The XZ Backdoor - report from our side, retrospection and looking forward
supply chain challenges
Marcus Meissner
Marcus was born in 1973. He studied computer science in Erlangen, Germany and finished with Diploma. He worked for Caldera from 1999 until the closure of Caldera Linux Business in 2002. He is working for SUSE since 2002, and in the security team since 2004. He has lead the team until begin of 2013 and is now the security project manager. He also is part of the openSUSE Maintenance team and works on a lot of openSUSE packages. In his spare time he is a gphoto (digital camera access library) and Wine developer.
Johannes Segitz
Security engineer at SUSE.
Since my time as a teenager in the 90s I was interested in IT security. After visiting my first CCC congress I got hooked and never looked back. In the last ten years I am a member of the SUSE security team and try to make open source software more secure.
No video of the event yet, sorry!
End of March 2024 we faced the biggest supply chain attack we seen so far in the Open Source Ecosystem. A dedicated attacker had launched a multi year effort to backdoor the xz compression library.
openSUSE Tumbleweed contained the backdoor for 3 whole weeks before an outside researcher found it.
We will give a report on this attack, our reaction on it and also go into some future considerations to detect or avoid these kind of sophisticated attacks.
- Date:
- 2024 June 27 - 10:00
- Duration:
- 30 min
- Room:
- Saal
- Conference:
- openSUSE Conference 2024
- Language:
- Track:
- Open Source
- Difficulty:
- Easy
- Value Mapping - Open Source Co-Creation (2h)
- Start Time:
- 2024 June 27 10:00
- Room:
- Seminar Room 2
- openQA - current state and moving forward
- Start Time:
- 2024 June 27 10:00
- Room:
- Gallerie
- Look at my toys!
- Start Time:
- 2024 June 27 10:15
- Room:
- Seminar Room 1