by _tk_ 813 days ago
The CISA report is definitely worth a read and so is questioning Microsoft's security posture. Comparing the incident to the xz attack doesn't make a whole lot of sense though.

Yeah, they're entirely different classes of failure (from a security POV, not personal failing, esp. nothing the old xz maintainer did).

Also, the only reason the xz attack isn't overwhelmingly worse than the MS attack is because it was caught (by an MS person as well, I think?) before it was deployed.

It was caught by a person on MS payroll, that's true, but it didn't get caught by any security processes institutionalized by Microsoft. So the credit goes to Andres Freund, who was working off the clock (according to The Verge), not to Microsoft.

I don't know if "off the clock" is accurate. My job is to work on Postgres, and I was helping out with the development of a feature (avoiding a perf regression in a degenerate case, in a patch improving much more common cases). OTOH, I think it was late at night at that point. What's on/off the clock for an OSS dev...

Would it be fair to say that the perpetrators could have covered their tracks better? Could they, for example, have fixed the valgrind errors? And if so, would this backdoor have remained hidden for much longer?

What was the moment like, when you realized you had stumbled upon a backdoor? I mean, it is riveting just to read the various reports of this backdoor!

> Would it be fair to say that the perpetrators could have covered their tracks better? Could they, for example, have fixed the valgrind errors? And if so, would this backdoor have remained hidden for much longer?

Yes. Mostly they should have reduced the cost of starting up sshd with the backdoor. A lot of that seems to be due to all the symbol lookups they needed to do while staying obfuscated. It feels like they started with a reasonable set of features and then just piled on more and more, leading to the noticeable CPU usage.

I think the valgrind warnings were only triggered when using -fno-omit-frame-pointer, which, at the time they wrote this stuff, wasn't the default anywhere. They got unlucky in that Fedora changed to default to that, and that I happened to have that set in my valgrind tests.

> What was the moment like, when you realized you had stumbled upon a backdoor? I mean, it is riveting just to read the various reports of this backdoor!

It was many hours of slowly figuring that out, with room for different emotions. Lots of nervous cackling. Thinking I must just be hallucinating. Worry about how to deal with this. And more...

Edit: Grammar

Whether MS deserves credit or not, he's a very senior SW engineer at Microsoft, so this should at least provide some reassurance that the company has technical leaders who are looking out for these sorts of security risks...

Oh yeah, I know it wasn't MS security reporting it or anything, I just found it funny (and ironic, I guess? given this report came out a few days later).

Wasn’t it an annoyed database administrator?