
Linux xz and the Great Flaws in Open Source
06/27/24 • 12 min
The xz utils backdoor, discussed in an interview at the Open Source Summit 2024 on The New Stack Makers with John Kjell, director of open source at TestifySec, highlights critical weaknesses in the open-source ecosystem. A co-maintainer of the xz utils project inserted a backdoor into the 5.6.0 and 5.6.1 releases; it was discovered by a Microsoft engineer who went looking for the cause of unexplained slowness in sshd logins. The breach shows how much trust is placed in maintainers and how that trust can be abused. Kjell explains that the backdoor, carried in liblzma and reaching OpenSSH through its dependency chain, would have given an attacker remote code execution or unauthorized access to a server over SSH.
The incident reveals a deeper flaw: the human element in open source. Maintainers, often under pressure to quickly address vulnerabilities and ship updates, can become targets for social engineering. The attackers built trust within the community by contributing to the project over time, eventually gaining maintainer status and inserting malicious code. This scenario underscores the economic pressures on open source, where maintainers work unpaid and face demands from large organizations, exposing the fragility of the open-source supply chain. Despite these challenges, the community's resilience is also evident in its rapid response to the threat.
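As an added example (not code from the podcast, The New Stack, or the xz project), the two questions a practitioner asked first when the backdoor became public are captured in the POSIX shell script below: is the installed xz one of the two backdoored upstream releases, and does the sshd binary load liblzma at all, since the backdoor lived in liblzma and only reached sshd on builds where liblzma ends up in sshd's address space (typically pulled in through libsystemd). The function names, the `--live` flag and the sample `ldd` output are constructed for this example.

```shell
#!/bin/sh
# Added example: host triage for the xz-utils backdoor (CVE-2024-3094).
# Not the xz project's or the interviewee's code. Two checks:
#   1. Does the installed xz report a backdoored upstream version (5.6.0 or 5.6.1)?
#   2. Does the sshd binary load liblzma? An sshd that never loads liblzma was
#      not reachable by this backdoor.
# The function names and SAMPLE_LDD_SSHD below are constructed for this example.

# Print the version from `xz --version` output, e.g.
# "xz (XZ Utils) 5.6.1" / "liblzma 5.6.1" -> "5.6.1". Prints nothing for empty input.
xz_version_from_output() {
    printf '%s\n' "$1" | awk 'NR == 1 && NF > 0 { print $NF }'
}

# Return 0 (true) when the version string is one of the backdoored upstream releases.
xz_version_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Return 0 when liblzma appears in the given `ldd` output (passed as one string).
ldd_links_liblzma() {
    printf '%s\n' "$1" | grep -q 'liblzma\.so'
}

# Constructed sample: what `ldd /usr/sbin/sshd` looks like on a distribution whose
# sshd is patched to link libsystemd, which in turn drags in liblzma.
SAMPLE_LDD_SSHD='    linux-vdso.so.1 (0x00007ffc1a9d0000)
    libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f2c1c400000)
    liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f2c1c3c0000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f2c1c000000)'

# Run both checks against the live host. Only invoked with --live, so sourcing this
# file (or running it somewhere without xz or sshd) has no side effects.
triage_host() {
    ver=$(xz_version_from_output "$(xz --version 2>/dev/null)")
    if [ -z "$ver" ]; then
        echo "xz: not installed or not on PATH"
    elif xz_version_affected "$ver"; then
        echo "xz $ver: matches a backdoored upstream release; check your distro advisory"
    else
        echo "xz $ver: not one of the backdoored upstream versions"
    fi

    sshd_path=$(command -v sshd 2>/dev/null || echo /usr/sbin/sshd)
    if [ ! -x "$sshd_path" ]; then
        echo "sshd: not found at $sshd_path"
    elif ldd_links_liblzma "$(ldd "$sshd_path" 2>/dev/null)"; then
        echo "$sshd_path loads liblzma: this sshd was reachable by the backdoor"
    else
        echo "$sshd_path does not load liblzma: not reachable by this backdoor"
    fi
}

if [ "${1-}" = "--live" ]; then
    triage_host
fi
```

Run it as `sh xz_triage.sh --live`. A version match is a triage signal, not proof of compromise: several distributions shipped 5.6.x packages rebuilt with the payload removed, so the package changelog or the distribution advisory is the authority. The reverse also holds: the build-time injection was present only in the signed release tarballs and not in the project's git tree, which is why a release artifact that differs from its tagged source is worth treating as a finding in its own right.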
Learn more from The New Stack about Linux xz utils
Linux xz Backdoor Damage Could Be Greater Than Feared
Unzipping the XZ Backdoor and Its Lessons for Open Source
The Linux xz Backdoor Episode: An Open Source Mystery
Join our community of newsletter subscribers to stay on top of the news and at the top of your game.
Previous Episode

How Amazon Bedrock Helps Build GenAI Apps in Python
Suman Debnath, principal developer advocate for machine learning at Amazon Web Services, emphasized the advantages of using Python in machine learning during a New Stack Makers episode recorded at PyCon US. He noted Python's ease of use and its foundational role in the data science ecosystem as key reasons for its popularity. However, Debnath highlighted that building generative AI applications doesn't necessarily require deep data science expertise or Python.
Amazon Bedrock, AWS’s generative AI service introduced in September 2023, exemplifies this flexibility by allowing developers to use any programming language through an API-based service. Bedrock supports languages such as Python, C, C++, and Java, enabling developers to use large language models without detailed knowledge of machine learning. It also integrates with open-source libraries such as LangChain and LlamaIndex. Debnath recommends the AWS community platform and GitHub for resources on getting started with Bedrock. The episode includes a demonstration of Bedrock's capabilities and its benefits for Python users.
Learn More from The New Stack on Amazon Bedrock:
Amazon Bedrock Expands Palette of Large Language Models
Build a Q&A Application with Amazon Bedrock and Amazon Titan
10 Key Products for Building LLM-Based Apps on AWS
Next Episode

What’s the Future of Distributed Ledgers?
Blockchain technology continues to drive innovation despite declining hype, with distributed ledger technologies (DLTs) offering secure, decentralized digital asset transactions. In an On the Road episode of The New Stack Makers recorded at Open Source Summit North America, Andrew Aitken of Hedera and Dr. Leemon Baird of Swirlds Labs discussed DLTs with Alex Williams.
Baird highlighted the Hashgraph Consensus Algorithm, an efficient, secure distributed consensus mechanism he created, leveraging a hashgraph data structure and gossip protocol for rapid, robust transaction sharing among network nodes. This algorithm, which has been open source under the Apache 2.0 license for nine months, aims to maintain decentralization by involving 32 global organizations in its governance. Aitken emphasized building an ecosystem of DLT contributors, adhering to open source best practices, and developing cross-chain applications and more wallets to enhance exchange capabilities. This collaborative approach seeks to ensure transparency in both governance and software development. For more insights into DLT’s 2.0 era, listen to the full episode.
Learn more from The New Stack about Distributed Ledgers (DLTs)
IOTA Distributed Ledger: Beyond Blockchain for Supply Chains
Why I Changed My Mind About Blockchain