top | item 47167020

(no title)

coldpie | 4 days ago

This is IMO one of the coolest tech stories to ever happen, seriously amazing spycraft & hacking skills, but I haven't been keeping up with new developments from this story since it broke. Last I heard, the best guess at what happened was some state-sponsored actor worked very hard to get this merged, and it was caught luckily at the last minute. But no one had any smoking gun as to who did it or why or who they were targeting. Any new developments since then? Are we still just totally in the dark about what was going on here?

discuss

tokyobreakfast|3 days ago

> and it was caught luckily at the last minute

This isn't correct at all. The changes were merged into xz and made it into testing branches of major Linux distros.

It was caught at T plus a few minutes only because a neurotic Microsoft employee performing debugging noticed an obscure performance issue.

You can literally say Microsoft saved Linux that day. Imagine thinking this 25 years ago.

It's the difference between something really bad which happened, and something really, really, really, really bad: a malicious actor having RCE credentials to every new Debian and Red Hat box on planet Earth.

ApolloFortyNine|3 days ago

Redhat actually stumbled on the bug separately with valgrind errors triggering, so it's days were likely numbered regardless. Probably saved them a lot of debugging but the writing was on the wall.

nerevarthelame|4 days ago

Still no smoking gun, but possibly Russia. From the video https://youtu.be/aoag03mSuXQ?t=2883:

> A lot of the aliases, like Jia Tan, they sound like Asian names, and the published changes are all timestamped in UTC+8, Beijing time. So the signs point to China. And that's why it's probably not China. I mean, why would they make it that obvious? Every other part of the operation has been so meticulous, so cautious.

> And they also worked on Chinese New Year, but not on Christmas. And over the years, there were nine changes that fall outside of the Beijing time into UTC+2, which is a time zone that includes Israel and parts of Western Russia. That's why some experts have speculated that this could be the work of APT29, a Russian-state-backed hacker group also known as Cozy Bear. But again, do we know? No, of course we don't know who it is, and we likely will never know.

lrasinen|3 days ago

UTC+2 isn't very convincing as an argument for Russia. Only the Kaliningrad exclave uses that timezone, and if I were in a state-backed group, I'd live in one of the big cities.

Also quick search suggested UTC+3 was seen during the summer, and Russia doesn't do DST either.

Edit: some of the UTC+2/3 times are attributable to being differences in git committer and author dates (e.g. email patches)

gosub100|4 days ago

Russians don't celebrate Christmas on the 25th.

ginko|3 days ago

>And that's why it's probably not China. I mean, why would they make it that obvious?

That's just what they want you to think!

mc32|4 days ago

Those anecdotes don’t mean anything. If I were China and wanted plausible deniability I would work on CNY and take off on foreign holidays. Of course that leaves Beijing time as a weird oversight though it’s always Beijing time anywhere in China.

leonidasv|3 days ago

Stuxnet is also another mindblowing case. Wired write-up on it is a recommended reading: https://web.archive.org/web/20141028182107/http://www.wired....