[Discuss] Debian 12 in the Cloud
Rich Pieri
richard.pieri at gmail.com
Mon Jun 3 17:46:23 EDT 2024
On Mon, 3 Jun 2024 15:58:57 -0400
Steve Litt <slitt at troubleshooters.com> wrote:
>> >Number of lines of code does not correlate with attack surface.
> That's exactly what I said, except I used the word correlate.
You said there is a correlation even if it's not 1:1.
I said that no such correlation exists. It's a myth.
Because all other things are *not* equal. Smaller and simpler can be
easier to understand, test, and debug; but being easier to understand,
test and debug is not a function of size. A large, well-written program
can be easier to understand, etc., than a small, poorly-written program.
The Linux kernel vs. systemd. The kernel is ~15 times larger than
systemd in terms of lines of code, yet the attack surface is much
smaller due to better design and better coding practices.
I need to amend your timeline because systemd is getting better. The
developers have been removing potentially insecure external
dependencies, including XZ, so the timeline really looks like this:
* systemd incorporates XZ into itself [basic Unix philosophy of reusing
existing tools/libraries]
* Long game evil SOB tortures unpaid, volunteer XZ maintainer [not
underpaid; unpaid]
* SOB begins preparations for inserting their backdoor into XZ code
* Two years of SOB slowly and carefully implementing their payload
delivery scheme [backdoor is not here, yet]
* systemd crew announce forthcoming removal of XZ dependency [disaster
for SOB]
* SOB, now under severe time constraints, quickly commits obfuscated
backdoor code into the 5.6.0 and 5.6.1 tarballs, hidden from the
GitHub repo using .gitignore.
* SOB asks Red Hat and Debian to accept the 5.6.0/5.6.1 releases into
their testing/rolling releases which they do. Other rolling distros
and development releases follow suit. [common practice for developers
wanting their latest and greatest included in the latest and greatest
distro releases] [backdoor is now live on a relatively small number
of systems -- including two of mine running Tumbleweed, though
neither exposed to the public network and therefore not exploitable]
* Andres Freund identifies an anomaly, tracks it to the backdoor
[*very* lucky us]
--
\m/ (--) \m/