• Possibly linux
    link
    fedilink
    English
    arrow-up
    50
    ·
    edit-2
    8 months ago

    I’m genuinely disturbed that a person who was a core developer could just go rogue.

    • dan@upvote.au
      link
      fedilink
      arrow-up
      81
      ·
      edit-2
      8 months ago

      From what I’ve been reading, it sounds like they were malicious from the very beginning. The work to integrate the malware goes back to 2021. https://boehs.org/node/everything-i-know-about-the-xz-backdoor

      It’s an extremely sophisticated attack that was hidden very well, and was only accidentally discovered by someone who noticed that rejected SSH connections (eg invalid key or password) were using more CPU power and taking 0.5s longer than they should have. https://mastodon.social/@AndresFreundTec/112180406142695845

      • Moonrise2473@lemmy.ml
        link
        fedilink
        arrow-up
        16
        arrow-down
        3
        ·
        8 months ago

        From that post, commits set to UTC+0800 and activity between UTC 12-17 indicate that the programmer wasn’t operating from California but from another country starting with C. The name is also another hint.

        • dan@upvote.au
          link
          fedilink
          arrow-up
          40
          ·
          edit-2
          8 months ago

          That could be part of their plan though… Make people think they’re from China when in reality they’re a state-sponsored actor from a different country. Hard to tell at this point. The scary thing is they got very close to sneaking this malware in undetected.

          A lot of critical projects are only maintained by one person who may end up burning out, so I’m surprised we haven’t seen more attacks like this. Gain the trust of the maintainer (maybe fix some bugs, reply to some mailing-list posts, etc), take over maintenance, and slowly add some malware one small piece at a time, interspersed with enough legit commits that you become one of the top contributors (and thus people start implicitly trusting you).

          Edit: Based on this analysis, they may have been based in a European timezone and just changed their timezone to UTC+8 before committing to Git to make it look like they were in China: https://rheaeve.substack.com/p/xz-backdoor-times-damned-times-and. Their commits were usually between 9 am and 6 pm Eastern European Time, and there are a few commits where the timezone was set to UTC+2 instead of UTC+8.

          • Possibly linux
            link
            fedilink
            English
            arrow-up
            3
            arrow-down
            12
            ·
            8 months ago

            Except China is one of the countries involved in cyber warfare

                • interdimensionalmeme@lemmy.ml
                  link
                  fedilink
                  arrow-up
                  6
                  ·
                  8 months ago

                  That’s what states, militaries and other competition-infected minds do. Usually they say they imagine this to protect from it, then it becomes a weapon and “oops all wars”

                  • Possibly linux
                    link
                    fedilink
                    English
                    arrow-up
                    1
                    arrow-down
                    5
                    ·
                    8 months ago

                    I hate to be the bringer of bad news for you but everyone is “completion minded” as you say. That’s how the world works

            • psmgx@lemmy.world
              link
              fedilink
              arrow-up
              3
              arrow-down
              1
              ·
              8 months ago

              Heavily, aggressively involved in cyber activities. Previous Chinese attempts were unveiled by similar small gotchas.

              Arguably that’s hard to prove, and it could be NK, India, the NSA, etc., but it’s not hard to believe this was part of another stream of attempts. Low ball, give it to the new guy, sorts of stuff.

              US fed gov loves redhat for example, and getting into Fedora is how you get into RHEL

              • dan@upvote.au
                link
                fedilink
                arrow-up
                1
                ·
                8 months ago

                Based on this analysis, they may have been based in a European timezone and just changed their timezone to UTC+8 before committing to Git to make it look like they were in China: https://rheaeve.substack.com/p/xz-backdoor-times-damned-times-and. Their commits were usually between 9 am and 6 pm Eastern European Time, and there are a few commits where the timezone was set to UTC+2 instead of UTC+8.

        • StarDreamer@lemmy.blahaj.zone
          link
          fedilink
          English
          arrow-up
          10
          arrow-down
          1
          ·
          edit-2
          8 months ago

          According to this post, the person involved exposed a different name at one point.

          https://boehs.org/node/everything-i-know-about-the-xz-backdoor

          Cheong is not a Pingyin name. It uses Romanization instead. Assuming that this isn’t a false trail (unlikely, why would you expose a fake name once instead of using it all the time?) that cuts out China (Mainland) and Singapore which use the Pingyin system. Or somebody has a time machine and grabbed this guy before 1956.

          Likely sources of the name would be a country/Chinese administrative zone that uses Chinese and Romanization. Which gives us Taiwan, Macau, or Hong Kong, all of which are in GMT+8. Note that two of these are technically under PRC control.

          Realistically I feel this is just a rogue attacker instead of a nation state. The probability of China 1. Hiring someone from these specific regions 2. Exposing a non-pinying full name once on purpose is extremely low. Why bother with this when you have plenty of graduates from Tsinghua in Beijing? Especially after so many people desperate for jobs after COVID.

      • Moonrise2473@lemmy.ml
        link
        fedilink
        arrow-up
        4
        ·
        8 months ago

        Unrelated, I really like the idea that the author of that blog post to place the favicon near each link

    • Moonrise2473@lemmy.ml
      link
      fedilink
      arrow-up
      13
      ·
      8 months ago

      I’m kinda hoping it was just that a state sponsored attacker showed up on their door and said “include this snippet or else…” otherwise it’s terrifying thinking of someone planning some long con like this

      We are all relying on the honesty of a few overworked volunteers…

      • Possibly linux
        link
        fedilink
        English
        arrow-up
        2
        arrow-down
        2
        ·
        8 months ago

        They could of been working for Russia or someone else

          • Possibly linux
            link
            fedilink
            English
            arrow-up
            2
            arrow-down
            1
            ·
            8 months ago

            I doubt it. Criminal organizations aren’t normally going around sabotaging things as that would shoot them in there own foot.