new post xz

src/pages/posts/083-xz.md

@@ -0,0 +1,47 @@
+---
+title: "Q and A with a security researcher about XZ exploit"
+date: 2024-04-08
+author: "socraticDev"
+image: ../../images/xz.png
+tags:
+  - security
+  - interview
+---
+
+_< your FirstName LastName or IrcNickname >_ is a Southern California based Software
+engineer with a solid background in application security. From deep learning to
+web development to program analysis to eBPF kernel hacking.
+
+### setup - CVE-2024-3094 is a supply-chain attack
+
+Supply-chain hacks like
+[Solarwinds](https://www.wired.com/story/the-untold-story-of-solarwinds-the-boldest-supply-chain-hack-ever/)
+and now [xz](https://nvd.nist.gov/vuln/detail/CVE-2024-3094). From my naive
+perspective of a hands-on devops engineer, this sort of attacks mesmerize me:
+they seem so big, clever, and unexpected. At the end of the day, it seems like
+regular tech people like me are pretty much helpless against them.
+
+> In a supply chain attack, hackers exploit vulnerabilities in a trusted supplier or partner to infiltrate a target's systems. Rather than attacking the target directly, they compromise the supplier's software, hardware, or services to gain unauthorized access. This allows them to bypass the target's defenses and potentially steal sensitive information or disrupt operations.
+>
+> <quote>chatgpt, "can you explain in 3 sentences what a supply chain attack is?"</quote>
+
+### is the `xz exploit` such a big deal?
+
+question 1: how would you grade the severity of `xz exploit` (CVE-2024-3094)? are we playing chicken little and exagerrating its importance or is it really a big deal for the security of our computer systems?
+
+### is it realistic to believe that software engineers and devSecOps specialists can protect their organizations against such advanced threats?
+
+question 2: I'm a big fan of "shifting left" on security during the Software Development Lifecyle. For example, at the organization I work for, developers are explicitely taught basic principles of secure programming. On top of adopting programming best practices, devops and dev tooling teams are integrating security into the software delivery pipeline with automated security scans and scheduled patching, is it even possible for software engineer to protect their systems against supply-chain attacks?
+
+### Advanced persistent threat and AI
+
+> "An advanced persistent threat (APT) is a stealthy threat actor, typically a state or state-sponsored group, which gains unauthorized access to a computer network and remains undetected for an extended period. In recent times, the term may also refer to non-state-sponsored groups conducting large-scale targeted intrusions for specific goals."
+>
+> <quote>Wikipedia.org, "Advanced persistent threat"</quote>
+
+question 3: the `xz exploit` was discovered by sheer luck by
+a researcher. This leads me to believe there could be many more zero-day
+exploits undetected in the wild. Combined with the power of AI, it seems like we are
+becoming more and more unable to protect ourselves against unknown threats.
+
+Do you share this sentiment?