The Linux Hack was an inside job…

TechLinked
3 Apr 2024, 10:28

Summary

TLDR In a newly disclosed security incident, XZ Utils, a compression tool used across almost every Linux distribution, was found to contain a backdoor. Developer Andres Freund uncovered it while benchmarking, after noticing that encrypted logins were consuming an unusual amount of CPU. Fortunately, the malicious code was caught before it reached the production release of a major Linux distribution. Elsewhere, Amazon is abandoning its cashierless checkout system in favour of Dash Carts; Google has agreed to delete data collected through Chrome's Incognito mode and to update its privacy policy; Qualcomm has published benchmarks for its new Snapdragon X Elite processor claiming it outperforms Intel and AMD parts; and TSMC resumed production quickly after the earthquake in Taiwan, underlining Taiwan's importance to the global chip supply chain.

Takeaways

  • 🕒 Microsoft developer Andres Freund discovered and promptly flagged a security backdoor in XZ Utils, a compression tool used widely across Linux.
  • 🔍 The backdoor was found during micro-benchmarking over the Easter long weekend, because encrypted logins were burning a large amount of CPU in code involving the XZ compression library.
  • 🚪 The backdoor could allow unauthorized remote access by injecting code during SSH authentication.
  • 🔐 The malicious code appears to have been introduced by Jia Tan (aka JiaT75), one of XZ Utils' primary developers, who had been contributing to the project regularly since 2021.
  • 🤔 Although JiaT75's behaviour raised suspicion, researchers have so far found no evidence that the person exists outside open-source circles.
  • 🛒 Amazon is abandoning its cashierless checkout system 'Just Walk Out' because it was not fully automated and instead relied on overseas workers remotely monitoring and reviewing transactions.
  • 🏪 27 of Amazon's 44 Fresh stores had 'Just Walk Out', but according to 2022 figures roughly 70% of transactions required human review.
  • 🤖 Amazon disputes that figure and says the reviewers' primary purpose was to annotate video to improve its machine-learning models, not to replace human cashiers.
  • 📄 Google has agreed to delete a massive store of web data collected while users browsed in Chrome's Incognito mode, and to update its privacy policy to state explicitly that the company continues to collect data.
  • 🔐 Google is testing device-bound session credentials to stop malicious actors from accessing sensitive accounts by stealing and cloning a user's session credentials.
  • 📈 Qualcomm has released new benchmarks showing its upcoming ARM-based Snapdragon X Elite laptop processor outperforming Intel's Meteor Lake Core Ultra chips.
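The device-bound session credential idea in the takeaway above, as an added example that is neither the page's nor Google's code: a minimal server/client exchange in which the browser registers a device key at login, the server issues short-lived bearer cookies, and a refresh is granted only to whoever can sign the server's challenge with that key. The session layout, the 10-minute cookie TTL, the function names and the use of Ed25519 are assumptions for illustration; the real design keeps the key in hardware-backed storage, which a software key pair here only stands in for.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Added illustration of a device-bound session; not Google's protocol.
// cookieTTL is an assumed value: how long a stolen bearer cookie stays useful.
const cookieTTL = 10 * time.Minute

type boundSession struct {
	devicePub ed25519.PublicKey // registered at login, never changes
	cookie    string            // short-lived bearer cookie
	expires   time.Time
	challenge []byte // outstanding refresh nonce, nil when none
}

type server struct{ sessions map[string]*boundSession }

func newServer() *server { return &server{sessions: map[string]*boundSession{}} }

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// login stores the device public key and issues the first cookie.
func (s *server) login(devicePub ed25519.PublicKey, now time.Time) (sessionID, cookie string) {
	sessionID = hex.EncodeToString(randomBytes(8))
	sess := &boundSession{devicePub: devicePub}
	s.sessions[sessionID] = sess
	return sessionID, s.rotate(sess, now)
}

func (s *server) rotate(sess *boundSession, now time.Time) string {
	sess.cookie = hex.EncodeToString(randomBytes(16))
	sess.expires = now.Add(cookieTTL)
	return sess.cookie
}

// authorize accepts the bearer cookie until it expires: a stolen copy still
// works inside that window, which is the window binding shrinks, not removes.
func (s *server) authorize(sessionID, cookie string, now time.Time) bool {
	sess, ok := s.sessions[sessionID]
	return ok && sess.cookie == cookie && now.Before(sess.expires)
}

// challenge hands out a fresh nonce the client must sign to get a new cookie.
func (s *server) challenge(sessionID string) ([]byte, error) {
	sess, ok := s.sessions[sessionID]
	if !ok {
		return nil, errors.New("unknown session")
	}
	sess.challenge = randomBytes(32)
	return sess.challenge, nil
}

// refresh verifies the signature with the key registered at login. Only the
// device holding the private key passes, so a cloned cookie dies with the TTL.
func (s *server) refresh(sessionID string, sig []byte, now time.Time) (string, error) {
	sess, ok := s.sessions[sessionID]
	if !ok || sess.challenge == nil {
		return "", errors.New("no refresh in progress")
	}
	// Bind the signed message to the session ID so a nonce cannot be replayed
	// across sessions, and clear the nonce so it is single-use.
	msg := append([]byte(sessionID+":"), sess.challenge...)
	sess.challenge = nil
	if !ed25519.Verify(sess.devicePub, msg, sig) {
		return "", errors.New("device signature invalid")
	}
	return s.rotate(sess, now), nil
}

// device models the browser-side key that never leaves the machine.
type device struct{ priv ed25519.PrivateKey }

func newDevice() *device {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &device{priv: priv}
}

func (d *device) pub() ed25519.PublicKey { return d.priv.Public().(ed25519.PublicKey) }

func (d *device) sign(sessionID string, challenge []byte) []byte {
	return ed25519.Sign(d.priv, append([]byte(sessionID+":"), challenge...))
}

// scenario plays out an infostealer copying the victim's cookie jar. It reports
// whether the thief could use the cookie before expiry, whether the thief could
// refresh it afterwards with a key of their own, and whether the victim could.
func scenario() (thiefBeforeExpiry, thiefRefresh, victimRefresh bool) {
	srv, victim, t0 := newServer(), newDevice(), time.Now()
	sid, cookie := srv.login(victim.pub(), t0)
	thiefBeforeExpiry = srv.authorize(sid, cookie, t0.Add(time.Minute))

	later := t0.Add(cookieTTL + time.Minute)
	ch, _ := srv.challenge(sid)
	_, err := srv.refresh(sid, newDevice().sign(sid, ch), later)
	thiefRefresh = err == nil

	ch, _ = srv.challenge(sid)
	fresh, err := srv.refresh(sid, victim.sign(sid, ch), later)
	victimRefresh = err == nil && srv.authorize(sid, fresh, later)
	return
}

func main() {
	a, b, c := scenario()
	fmt.Printf("thief uses stolen cookie before expiry: %v\nthief refreshes after expiry: %v\nvictim refreshes after expiry: %v\n", a, b, c)
}
```

The caveat the scenario makes explicit is the one a practitioner should carry away: a stolen cookie still works until it expires, so binding shrinks the theft window rather than closing it, and the server must keep challenges single-use and tied to the session ID or a captured signature can be replayed.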

Q & A

  • Who discovered the security backdoor in the widely used Linux compression tool?

    -The backdoor in the widely used Linux compression tool was discovered by Andres Freund, who works at Microsoft and maintains PostgreSQL in his spare time.

  • How did Andres Freund notice the problem in the XZ compression library?

    -While micro-benchmarking, Andres Freund noticed that encrypted logins were spending a great deal of CPU in the XZ compression library, which led him to discover the backdoor in XZ Utils.

  • What consequences could the discovered backdoor have had?

    -Had the backdoor not been found when it was, the consequences could have been disastrous: it injects code during SSH authentication, allowing unauthorized remote access.

  • How was the malicious code introduced into XZ Utils?

    -The malicious code appears to have been introduced by Jia Tan (also known as JiaT75), one of XZ Utils' two primary developers, who had been contributing to the project regularly since 2021.

  • What about Jia Tan's (JiaT75's) behaviour raised suspicion?

    -JiaT75's behaviour raised suspicion because the account repeatedly contacted others over several weeks about its new fixes, and notable contributors theorize that the involvement was a long con to obtain ever more invasive permissions through genuine code contributions combined with a pressure campaign, run through sock puppets, against the original developer Lasse Collin.

  • In which Linux distributions was the malicious XZ Utils code found?

    -The malicious XZ Utils code was found in beta releases of Fedora Rawhide and Debian, as well as in a stable release of Arch Linux.

  • Why is Amazon abandoning the cashierless checkout system at its Fresh grocery chain?

    -Amazon is abandoning the cashierless checkout system because it was not really cashierless: it relied on more than a thousand overseas workers monitoring and reviewing footage of transactions.

  • Why did Google agree to delete a massive store of web data?

    -Google agreed to delete the data to settle a class action lawsuit alleging that it collected user data while users browsed in Chrome's Incognito mode.

  • How does Qualcomm's new processor compare with Intel's and AMD's?

    -Qualcomm's Snapdragon X Elite performed around 50% faster in Geekbench than Intel's Meteor Lake Core Ultra chips at around half the power consumption, and also beat AMD's Ryzen 9 7940HS and Apple's M3.

  • How is Australia dealing with vehicles hitting large animals?

    -Australia is experimenting with virtual fences: activated by approaching headlights, they use flashing lights and high-pitched alarms to scare animals away from roadsides.

  • What effect did the Taiwan earthquake have on the global chip supply chain?

    -TSMC workers returned within 24 hours of the earthquake, and 70% of its chipmaking operations had recovered within 10 hours. Since Taiwan produces 80 to 90% of the world's high-end chips, this was key to preventing a global rise in chip prices.

Outlines

00:00

🔍 Security flaw discovered in a Linux compression tool

This segment covers the discovery of a serious security backdoor in a compression tool used widely across Linux. Microsoft developer Andres Freund found it while micro-benchmarking, when he noticed encrypted logins consuming an abnormal amount of CPU in the XZ compression library. The backdoor lives in XZ Utils and could enable unauthorized remote access. Fortunately, the malicious code was spotted before it reached the production release of a major Linux distribution; it was found in beta releases of Fedora Rawhide and Debian and in a stable release of Arch Linux. Initial investigation suggests the backdoor was introduced by Jia Tan, one of XZ Utils' primary developers, who had been contributing code to the project since 2021. Researchers have so far found no evidence that Jia Tan exists beyond open-source circles.
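A host-side triage check for the mechanism described in this section, as an added example rather than code from the page or the XZ project: the backdoor can reach sshd only on systems where the sshd binary ends up loading liblzma, so the two facts worth establishing on a host are whether sshd links liblzma and which liblzma version is installed. The sshd path, the command invocations, the function names and the sample outputs are assumptions or constructed data; the two release numbers are the liblzma versions named in the public disclosure of this backdoor, a fact the page itself does not list.

```go
package main

import (
	"bufio"
	"fmt"
	"os/exec"
	"regexp"
	"strings"
)

// Added example, not code from the page or the XZ project. The two releases
// below are the liblzma versions named in the public disclosure of this
// backdoor; the sshd path is an assumption about where the distro installs it.
var backdooredLiblzma = map[string]bool{"5.6.0": true, "5.6.1": true}

const sshdPath = "/usr/sbin/sshd"

// liblzmaFromLdd scans `ldd <binary>` output and reports the resolved path
// of liblzma if the binary links it, directly or through another library.
// A typical line: "\tliblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x7f...)"
func liblzmaFromLdd(lddOutput string) (path string, linked bool) {
	sc := bufio.NewScanner(strings.NewReader(lddOutput))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) >= 3 && strings.HasPrefix(f[0], "liblzma.so") && f[1] == "=>" {
			return f[2], true
		}
	}
	return "", false
}

// versionRe matches the second line of `xz --version`, which reads "liblzma 5.x.y".
var versionRe = regexp.MustCompile(`(?m)^liblzma (\d+\.\d+\.\d+)`)

func liblzmaVersion(xzOutput string) (version string, found bool) {
	m := versionRe.FindStringSubmatch(xzOutput)
	if m == nil {
		return "", false
	}
	return m[1], true
}

// Verdict is what an analyst wants from the host at a glance.
type Verdict struct {
	SSHDLinksLiblzma bool
	LiblzmaPath      string
	Version          string
	KnownBad         bool // sshd loads a liblzma whose version matches a backdoored release
}

// Assess combines both observations. KnownBad needs both conditions: an sshd
// that never loads liblzma is unreachable by this backdoor even with a bad
// library on disk, and a linked sshd with a clean version is only as safe as
// the distribution's advisory says, since distros patch without renaming.
func Assess(lddOutput, xzOutput string) Verdict {
	v := Verdict{}
	v.LiblzmaPath, v.SSHDLinksLiblzma = liblzmaFromLdd(lddOutput)
	v.Version, _ = liblzmaVersion(xzOutput)
	v.KnownBad = v.SSHDLinksLiblzma && backdooredLiblzma[v.Version]
	return v
}

// Constructed sample output imitating a distro sshd that reaches liblzma via
// libsystemd, with the bad release installed. Not captured from a real host.
const sampleLdd = "\tlinux-vdso.so.1 (0x00007ffd)\n" +
	"\tlibsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f00)\n" +
	"\tliblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f01)\n" +
	"\tlibc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f02)\n"

const sampleXz = "xz (XZ Utils) 5.6.1\nliblzma 5.6.1\n"

func main() {
	ldd, err1 := exec.Command("ldd", sshdPath).Output()
	xz, err2 := exec.Command("xz", "--version").Output()
	if err1 != nil || err2 != nil {
		fmt.Println("could not run ldd/xz on this host; assessing the constructed sample instead")
		ldd, xz = []byte(sampleLdd), []byte(sampleXz)
	}
	fmt.Printf("%+v\n", Assess(string(ldd), string(xz)))
}
```

A match is a signal to follow your distribution's advisory immediately; a miss is not a clean bill of health, because the version string can be patched while the package name stays the same and because the check says nothing about a host that was already reached while the bad build was installed.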

05:01

📱 Mobile plans and Qualcomm's new processor

This part covers the episode's sponsor, Tello, and Qualcomm's new processor. Tello's unlimited plan offers free international calls, free hotspot and tethering, and unlimited 2G data after the high-speed allowance, at a low price with no contracts. Separately, Qualcomm's new Snapdragon X Elite processor outperforms its Intel and AMD competitors in the company's benchmarks, and even Apple's M3, which makes its upcoming arrival in Microsoft's Surface lineup all the more interesting.

10:03

🌐 Tech news roundup and outlook

This segment is a quick roundup: Google has agreed to delete a large amount of user data over Chrome's Incognito mode and to update its privacy policy; the Google Podcasts service is shutting down; Australia is trialling virtual fence technology to stop cars hitting wildlife; and, finally, a piece of metal from the International Space Station fell through a home in Florida, for which Japan's space agency may be liable.

Mindmap

Discovered by Andres Frey
Potential Remote Access Exploit
Involvement of Developer 'Jia Tan' aka 'JiaT75'
Found in Beta Releases of Fedora, Debian, and Stable Release of Arch Linux
XZ Utils Security Backdoor
Security Vulnerabilities
Reliance on Overseas Workers for Review
70% of Sales Required Human Review
Shift Towards Dash Carts
Abandonment of Just Walk Out Technology
Amazon Cashierless Checkout
Agreement to Delete Web Data
Update Privacy Policy
Avoidance of $5 Billion Penalty
Incognito Mode Data Collection
Google Privacy Concerns
Benchmarks Surpass Intel and AMD
Lower Power Consumption
Qualcomm Snapdragon X Elite
Shift to YouTube Music
Google Podcasts Service Termination
Majority Operations Recovered Within 10 Hours
TSMC's Rapid Recovery Post-Earthquake
Addressing Kangaroo Detection Failures
Australia's Virtual Fences for Wildlife
Tech Innovations and Challenges
Possibly Linked to Japanese Space Agency
Metal Discarded from ISS Hits Florida Home
Space Debris Incident
The Complex Interplay Between Technology and Privacy
The Continuous Evolution of Cybersecurity Threats
The Environmental and Social Impact of Technological Advancements
The Global Dependence on Technology for Everyday Operations
Underlying Themes and Messages
Tech News Analysis

Keywords

💡Security backdoor

A security backdoor is a hidden entry point deliberately left in software or a system that lets a developer or attacker bypass normal security controls. The video describes a backdoor found in a widely used Linux compression tool that could allow unauthorized remote access, a serious threat to users' data.

💡Linux

Linux is an open-source operating system kernel widely used in servers, supercomputers and embedded devices. First released by Linus Torvalds in 1991, it is one of the most widely used operating systems in the world today.

💡Developer

A developer is a professional who builds software, applications or systems. Developers typically have deep knowledge of programming languages and development tools and can design, write, test and maintain software products.

💡SSH authentication

SSH authentication is the process of verifying identity over the Secure Shell protocol, which provides an encrypted channel for accessing remote servers. It is meant to prevent unauthorized access and protect data in transit, which is why code injected into that step is so dangerous.

💡Malicious code

Malicious code is software or program code written specifically to harm computer systems, networks or users. It includes viruses, worms and Trojan horses and is typically used to gain unauthorized access, cause damage or steal information.

💡Open source

Open source is a model for developing and distributing software in which the source code is publicly available and anyone may freely use, modify and redistribute it. Open-source software encourages community collaboration and transparency, which can improve software quality and security.

💡Amazon

Amazon is one of the world's largest e-commerce platforms and also provides cloud computing and streaming services. It is known for its wide product selection, convenient shopping experience and technology-driven solutions.

💡Cashierless system

A cashierless system is retail technology that lets customers shop and pay without a traditional cashier. Such systems usually rely on automated scanning, tracking and payment technology, such as Amazon's 'Just Walk Out'.

💡Google

Google is a global technology company that started as a search engine and now offers a broad range of internet-related services and products, including advertising technology, cloud computing, hardware and software.

💡Privacy policy

A privacy policy is the legal statement a company or organization uses to tell users how it collects, uses and protects their personal information. It is the basis on which users understand and form expectations about how their personal data will be handled.

💡Qualcomm

Qualcomm is a leading wireless technology company focused on developing and supplying advanced chips and related technology for smartphones, tablets, IoT devices and more.

Highlights

XZ Utils, a compression tool used widely across Linux, contained a serious security backdoor

Developer Andres Freund discovered the backdoor while micro-benchmarking

The backdoor could allow unauthorized remote access

XZ Utils is available for almost every Linux distribution

The malicious code was found in Fedora Rawhide and Debian beta releases and in a stable Arch Linux release

Jia Tan (aka JiaT75), one of XZ Utils' two primary developers, is suspected of introducing the malicious code

Amazon is abandoning the cashierless checkout system at its Fresh grocery chain

The system, called 'Just Walk Out', relies on cameras and sensors to track customers

An estimated 70% of Just Walk Out sales required human review, a figure Amazon disputes

Amazon will instead rely on Dash Carts, a combination of shopping cart and self-checkout

Google has agreed to delete a massive store of web data collected through Chrome's Incognito mode

Google will also update its privacy policy and the Incognito mode landing page to state explicitly that the company continues to collect data

Qualcomm has released new benchmarks showing its upcoming ARM-powered Snapdragon X Elite laptop processor outperforming Intel's Meteor Lake Core Ultra chips

Google warns that the Google Podcasts service will soon shut down

TSMC resumed factory operations less than 24 hours after Taiwan's strongest earthquake in 25 years

Australia is experimenting with virtual fences to stop vehicles hitting kangaroos

A metal cylinder from the International Space Station fell through a home in Naples, Florida

Transcripts

00:00

that's right you know what time it is a

00:03

fact I'm going to rely on as I do not

00:05

have a watch but I trust you a serious

00:08

security back door and a widely used

00:10

compression utility for Linux has come

00:12

to light after being discovered and

00:13

flagged by developer Andres Freund who

00:16

works for Microsoft by day and maintains

00:18

PostgreSQL by night just like Batman

00:22

Freund only noticed because he was making

00:24

the best of his Easter Long Weekend by

00:26

doing some micro benchmarking when he

00:28

noticed that encrypted logins to part of

00:31

the XZ compression library were using

00:33

a ton of CPU which led him to discover

00:35

the back door in XZ Utils God you're

00:38

saying Zed did we say Zed in Canada I'll

00:41

I'll stop now I'll say it normal had it

00:43

not come to light when it did it could

00:44

have been potentially disastrous XZ

00:47

there you go utils is available for

00:49

almost every distribution of Linux but

00:51

luckily the malicious code was spotted

00:53

before it could be added into the

00:54

production release of a major distro it

00:56

was however found in beta releases for

00:58

Fedora Rawhide and Debian as well as

01:01

a stable release of Arch Linux and the

01:03

arch users will inform you of that the

01:05

back door apparently works by injecting

01:07

code during SSH authentication thereby

01:09

allowing unauthorized remote access

01:12

bizarrely this malicious code seems to

01:14

have been introduced by one of XZ utils

01:16

two primary developers Jia Tan AKA

01:20

JiaT75 one of the earlier Terminators who

01:23

had been contributing to the XZ project

01:25

regularly since 2021 while it's possible

01:28

that their system was compromised JiaT75's

01:31

account engaged in suspicious

01:33

activity over the course of several

01:35

weeks including repeatedly contacting

01:37

others about their new fixes several

01:40

notable contributors to the project have

01:41

therefore theorized that JiaT75's

01:44

involvement in XZ has been part of a

01:46

long con intended to get more and more

01:48

invasive permissions through both

01:50

genuine code contributions and a

01:52

pressure campaign conducted through sock

01:53

puppets against its original developer

01:56

Lasse Collin for faster development so

01:59

far researchers have yet to find any

02:01

evidence that Jia Tan exists Beyond his

02:04

presence in open-source circles which

02:05

honestly isn't all that different from

02:07

other Linux users stop browsing the web

02:09

using a text editor and go outside your

02:11

family misses you you have to see your

02:13

family to tell them you use

02:15

Arch Amazon is abandoning its

02:18

cashierless checkout system at its chain

02:20

of fresh grocery stores in part because

02:23

it wasn't really cashierless and instead

02:26

relied on a small army of over a

02:28

thousand overseas workers monitoring and

02:30

reviewing footage from these

02:32

transactions the program launched in

02:34

2016 under the name just walk out the

02:37

empowering slogan of absent fathers

02:38

everywhere just walk out involves a

02:41

series of cameras and sensors throughout

02:43

the store which track customers after

02:45

they scan in at the door and

02:46

automatically charge them for the items

02:47

they take when they leave 27 of Amazon's

02:50

44 fresh stores have just walk out

02:53

available and while Amazon gave the

02:55

impression that the system was fully

02:57

automated an estimated 70% of just

03:00

walkout sales required a human review as

03:03

of 2022 according to information from

03:06

the information they love that stuff

03:08

they do love information Amazon disputes

03:10

this number and claims that these

03:12

reviewers primary purpose was to

03:14

annotate videos for improved machine

03:15

learning if accurate however this would

03:17

seem to indicate that the company wasn't

03:19

actually replacing human cashiers it was

03:21

just Outsourcing them most likely by

03:23

having an underpaid office worker in

03:25

India watch you while you shop this

03:27

might explain why Shoppers at Fresh

03:28

stores sometimes found it would take

03:30

hours to receive a receipt for their

03:32

purchase Amazon hasn't given up on the

03:34

cashierless experience though and its

03:35

stores will instead increasingly rely on

03:38

dash carts essentially a combination of

03:40

shopping cart and self checkout which

03:42

tallies up items as they're added to the

03:44

cart although maybe there's actually

03:46

just a tiny little man hiding behind the

03:48

screen who uses a peephole to look

03:49

inside your cart and see what you're

03:50

buying who knows as part of a settlement

03:53

to a class action lawsuit Google has

03:56

agreed to delete a massive store of web

03:58

data that it collected while users

04:00

browsed using Chrome's purportedly

04:02

private incognito mode Google has

04:05

likewise agreed to update their privacy

04:07

policy as well as the incognito mode

04:09

landing page to explicitly notify users

04:12

that the company continues to collect

04:13

data from third party sites and apps

04:16

regardless of what mode their browser is

04:17

in Google originally argued to have the

04:19

case dismissed under the logic that

04:21

users had implicitly consented to have

04:23

their data collected even in incognito

04:25

mode because it warned them that their

04:27

activity might still be visible to

04:28

websites they visit which is a bit like

04:30

saying that your wife consented to your

04:32

affair because you told her there might

04:34

be other women at the company Christmas

04:36

party you know how these parties Go I

04:38

mean I mean you put some scotch in me

04:41

and I put myself in

04:43

women in a silver lining for Google the

04:45

agreement will spare the company from a

04:47

potential $5 billion penalty which is

04:50

good because they need that money to

04:51

invest in their next project preventing

04:53

other people from stealing your browser

04:55

data I don't steal their brand Google is

04:58

testing device-bound session

05:00

credentials to block malicious actors

05:02

from accessing sensitive accounts by

05:04

stealing and cloning a person's session

05:06

credentials a form of encryption that

05:08

ties authentication cookies to the

05:10

user's PC something we here at lmg have

05:14

intimate intimate experience with now

05:17

it's time for quick bits brought to you

05:19

by Tello the mobile company offering more

05:21

data and lowering their prices for every

05:24

single plan Tello's Unlimited Plan offers a

05:27

host of features like free international

05:29

calls to 60 plus countries free hotspot

05:32

and tethering and unlimited 2G data

05:35

after you've used your 35 GB 4G LTE 5G

05:39

balance all for just 25 bucks a month oh

05:42

and forget those binding contracts with

05:44

Tello there's no bulk buying no advance or

05:47

annual payment no contracts there's only

05:50

the flexibility to build your own phone

05:52

plan just the way you like it say tell

05:55

to your new phone plan at the link below

05:58

so that's how that goes and now it's

05:59

half past Tech news also known as quick

06:02

bit of clock just some fun Studio lingo

06:04

we all say it it's what we call it yeah

06:07

I totally didn't make that up Qualcomm

06:09

has released new benchmarks showing

06:10

their upcoming ARM-powered Snapdragon

06:12

X Elite laptop processors embarrassing

06:15

Intel's recently released meteor Lake

06:17

core Ultra chips compared to Intel's

06:19

core Ultra 9 185h and core Ultra

06:23

755h really cool names the elite

06:26

performed around 50% faster in geekbench

06:29

at around half the power consumption

06:31

also beating out AMD's Ryzen 9 7940HS

06:35

and even Apple's M3 qualcomm's regularly

06:38

been bragging about how great the X

06:40

Elite is since October and with the

06:42

month to go until they finally arrive on

06:44

the new Microsoft Surface lineup I think

06:47

it's time to chill for a bit you didn't

06:48

see apple chasing people around on the

06:50

street with PowerPoint presentations

06:52

about how the M1 is going to

06:54

revolutionize the industry please please

06:56

they left it to the boardrooms all of

06:58

them last year Google warned that the

07:01

Google podcast service would soon Google

07:03

perish and for sooth it has now come to

07:06

Google pass how do they know users

07:09

outside of the US will still be able to

07:10

listen to podcasts until June 24th but

07:13

after that everyone will have to get

07:15

their fix somewhere else like on app

07:17

that Google hasn't killed yet YouTube

07:19

music hopefully you don't go looking on

07:22

that app for Google's Z made by Google

07:24

podcast though because YouTube music

07:26

doesn't have it Google if if you're

07:29

going to kill so many apps it would be

07:31

nice to have more of a plan than the

07:33

Star Wars sequels no why did don't

07:36

mention it oh it hurts TSMC has

07:40

announced that workers are already

07:41

returning to factories less than 24

07:44

hours after Taiwan was hit by its

07:46

strongest earthquake in 25 years as a

07:49

of reporting the Quake killed nine and

07:51

injured more than 1,000 people 70% of

07:54

TSMC's chipmaking operations had recovered

07:57

within 10 hours of the earthquake and

07:59

that is unfortunately important because

08:02

Taiwan is responsible for 80 to 90% of

08:05

the world's high-end chips but I think I

08:08

speak for the world when I say hey tsmc

08:11

come here new chips are nice and all but

08:13

so is taking a single day off after your

08:15

country was devastated by an earthquake

08:17

having said that um thanks for

08:19

preventing a domino effect that would

08:20

inflate the price of basically

08:22

everything on Earth even further so back

08:25

to work Australia is turning to Virtual

08:28

fences after multiple car companies

08:30

have tried and failed to calibrate their

08:32

onboard large animal detection systems

08:34

to kangaroos they already had large

08:36

animal detection systems Volvo for

08:39

example has had a system that detects

08:42

pedestrians cyclists and various sundry

08:44

Beasts of the forest since 2016 but

08:47

kangaroos have proven a bit of a problem

08:49

in part because the average pedestrian

08:51

can't run at 44 mph or launch themselves

08:54

10 ft into the air not with that

08:56

attitude according to Volvo Australia's

08:59

technical lead David Pickett

09:01

kangaroos tend to move unpredictably and

09:03

when it's Airborne you lose the point of

09:06

reference for where it actually is

09:09

terrifying instead Australia will be

09:11

experimenting with virtual fences which

09:14

are activated by approaching headlights

09:16

and use flashing lights and high-pitched

09:18

alarms to scare animals away from

09:20

roadsides installation is unfortunately

09:22

expensive but on the other hand a

09:24

kangaroo hitting your windshield is both

09:26

expensive and bad for the kangaroo does

09:28

that mean that driving down a highway in

09:30

Australia will sound

09:32

like a piece of metal discarded from the

09:35

International Space Station apparently

09:37

ripped through the roof and two floors

09:39

of a home in Naples Florida and if you

09:42

felt relieved after I specified which

09:43

Naples it was you're a bad person the 2 lb

09:47

piece of cylindrical metal that hit the

09:48

home of Alejandro Otero is alleged to be

09:51

part of a 2.9 ton cargo pallet

09:54

containing nine batteries tossed from

09:56

the ISS 3 years ago apparently Japan may

10:00

be liable for the damages since their

10:02

space agency sent the now discarded

10:04

structure into space so congratulations

10:07

to whoever had Florida man sues Japan

10:10

after extraterrestrial attack on their

10:12

2024 bingo card but if you've got more

10:15

Tech news on your bingo card just come

10:17

back on Friday when we post the next

10:18

episode if you don't play Bingo very

10:21

simple you should instead come back on

10:23

Friday when we post the next episode

10:25

don't do the other one don't mix them up