[mdlug] info about the xz backdoor
Jonathan Billings
billings at negate.org
Sun Mar 31 13:49:46 EDT 2024
On Mar 31, 2024, at 10:11, Dark Star <dark58star at gmail.com> wrote:
>
> Isn't this the reason they switched to using systemd instead of initd?
> Another shining example of "fix it until it's broke".
> Maybe we should be thanking those experts over at IBM.
> First the Linux Blue Screen of Death, and now a backdoor.
> It sounds like the work of Microsoft.
Not sure what IBM has done to earn your ire regarding systemd.
While it was the inclusion of systemd’s notification into OpenSSH (which improves service automation) that brought in the library, I suspect blaming systemd is probably beside the point; the author of the backdoor would have just attacked a different subsystem. Anyway, I bet this will prompt them to make OpenSSH use a direct implementation of sd_notify() directly rather than using systemd’s notify library.
For what it’s worth, it was a Microsoft employee who discovered the initial backdoor, and shared it with investigators.
--
Jonathan Billings