The Linux Hack was an inside job…

TechLinked
3 Apr 202410:28

Summary

TLDRThe video discusses a serious security back door discovered in a widely used Linux compression utility, XZ utils, by developer Andres Frey. The malicious code, which could allow unauthorized remote access, was detected before causing widespread issues. Additionally, the video covers Amazon's decision to abandon its cashierless checkout system in favor of Dash Carts and Google's agreement to delete a large store of web data collected via Chrome's incognito mode, updating their privacy policy to better inform users of data collection practices.

Takeaways

  • 🔍 A serious security back door was discovered in a widely used compression utility for Linux, XZ utils, by developer Andres Frey from Microsoft.
  • 🕵️‍♂️ The vulnerability was found by chance during micro benchmarking, which revealed excessive CPU usage with encrypted logins related to the exed compression library.
  • 🚨 The malicious code was present in beta releases for Fedora Rawhide, Debian, and a stable release of Arch Linux, but was caught before widespread exploitation.
  • 💡 The back door functioned by injecting code during SSH authentication, potentially allowing unauthorized remote access.
  • 👤 The code appears to have been introduced by one of XZ utils' primary developers, giaan AKA GIA, who had been contributing since 2021.
  • 🤔 It is theorized that GIA's involvement may have been part of a long-term scheme to gain increasingly invasive permissions within the project.
  • 🛒 Amazon is discontinuing its cashierless checkout system, 'Just Walk Out', in its fresh grocery stores due to reliance on human oversight.
  • 👁️ Amazon's system required an estimated 70% of sales to be reviewed by human monitors, contrary to the fully automated impression the company had given.
  • 📃 Google has agreed to delete a large cache of web data collected while users browsed in Chrome's incognito mode as part of a class action lawsuit settlement.
  • 🔒 Google will also update its privacy policy and incognito mode landing page to clarify that data collection continues regardless of browsing mode.
  • 🏅 Qualcomm's new Snapdragon X Elite laptop processors have outperformed Intel's Meteor Lake Core Ultra chips in benchmarks, showing 50% faster performance at half the power consumption.

Q & A

  • What security issue was discovered in a widely used compression utility for Linux?

    -A serious security back door was discovered in the XZ utils, a compression utility for Linux, which could potentially allow unauthorized remote access by injecting code during SSH authentication.

  • Who discovered the security back door in XZ utils and how did they notice it?

    -Andres Frey, a developer who works for Microsoft by day and maintains PostgreSQL by night, discovered the security back door. He noticed the issue while doing micro benchmarking during his Easter Long Weekend and observed that encrypted logins to part of the XZ utils compression library were using an unusually high amount of CPU.

  • Which distributions of Linux were found to have the malicious code in their beta releases?

    -The malicious code was found in beta releases for Fedora Rawhide, Debian, and a stable release of Arch Linux.

  • What is the speculated motive behind the introduction of the malicious code in XZ utils?

    -It is theorized that one of the primary developers of XZ utils, giaan AKA GIA (also known as t75), may have introduced the malicious code as part of a long con to gain increasingly invasive permissions through genuine code contributions and a pressure campaign against the original developer, Lassie Colin.

  • What was the original purpose of Amazon's cashierless checkout system, 'Just Walk Out'?

    -The 'Just Walk Out' system was designed to allow customers to scan in at the door, take the items they want, and automatically be charged for them upon exiting the store without the need for a cashier.

  • How accurate was the portrayal of Amazon's 'Just Walk Out' system being fully automated?

    -The portrayal was inaccurate as an estimated 70% of 'Just Walk Out' sales required a human review. The system relied on a small army of over a thousand overseas workers to monitor and review transaction footage.

  • What has Google agreed to do as part of a settlement in a class action lawsuit?

    -Google has agreed to delete a massive store of web data collected while users browsed using Chrome's incognito mode. They have also agreed to update their privacy policy and the incognito mode landing page to explicitly notify users that data is still collected from third-party sites and apps, regardless of the browser mode.

  • What new security feature is Google testing to prevent unauthorized access to sensitive accounts?

