The xz sshd backdoor rabbithole goes quite a bit deeper

Access to the Twitter thread & “open web” debate

  • Many can’t read the original thread due to Twitter/X login walls; workarounds include Nitter (“twiiit” trick) and threadreaderapp, though Nitter instances are rate‑limited and fragile.
  • Some refuse to create Twitter accounts on principle (privacy, mental health, “self‑respect”), even if it means missing useful info.
  • Others argue mirroring “closed” content into the open web is good, and that refusing to read Twitter is effectively choosing ignorance.
  • Several complain that technical disclosures should be blog posts or gists, not tweet threads, both for openness and readability.

How the xz backdoor worked and was detected

  • The backdoor affects sshd via liblzma/xz and libsystemd; it ultimately supports auth bypass, not just RCE.
  • It hooks sshd at startup using ifunc / audit‑style symbol interception, doing heavy symbol matching early (before main()), causing noticeable slowdown.
  • Discovery came from someone benchmarking, noticing sshd’s high CPU and 2–3× slower logins, even for non‑existent users.
  • Valgrind/gdb issues tied to frame‑pointer settings helped surface it, but the discoverer notes the slowdown itself was already significant.
  • Full reverse‑engineering of the payload and obfuscation (test blobs, tries, anti‑debug, encrypted‑looking data in “test files”) is still incomplete.

Professionalism vs sloppiness of the backdoor

  • Commenters find a striking mix: long‑term social infiltration, sophisticated obfuscation, but also bugs, crashes, and measurable performance regressions.
  • A key theory: attackers rushed once a systemd change (dlopen of liblzma) threatened to neuter the sshd path, trading stealth for speed.
  • Some think the performance regression would inevitably be noticed; others view its early discovery as largely luck.

Who might be behind it

  • Possibilities discussed: single skilled individual, small criminal group, “APT”/state actor, compromised or bought maintainer account, or multiple personas sharing one identity.
  • Timezone patterns, holiday activity, and commit‑time shifts are analyzed but deemed too flimsy to localize the attacker.
  • Consensus: attribution is highly uncertain; “we don’t know” is repeatedly emphasized.

Broader supply‑chain and security implications

  • Concern that similar long‑game infiltrations may already exist undetected; survivorship bias is raised.
  • Debate over how common backdoors really are compared to long‑lived vulnerabilities.
  • Suggestions: more systematic random code review, verifying tarballs against signed git tags, and rethinking dependencies like libsystemd for trivial features.
  • Signal/F‑Droid debate illustrates tensions between centralized “official” builds vs independent reproducible builds and their respective backdoor risks.