WEEKLY NEWSLETTER 08 - 13 APRIL, 2024
Hello and Welcome,
DAYLIGHT SAVING ENDS THIS WEEKEND
Do clocks go back or forward in April?
It's time to turn back the clocks as daylight saving comes to an end.
After enjoying longer days during summer, many Aussies will get an extra hour of sleep with the end of daylight saving at 3 am on Sunday, April 7.
— Ed.
Meeting This Week
2024/04/09 — 18:00-20:00 — April, Tue — Programming
Meetings Next Week
2024/04/16 — 10:00-12:00 — April, Tue — Tuesday Group
2024/04/20 — 14:00-16:00 — April, Sat — Web Design
Schedule of Current & Upcoming Meetings
First Tuesday 18:00-20:00 — Main Meeting
First Saturday 13:00-14:00 — Penrith Group
Second Tuesday 18:00-20:00 — Programming
Third Tuesday 10:00-12:00 — Tuesday Group
Third Saturday 14:00-16:00 — Web Design
----------
Go to the official Sydney PC Calendar for this month's meeting details.
----------
Penrith meetings are held every 2nd month on the 1st Saturday from 1-2 pm.
The next scheduled meetings are in May, July and September 2024.
ASCCA News:
Tech News:
What we know about the xz Utils backdoor that almost infected the world
See the Ars Technica article by Dan Goodin — 1/4/2024, 5:55 pm.
Malicious updates to a ubiquitous tool were a few weeks away from going mainstream.
Backdoor in Compression Utility
On Friday, a lone Microsoft developer rocked the world when he revealed a backdoor had been intentionally planted in xz Utils, an open-source data compression utility available on almost all installations of Linux and other Unix-like operating systems. The person or people behind this project likely spent years on it. They were likely very close to seeing the backdoor update merged into Debian and Red Hat, the two most significant distributions of Linux, when an eagle-eyed software developer spotted something fishy.
Researchers have spent the weekend gathering clues. Here's what we know so far.
What is xz Utils?
xz Utils is nearly ubiquitous in Linux. It provides lossless data compression on virtually all Unix-like operating systems, including Linux. xz Utils provides critical functions for compressing and decompressing data during various operations. xz Utils also supports the legacy .lzma format, making this component even more crucial.
What happened?
Andres Freund, a developer and engineer working on Microsoft's PostgreSQL offerings, was recently troubleshooting performance problems a Debian system was experiencing with SSH, the most widely used protocol for remotely logging in to devices over the Internet. Specifically, SSH logins were consuming too many CPU cycles and were generating errors with Valgrind, a utility for monitoring computer memory.
Through sheer luck and Freund's careful eye, he eventually discovered the problems resulting from updates to xz Utils. On Friday, Freund took to the Open Source Security List to disclose that the updates resulted from someone intentionally planting a backdoor in the compression software.
It's hard to overstate the complexity of the social engineering and the inner workings of the backdoor. Thomas Roccia, a researcher at Microsoft, published a graphic on Mastodon that helps visualize the sprawling extent of the nearly successful endeavour to spread a backdoor with a reach that would have dwarfed the SolarWinds event from 2020.
What does the backdoor do?
Malicious code added to xz Utils versions 5.6.0 and 5.6.1 modified how the software functions. The backdoor manipulated sshd, the executable file used to accept remote SSH connections. Anyone possessing a predetermined encryption key could stash any code of their choice in an SSH login certificate, upload it, and execute it on the backdoored device. No one has seen the code uploaded, so it's unknown what code the attacker planned to run. Theoretically, the code could allow for almost anything, including stealing encryption keys or installing malware.
Wait, how can a compression utility manipulate a process as security-sensitive as SSH?
Any library can tamper with the inner workings of any executable it is linked against. Often, the developer of the executable will establish a link to a library that's needed for it to work correctly. OpenSSH, the most popular sshd implementation, doesn't link to the liblzma library. Still, Debian and many other Linux distributions add a patch to link sshd to systemd, a program that loads various services during the system bootup. Systemd, in turn, links to liblzma, allowing xz Utils to exert control over sshd.
How did this backdoor come to be?
It would appear that this backdoor was years in the making. In 2021, someone with the username JiaT75 made their first known commit to an open-source project. In retrospect, the change to the libarchive project is suspicious because it replaced the safe_fprint function with a variant that has long been recognized as less secure. No one noticed at the time.
The following year, JiaT75 submitted a patch over the xz Utils mailing list, and almost immediately, a never-before-seen participant named Jigar Kumar joined the discussion and argued that Lasse Collin, the longtime maintainer of xz Utils, hadn't been updating the software often or fast enough. With the support of Dennis Ens and several other people who had never had a presence on the list, Kumar pressured Collin to bring on an additional developer to maintain the project.
In January 2023, JiaT75 made their first commit to xz Utils. In the months following, JiaT75, who used the name Jia Tan, became increasingly involved in xz Utils affairs. For instance, Tan replaced Collin's contact information with their own on oss-fuzz, a project that scans open-source software for vulnerabilities that can be exploited. Tan also requested that oss-fuzz turn off the ifunc function during testing, a change that prevented it from detecting the malicious changes Tan would soon make to xz Utils.
In February of this year, Tan issued commits for versions 5.6.0 and 5.6.1 of xz Utils. The updates implemented the backdoor. In the following weeks, Tan or others appealed to developers of Ubuntu, Red Hat, and Debian to merge the updates into their OSes. Eventually, one of the two updates made its way into the following releases, according to security firm Tenable:
Can you say more about what this backdoor does?
[ Five pages of very detailed explanations — Ed. ]
What more do we know about Jia Tan?
It is extremely little at the moment, especially for someone entrusted to steward a piece of software as ubiquitous and sensitive as xz Utils. This developer persona has touched dozens of other pieces of open source software in the past few years. At the moment, it's unknown if there was ever a real-world person behind this username or if Jia Tan is a wholly fabricated individual.
Additional technical analysis is available from the Bluesky thread from Valsorda, researcher Kevin Beaumont, and Freund's Friday disclosure.
Is there a CVE tracking designation?
Yes, it's CVE-2024-3094.
How do I know if the backdoor is present on my device?
There are several ways. One is this page from the security firm Binarly. Based on behavioural analysis, the tool detects the implementation of IFUNC and can automatically detect invariants if a similar backdoor is implanted elsewhere.
There's also a project called xzbot. It provides the following:
honeypot: fake vulnerable server to detect exploit attempts
ed448 patch: patch liblzma.so to use our own ED448 public key
backdoor format: format of the backdoor payload
backdoor demo: cli to trigger the RCE assuming knowledge of the ED448 private key
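As an added example (not from the Ars Technica article or from any of the tools it names), the two facts above that a defender can act on, the affected releases 5.6.0 and 5.6.1 and the sshd -> libsystemd -> liblzma link path, turned into a small POSIX shell check; the sample ldd output embedded in it is constructed, and the sshd path /usr/sbin/sshd is an assumption.

```shell
#!/bin/sh
# Added example, not from the Ars Technica article: defender-side checks for
# CVE-2024-3094 built only on facts given above. Affected releases: xz Utils
# 5.6.0 and 5.6.1. Reach path: sshd -> libsystemd (distro patch) -> liblzma.

# Return 0 if the xz version string is one of the two backdoored releases.
is_affected_xz_version() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Pull the version out of `xz --version` output (first line: "xz (XZ Utils) 5.6.1").
# Reads stdin so it works on live output or on a constructed sample.
xz_version_from_output() {
    head -n 1 | sed -n 's/^xz (XZ Utils) \([0-9][0-9.]*\).*/\1/p'
}

# From `ldd` output on stdin, print the path of liblzma if the binary loads it
# (directly or through libsystemd); print nothing if it is not in the link set.
lzma_in_ldd_output() {
    awk '/liblzma/ { for (i = 1; i <= NF; i++) if ($i ~ /^\//) { print $i; exit } }'
}

# Constructed sample of `ldd /usr/sbin/sshd` on a distro whose sshd is patched to
# link libsystemd (paths plausible, load addresses made up).
SAMPLE_LDD='libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f00)
liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f01)'
# printf '%s\n' "$SAMPLE_LDD" | lzma_in_ldd_output  -> /lib/x86_64-linux-gnu/liblzma.so.5

# Live check of this host: exit 1 only when an affected xz is installed; a missing
# xz or sshd is reported, not treated as a finding. sshd path is an assumption.
check_host() {
    ver=$(xz --version 2>/dev/null | xz_version_from_output)
    [ -n "$ver" ] || { echo "xz not found: nothing to assess"; return 0; }
    sshd_bin=$(command -v sshd 2>/dev/null || echo /usr/sbin/sshd)
    lib=$([ -x "$sshd_bin" ] && ldd "$sshd_bin" 2>/dev/null | lzma_in_ldd_output)
    if [ -n "$lib" ]; then
        echo "sshd loads $lib, so a backdoored liblzma could hook it"
    else
        echo "sshd does not load liblzma: this backdoor's hook point is absent"
    fi
    if is_affected_xz_version "$ver"; then
        echo "xz $ver is a backdoored release (CVE-2024-3094): replace it now"
        return 1
    fi
    echo "xz $ver is not one of the backdoored releases"
}
check_host
```

The version check alone does not prove a host is safe (a distribution may ship a patched 5.6.x build or a different version string), so treat a clean result as one input, not the verdict.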
Apple 'Still Not Playing Fair' for In-App Fees
See the InfoPackets article by John Lister on April 1 2024, at 12:04 pm EDT.
Major tech companies, including Microsoft and Meta, say Apple is trying to weasel out of a court ruling on how it handles app payments. They've weighed in on a court dispute about how to enforce a judgment against Microsoft.
The case centres on in-app payments, where people who've already installed an app give extra money to the app developers. Common examples include subscriptions to a digital service or payments for additional game content.
Apple demands a cut of either 15 or 30 per cent of such payments made through its payment handling services. Critics, including games maker Epic, said this was an unfair monopoly because Apple also banned app makers from including links or other facilities to make a payment outside of Apple's system.
Apple rejected this argument saying that even if it controls the market for iPhone and iPad apps, developers can choose to release their games on other mobile systems instead.
New Fees Apply
Epic successfully sued Apple, obtaining a court order that Apple must let developers take payments outside the app store. Apple later announced it would do so but with a catch: it would charge developers a new fee of 12 or 27 per cent of any money they collected this way. In other words, the developers would barely be better off than before the ruling.
Epic has now returned to court to ask the judge to enforce her ruling in full and require Apple to allow payments outside of the app store with no commission fee. Tech companies including dating service Match, Meta (owner of Facebook), Microsoft and X (formerly Twitter) have now filed an amicus brief in the case. That's a statement that the court can consider even though it's made by somebody who isn't a direct participant in the case.
Tech Giants Unimpressed
According to the statement, the new fee completely undermines the point of the original court ruling. It notes that even the slightly lower fee could mean app developers pay more as the three per cent "discount" would be wiped out by the processing costs.
It added that, "Apple's new restrictions are designed to render alternatives to Apple's [in-app purchases] impractical for developers, and inaccessible and unappealing to consumers, thus circumventing both the spirit and underlying goals of the injunction." (Source: courtlistener.com)
Apple says it has fully complied with the original court order and that it is necessary to protect users from visiting "unregulated external payment links." (Source: theverge.com)
What's Your Opinion?
Is Apple breaking the spirit of the court order? Should courts consider Apple's control of iOS apps a monopoly or look at the context of all mobile apps? How often do you make in-app purchases?
How to Fix: Revert Chrome UI and Right Click Menu (2024)
See the InfoPackets article by Dennis Faas on April 3, 2024, at 12:04 pm EDT.
Infopackets Reader Steve T. writes:
"Dear Dennis,
I use Chrome as my web browser, and when I right-click on a web page, I often use the option to 'View page source' to copy its contents and edit the HTML using another program. The problem is that in 2023, Google released an update to Chrome that changed the right-click menu. Now, I am forced to scroll through the menu to get to the 'View page source' option. This is painful and time-consuming since I do it many times a day. Last year, I came across a few articles that suggested going to 'chrome://flags/' via the web address bar in Chrome, then I searched for 'Chrome Refresh 2023' and turned it off. This reverted my right-click menu for a few months. However, a recent update has once again screwed it up. Any ideas on how to fix this? I want to revert Chrome to its previous UI."
My response:
I asked Steve if he would like me to look into this issue using my remote desktop support, and he agreed.
Below, I will discuss my findings.
How to Fix: Revert Chrome UI and Right Click Menu (2024)
It appears Google has recently changed what is needed to disable the Chrome Refresh 2023 (i.e. to revert Chrome's user interface), the update that originally caused the right-click menu to change in Chrome.
Here's what you need to do to get the right-click menu back (as well as reverting Chrome's UI):
Launch Chrome, and in the web address bar, type in "chrome://flags".
On the chrome://flags screen, type in "Refresh 2023" in the search field, and then disable "Chrome Refresh 2023" and "Chrome WebUI Refresh 2023".
Now, search for "Customize Chrome Side Panel" and turn that off. The most recent changes to Chrome (as of March 2024) require you to disable "Customize Chrome Side Panel" in addition to the above flags in order for the changes to stick.
Relaunch Chrome.
Voilà — your right-click menu should be back to its previous state, and the user interface will also look the same.
I hope that helps.
About the author:
Dennis Faas is the CEO and owner of Infopackets.com. Since 2001, Dennis has dedicated his entire professional career to helping others with technology-related issues through his unique writing style in the form of questions and answers; click here to read all 2,000+ of Dennis' articles online at this site. In 2014, Dennis shifted his focus to cyber crime mitigation, including technical support fraud. Dennis has received many accolades during his tenure.
Fun Facts:
2560 CUDA Cores!
See the Wikipedia article about Nvidia's CUDA technology.
Compute Unified Device Architecture (CUDA) is a parallel computing platform and application programming interface (API) that allows software to use certain types of graphics processing units (GPUs) for accelerated general-purpose processing, an approach called general-purpose computing on GPUs (GPGPU). The CUDA API is an extension of the C programming language that adds the ability to specify thread-level parallelism in C and also to specify GPU device-specific operations (like moving data between the CPU and the GPU). CUDA is a software layer that gives direct access to the GPU's virtual instruction set and parallel computational elements for the execution of compute kernels. In addition to drivers and runtime kernels, the CUDA platform includes compilers, libraries and developer tools to help programmers accelerate their applications.
CUDA is designed to work with programming languages such as C, C++, Fortran and Python. This accessibility makes it easier for specialists in parallel programming to use GPU resources, in contrast to prior APIs like Direct3D and OpenGL, which required advanced skills in graphics programming. CUDA-powered GPUs also support programming frameworks such as OpenMP, OpenACC and OpenCL.
CUDA was created by Nvidia in 2006. When it was first introduced, the name was an acronym for Compute Unified Device Architecture, but Nvidia later dropped the common use of the acronym and no longer uses it.
Created in 2006! That's 18 years ago.
Have a look at the Amazon page(s) on Nvidia video cards with THOUSANDS of CUDA cores. Forget 16-core CPUs!
See the Nvidia CUDA card on Amazon.
This card, even though it's refurbished (and at $988.18), has 2560 CUDA cores!
Have a look: There are many interesting YouTube video Tutorials on the Nvidia/CUDA card.
Amazing — Ed.
Meeting Location & Disclaimer
Bob Backstrom
~ Newsletter Editor ~
Information for Members and Visitors:
Link to — Sydney PC & Technology User Group
All Meetings, unless explicitly stated above, are held on the
1st Floor, Sydney Mechanics' School of Arts, 280 Pitt Street, Sydney.
Sydney PC & Technology User Group's FREE Newsletter — Subscribe — Unsubscribe
Go to Sydney PC & Technology User Group's — Events Calendar
Are you changing your email address? Would you please email your new address to — newsletter.sydneypc@gmail.com?
Disclaimer: We provide this Newsletter "As Is" without warranty of any kind.
The reader assumes the entire risk of accuracy and subsequent use of its contents.