    -Google is testing Vice bound session credentials, a form of encryption that ties authentication cookies to the user's PC, to block malicious actors from accessing sensitive accounts by stealing and cloning a person's session credentials.

  • How did TSMC respond to the strongest earthquake in 25 years in Taiwan?

    -Workers at TSMC returned to factories less than 24 hours after the earthquake. Within 10 hours of the earthquake, 70% of TSMC's chip operations had recovered.

  • What is Australia's solution to the problem of large animal detection systems failing to detect kangaroos?

    -Australia is turning to virtual fences, which are activated by approaching headlights and use flashing lights and high-pitched alarms to scare animals away from roadsides.

  • What unusual event occurred in Naples, Florida, allegedly related to the International Space Station?

    -A 2B piece of cylindrical metal, allegedly part of a 2.9-ton cargo pallet containing nine batteries that was tossed from the ISS three years ago, ripped through the roof and two floors of a home in Naples, Florida.

Outlines

00:00

🔍 Security Flaw in Linux Compression Utility

A serious security back door was discovered in a widely used compression utility for Linux, called xed utils, by Andres Frey, a developer at Microsoft. The vulnerability was found during micro benchmarking over Easter Long Weekend, when an unusually high CPU usage was detected during encrypted logins. The back door was present in xed utils, which is available for almost every Linux distribution. Fortunately, the malicious code was identified before being integrated into a major distribution's production release. It was detected in beta releases for Fedora Rawhide, Debian, and a stable release of Arch Linux. The back door functions by injecting code during SSH authentication, potentially allowing unauthorized remote access. The malicious code is suspected to have been introduced by one of the primary developers of XZ utils, giaan AKA GIA, who had been contributing to the project since 2021. Researchers are yet to find any evidence of gean's existence beyond his involvement in open-source circles.

05:01

🛒 Amazon's Cashierless Checkout System and Google's Privacy Update

Amazon is discontinuing its cashierless checkout system, 'Just Walk Out', across its chain of fresh grocery stores due to its reliance on a large number of overseas workers to monitor transactions, contrary to the fully automated impression it gave. The system used a network of cameras and sensors to track customers and charge them for items upon exiting the store. However, an estimated 70% of these sales required human review. Amazon disputes this figure, stating that reviewers primarily annotated videos for machine learning improvements. In a separate development, Google has agreed to delete a vast amount of web data collected through Chrome's incognito mode as part of a class action lawsuit settlement. Google will also update its privacy policy and the incognito mode landing page to clarify that data is still collected from third-party sites and apps, regardless of browsing mode. This follows Google's initial argument that users had implicitly consented to data collection in incognito mode because they were warned that their activity might still be visible to visited websites.

10:03

🚀 Tech Innovations and Updates

Qualcomm has released new benchmarks for its upcoming ARM-powered Snapdragon X Elite laptop processors, showing impressive performance and power efficiency, outperforming Intel's Meteor Lake Core Ultra chips, AMD's Ryzen 9 7940 HS, and even Apple's M3. This comes ahead of the processors' anticipated arrival in Microsoft's new Surface lineup. In other news, Google Podcasts will be discontinued, with users outside the US able to access podcasts until June 24th. TSMC, a major chip manufacturer responsible for 80-90% of the world's high-end chips, quickly resumed operations after a strong earthquake in Taiwan, with 70% of chip operations recovered within 10 hours. Australia is considering virtual fences to address issues with vehicle large animal detection systems, particularly with kangaroos, which have proven difficult to calibrate. Finally, a piece of space debris, allegedly from the International Space Station, crashed through a house in Naples, Florida, raising questions of liability for damages.

Mindmap

Keywords

💡Security Backdoor

A security backdoor refers to a hidden method or vulnerability in a computer system or software that allows unauthorized access or bypasses normal security measures. In the context of the video, a serious security backdoor was discovered in a widely used compression utility for Linux, which could have potentially disastrous consequences if exploited.

