Without question, the most drastic news event in the past two weeks was, of course, the backdoor in XZ Utils’ liblzma, which in turn plants a backdoor in SSH daemons. As you know, an SSH daemon runs on virtually every Linux server, allowing remote administration. About 20 million IPs on the internet are known to have a publicly open SSH port. For a thorough explanation of the event I found this page on GitHub to be the most comprehensive source of information.
Many people in the open source community are fascinated by the technical details of how the attack was executed and how the social engineering of the maintainer, Lasse, played out. There is some interesting speculation about the time zone in which the author of the attack (pseudonym: Jia Tan) might be based.
I also find myself fascinated and have spent far too many hours reading about it. We, the Linux community, are fortunate that the attack was discovered relatively quickly. As an open-source enthusiast, I am confident that Andres Freund uncovered the full extent of it, as he had all the source code available. This attack has me thinking about a handful of other scenarios. It seems to me that uncovering such an attack would have been a lot more difficult in a closed-source environment. I am also contemplating the extent of the damage a commercial entity could have incurred had Jia Tan accepted a job offer at any given company. If Jia Tan were the pseudonym of a state-run organization, that country would have much more powerful means to force something into a closed-source product if the vendor is located in that same country.
Another question that has come to my mind is whether anyone will prosecute Jia Tan. I assume he broke the laws of many countries, but in which country should he be held accountable? Which country has jurisdiction over an open source project, or over an attack on an open source project?
I can imagine that if the backdoor had been used and someone had suffered damage from it, the victim could open a case in his home legal system. But there are no victims. Will anyone follow up from a legal point of view? Could one of the foundations (like the Linux Foundation, the Apache Foundation, or the OpenBSD Foundation) step up? To my understanding, one of the purposes of these foundations is to give open-source projects a legal entity. If that is the case, it seems the OpenBSD Foundation would be the one to step up.
I am eager to see whether we will learn more about the background of the XZ-SSH backdoor in a few years, much like how we have learned more details about Stuxnet 14 years after it was discovered.
Back to LINBIT-related news, we’re moving our forum from Slack to the website, so feel free to take a look. As a proud open source company, we believe in community and open channels of communication between users, developers, administrators, integrators, and others involved with LINBIT storage software solutions.
We welcome all levels of ability and interest. It doesn’t matter if you have used LINBIT software for decades or you are just learning about LINBIT software – this is the place to ask questions, collaborate on solutions, make connections, and build better experiences together.
Moving over to the LINBIT blog, LINBIT Software Used In an Academic Research Clustering Project sheds light on a collaborative research project between 45drives, a data storage solutions company built on open source, and Nova Scotia Community College (NSCC) in Canada.
10 Things You Can Do With LINSTOR & Proxmox is an excellent follow-up to our popular video, How to Setup LINSTOR on Proxmox VE. In the latest video, we share potential use cases that include installing LINSTOR for free, unlocking high availability, and using multiple tiers of storage. Watch the full video to learn about the seven other use cases.
Regarding new software updates, linstor-server 1.27.0 is a new minor release that introduces the ability to specify passphrases for encrypted volumes and to modify them afterwards. We also released python-linstor/linstor-client 1.22.0, with changes matching the linstor-server 1.27.0 release.
Additionally, LINSTOR Operator v2.5.0 contains updated LINSTOR, CSI driver, and HA Controller versions, plus support for ZFS storage pools configured directly through LinstorSatelliteConfiguration resources.
PS: I am already thrilled about the next DRBD release. It will come out on April 29, with its release candidate on April 22.