logo
episode-header-image
Aug 2024
44 m

SE Radio 630: Luis Rodríguez on the SSH ...

se-radio@computer.org
About this episode

Luis Rodríguez, CTO of Xygeni.io, joins host Robert Blumen for a discussion of the recently thwarted attempt to insert a backdoor in the SSH (Secure Shell) daemon. OpenSSH is a popular implementation of the protocol used in major Linux distributions for authentication over a network. Luis describes how a backdoor in a supporting library was recently discovered and removed before the package was published to stable releases of the Linux distros. The conversation explores the mechanism of the attack through modifying a function table in the runtime; how the attack was inserted during the build; how the attack was carefully staged in a series of modifications to the lz compression library; the nature of “Jia Tan,” the entity who committed the changes to the open source project; social engineering that the entity used to gain the trust of the open source community; what forensics indicates about the location of the entity; hypotheses about whether criminal or state actors backed the entity; how the attack was detected; implications for other open source projects; why traditional methods for detecting exploits would not have helped find this; and lessons learned by the community.

Brought to you by IEEE Computer Society and IEEE Software magazine.

Up next
Jul 1
SE Radio 675: Brian Demers on Observability into the Toolchain
Brian Demers, Developer Advocate at Gradle, speaks with host Giovanni Asproni about the importance of having observability in the toolchain. Such information about build times, compiler warnings, test executions, and any other system used to build the production code can help to ... Show More
47m 41s
Jun 25
SE Radio 674: Vilhelm von Ehrenheim on Autonomous Testing
Vilhelm von Ehrenheim, co-founder and chief AI officer of QA.tech, speaks with SE Radio's Brijesh Ammanath about autonomous testing. The discussion starts by covering the fundamentals, and how testing has evolved from manual to automated to now autonomous. Vilhelm then deep dives ... Show More
49m 49s
Jun 18
SE Radio 673: Abhinav Kimothi on Retrieval-Augmented Generation
In this episode of Software Engineering Radio, Abhinav Kimothi sits down with host Priyanka Raghavan to explore retrieval-augmented generation (RAG), drawing insights from Abhinav's book, A Simple Guide to Retrieval-Augmented Generation. The conversation begins with an introducti ... Show More
55m 55s
Recommended Episodes
May 24
From English Literature to Cybersecurity: A Journey Through Blockchain and Security
LINKS: https://distrust.co/software.html - Software page with OSS software Linux distro: https://codeberg.org/stagex/stagex Milksad vulnerability: https://milksad.info/ In this episode of Cybersecurity Today on the Weekend, host Jim Love engages in a captivating discussion with A ... Show More
54m 36s
Jan 2025
Crypto client or cyber trap? [Research Saturday]
Karlo Zanki, Reverse Engineer at ReversingLabs, discussing their work on "Malicious PyPI crypto pay package aiocpa implants infostealer code." ReversingLabs' machine learning-based threat hunting system identified a malicious PyPI package, aiocpa, designed to exfiltrate cryptocur ... Show More
24m 2s
Jul 7
Ingram Micro Ransomware Attack and the Rise of Linux SSH Server Compromises
In this episode of Cybersecurity Today, host David Shipley discusses the recent Safe Play ransomware attack on technology distributor Ingram Micro, exploring its impact and ongoing recovery efforts. The script also examines a new campaign targeting misconfigured Linux servers to ... Show More
10m 41s
Jun 14
Hiding in plain sight with vibe coding.
This week, Dave is joined by ⁠Ziv Karliner⁠, ⁠Pillar Security⁠’s Co-Founder and CTO, sharing details on their work on "New Vulnerability in GitHub Copilot and Cursor: How Hackers Can Weaponize Code Agents." Vibe Coding - where developers use AI assistants like GitHub Copilot and ... Show More
21m 49s
Apr 4
146: When AI Attacks
We're joined by Xe Iaso, who discusses a creative solution to relentless AI bots and the unexpected delights of running an outrageously overpowered homelab. Special Guest: Xe Iaso. 
47m 30s
Feb 2025
Two Vulnerabilities Compromised OpenSSH Safety: Cyber Security Today for February 20, 2025
Cyber Security Today: OpenSSH Vulnerabilities and Black Stash's Stolen Cards In this episode, host Jim Love discusses two significant OpenSSH vulnerabilities that risk man-in-the-middle and denial-of-service attacks. The hacker group Black Stash has released 4 million stolen cred ... Show More
6m 55s
Feb 2025
SN 1011: Jailbreaking AI - Deepseek, "ROUTERS" Act, Zyxel Vulnerability
Why was DeepSeek banned by Italian authorities? What internal proprietary DeepSeek data was found online? What is "DeepSeek" anyway? Why do we care, and what does it mean? Did Microsoft just make OpenAI's strong model available for free? Google explains how generative AI can be a ... Show More
3h 1m
Apr 17
Turing Award Special: A Conversation with Martin Hellman
Martin Hellman is an American cryptographer known for co-inventing public-key cryptography with Whitfield Diffie and Ralph Merkle in the 1970s. Their groundbreaking Diffie-Hellman key exchange method allowed secure communication over insecure channels, laying the foundation for m ... Show More
41m 3s
Apr 2024
The role of Real Time Defense in Cloud Security
In this episode from KubeCon Paris 2024, we spoke to Loris Degioanni, Co-Founder and CTO of Sysdig about Open Source Project, Falco that celebrated its graduation this year at KubeconEU, Loris shared with us this proud moment and journey from writing the 1st lines of code to its ... Show More
21m 35s
Listen to millions of songs and podcasts on Anghami