====== 2024-W13 reading notes ======

===== XZ Utils backdoor =====

  * [[https://boehs.org/node/everything-i-know-about-the-xz-backdoor|Evan Boehs: Everything I Know About the XZ Backdoor]]
  * [[https://lcamtuf.substack.com/p/technologist-vs-spy-the-xz-backdoor|Techies vs spies: the xz backdoor debate]]
  * [[https://tukaani.org/xz-backdoor/|XZ Utils backdoor]]

This story is horrifying. There was a 3-year-long operation to inject malicious code into the XZ Utils package and make it a part of an OpenSSH backdoor. The analysis is still ongoing, but it's already obvious that this wasn't just a "black hat". The current assumption is that this was backed by some government.