns that money can skew priorities and turn volunteer projects into stressful jobs.
Liability, Regulation, and Licensing
- Proposal: introduce legal liability and insurance for critical OSS components, driving funding via risk reduction.
- Strong pushback: would chill free contributions, is hard to implement fairly, and clashes with “no warranty” norms and free speech.
- EU Cyber Resilience Act is cited as moving in this direction; some fear it will drive small projects and solo developers out of business.
Sandboxing, OS Design, and Isolation
- Several argue current Unix/Windows-style models are outdated:
- Point to SELinux, app sandboxing (macOS, iOS, Android, ChromeOS), QubesOS-style compartmentalization.
- Frustration that most desktop/server software doesn’t sandbox itself, even when mechanisms exist.
- Others note sandboxing can limit functionality and tooling is poor, so many apps stay unsandboxed.
Prevalence of Similar Backdoors / Threat Actors
- Worry that this sophisticated, long-term xz compromise implies more undiscovered backdoors.
- Counter: such an operation is extremely hard; the fact it was caught relatively quickly suggests this might be rare.
- Debate over “nation-state” vs “bored kid”:
- Some see the patience and complexity as clearly state-level.
- Others say young, highly skilled individuals could also do this; attacker identity doesn’t change the defense posture.
Distributions, Monoculture, and Impact
- Distros that patched sshd to use systemd notifications (Debian, Fedora) were closer to being affected; rolling/testing branches actually shipped malicious xz for a short time.
- Arch shipped the malicious xz but wasn’t vulnerable because its sshd wasn’t patched that way; BSDs and non-systemd distros generally unaffected.
- This is used both:
- As a critique of “Linux + systemd” monoculture.
- And as a caution about downstream patching of security-critical software.
Social Engineering and Contributor Identity
- The attacker gained maintainer status via sustained social engineering and fake community pressure.
- Several commenters call for better “social tooling”:
- Visibility into contributor history, activity patterns, and cross-project presence.
- Stronger norms around trusting new maintainers and scrutinizing unusual build/test changes.