Ask HN: What's the worst that could have happened had xz gone unnoticed?
Like many, I've been reading about the deviousness of the xz exploit and understand it would give the author the ability to run arbitrary code on machines that had it installed.
Had this gone unnoticed, over, say, the next 12-36 months, what could have occurred if a maximally malicious actor did their worst? (assuming a variety of motivations - e.g. desire to attack rival state(s) a la stuxnet, greed, pure vandalism, other)
I suspect without additional exploits to get through other security layers on critical infrastructure, things like launching nukes from silos/submarines, running carriers ashore, mass deleting icloud/google drive/onedrive would be out of the question. (that's a guess).
It's not known who's responsible, nor their motivations, but at least in theory, what are some of the worst cases that could have happened had the exploit gone unnoticed?
13 comments
[ 0.25 ms ] story [ 37.4 ms ] threadThere are wonderfully colorful podcasts about this. Darknet Diaries is pretty decent, and entertaining, for public consumption.
Can't (easily) be replayed with a network capture against a different host or with a different payload, and can't be triggered without a specific key. Truly laser-like in focus.
My personal theory for "next step" would be: if uncompressing.contains( "linux" || "curl" ) => $extra.payload()
With such a skilled attack, and the potential to _deeply_ reach arbitrary public systems, imagine the chaos of "ssh github.com && pwn( curl, gzip, git, node, ... )"
...each stealthier than the last. Most SHA-sums are against the archive, not the individual file contents. An untrustable archiver or network transfer tool (especially in combination!) is terrifying...
Worse yet, an attempted exploit doesn't have any easily detectable network signature. It just looks like a login attempt with an RSA key.
Is it? Did we have any conclusive evidence yet? Honest question.
What freaks me out is the idea of every android on the planet being compromised overnight. Since you can’t effectively opt out of updates these days, and since decompression tools are going to be involved with elevated privileges, it feels like we were pretty close to that kind of worst case
DC and Cloud takeover due to hitting an ssh bastion host.
Infecting codebases via compromised sshd+git. We really should be signing all of our commits.