umbrella ,
@umbrella@lemmy.ml avatar

did we find out who was that guy and why was he doing that?

intrepid ,

We probably never will.

drwho ,
@drwho@beehaw.org avatar

If we ever do, it’ll be 40 or 50 years from now.

fluxion ,

It was Spez trying to collect more user data to make Reddit profitable

Unyieldingly ,

The CIA will know, we will most likely not.

possiblylinux127 OP ,

Probably a state actor

etchinghillside ,

Any additional information been found on the user?

possiblylinux127 OP ,

Probably Chinese?

Potatos_are_not_friends ,

Can’t confirm but unlikely.

Via boehs.org/…/everything-i-know-about-the-xz-backdo…

They found this particularly interesting as Cheong is new information. I’ve now learned from another source that Cheong isn’t Mandarin, it’s Cantonese. This source theorizes that Cheong is a variant of the 張 surname, as “eong” matches Jyutping (a Cantonese romanisation standard) and “Cheung” is pretty common in Hong Kong as an official surname romanisation. A third source has alerted me that “Jia” is Mandarin (as Cantonese rarely uses J and especially not Ji). The Tan last name is possible in Mandarin, but is most common for the Hokkien Chinese dialect pronunciation of the character 陳 (Cantonese: Chan, Mandarin: Chen). It’s most likely our actor simply mashed plausible sounding Chinese names together.

jaybone ,

So this doesn’t really tell us one way or the other who this person is or isn’t.

fluxion ,

That actually suggests not Chinese due to naming inconsistencies

ForgotAboutDre ,

Could be Chinese creating reasonable doubt. Making this sort of mistake makes explanations that this wasn’t Chinese sound plausible. Even if evidence other than the name comes out, this rebuttal can be repeated and create confusion amongst the public, reasonable suspicions against accusers and a plausible excuse for other states to not blame China (even if they believe it was China).

Confusion and multiple narratives are a technique carried out often by the Soviet, Russian and Chinese governments. We are unlikely to be able to answer the question ourselves. It will be up to the intelligence agencies to do that.

If someone wanted to blame China for this, they would take the name of a real Chinese person to do it. There are over a billion real people they could take a name from. It is unlikely that a person creating a name for someone for this type of espionage would make a mistake like picking an implausible name accidentally.

fluxion ,

I’m not suggesting one way or another, only that the quoted explanation taken at face value isn’t suggesting China based on name analysis.

There’s also no reason to assume a nation state. This is completely within the realm of a single hacker or a small group of hackers. Organized crime is another possibility. Errors with naming are plausible, just as the initial mistakes with timing analysis and valgrind errors were.

Even assuming a nation state, you name Russia as a possibility. Russia has shown themselves to be completely capable of errors, in their hacks (2016 election interference that was traced back to their intelligence base), their wars, their assassination attempts, etc.

And to me it doesn’t seem any more likely that China would point to themselves but sprinkle doubt with inconsistent naming versus just outright pointing to someone else.

It’s all guesses, nothing points one way or another. I think we agree on that.

ForgotAboutDre ,

A big part of it is also letting other people know you did it. China and Russia are big on this. They create dangerous situations, then say they aren’t responsible, all while sowing confusion. They want plausible deniability, confusion and credit for doing it.

dan ,
@dan@upvote.au avatar

They’re more likely to be based in Eastern Europe based on the times of their commits (during working hours in Eastern European Time) and the fact that while most commits used a UTC+8 time zone, some of them used UTC+2 and UTC+3: …substack.com/…/xz-backdoor-times-damned-times-an…
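The commit-time analysis described above, as an added illustration that is not part of the thread or the linked post: it tallies the UTC offsets that commits carry and then asks, for each candidate real time zone, how many commits would fall in ordinary working hours. The timestamps are constructed sample values in `git log --format=%aI` shape, not the real xz history; the 09:00–18:00 window is an assumption.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample author timestamps (git's %aI format). Invented for the
# example; NOT taken from the actual xz repository.
SAMPLE_LOG = """\
2023-06-27T17:22:10+08:00
2023-06-28T18:05:41+08:00
2023-07-01T16:40:03+08:00
2023-07-04T19:13:55+08:00
2023-11-16T12:30:12+02:00
2024-02-12T15:11:09+03:00
"""


def parse_timestamps(text):
    """Parse one ISO-8601 timestamp per line into aware datetimes."""
    return [datetime.fromisoformat(l.strip()) for l in text.splitlines() if l.strip()]


def offset_label(stamp):
    """Render the offset the committer's machine claimed, e.g. 'UTC+08:00'."""
    secs = int(stamp.utcoffset().total_seconds())
    sign = "+" if secs >= 0 else "-"
    secs = abs(secs)
    return f"UTC{sign}{secs // 3600:02d}:{(secs % 3600) // 60:02d}"


def offset_distribution(stamps):
    """How many commits carry each claimed offset (a configured TZ is cheap to fake)."""
    return Counter(offset_label(s) for s in stamps)


def working_hours_fraction(stamps, assumed_offset_hours, start=9, end=18):
    """Fraction of commits inside [start, end) local time if the author really
    sat at the given UTC offset; compares hypotheses rather than trusting the
    claimed offset. A night owl still skews this, so it is evidence, not proof."""
    tz = timezone(timedelta(hours=assumed_offset_hours))
    hours = [s.astimezone(tz).hour for s in stamps]
    return sum(start <= h < end for h in hours) / len(hours)


def compare_hypotheses(stamps, candidates=(2, 3, 8)):
    """Working-hours fit for each candidate real offset (EET, MSK/EEST, UTC+8)."""
    return {h: working_hours_fraction(stamps, h) for h in candidates}


if __name__ == "__main__":
    stamps = parse_timestamps(SAMPLE_LOG)
    print(offset_distribution(stamps))
    print(compare_hypotheses(stamps))
```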

drwho ,
@drwho@beehaw.org avatar

Just because somebody picked a vaguely Chinese-sounding handle doesn’t mean much about who or where.

possiblylinux127 OP ,

That’s why I put the question mark

dan ,
@dan@upvote.au avatar

They’re more likely to be based in Eastern Europe based on the times of their commits (during working hours in Eastern European Time) and the fact that while most commits used a UTC+8 time zone, some of them used UTC+2 and UTC+3: …substack.com/…/xz-backdoor-times-damned-times-an…

possiblylinux127 OP ,

It is also hard to be certain as they could be a night owl or an early riser.

dan ,
@dan@upvote.au avatar

Yeah - The post goes into a lot of detail, and they did take that into account. It’s worth reading.

underisk , (edited )
@underisk@lemmy.ml avatar

as long as you’re up to date on everything here: boehs.org/…/everything-i-know-about-the-xz-backdo…

the only additional thing i’ve seen noted is a possibility that they were using Arch based on investigation of the tarball that they provided to distro maintainers

EmperorHenry ,
@EmperorHenry@discuss.tchncs.de avatar

At least microsoft is honest enough to admit their software needs protection, unlike apple and unlike most of the people who have made distros of linux. (edit: microsoft is still dishonest about what kind of protection it needs though)

Even though apple lost a class action lawsuit for false advertising over the claim “mac can’t get viruses” they still heavily imply that it doesn’t need an antivirus.

any OS can get infected, it’s just a matter of writing the code and finding a way to deliver it to the system…Now you might be thinking “I’m very careful about what I click on” that’s a good practice to have, but most malware gets delivered through means that don’t require the user to click on anything.

You need an antivirus on every computer you have, linux, android, mac, windows, iOS, all of them. There’s loads of videos on youtube showing off how well or not so well different antivirus programs work for windows and android.

possiblylinux127 OP ,

An “antivirus” tends to be a proprietary black box. Such “antivirus” programs could not have detected the XZ backdoor.

EmperorHenry ,
@EmperorHenry@discuss.tchncs.de avatar

But a good whitelisting antivirus could’ve stopped it.

possiblylinux127 OP ,

What?

EmperorHenry ,
@EmperorHenry@discuss.tchncs.de avatar

Prevention and detection

Most of the time, detection also means prevention, but with a whitelisting antivirus, prevention often means that the threat isn’t detected, it was just prevented from running.

A whitelisting application has a list of what it knows is bad AND what it knows in advance to be good.

Anything it can’t identify on the spot is treated as unknown and not allowed to run, not deleted, not quarantined, just blocked from running until the user can upload it to things like virustotal and other services like it to figure out if it’s safe.

upload it to virustotal; if it wasn’t already known, do a re-scan a few hours later to see if it’s malicious; if it was already known, do a re-scan to see if anything has figured out if it’s malicious.

which is why I think it’s borderline criminal that most antivirus programs don’t work that way.

possiblylinux127 OP ,

That would do nothing for liblzma as it was trusted.

EmperorHenry ,
@EmperorHenry@discuss.tchncs.de avatar

who was it trusted by? There’s whitelisting applications that indiscriminately block everything that isn’t already installed too.

possiblylinux127 OP , (edited )

The developer of XZ. What you’re describing is package verification, which already happens in many cases.

Portable4775 ,

A whitelisting application has a list of what it knows is bad AND what it knows in advance to be good.

How would it know this? Is this defined by a person/people? If so, that wouldn’t have mattered. liblzma was known in advance to be good, then the malicious update was added, and people still presumed that it was good.

This wasn’t a case of some random package/program wreaking havoc. It was trusted malicious code.

Also, you’re asking for an antivirus that uploads and uses a sandbox to analyze ALL packages. Good luck with that. (AVs would probably have a hard time detecting malicious build actions, anyways).

EmperorHenry ,
@EmperorHenry@discuss.tchncs.de avatar

Also, you’re asking for an antivirus that uploads and uses a sandbox to analyze ALL packages. Good luck with that. (AVs would probably have a hard time detecting malicious build actions, anyways).

three different antivirus programs already do that. Comodo for example has a built in sandbox to do that.

Portable4775 ,

It places unknown/new software in a sandbox. You want an AV that tests all pre-existing packages in a sandbox.

z00s ,

All it took was one set of nerd eyeballs

expr ,

This whole situation just emphasizes the fact that rebasing >>>>>>>>>> merge squashing.

Farnsworth ,

The tukaani github repos are gone, is there a mirror somewhere?

fluxion ,

Tukaani main website

TheFadingOne , (edited )

Though unfortunately (or I guess for most use-cases fortunately) you can’t find the malicious m4/build-to-host.m4 file on there afaik. The best way to find that now, should you really want to, is by looking through the commit history of the salsa.debian.org/debian/xz-utils repository which is, as far as I understand it, the repository that the debian packages are built from and consequently also what the compromised packages were built from.