💡Linux

Linux is an open-source operating system that is widely used across various devices, from servers to embedded systems. In the video, the mention of Linux pertains to the discovery of a security backdoor in a utility used by many Linux distributions, highlighting the importance of open-source security and vigilance in software development.

💡Andreas Frey

Andreas Frey is a developer who works for Microsoft and maintains PostgreSQL, an open-source relational database management system. In the video, he is credited with discovering the security backdoor in the xed utils library, showcasing the role of individual contributors in maintaining the security of open-source projects.

💡SSH Authentication

SSH, or Secure Shell, authentication is a cryptographic network protocol used for secure communication and remote login to a server. In the context of the video, the security backdoor in xed utils is said to inject code during SSH authentication, which could allow unauthorized access to systems that use this protocol.

💡XZ Utils

XZ Utils is a software utility used for file compression on Linux systems. The video discusses a security backdoor found in this utility, which highlights the importance of regular security audits and updates in widely used software to prevent potential exploits.

💡GIA (gian AKA GIA)

GIA, also known as 'gian', is one of the primary developers of XZ Utils. The video suggests that this individual may have introduced the security backdoor, either intentionally or due to their system being compromised, raising concerns about the security of open-source projects and the trust placed in their developers.

💡Amazon Go

Amazon Go is a cashierless checkout system used by Amazon in its chain of grocery stores. The system relies on cameras and sensors to track customers and charge them for items they take. The video discusses the challenges faced by this system, including the need for human review of transactions, which contradicts the initial promise of a fully automated shopping experience.

💡Dash Cart

Dash Cart is a system that combines a shopping cart with self-checkout features. It tallies up items as they are added to the cart. In the video, it is mentioned as the next step Amazon will take to move towards a cashierless shopping experience, following the challenges faced with Amazon Go.

💡Incognito Mode

Incognito mode is a privacy feature in web browsers that aims to prevent the browser from storing information about the user's browsing activity. The video discusses a class-action lawsuit against Google for collecting data while users browse in incognito mode, highlighting the gap between user expectations of privacy and actual data collection practices.

💡Session Credentials

Session credentials are data that authenticates a user's session on a website or application. In the context of the video, Google is testing vice-bound session credentials to prevent unauthorized access by blocking malicious actors from stealing and cloning a person's session credentials, enhancing account security.

💡TSMC

TSMC, or Taiwan Semiconductor Manufacturing Company, is the world's largest dedicated semiconductor foundry, producing high-end chips for various technology companies. The video discusses the resilience of TSMC's operations following a significant earthquake in Taiwan, emphasizing the importance of TSMC to the global chip supply.

💡Virtual Fences

Virtual fences are systems designed to deter animals from entering certain areas, such as roads, by using lights and sounds. In the video, virtual fences are mentioned as a solution to prevent collisions with kangaroos in Australia, which traditional large animal detection systems have struggled to manage effectively.

Highlights

A serious security back door was discovered in a widely used compression utility for Linux.

The security issue was flagged by developer Andres Frey, who works for Microsoft and maintains PostgreSQL.

The back door was discovered during micro benchmarking over the Easter Long Weekend.

Encrypted logins using the exed compression Library were found to be consuming an unusually high amount of CPU.

The malicious code was found in xed utils, which is available for almost every distribution of Linux.

The code was detected before being added to the production release of a major distribution.

The back door was present in beta releases for Fedora Rawhide, Debian, and a stable release of Arch Linux.

The back door works by injecting code during SSH authentication, potentially allowing unauthorized remote access.

The malicious code may have been introduced by one of XZ utils' primary developers, Giaan AKA GIA.

GIA's involvement in XZ has been suspected to be part of a long con to gain more invasive permissions.

Amazon is abandoning its cashierless checkout system at its chain of fresh grocery stores due to reliance on human monitors.

The 'Just Walk Out' system used cameras and sensors to track customers and charge them automatically.

About 70% of 'Just Walk Out' sales required human review, indicating the system was not fully automated.

Google has agreed to delete a large store of web data collected while users browsed in Chrome's incognito mode.

Google will update its privacy policy and incognito mode landing page to better inform users about data collection.

