
The XZ Backdoor Story: How a Supply Chain Attack Nearly Compromised SSH Servers

DEFCONConference via YouTube

Overview

Dive into a DEF CON 32 conference talk exploring the dramatic discovery and investigation of a critical backdoor in the XZ/liblzma library that threatened SSH servers worldwide. Follow the timeline from the initial alert by Microsoft engineer Andres Freund to OSS security, through the unraveling of a complex undercover operation involving a mysterious maintainer named Jia Tan. Learn about the technical intricacies of how the backdoor was implemented and could be exploited, the coincidental nature of its discovery, and the methodical process of how trust was gained within the project. Examine the broader implications for open-source security, including crucial lessons learned and potential improvements for preventing similar incidents in the future. Uncover the complete story behind this significant security incident that put the entire internet at risk and the fortunate circumstances that helped avoid a potentially devastating outcome.

Syllabus

On Fri, 29 Mar 2024, at exactly , OSS security received a message from Andres Freund, a software engineer at Microsoft, stating that he had discovered a backdoor in upstream xz/liblzma that could compromise SSH servers. The open-source project XZ, specifically the liblzma library, had been compromised by a mysterious maintainer named Jia Tan, putting the entire internet at risk. Fortunately, this discovery helped us avoid the worst.

Taught by

DEFCONConference
