XZ: The day the internet (almost) died

We are back with another exciting talk. The company andrena objects kindly welcomes us to their premises in Mannheim-Eastsite and will also provide drinks and a snack. In addition, we are raffling off a free ticket to this year's JAX conference in early May in Mainz among all attendees!

The two speakers, Reinier Zwitserloot and Roel Spilker, have visited us before and delivered an exciting and entertaining talk, so expectations for their talk XZ: The day the internet (almost) died are high :-)

The talk will be given in English.

Registration

For better planning, we would appreciate your registration (optional and non-binding) on our Meetup page.

Date

The talk takes place on 27.03.2025 at 19:00 at andrena objects. EASTSITE ELYSIUM, Konrad-Zuse-Ring 23, 68163 Mannheim

Abstract

A curious blip in a timing test made Andres Freund (a PostgreSQL developer) raise an eyebrow and investigate. Little did he know he would uncover one of the most elaborate hacking attempts known to date using an open source project.

A team of Russian hackers had been working for over a year on infiltrating an open source project called XZ Utils (also known as LZMA Utils). They came eerily close to having a compromised version shipped as part of the 'stable' releases of various Linux distributions, including Debian. You know: the stuff that 90% of the internet runs on. It would have allowed the hackers to log in as root to virtually all machines running Linux with SSH open, anywhere on the planet.

This talk is for the programmers. We'll show you exactly how the hackers compromised XZ, and which James Bond-like shenanigans they used to mislead the maintainer. Can you spot the error in a pull request that was put there intentionally to disable a security feature? Do you know how one sneaks a binary executable into a project build, when Linux maintainers ordinarily demand that everything can be built from source?

As maintainers of Lombok, we’ll also give some advice to those who maintain or rely on open source software.

WARNING: You will leave the room in awe of the games the attackers played. You will be scared witless too, by how close we came to disaster and how none of the current safety measures that aim to prevent supply chain attacks would have been able to stop this attack.

An event of iJUG e.V., organized by the JUG Mannheim (majug).