Google was sued in a class action lawsuit for data collection practices in incognito mode.

Qualcomm released new benchmarks showing their upcoming ARM-powered Snapdragon X Elite laptop processors.

The X Elite performed around 50% faster and consumed less power compared to Intel's Core Ultra chips.

TSMC announced that operations recovered quickly after Taiwan's strongest earthquake in 25 years.

Australia is turning to virtual fences to address issues with large animal detection systems in vehicles.

A piece of metal from the ISS hit a home in Naples, Florida, possibly making Japan liable for damages.

Transcripts

00:00

that's right you know what time it is a

00:03

fact I'm going to rely on as I do not

00:05

have a watch but I trust you a serious

00:08

security back door and a widely used

00:10

compression utility for Linux has come

00:12

to light after being discovered and

00:13

flagged by developer Andres Frey who

00:16

works for Microsoft by day and maintains

00:18

postgress SQL by night just like Batman

00:22

Ry only noticed because he was making

00:24

the best of his Easter Long Weekend by

00:26

doing some micro benchmarking when he

00:28

noticed that encrypted logins to part of

00:31

the exed compression Library were using

00:33

a ton of CPU which led him to discover

00:35

the back door in xed utils God you're

00:38

saying Zed did we say Zed in Canada I'll

00:41

I'll stop now I'll say it normal had it

00:43

not come to light when it did it could

00:44

have been potentially disastrous XZ

00:47

there you go utils is available for

00:49

almost every distribution of Linux but

00:51

luckily the malicious code was spotted

00:53

before it could be added into the

00:54

production release of a major drro it

00:56

was however founded beta releases for

00:58

Fedora Rawhide and and Debian as well as

01:01

a stable release of Arch Linux and the

01:03

arch users will inform you of that the

01:05

back door apparently works by injecting

01:07

coat during SSH authentication thereby

01:09

allowing unauthorized remote access

01:12

bizarrely this malicious code seems to

01:14

have been introduced by one of XZ utils

01:16

two primary developers giaan AKA GIA

01:20

t75 one of the earlier Terminators who

01:23

had been contributing to the XZ project

01:25

regularly since 2021 while it's possible

01:28

that their system was compromised G t75

01:31

is account engaged in suspicious

01:33

activity over the course of several

01:35

weeks including repeatedly contacting

01:37

others about their new fixes several

01:40

notable contributors to the project have

01:41

therefore theorized the G t75 is

01:44

involvement in XZ has been part of a

01:46

long con intended to get more and more

01:48

invasive permissions through both

01:50

genuine code contributions and a

01:52

pressure campaign conducted through sock

01:53

puppets against its original developer

01:56

Lassie Colin for faster development so

01:59

far researchers have yet to find any

02:01

evidence that gean exists Beyond his

02:04

presence in open- Source circles which

02:05

honestly isn't all that different from

02:07

other Linux users stop browsing the web

02:09

using a text editor and go outside your

02:11

family misses you you have to see your

02:13

family to tell them you use

02:15

Arch Amazon is abandoning its

02:18

cashierless checkout system at its chain

02:20

of fresh grocery stores in part because

02:23

it wasn't really cashierless and instead

02:26

relied on a small army of over a

02:28

thousand overseas workers monitoring and

02:30

reviewing footage from these

02:32

transactions the program launched in

02:34

2016 under the name just walk out the

02:37

empowering slogan of absent fathers

02:38

everywhere just walk out involves a

02:41

series of cameras and sensors throughout

02:43

the store which track customers after

02:45

they scan in at the door and

02:46

automatically charge them for the items

02:47

they take when they leave 27 of Amazon's

02:50

44 fresh stores have just walk out

02:53

available and while Amazon gave the

02:55

impression that the system was fully

02:57

automated an estimated 70% of just

03:00

walkout sales required a human review as

03:03

of 2022 according to information from

03:06

the information they love that stuff

03:08

they do love information Amazon disputes

03:10

this number and claims that these

