The Linux Hack was an inside job…
Summary
TLDR: In a newly disclosed security vulnerability, XZ Utils, a compression tool used widely across Linux, was found to contain a backdoor. Developer Andres Freund noticed while micro-benchmarking that SSH logins were consuming an unusual amount of CPU, and tracing that into the XZ compression library (liblzma) exposed the problem. Fortunately the malicious code was caught before it reached the production release of a major Linux distribution. Separately, Amazon is dropping its cashierless checkout in favour of Dash Carts; Google has agreed to delete data collected through Chrome's Incognito mode and to update its privacy policy; Qualcomm published new Snapdragon X Elite benchmarks that outperform Intel and AMD parts; and TSMC resumed production quickly after the Taiwan earthquake, underlining Taiwan's place in the global chip supply chain.
Takeaways
- 🕒 Microsoft developer Andres Freund found and promptly flagged a security backdoor in XZ Utils, a compression tool used widely across Linux.
- 🔍 The backdoor was found during micro-benchmarking over the Easter long weekend, because SSH logins were consuming a lot of CPU inside the XZ compression library (liblzma).
- 🚪 The backdoor could allow unauthorized remote access by injecting code during SSH authentication.
- 🔐 The malicious code appears to have been introduced by Jia Tan (GitHub handle JiaT75), one of XZ Utils' primary developers, who had contributed to the XZ project regularly since 2021.
- 🤔 Although JiaT75's behaviour has raised suspicion, researchers have so far found no evidence that the person exists outside of open-source circles.
- 🛒 Amazon is abandoning its 'Just Walk Out' cashierless checkout system because it was not fully automated; it relied on overseas workers remotely monitoring and reviewing transactions.
- 🏪 27 of Amazon's 44 Fresh stores used 'Just Walk Out', but as of 2022 an estimated 70% of transactions required human review.
- 🤖 Amazon says the reviewers' primary job was annotating video to improve the machine-learning models, not standing in for human cashiers.
- 📄 Google agreed to delete a large store of web data collected while users browsed in Chrome's Incognito mode, and to update its privacy policy to state explicitly that the company continues to collect data.
- 🔐 Google is testing Device Bound Session Credentials, which tie authentication cookies to the user's PC, to stop attackers from accessing sensitive accounts by stealing and cloning a user's session credentials.
- 📈 Qualcomm released new benchmarks showing its upcoming ARM-based Snapdragon X Elite laptop processor outperforming Intel's Meteor Lake Core Ultra chips.
Q & A
Who is the developer who found the security backdoor in a compression tool widely used on Linux?
- Andres Freund, who works at Microsoft and maintains PostgreSQL in his spare time.
How did Andres Freund notice the problem in the XZ compression library?
- While micro-benchmarking, he noticed that SSH logins were spending a lot of CPU inside the XZ compression library, which led him to the backdoor in XZ Utils.
What consequences could the backdoor have had?
- Had it not been caught in time, the consequences could have been disastrous: the backdoor injects code during SSH authentication, allowing unauthorized remote access.
How was the malicious code introduced into XZ Utils?
- It appears to have been introduced by Jia Tan (JiaT75), one of XZ Utils' two primary developers, who had contributed regularly to the XZ project since 2021.
What about JiaT75's behaviour raised suspicion?
- Over several weeks the account repeatedly contacted others about its new fixes, and contributors suspect a long con: earning ever more invasive permissions through genuine code contributions combined with a sock-puppet pressure campaign against the original developer, Lasse Collin, for faster development.
In which Linux distributions was the malicious XZ Utils code found?
- In beta releases for Fedora Rawhide and Debian, and in a stable release of Arch Linux.
Why is Amazon abandoning cashierless checkout at its Fresh grocery stores?
- Because the system was not truly cashierless; it relied on more than a thousand overseas workers monitoring and reviewing transaction video.
Why did Google agree to delete a large store of collected web data?
- To settle a class action lawsuit alleging that Google collected user data while Chrome was in Incognito mode.
How does Qualcomm's new processor compare with Intel and AMD parts?
- Qualcomm's Snapdragon X Elite benchmarked around 50% faster than Intel's Meteor Lake Core Ultra chips in Geekbench at about half the power consumption, and also beat AMD's Ryzen 9 7940HS and Apple's M3.
How is Australia dealing with vehicles striking large animals?
- Australia is trialling virtual fences: triggered by approaching headlights, they use flashing lights and high-pitched alarms to scare animals away from roadsides.
What effect did the Taiwan earthquake have on the global chip supply chain?
- TSMC workers returned within 24 hours, and 70% of chipmaking operations had recovered within 10 hours of the quake. Since Taiwan produces 80 to 90% of the world's high-end chips, that quick recovery was key to preventing a global rise in chip prices.
Outlines
🔍 Security vulnerability discovery and the Linux compression tool problem
This segment covers a serious security backdoor found in a compression tool used widely across Linux. Microsoft developer Andres Freund found it while micro-benchmarking: he noticed SSH logins burning an unusual amount of CPU inside the XZ compression library. The backdoor lives in XZ Utils and could permit unauthorized remote access. Fortunately the malicious code was caught before it reached a major Linux distribution's production release, though it had landed in Fedora Rawhide, Debian beta releases and a stable release of Arch Linux. Early investigation suggests the backdoor was introduced by Jia Tan (JiaT75), one of XZ Utils' primary developers, who had contributed code to the XZ project since 2021. Researchers have so far found no other evidence that Jia Tan exists.
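As an added example (not code from the video or from the XZ project), here is a small POSIX shell check a practitioner can run to find out whether a host carries a backdoored XZ Utils build and whether the local sshd loads liblzma at all. It assumes, from public analysis of the incident rather than from this page, that the backdoored releases are xz 5.6.0 and 5.6.1 and that the hook only matters when liblzma ends up loaded into sshd (on most distributions indirectly through libsystemd). The `xz --version` and `ldd` samples are constructed inline so the functions can be exercised offline.

```shell
#!/bin/sh
# Added example, not code from the video or the XZ project.
# Assumptions (from public analysis of the xz incident, not this page):
#   - the backdoor shipped in XZ Utils releases 5.6.0 and 5.6.1;
#   - it is reached through liblzma being loaded into sshd, usually
#     indirectly via libsystemd, so an sshd that never loads liblzma
#     is not exposed even on a host with a bad liblzma installed.

# True (exit 0) when the version string is one of the backdoored releases.
xz_version_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Pull the version number out of `xz --version` text, e.g.
# "xz (XZ Utils) 5.6.1" -> "5.6.1". Takes the text as an argument so it
# can be tested without running xz.
xz_version_from_output() {
    printf '%s\n' "$1" | sed -n '1s/.*[[:space:]]\([0-9][0-9.]*\).*/\1/p'
}

# Prints "yes" if `ldd` output lists liblzma (directly or pulled in by
# another library such as libsystemd), otherwise "no".
links_liblzma() {
    if printf '%s\n' "$1" | grep -q 'liblzma\.so'; then
        echo yes
    else
        echo no
    fi
}

# Combine the two signals into a single verdict string.
assess() {
    ver="$1"
    ldd_text="$2"
    if [ -z "$ver" ]; then
        echo "XZ-NOT-FOUND"
    elif ! xz_version_affected "$ver"; then
        echo "NOT-AFFECTED-VERSION"
    elif [ "$(links_liblzma "$ldd_text")" = yes ]; then
        echo "BACKDOORED-BUILD-AND-SSHD-EXPOSED"
    else
        echo "BACKDOORED-BUILD"
    fi
}

# Constructed sample inputs (not captured from a real host) so the
# functions above can be exercised offline.
SAMPLE_XZ_OUTPUT='xz (XZ Utils) 5.6.1
liblzma 5.6.1'
SAMPLE_LDD_EXPOSED='    linux-vdso.so.1 (0x00007ffc1a3f0000)
    libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f3c2e400000)
    liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f3c2e3c0000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f3c2e000000)'
SAMPLE_LDD_CLEAN='    linux-vdso.so.1 (0x00007ffc1a3f0000)
    libcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 (0x00007f3c2e200000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f3c2e000000)'

# Live check of the current host; only runs when invoked with --live.
check_host() {
    ver=$(xz_version_from_output "$(xz --version 2>/dev/null)")
    sshd_path=$(command -v sshd 2>/dev/null || echo /usr/sbin/sshd)
    ldd_text=$(ldd "$sshd_path" 2>/dev/null)
    printf 'xz version: %s\nsshd: %s\nverdict: %s\n' \
        "${ver:-none}" "$sshd_path" "$(assess "$ver" "$ldd_text")"
}

case "${1:-}" in
    --live) check_host ;;
esac
```

Run it as `sh xzcheck.sh --live` on the host in question. Two caveats: a `NOT-AFFECTED-VERSION` verdict says nothing about distribution-patched packages whose version string was changed, so confirm against the package manager's changelog as well; and `ldd` hands the binary to the dynamic loader, so on a host you already suspect, prefer reading the `NEEDED` entries with `objdump -p` or `readelf -d` (which list only direct dependencies, so check libsystemd the same way).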
📱 Mobile plans and Qualcomm's new processor
This part covers the episode's sponsor, Tello, and Qualcomm's new processor. Tello's Unlimited Plan includes free international calls to 60+ countries, free hotspot and tethering, and unlimited 2G data after the 35 GB high-speed allowance, for $25 a month with no contracts or bulk buying. Separately, Qualcomm's new Snapdragon X Elite benchmarks put it ahead of its Intel and AMD competitors and even Apple's M3, ahead of its arrival in Microsoft's new Surface lineup.
🌐 Tech news roundup and outlook
This segment is a roundup: Google agreed to delete a large store of user data over Chrome's Incognito mode and will update its privacy policy; Google Podcasts is shutting down; Australia is trialling virtual fences to stop cars hitting wildlife; and a piece of metal from the International Space Station fell through a house in Florida, for which Japan's space agency may be liable.
Keywords
💡Security backdoor
💡Linux
💡Developer
💡SSH authentication
💡Malicious code
💡Open source
💡Amazon
💡Cashierless checkout
💡Google
💡Privacy policy
💡Qualcomm
Highlights
XZ Utils, a compression tool used widely across Linux, contains a serious security backdoor
Developer Andres Freund discovered the backdoor while micro-benchmarking
The backdoor could allow unauthorized remote access
XZ Utils is available for almost every Linux distribution
The malicious code was found in major distributions, including Fedora Rawhide, Debian and Arch Linux
Jia Tan (JiaT75), one of XZ Utils' two primary developers, may have introduced the malicious code
Amazon is abandoning the cashierless checkout system at its Fresh grocery store chain
The system, called 'Just Walk Out', relies on cameras and sensors to track shoppers
An estimated 70% of Just Walk Out sales required human review as of 2022, a figure Amazon disputes
Amazon will shift to Dash Carts, a combination of shopping cart and self-checkout
Google agreed to delete a large store of web data collected through Chrome's Incognito mode
Google will also update its privacy policy and the Incognito landing page to state clearly that the company continues to collect data
Qualcomm released new benchmarks showing its upcoming ARM-powered Snapdragon X Elite laptop processor outperforming Intel's Meteor Lake Core Ultra chips
Google warned that the Google Podcasts service will shut down soon
TSMC resumed fab operations less than 24 hours after Taiwan's strongest earthquake in 25 years
Australia is trialling virtual fences to stop vehicles hitting kangaroos
A metal cylinder from the International Space Station fell through a home in Naples, Florida
Transcripts
That's right, you know what time it is, a fact I'm going to rely on as I do not have a watch, but I trust you. A serious security back door in a widely used compression utility for Linux has come to light after being discovered and flagged by developer Andres Freund, who works for Microsoft by day and maintains PostgreSQL by night, just like Batman. Freund only noticed because he was making the best of his Easter long weekend by doing some micro benchmarking, when he noticed that encrypted logins to part of the XZ compression library were using a ton of CPU, which led him to discover the back door in XZ Utils. God, you're saying Zed? Did we say Zed in Canada? I'll stop now, I'll say it normal. Had it not come to light when it did, it could have been potentially disastrous. XZ, there you go, Utils is available for almost every distribution of Linux, but luckily the malicious code was spotted before it could be added into the production release of a major distro. It was, however, found in beta releases for Fedora Rawhide and Debian, as well as a stable release of Arch Linux, and the Arch users will inform you of that. The back door apparently works by injecting code during SSH authentication, thereby allowing unauthorized remote access. Bizarrely, this malicious code seems to have been introduced by one of XZ Utils' two primary developers, Jia Tan, AKA JiaT75, one of the earlier Terminators, who had been contributing to the XZ project regularly since 2021. While it's possible that their system was compromised, JiaT75's account engaged in suspicious activity over the course of several weeks, including repeatedly contacting others about their new fixes. Several notable contributors to the project have therefore theorized that JiaT75's involvement in XZ has been part of a long con intended to get more and more invasive permissions through both genuine code contributions and a pressure campaign conducted through sock puppets against its original developer, Lasse Collin, for faster development. So far, researchers have yet to find any evidence that Jia Tan exists beyond his presence in open-source circles, which honestly isn't all that different from other Linux users. Stop browsing the web using a text editor and go outside, your family misses you. You have to see your family to tell them you use Arch.

Amazon is abandoning its cashierless checkout system at its chain of Fresh grocery stores, in part because it wasn't really cashierless and instead relied on a small army of over a thousand overseas workers monitoring and reviewing footage from these transactions. The program launched in 2016 under the name Just Walk Out, the empowering slogan of absent fathers everywhere. Just Walk Out involves a series of cameras and sensors throughout the store which track customers after they scan in at the door and automatically charge them for the items they take when they leave. 27 of Amazon's 44 Fresh stores have Just Walk Out available, and while Amazon gave the impression that the system was fully automated, an estimated 70% of Just Walk Out sales required a human review as of 2022, according to information from The Information. They love that stuff. They do love information. Amazon disputes this number and claims that these reviewers' primary purpose was to annotate videos for improved machine learning. If accurate, however, this would seem to indicate that the company wasn't actually replacing human cashiers, it was just outsourcing them, most likely by having an underpaid office worker in India watch you while you shop. This might explain why shoppers at Fresh stores sometimes found it would take hours to receive a receipt for their purchase. Amazon hasn't given up on the cashierless experience though, and its stores will instead increasingly rely on Dash Carts, essentially a combination of shopping cart and self checkout which tallies up items as they're added to the cart. Although maybe there's actually just a tiny little man hiding behind the screen who uses a peephole to look inside your cart and see what you're buying. Who knows.

As part of a settlement to a class action lawsuit, Google has agreed to delete a massive store of web data that it collected while users browsed using Chrome's purportedly private Incognito mode. Google has likewise agreed to update their privacy policy as well as the Incognito mode landing page to explicitly notify users that the company continues to collect data from third party sites and apps regardless of what mode their browser is in. Google originally argued to have the case dismissed under the logic that users had implicitly consented to have their data collected even in Incognito mode, because it warned them that their activity might still be visible to websites they visit, which is a bit like saying that your wife consented to your affair because you told her there might be other women at the company Christmas party. You know how these parties go. I mean, I mean, you put some scotch in me and I put myself in women. In a silver lining for Google, the agreement will spare the company from a potential $5 billion penalty, which is good, because they need that money to invest in their next project: preventing other people from stealing your browser data. I don't steal their brand. Google is testing Device Bound Session Credentials to block malicious actors from accessing sensitive accounts by stealing and cloning a person's session credentials, a form of encryption that ties authentication cookies to the user's PC, something we here at LMG have intimate, intimate experience with.

Now it's time for Quick Bits, brought to you by Tello, the mobile company offering more data and lowering their prices for every single plan. Tello's Unlimited Plan offers a host of features like free international calls to 60 plus countries, free hotspot and tethering, and unlimited 2G data after you've used your 35 GB 4G LTE 5G balance, all for just 25 bucks a month. Oh, and forget those binding contracts. With Tello there's no bulk buying, no advance or annual payment, no contracts, there's only the flexibility to build your own phone plan just the way you like it. Say Tello to your new phone plan at the link below. So that's how that goes.

And now it's half past Tech News, also known as Quick Bits o'clock, just some fun studio lingo, we all say it, it's what we call it. Yeah, I totally didn't make that up. Qualcomm has released new benchmarks showing their upcoming ARM powered Snapdragon X Elite laptop processors embarrassing Intel's recently released Meteor Lake Core Ultra chips. Compared to Intel's Core Ultra 9 185H and Core Ultra 7 155H, really cool names, the Elite performed around 50% faster in Geekbench at around half the power consumption, also beating out AMD's Ryzen 9 7940HS and even Apple's M3. Qualcomm's regularly been bragging about how great the X Elite is since October, and with a month to go until they finally arrive on the new Microsoft Surface lineup, I think it's time to chill for a bit. You didn't see Apple chasing people around on the street with PowerPoint presentations about how the M1 is going to revolutionize the industry. Please, please. They left it to the boardrooms, all of them.

Last year Google warned that the Google Podcasts service would soon Google perish, and forsooth it has now come to Google pass. How do they know? Users outside of the US will still be able to listen to podcasts until June 24th, but after that everyone will have to get their fix somewhere else, like on an app that Google hasn't killed yet, YouTube Music. Hopefully you don't go looking on that app for Google's Made by Google podcast though, because YouTube Music doesn't have it. Google, if, if you're going to kill so many apps, it would be nice to have more of a plan than the Star Wars sequels. No, why did... don't mention it. Oh, it hurts.

TSMC has announced that workers are already returning to factories less than 24 hours after Taiwan was hit by its strongest earthquake in 25 years. As of reporting, the quake killed nine and injured more than 1,000 people. 70% of TSMC's chipmaking operations had recovered within 10 hours of the earthquake, and that is unfortunately important because Taiwan is responsible for 80 to 90% of the world's high-end chips. But I think I speak for the world when I say, hey TSMC, come here, new chips are nice and all but so is taking a single day off after your country was devastated by an earthquake. Having said that, um, thanks for preventing a domino effect that would inflate the price of basically everything on Earth even further. So, back to work.

Australia is turning to virtual fences after multiple car companies have tried and failed to calibrate their onboard large animal detection systems to kangaroos. They already had large animal detection systems: Volvo, for example, has had a system that detects pedestrians, cyclists and various sundry beasts of the forest since 2016, but kangaroos have proven a bit of a problem, in part because the average pedestrian can't run at 44 mph or launch themselves 10 ft into the air. Not with that attitude. According to Volvo Australia's technical lead David Pickett, kangaroos tend to move unpredictably, and when it's airborne you lose the point of reference for where it actually is. Terrifying. Instead, Australia will be experimenting with virtual fences which are activated by approaching headlights and use flashing lights and high-pitched alarms to scare animals away from roadsides. Installation is unfortunately expensive, but on the other hand a kangaroo hitting your windshield is both expensive and bad for the kangaroo. Does that mean that driving down a highway in Australia will sound like...

A piece of metal discarded from the International Space Station apparently ripped through the roof and two floors of a home in Naples, Florida, and if you felt relieved after I specified which Naples it was, you're a bad person. The 2 lb piece of cylindrical metal that hit the home of Alejandro Otero is alleged to be part of a 2.9 ton cargo pallet containing nine batteries tossed from the ISS 3 years ago. Apparently Japan may be liable for the damages, since their space agency sent the now discarded structure into space. So congratulations to whoever had "Florida man sues Japan after extraterrestrial attack" on their 2024 bingo card. But if you've got more tech news on your bingo card, just come back on Friday when we post the next episode. If you don't play bingo, very simple, you should instead come back on Friday when we post the next episode. Don't do the other one. Don't mix them up.