<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<blockquote type="cite"
cite="mid:CA+TuoW0xyNcst12y8XynE4EV0aY_z22DK88SfwZTKGZvTgVoDQ@mail.gmail.com">
<blockquote type="cite">
<pre class="moz-quote-pre" wrap="">I'd love to see what kind of pattern in a build process has been (ab)used, but repos are inaccessible.
</pre>
</blockquote>
<pre class="moz-quote-pre" wrap="">
It is in Andres Freund's overview of the problem, which Jason and
I linked to in previous emails.
The link that I found and posted here has detailed analysis of the
files that add the malicious code.
Here it is again.
<a class="moz-txt-link-freetext" href="https://lwn.net/ml/oss-security/20240329155126.kjjfduxw2yrlxgzm@awork3.anarazel.de/">https://lwn.net/ml/oss-security/20240329155126.kjjfduxw2yrlxgzm@awork3.anarazel.de/</a>
A short summary of that is in the "Design" section here
<a class="moz-txt-link-freetext" href="https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27">https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27</a>
</pre>
</blockquote>
<p>Let's quote from comment
<a class="moz-txt-link-freetext" href="https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27?permalink_comment_id=5006224#gistcomment-5006224">https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27?permalink_comment_id=5006224#gistcomment-5006224</a></p>
<p>"""</p>
<p>The relevant technical fact is that this exploit isn't on a level
with the information security skills of an average developer. Not only
does it use a smart tactic to hide itself from commit inspection
with autoconf, but it also has a sophisticated payload, which
we still can't reverse 16 hours after the incident.<br>
</p>
<p>"""<br>
</p>
<p>... this exploit isn't on a level with information security
skills of an average developer. ...</p>
<p>Hm-m. The complexity is riding on an existing sea of complexity in the
build process. Implying that the attacker is bright leaves no hope and
is counter-productive.</p>
<p>The attacker chooses the time of an attack. The defender chooses the possible
places, by virtue of designing and coding all the places where an attack
may be done. The attacker can't attack in a vacuum.<br>
</p>
<p>This brings us back to complexity being a firm foundation for an
attack. And it brings us back to mirrors: who creates complexity,
why, and how, and what about clearing it up?</p>
<p>Gosh. How many millions of devs are there on the planet? How many
100K's of security professionals? How many views are there on "The
Lazy Programmer's Guide to Secure Computing" <a
class="moz-txt-link-freetext"
href="https://www.youtube.com/watch?v=eL5o4PFuxTY">https://www.youtube.com/watch?v=eL5o4PFuxTY</a>
?</p>
</body>
</html>