Archive for the month of July 2024

The Catch of Temu in Europe – July 2024

The Catch of Temu in Europe

Temu, the Chinese e-commerce platform, offers products at remarkably low prices, which raises concerns about its business practices. One significant issue is the undervaluation of parcels entering the EU. Estimates suggest that around 65% of parcels are deliberately undervalued in customs declarations to avoid tariffs, which undermines local businesses and creates an uneven playing field [1]. Additionally, Temu employs a direct-to-consumer model, sourcing products directly from manufacturers in China, allowing them to benefit from bulk discounts and reduced shipping costs [2].

Benefits for the Chinese State

The low pricing strategy of Temu serves multiple purposes for the Chinese state. Firstly, it helps expand China’s influence in global e-commerce by increasing the market share of Chinese companies abroad. This can lead to greater economic ties and dependency on Chinese goods. Secondly, by facilitating the export of low-cost products, Temu contributes to the Chinese economy by boosting manufacturing and logistics sectors. Lastly, the data collected from users can be leveraged for insights into consumer behavior, which may benefit Chinese businesses and potentially the state itself in terms of economic planning and strategy [1].

Overall, while Temu’s low prices attract consumers, they also raise significant regulatory and ethical concerns in Europe, prompting scrutiny from authorities regarding compliance with local laws and standards.

Deeper Analysis of Future Benefits for the Chinese State

Temu’s aggressive pricing strategy in Europe not only serves immediate commercial interests but also aligns with broader strategic goals of the Chinese state. Here are several potential future benefits for China:

  1. Economic Expansion and Market Penetration:
    By establishing a strong foothold in European markets through low prices, Temu can facilitate the expansion of Chinese goods into new territories. This not only increases sales volume but also enhances brand recognition and loyalty among European consumers. As more consumers become accustomed to purchasing Chinese products, it could lead to a long-term shift in buying habits, favoring Chinese brands over local alternatives.
  2. Strengthening Supply Chains:
    Temu’s model emphasizes direct sourcing from manufacturers, which can help streamline supply chains. This efficiency can be replicated across various sectors, allowing China to become a dominant player in global supply chains. By controlling more aspects of production and distribution, China can mitigate risks associated with international trade tensions and disruptions, ensuring a more resilient economic structure.
  3. Data Collection and Consumer Insights:
    The platform’s operations will generate vast amounts of consumer data, which can be analyzed to gain insights into European consumer behavior. This data can inform not only marketing strategies but also product development, allowing Chinese manufacturers to tailor their offerings to meet the specific preferences of European consumers. Such insights can enhance competitiveness and drive innovation within Chinese industries.
  4. Geopolitical Influence:
    By increasing its economic presence in Europe, China can leverage its commercial relationships to enhance its geopolitical influence. Economic ties often translate into political goodwill, which can be beneficial in negotiations on various fronts, including trade agreements and international policies. This strategy aligns with China’s broader goal of expanding its influence globally, as outlined in its recent political resolutions emphasizing the importance of state power and common prosperity.
  5. Promotion of Technological Advancements:
    As Temu grows, it may invest in technology to improve logistics, customer service, and user experience. This could lead to advancements in e-commerce technologies that can be exported back to China, enhancing domestic capabilities. Moreover, the emphasis on technology aligns with China’s ambitions to become a leader in areas such as artificial intelligence and data analytics, as highlighted in its national strategies.
  6. Cultural Exchange and Soft Power:
    By making Chinese products more accessible and appealing to European consumers, Temu can facilitate a form of cultural exchange. As consumers engage with Chinese brands, they may also become more receptive to Chinese culture and values, enhancing China’s soft power. This cultural integration can help counter negative perceptions and foster a more favorable view of China in the long term.

In conclusion, Temu’s low pricing strategy is not merely a tactic for market entry; it is a multifaceted approach that can yield significant long-term benefits for the Chinese state. By enhancing economic ties, gathering valuable consumer data, and promoting technological advancements, China positions itself to strengthen its global influence and economic resilience in an increasingly competitive landscape.

A hack nearly gained access to millions of computers. Here’s what we should learn from this.

The internet is far less secure than it ought to be.

https://www.vox.com/future-perfect/24127433/linux-hack-cyberattack-computer-security-internet-open-source-software

One of the most fascinating and frightening incidents in computer security history started in 2022 with a few pushy emails to the mailing list for a small, one-person open source project.

A user had submitted a complex bit of code that was now waiting for the maintainer to review. But a different user with the name Jigar Kumar felt that this wasn’t happening fast enough. “Patches spend years on this mailing list,” he complained. “5.2.0 release was 7 years ago. There is no reason to think anything is coming soon.”

