The xz sshd backdoor rabbithole goes quite a bit deeper
Access to the Twitter thread & “open web” debate
- Many can’t read the original thread due to Twitter/X login walls; workarounds include Nitter (“twiiit” trick) and threadreaderapp, though Nitter instances are rate‑limited and fragile.
- Some refuse to create Twitter accounts on principle (privacy, mental health, “self‑respect”), even if it means missing useful info.
- Others argue mirroring “closed” content into the open web is good, and that refusing to read Twitter is effectively choosing ignorance.
- Several complain that technical disclosures should be blog posts or gists, not tweet threads, both for openness and readability.
How the xz backdoor worked and was detected
- The backdoor affects sshd via liblzma/xz and libsystemd; it ultimately supports auth bypass, not just RCE.
- It hooks sshd at startup using ifunc / audit‑style symbol interception, doing heavy symbol matching early (before
main()), causing noticeable slowdown. - Discovery came from someone benchmarking, noticing sshd’s high CPU and 2–3× slower logins, even for non‑existent users.
- Valgrind/gdb issues tied to frame‑pointer settings helped surface it, but the discoverer notes the slowdown itself was already significant.
- Full reverse‑engineering of the payload and obfuscation (test blobs, tries, anti‑debug, encrypted‑looking data in “test files”) is still incomplete.
Professionalism vs sloppiness of the backdoor
- Commenters find a striking mix: long‑term social infiltration, sophisticated obfuscation, but also bugs, crashes, and measurable performance regressions.
- A key theory: attackers rushed once a systemd change (dlopen of liblzma) threatened to neuter the sshd path, trading stealth for speed.
- Some think the performance regression would inevitably be noticed; others view its early discovery as largely luck.
Who might be behind it
- Possibilities discussed: single skilled individual, small criminal group, “APT”/state actor, compromised or bought maintainer account, or multiple personas sharing one identity.
- Timezone patterns, holiday activity, and commit‑time shifts are analyzed but deemed too flimsy to localize the attacker.
- Consensus: attribution is highly uncertain; “we don’t know” is repeatedly emphasized.
Broader supply‑chain and security implications
- Concern that similar long‑game infiltrations may already exist undetected; survivorship bias is raised.
- Debate over how common backdoors really are compared to long‑lived vulnerabilities.
- Suggestions: more systematic random code review, verifying tarballs against signed git tags, and rethinking dependencies like libsystemd for trivial features.
- Signal/F‑Droid debate illustrates tensions between centralized “official” builds vs independent reproducible builds and their respective backdoor risks.