03:12

reviewers primary purpose was to

03:14

annotate videos for improved machine

03:15

learning if accurate however this would

03:17

seem to indicate that the company wasn't

03:19

actually replacing human cashiers it was

03:21

just Outsourcing them most likely by

03:23

having an underpaid office worker in

03:25

India watch you while you shop this

03:27

might explain why Shoppers at Fresh

03:28

stores sometimes found it would take

03:30

hours to receive a receipt for their

03:32

purchase Amazon hasn't given up on the

03:34

cashier lless experience though and its

03:35

stores will instead increasingly rely on

03:38

dash carts essentially a combination of

03:40

shopping cart and self checkout which

03:42

tallies up items as they're added to the

03:44

cart although maybe there's actually

03:46

just a tiny little man hiding behind the

03:48

screen who uses a peephole to look

03:49

inside your cart and see what you're

03:50

buying who knows as part of a settlement

03:53

to a class action lawsuit Google has

03:56

agreed to delete a massive store of web

03:58

data that it collects Ed while users

04:00

browsed using Chrome's purportedly

04:02

private incognito mode Google has

04:05

likewise agreed to update their privacy

04:07

policy as well as the incognito mode

04:09

landing page to explicitly notify users

04:12

that the company continues to collect

04:13

data from third party sites and apps

04:16

regardless of what mode their browser is

04:17

in Google originally argued to have the

04:19

case dismissed under the logic that

04:21

users had implicitly consented to have

04:23

their data collected even in incognito

04:25

mode because it warned them that their

04:27

activity might still be visible to

04:28

websites they visit which is a bit like

04:30

saying that your wife consented to your

04:32

affair because you told her there might

04:34

be other women at the company Christmas

04:36

party you know how these parties Go I

04:38

mean I mean you put some scotch in me

04:41

and I put myself in

04:43

women in a silver lining for Google the

04:45

agreement will spare the company from a

04:47

potential $5 billion penalty which is

04:50

good because they need that money to

04:51

invest in their next project preventing

04:53

other people from stealing your browser

04:55

data I don't steal their brand Google is

04:58

testing to Vice bound session

05:00

credentials to block malicious actors

05:02

from accessing sensitive accounts by

05:04

stealing and cloning a person's session

05:06

credentials a form of encryption that

05:08

ties authentication cookies to the

05:10

user's PC something we here at lmg have

05:14

intimate intimate experience with now

05:17

it's time for quick bits brought to you

05:19

by T the mobile company offering more

05:21

data and lowering their prices for every

05:24

single plan T's Unlimited Plan offers a

05:27

host of features like free international

05:29

calls to 60 plus countries free hotspot

05:32

and tethering and unlimited 2G data

05:35

after you've used your 35 GB 4G LTE 5G

05:39

balance all for just 25 bucks a month oh

05:42

and forget those binding contracts with

05:44

t there's no bulk buying no advance or

05:47

annual payment no contracts there's only

05:50

the flexibility to build your own phone

05:52

plan just the way you like it say tell

05:55

to your new phone plan at the link below

05:58

so that's how that goes and now it's

05:59

half past Tech news also known as quick

06:02

bit of clock just some fun Studio lingo

06:04

we all say it it's what we call it yeah

06:07

I totally didn't make that up Qualcomm

06:09

has released new benchmarks showing

06:10

their upcoming arm powerered Snapdragon

06:12

X Elite laptop processors embarrassing

06:15

Intel's recently released meteor Lake

06:17

core Ultra chips compared to Intel's

06:19

core Ultra 9 185h and core Ultra

06:23

755h really cool names the elite

06:26

performed around 50% faster in geekbench

06:29

at around half the power consumption

06:31

also beating out amd's ryzen 9 7940 HS

06:35

and even Apple's M3 qualcomm's regularly

06:38

been bragging about how great the X

06:40

Elite is since October and with the

06:42

month to go until they finally arrive on

06:44

the new Microsoft Surface lineup I think

06:47

it's time to chill for a bit you didn't