A month later, he followed up: “Over 1 month and no closer to being merged. Not a suprise.” [sic]

And a month after that: “Is there any progress on this?” Kumar stuck around for about four months complaining about the pace of updates and then was never heard from again.

A few weeks ago, the world learned a shocking twist. “Jigar Kumar” does not seem to exist at all. There are no records of any person by that name outside the pushy emails. He — along with a number of other accounts — was apparently part of a campaign to compromise nearly every Linux-running computer in the world. (Linux is an open source operating system — as opposed to closed systems from companies like Apple — that runs on tens of millions of devices.)

That campaign, experts believe, was likely the work of a well-resourced state actor, one who almost pulled off an attack that could have made it possible for the attackers to remotely access millions of computers, effectively logging in as anyone they wanted. The security ramifications would have been huge.

How to (almost) hack everything

Here’s how events played out: In 2005, software engineer Lasse Collin wrote a series of tools for better-compressing files (it’s similar to the process behind a .zip file). He made those tools available for free online, and lots of larger projects incorporated Collin’s work, which was eventually called XZ Utils.

Collin’s tool became one part of the vast open source ecosystem that powers much of the modern internet. We might think that something as central to modern life as the internet has a professionally maintained structure, but as an XKCD comic published well before the hack shows, it’s closer to the truth that “all modern digital infrastructure” rests on “a project some random person in Nebraska has been thanklessly maintaining since 2003.” XZ Utils was one such project — and yes, you should find it a little worrying that there are many of them.

Starting in 2021, a user going by the name “Jia Tan” — he, too, doesn’t seem to exist anywhere else — started making contributions to the XZ project. At first, they were harmless small fixes. Then, Tan started submitting larger additions.

The way an open source project like this one works is that a maintainer — Collin, in this case — has to read and approve each such submission. Effectively, Tan was overloading Collin with homework.

That’s when “Kumar” showed up to complain that Collin was taking too long. Another account that doesn’t seem to exist joined the chorus. They argued that Collin clearly wasn’t up to the task of maintaining his project alone and pushed for him to add “Jia Tan” as another maintainer.

“It seems likely that they were fakes created to push Lasse to give Jia more control,” engineer Russ Cox writes in a detailed timeline of the incident. “It worked. Over the next few months, Jia started replying to threads on xz-devel authoritatively about the upcoming 5.4.0 release.” He’d become a trusted “maintainer” who could add code to XZ Utils himself.

Why does any of this matter? Because one of the many, many open source tools that happened to incorporate XZ Utils was OpenSSH, which is used to remotely access computers and is used by millions of servers around the world.

“Tan” carefully added to XZ Utils some well-disguised code that compromised OpenSSH, effectively allowing the creators to log in remotely to any computer running OpenSSH. The files containing the (heavily disguised) code were accepted as part of the larger project.

Fortunately, almost all of the millions of potentially targeted computers were not affected because it’s routine for such a new update to first be released as “unstable” (meaning expected to have some bugs), and most administrators wait for a subsequent “stable” release.

Before that happened, “Jia Tan”’s work got caught. Andres Freund, a software engineer at Microsoft, was off work and doing some testing on a computer that had the “unstable” new release. Under most circumstances, the hack ran seamlessly, but under the circumstances he was testing in, it slowed down SSH performance. He dug deeper and quickly unraveled the whole scheme.

Which means that, thanks to one Microsoft engineer doing some work off-hours, your computer remains secure — at least, as far as I know.

Can we do better than getting lucky?

There was nothing inevitable about this hack getting discovered. Lots of other people were running the unstable new build without noticing any problems. What made Freund suspicious in the first place wasn’t the suspicious code but a bug that had been accidentally introduced by “Jia Tan.”

If the “Jia Tan” team had avoided that error, they might well have pulled this off. Catching the suspicious code “really required a lot of coincidences,” Freund said later on Mastodon.

No one wants to believe that modern computer security essentially relies on “a lot of coincidences.” We’d much rather have reliable processes. But I hope this narrative makes it clear just how hard it is to reliably defend the jury-rigged internet we have against an attack like this.

The people behind “Jia Tan” spent more than two years building the access they needed for this attack. Some of the specifics have to do with the dynamics of open source software, where decades-old projects are often in a quiet maintenance stage from which, as we saw, an aggressive actor can seize control. But with the same resources and dedication that were behind “Jia Tan,” you could get hired at a software company to pull off the same thing on closed-source software too.

Most of all, it’s very hard to guess whether this attempted attack was unprecedented or unusual simply in that it got caught. Which means we have no idea whether there are other land mines lurking in the bowels of the internet.

