bgmeister | 1 year ago
First they need to gain some credibility. And they also need to obfuscate what they were trying to do. The payoff if they were to succeed is potentially enormous, so it makes sense to do things slowly.
> and why do it in xz?
xz is almost a perfect target: undermaintained, complicated code that isn't well understood by many people, deployed and used widely.
> Or are they also attacking lots of other systems, perhaps under other names?
The answer probably depends on who the attacker(s) are, and what sort of funding or other motivations they have. We can only guess.
> 4. And what can we do about these attacks?
This is a big unanswered question. I haven't seen any great suggestions yet. We were very lucky with this particular attack.
> How can we build a system that isn’t ultimately brought crashing down by one or two bad actors?
The complexity involved in this attack suggests that it was probably a group, IMO.
> 5. Small technical detail I haven’t spotted in writeups: were the attack commands signed in some way so only the attacker can use them and the world can go hunting for a smoking gun cert that matches the attacker?
Yes, sort of. Filippo's thread has a good description: https://bsky.app/profile/filippo.abyssdomain.expert/post/3ko...