Ask HN: What's the worst that could have happened had xz gone unnoticed?
Like many, I've been reading about the deviousness of the xz exploit and understand it would give the author the ability to run arbitrary code on machines that had it installed.
Had this gone unnoticed, over, say, the next 12-36 months, what could have occurred if a maximally malicious actor did their worst? (assuming a variety of motivations - e.g. desire to attack rival state(s) a la stuxnet, greed, pure vandalism, other)
I suspect without additional exploits to get through other security layers on critical infrastructure, things like launching nukes from silos/submarines, running carriers ashore, mass deleting icloud/google drive/onedrive would be out of the question. (that's a guess).
It's not known who's responsible, nor their motivations, but at least in theory, what are some of the worst cases that could have happened had the exploit gone unnoticed?
All of the above, stealing of money, secrets, AI model weights, destruction, access to crypto passphrases, spam, impersonation, blackmail ... maybe not directly to systems with good security, but its like picking a lock, every bit of progress helps, security exists in layers, and one weak layer compromises the next... ssh is a pretty fundamental technology, and highly trusted.
There are wonderfully colorful podcasts about this. Darknet Diaries is pretty decent, and entertaining, for public consumption.
Any other podcast recommendation? I usually listen to darknet diaries and recently discovered hacked.
Risky Business is also great. Along with Malicious Life and Modem Mischief.
ya darknet diaries is very well done
DnD drives me nuts, how the host resummarizes everything every guest says in a fluffy emotional way that adds no new info. It’s like a podcast where every sentence is said twice.. kinda hard to listen to
Now that we’ve run out of truly interesting hacks, the later episodes really aren’t too interesting. Fav episode is Knaves Out.
The attacker would probably want to keep the exploit hidden, thus probably restricting themselves to data exfiltration rather than outright obvious attacks. Considering that’s it’s a state actor, perhaps people arrested and dark web sites shut down.
> Considering that’s it’s a state actor,
Is it? Did we have any conclusive evidence yet? Honest question.
Just an assumption. There are very little reasons for a person to carry out such an attack but it’s still possible
SSH access is scary of course but lots of the machines involved would probably still be inaccessible in private networks. Other payloads for exfil scare me more.
What freaks me out is the idea of every android on the planet being compromised overnight. Since you can’t effectively opt out of updates these days, and since decompression tools are going to be involved with elevated privileges, it feels like we were pretty close to that kind of worst case
Massive worm that would be nearly impossible to shutdown.
DC and Cloud takeover due to hitting an ssh bastion host.
Infecting codebases via compromised sshd+git. We really should be signing all of our commits.
The "payload" was devious in that it basically said: if $ssh_key && $payload.sig && $host.sig
Can't (easily) be replayed with a network capture against a different host or with a different payload, and can't be triggered without a specific key. Truly laser-like in focus.
My personal theory for "next step" would be: if uncompressing.contains( "linux" || "curl" ) => $extra.payload()
With such a skilled attack, and the potential to _deeply_ reach arbitrary public systems, imagine the chaos of "ssh github.com && pwn( curl, gzip, git, node, ... )"
...each stealthier than the last. Most SHA-sums are against the archive, not the individual file contents. An untrustable archiver or network transfer tool (especially in combination!) is terrifying...
> Can't (easily) be replayed with a network capture against a different host or with a different payload, and can't be triggered without a specific key.
Worse yet, an attempted exploit doesn't have any easily detectable network signature. It just looks like a login attempt with an RSA key.