Personally, as someone who doesn’t work in computer security, the main thing I took away from this was less a specific policy prescription and more a sense of awe and appreciation. Our world runs on unsung contributions by engineers like Collin and Freund, people who spend their free time building stuff, testing stuff, and sharing what they build for the benefit of everyone. This is inconvenient for security, but it’s also really cool.

I wasn’t able to reach Collin for comment. (His website said: “To media and reporters: I won’t reply for now because first I need to understand the situation thoroughly enough. It’s enough to reload this page once per 48 hours to check if this message has changed.”) But I hope he ultimately comes to think that being personally targeted by this fairly extraordinary effort to make his work on XZ Utils feel inadequate is, in fact, a remarkable vindication of its importance.

Motivations behind XZ Utils backdoor may extend beyond rogue maintainer

Security researchers are raising questions about whether the actor behind an attempted supply chain attack was engaged in a random, solo endeavor.

Source: https://www.cybersecuritydive.com/news/motivations-xz-utils-backdoor/712080/

The attempted supply chain attack against XZ Utils is raising troubling questions about the motivations of the suspected threat actor behind the incident as well as the overall security of the larger open source ecosystem. 

A Microsoft engineer accidentally found obfuscated malicious code installed in the xz library, which could lead to a major supply chain compromise. 

Security researchers and other industry experts are pointing to the suspicion that a longtime contributor is behind what is now considered a multiyear effort to establish themselves as an insider, leading up to the attempted supply chain attack. 

XZ Utils, a data compression software utility found in most Linux distributions, has long been considered a widely trusted project, according to researchers. 

“The most unique and unsettling aspect of this attack is the significant effort and investment made by the attacker in gradually establishing themselves over several years as a credible open-source contributor and carefully advancing their position until they gained trust and the opportunity to maintain and add malicious code into a widely used package,” Jonathan Sar Shalom, director of threat research at JFrog, said via email. 

Researchers point to a GitHub account, @JiaT75, which has since been suspended, as the suspected original source of the backdoor.

GitHub confirmed that it “suspended user accounts and removed the content” in keeping with its acceptable use policies; however, after an investigation the account belonging to @Larhzu was reinstated.

The @Larhzu account is linked to Lasse Collin, the original and legitimate maintainer of the project.

What followed was a multiyear effort to gain trust within the community, while at the same time allegedly testing the waters by making subtle changes that failed to raise any immediate alarm bells. 

“Now when we look back at the tale of the tape, what we see is Jia kind of surreptitiously inserted all these little changes over time,” Omkhar Arasaratnam, general manager at the Open Source Security Foundation, said in an interview. “None of them catastrophic, none of them very flashy. But you know, just to see if people were watching.”

Maintainers in focus

The open source community has seen previous cases of maintainers throwing tantrums or using the community as a platform to protest larger issues. But the patience and sophistication of this attack is raising questions for an increasing pool of experts about whether nation-state support is a factor.

“Our analysis suggests that the sophistication and operational security observed in this incident, including the strategic use of email addresses and IP addresses, point to a highly trained and sophisticated adversary,” said Brian Fox, co-founder and CTO of Sonatype, a supply chain management platform. “The lack of tangible evidence of the threat actor’s existence beyond their precise and limited engagements further distinguishes this from the actions of a rogue open source contributor.”

Red Hat on Friday warned that malicious code was present in the latest versions of xz tools and libraries. The vulnerability was assigned CVE-2024-3094 with a CVSS score of 10. 

Users were urged to immediately stop using Fedora Rawhide instances for work or personal use and the Cybersecurity and Infrastructure Security Agency warned developers and users to downgrade to an uncompromised version. 

Andres Freund, a principal software engineer at Microsoft, stumbled upon some anomalous activity last week and publicly disclosed the incident. Freund observed sshd processes using an unusual amount of CPU, and also noted that the wrong usernames had been applied.

“Recalled that I had seen an odd valgrind complaint in automated testing of postgres, a few weeks earlier after package updates,” Freund said in a post on Mastodon.

Microsoft confirmed his role in discovering the attack and released guidance on how to respond, with a list of impacted Linux distributions. 

Jake Williams, a faculty member at IANS Research, said the incident highlights the need for defense in depth, including the need to have properly staffed vulnerability intelligence teams and proper investments in tooling.

“Organizations with strict firewall rules preventing access to their SSH servers limited exploitation opportunities, even for vulnerable deployments,” Williams said via email. “Some [cloud security posture management systems] had scans for vulnerable instances released the same day this was detected.”