25.03.2025
XZ: The day the Internet (almost) died
We are guests of QAware at the SleevesUp coworking space.
Abstract
A curious blip in a timing test made Andres Freund (a PostgreSQL developer) raise an eyebrow and investigate. Little did he know he would uncover one of the most elaborate hacking attempts known to date using an open source project.
A team of Russian hackers had been working for over a year on infiltrating an open source project called XZ Utils (also known as LZMA Utils). They came eerily close to having a compromised version shipped as part of the 'stable' releases of various Linux distributions, including Debian. You know: the stuff that 90% of the internet runs on. It would have allowed the hackers to log in as root to virtually every Linux machine with SSH exposed, anywhere on the planet.
This talk is for the programmers. We'll show you exactly how the hackers compromised XZ, and which James Bond-like shenanigans they used to mislead the maintainer. Can you spot the error in a pull request that was put there intentionally to disable a security feature? Do you know how one sneaks a binary executable into a project build, when Linux maintainers ordinarily demand that everything can be built from source?
As maintainers of Lombok, we'll also give some advice to those who maintain or rely on open source software.
WARNING: You will leave the room in awe of the games the attackers played. You will be scared witless too, by how close we came to disaster and by how none of the current safety measures that aim to prevent supply-chain attacks would have been able to stop this one.
Speakers
Reinier Zwitserloot is co-founder and development lead at Zorg op Orde, helping general practitioners by bridging the gap between medical researchers and the waiting room. Together with Roel Spilker he is the inventor of Project Lombok, a compiler/IDE plugin that brings the Java programming language into the next decade.
Roel Spilker is a technology evangelist at TOPdesk. He has been a professional Java programmer and teacher since 1999, and is a fan of compile-time checking. Together with Reinier Zwitserloot he is the inventor of Project Lombok, a compiler/IDE plugin that brings the Java programming language into the next decade.
Sponsor
QAware is providing the venue and catering for the evening. Many thanks for that. The usual detour to the Hotzenplotz after the talk is therefore cancelled; we will simply stay on site!
Registration
To help us plan, we ask for a non-binding registration with your first and last name and e-mail address. This allows us to contact you at short notice in case of changes. We do not pass your data on to anyone!
Anyone who registers up to 24 hours before the talk and attends the event takes part in our raffle. Prizes include books, software licenses, magazine subscriptions and sometimes free tickets to local conferences. The judges' decision is final.