06:48

see apple chasing people around on the

06:50

street with PowerPoint presentations

06:52

about how the M1 is going to

06:54

revolutionize the industry please please

06:56

they left it to the boardrooms all of

06:58

them last year Google warned that the

07:01

Google podcast service would soon Google

07:03

perish and for sooth it has now come to

07:06

Google pass how do they know users

07:09

outside of the US will still be able to

07:10

listen to podcasts until June 24th but

07:13

after that everyone will have to get

07:15

their fix somewhere else like on app

07:17

that Google hasn't killed yet YouTube

07:19

music hopefully you don't go looking on

07:22

that app for Google's Z made by Google

07:24

podcast though because YouTube music

07:26

doesn't have it Google if if you're

07:29

going to kill so many apps it would be

07:31

nice to have more of a plan than the

07:33

Star Wars sequels no why did don't

07:36

mention it oh it hurts tsmc has

07:40

announced that workers are already

07:41

returning to factories less than 24

07:44

hours after Taiwan was hit by its

07:46

strongest earthquake in 25 years as a

07:49

reporting the Quake killed nine and

07:51

injured more than 1,000 people 70% of

07:54

tsmc's chipm operations had recovered

07:57

within 10 hours of the earthquake and

07:59

that is unfortunately important because

08:02

Taiwan is responsible for 80 to 90% of

08:05

the world's high-end chips but I think I

08:08

speak for the world when I say hey tsmc

08:11

come here new chips are nice and all but

08:13

so is taking a single day off after your

08:15

country was devastated by an earthquake

08:17

having said that um thanks for

08:19

preventing a domino effect that would

08:20

inflate the price of basically

08:22

everything on Earth even further so back

08:25

to work Australia is turning to Virtual

08:28

fences after mult mulle car companies

08:30

have tried and failed to calibrate their

08:32

onboard large animal detection systems

08:34

to kangaroos they already had large

08:36

animal detection systems Volvo for

08:39

example has had a system that detects

08:42

pedestrians cyclists and various sunry

08:44

Beasts of the forest since 2016 but

08:47

kangaroos have proven a bit of a problem

08:49

in part because the average pedestrian

08:51

can't run at 44 mph or launch themselves

08:54

10 ft into the air not with that

08:56

attitude according to Volvo Australia's

08:59

Tech technical lead David picket

09:01

kangaroos tend to move unpredictably and

09:03

when it's Airborne you lose the point of

09:06

reference for where it actually is

09:09

terrifying instead Australia will be

09:11

experimenting with virtual fences which

09:14

are activated by approaching headlights

09:16

and use flashing lights and high-pitched

09:18

alarms to scare animals away from

09:20

roadsides installation is unfortunately

09:22

expensive but on the other hand a

09:24

kangaroo hitting your windshield is both

09:26

expensive and bad for the kangaroo does

09:28

that mean that driving down a highway in

09:30

Australia will sound

09:32

like a piece of metal discarded from the

09:35

International Space Station apparently

09:37

ripped through the roof and two floors

09:39

of a home in Naples Florida and if you

09:42

felt relieved after I specified which

09:43

Naples it was you're a bad person the 2B

09:47

piece of cylindrical metal that hit the

09:48

home of Alejandro Otero is alleged to be

09:51

part of a 2.9 ton cargo pallet

09:54

containing nine batteries tossed from

09:56

the ISS 3 years ago apparently Japan may

10:00

be liable for the damages since their

10:02

space agency sent the now discarded

10:04

structure into space so congratulations

10:07

to whoever had Florida man Su Japan

10:10

after extraterrestrial attack on their

10:12

2024 bingo card but if you've got more

10:15

Tech news on your bingo card just come

10:17

back on Friday when we post the next

10:18

episode if you don't play Bingo very

10:21

simple you should instead come back on

10:23

Friday when we post the next episode

10:25

don't do the other one don't mix them up

Rate This

5.0 / 5 (0 votes)

Verwandte Tags
Linux SecurityAmazon RetailGoogle DataTech InnovationsCybersecuritySoftware DevelopmentConsumer PrivacyRetail TechnologyLegal SettlementIndustry News
Benötigen Sie eine Zusammenfassung auf Deutsch?