Censorship News

Started by K-Dog, Apr 04, 2024, 03:01 PM

K-Dog

'xz utils' software backdoor uncovered. 

Machines can be fully compromised, and the code could have eventually found itself onto this computer had it not been discovered.  A fascinating story.  The backdoor got into the widely used Debian Linux distribution (pre-release) branch, but not into the stable release.

What does this have to do with censorship?  The short answer is everything.  But a guy who wrote his own code so that Big Brother 'SHOULD' not have access to it, would find this to be a big deal.  And I do.  Funny this news is not mainstream.

Background

On March 29th, 2024, a backdoor was discovered in xz-utils, a suite of software that gives developers lossless compression. This package is commonly used for compressing release tarballs, software packages, kernel images, and initramfs images. It is very widely distributed; statistically, your average Linux or macOS system will have it installed for convenience.

This backdoor is very indirect and only shows up when a few known specific criteria are met. Others may be yet discovered! However, this backdoor is at least triggerable by remote unprivileged systems connecting to public SSH ports. This has been seen in the wild where it gets activated by connections - resulting in performance issues, but we do not know yet what is required to bypass authentication (etc) with it.

We're reasonably sure the following things need to be true for your system to be vulnerable:
  • You need to be running a distro that uses glibc (for IFUNC)
  • You need to have versions 5.6.0 or 5.6.1 of xz or liblzma installed (xz-utils provides the library liblzma) - likely only true if running a rolling-release distro and updating religiously.

We know that the combination of systemd and patched openssh are vulnerable but pending further analysis of the payload, we cannot be certain that other configurations aren't.

While not scaremongering, it is important to be clear that at this stage, we got lucky, and there may well be other effects of the infected liblzma.
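
The two conditions listed in the post above, written as a host check. This is an added example, not part of the original post; the function names are hypothetical, and the affected versions (5.6.0 and 5.6.1) are the ones the post gives.

```sh
#!/bin/sh
# Added example: classify a host against the two conditions in the post.
# Assumption: `xz --version` prints "xz (XZ Utils) X.Y.Z" and "liblzma X.Y.Z",
# and `getconf GNU_LIBC_VERSION` prints "glibc X.Y" only on glibc systems.

# Read `xz --version`-style text on stdin, print each version number found.
# Both lines matter: the xz binary and the loaded liblzma can differ.
extract_versions() {
    sed -n -E 's/^(xz \(XZ Utils\)|liblzma) ([0-9]+\.[0-9]+\.[0-9]+).*/\2/p'
}

# Return 0 if the version is one the post names as backdoored.
is_affected_version() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Print "affected", "not-affected" or "unknown" for the given version text.
classify_xz_output() {
    versions=$(printf '%s\n' "$1" | extract_versions)
    [ -n "$versions" ] || { echo unknown; return; }
    for v in $versions; do
        if is_affected_version "$v"; then echo affected; return; fi
    done
    echo not-affected
}

# Return 0 if the text from `getconf GNU_LIBC_VERSION` identifies glibc.
uses_glibc() {
    case "$1" in
        glibc\ *) return 0 ;;
        *) return 1 ;;
    esac
}

# Run both checks on the local machine; missing tools yield "unknown".
report_host() {
    xz_out=$(xz --version 2>/dev/null || true)
    libc_out=$(getconf GNU_LIBC_VERSION 2>/dev/null || true)
    echo "xz/liblzma: $(classify_xz_output "$xz_out")"
    if uses_glibc "$libc_out"; then echo "libc: glibc"
    else echo "libc: not glibc, or unknown"; fi
}

report_host
```

A result of "not-affected" only covers the version criterion the post lists; the post itself says other configurations cannot yet be ruled out.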

K-Dog

#1
Since I went down the rabbit hole to find out about 'xz utils' I know who did it and how.  The details of that I did not post.  Since then I found a New York Times article about the backdoor.  (By way of Surly's newsletter)

The NYT article is a distortion.  The 'Thankless Guy from Nebraska' had in real life been helped by the individual who wrote the backdoor.  I don't want to hunt for the names just to prove a point.  The doer of the dirty deeds has a Chinese name.

The NYT article totally butchered the facts and has the 'Microsoft Engineer' who found the exploit as the 'Thankless Guy from Nebraska' which is a bogus buggery of actual facts.  The 'Thankless Guy from Nebraska' is a victim who was used by the author of the backdoor.

And the real guy is not actually in Nebraska.  The cartoon has been around for years.  For all we know the Chinese perpetrator could have been an American alphabet agency.

And the NYT will be where the cover story will appear.

K-Dog

#2
The Trump Administration's Data-Sharing Initiative with Palantir.

The New York Times revealed that the Trump administration is collaborating with Palantir Technologies on a federal data-sharing initiative which will consolidate personal information on nearly every American into a big-brother database. This system will significantly expand presidential surveillance capabilities.

Palantir, co-founded by billionaire and Trump backer Peter Thiel, specializes in advanced data integration for government and private-sector clients.

That means they make war software.  The company has a history of securing lucrative federal contracts, including a $795 million deal with the Department of Defense, and partnerships with agencies like Homeland Security, and Health and Human Services. Thiel, a prominent conservative donor who bankrolled Trump's 2016 campaign and mentored Senator J.D. Vance, has deepened Palantir's hooks onto the government feed trough. Palantir's Foundry tool will merge disparate datasets.  Tax records, medical histories, immigration status, and social media activity all into unified searchable profiles, and accessible to the king.

Palantir's involvement in controversial programs, such as aiding ICE deportations and supporting Israel's military, has fueled criticism. The company's motto, "We don't mind being the bad guys," floods the zone with shit, and underscores Palantir's willingness to operate in ethically fucked areas.  They be doin the "Golden Dome" don'tcha know.  Palantir is a key partner in Trump's $175 billion "Golden Dome" missile defense system modeled after Israel's Iron Dome.

Which apparently we need more than medical care, affordable homes, safe food to eat, safe skies to travel in, and generally everything else that really matters as Trump replaces all these things with hate for other people.

The initiative promises massive payouts for contractors. Since Trump's return to office, Palantir has received over $13 million in federal funding, with its software already deployed across multiple agencies.

Earlier this year, Trump signed an executive order streamlining data-sharing between agencies, for surveillance consolidation. Political repression is coming to your world. The dystopian surveillance state is already here, but King Trump turns up the volume.


Should the U.S. government wield the power to profile its citizens so comprehensively?

That is a question you don't get to ask.






Not what you voted for?    Oh yes it is.  If you did.