https://www.openwall.com/lists/oss-security/2024/03/29/4
Apparently one of the maintainers have been adding backdoors to xz/liblzma for who knows how long. Because it was coming from a "trusted" source (upstream), nobody noticed it until now. Does this mean the end of the open-source security myth?
>>23937
Took a bit to find it again:
https://electric.marf.space/@trysdyn/statuses/01HT5Q220WERVFVZKYPN0332KJ
They don't link to anything, so may just be telephone gamed, sorry about that.
>>23948
Because that is an overly simplistic, liberal friendly approach to what actual materialist analysis accomplishes more precisely.
Not every conspiracy involves making a monetary transaction, and not every monetary transaction is a conspiracy.
>>23952
It's not the only factor. Personally I think people are putting too much trust in the Linux Foundation, but there are already maintained forks of the kernel. Linux will survive without the foundation if it decides to begin the rent seeking phase, just as it survived when Ubuntu did so.
I hold firm that "company donates to project it relies on so it doesn't lose an important logistical component of its operations / that component can improve = project is psyop" is braindead and ignores structure.
>>23957
The CIA considering a communist party critical to its continued operations would be a whole different beast than a company that relies on computers having standardized software donating to the upkeep of said software.
Like, would you think it's "suspicious" for an animation studio to donate to Krita?
>>23941
>>23955
Very interesting.
Given everything shown, it is likely the culprit is working in Europe. Could be some German intelligence, a lone wolf, or an Israeli-German cyber-security company.
My bets are on it being a single person with no backing.
>>23955
First-level: seems obvious (Jia Cheong Tan is not a real Chinese name) that it's NSA trying to frame MSS.
Second-level: Maybe it's FSB / GRU trying to frame the NSA as trying to frame MSS?
Third-level: MSS / PLASSF got bored.
Fourth-level: there is no Nash equilibrium so we can stop guessing and go home. Obviously someone's glow-op, but good luck figuring out who.
>>23978
>the analysis of his git commit timestamps
LMFAO, those are so fucking trivial to fake, the faking is built into git itself. There's a git command argument to supply a custom timestamp for a commit, I've done this myself.
Glowies (or anyone else) will try to mask their operations by even including foreign language in their code, even if it serves no technical purpose. It's just there to give false leads.
I'm pretty certain the author of those commits is NOT from the timezone of those commits. If they are competent enough to develop a backdoor then they sure as fuck will have the absolute basic knowledge about hiding their traces.
>>23982
Here is the thing, the developer had a Chinese sounding name but a timestamp that aligns with Eastern Europe/Israel.
So which of these things is fake and which is genuine and whatever is fake, what was the intention behind the obfuscation?
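The two posts above argue about what git commit timestamps can and cannot tell you. The script below, added here as an illustration and not written by anyone in this thread, shows the kind of metadata check an analyst actually runs: it parses commit lines in the shape of `git log --format='%H|%an|%aI|%cI'` (strict ISO 8601 author and committer dates, which carry the UTC offset the committing machine reported), works out each author's usual offset, and flags commits whose offset breaks the pattern or whose committer date lags the author date by more than a day. The commit lines, hashes and author names are constructed sample data, not real xz history.

```python
"""Timezone-consistency checks over git commit metadata (constructed sample data)."""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample in the shape of:  git log --format='%H|%an|%aI|%cI'
# The hashes, names and dates are made up for this example.
SAMPLE_LOG = """\
a1b2c3d|Example Dev|2023-06-01T10:15:00+08:00|2023-06-01T10:15:00+08:00
b2c3d4e|Example Dev|2023-06-03T09:02:00+08:00|2023-06-03T09:02:00+08:00
c3d4e5f|Example Dev|2023-06-07T14:40:00+08:00|2023-06-07T14:40:00+08:00
d4e5f6a|Example Dev|2023-06-09T11:30:00+02:00|2023-06-09T11:30:00+02:00
e5f6a7b|Example Dev|2023-06-11T08:00:00+08:00|2023-06-14T16:20:00+00:00
f6a7b8c|Other Maintainer|2023-06-12T19:00:00-05:00|2023-06-12T19:00:00-05:00
"""


def parse_log(text):
    """Turn the pipe-separated log lines into dicts with aware datetimes."""
    commits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        sha, author, adate, cdate = line.split("|")
        commits.append({
            "sha": sha,
            "author": author,
            "author_date": datetime.fromisoformat(adate),
            "commit_date": datetime.fromisoformat(cdate),
        })
    return commits


def utc_offset_hours(dt):
    """UTC offset recorded in the timestamp, in hours (e.g. +08:00 -> 8.0)."""
    return dt.utcoffset().total_seconds() / 3600


def dominant_offsets(commits):
    """Per author, the UTC offset that appears most often on their author dates."""
    per_author = defaultdict(Counter)
    for c in commits:
        per_author[c["author"]][utc_offset_hours(c["author_date"])] += 1
    return {a: cnt.most_common(1)[0][0] for a, cnt in per_author.items()}


def local_hour_histogram(commits, author):
    """Hour-of-day (in the author's own recorded offset) at which they commit.

    This is the 'working hours' view attribution write-ups tend to lean on.
    """
    hist = Counter()
    for c in commits:
        if c["author"] == author:
            hist[c["author_date"].hour] += 1
    return dict(hist)


def find_anomalies(commits, max_skew_hours=24):
    """Flag commits whose offset breaks the author's pattern, or where the
    committer date is far from the author date (rebases and cherry-picks do
    this legitimately, so it is a lead, not a verdict)."""
    dom = dominant_offsets(commits)
    anomalies = []
    for c in commits:
        reasons = []
        a_off = utc_offset_hours(c["author_date"])
        if a_off != dom[c["author"]]:
            reasons.append(
                f"author offset {a_off:+g}h differs from usual {dom[c['author']]:+g}h")
        skew = abs((c["commit_date"] - c["author_date"]).total_seconds()) / 3600
        if skew > max_skew_hours:
            reasons.append(f"committer date lags author date by {skew:.1f}h")
        if reasons:
            anomalies.append((c["sha"], reasons))
    return anomalies


if __name__ == "__main__":
    commits = parse_log(SAMPLE_LOG)
    print("usual offsets:", dominant_offsets(commits))
    print("Example Dev local hours:", local_hour_histogram(commits, "Example Dev"))
    for sha, reasons in find_anomalies(commits):
        print(sha, "->", "; ".join(reasons))
```

Both the offset and the clock value are whatever the committing machine reported, and git lets either date be set explicitly, so a consistent pattern is weak evidence about where someone sits and an inconsistent one may only mean a laptop changed timezone. What the check is good for is the defender's question rather than the attribution one: a sudden shift in a long-standing maintainer's metadata, or author/committer dates that drift apart, is cheap to watch for in CI and worth a closer look at the commit itself.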
>>23987
You can't tell who it is, it could be Five Eyes trying to frame Chinese / Russians, Russians trying to frame Chinese, or Chinese trying to frame Russians, or Russians / Chinese trying to frame Five Eyes trying to frame Chinese / Russians.
It's no point; vs spooks it's very hard to figure out who did what unless they were sloppy.
>>24033
Boost, equally curious myself.
>>24042
The plot glows more and more, though this seems intentionally misleading. From what I have gathered, the backdoor has been in the works for years, why put such little effort into a pseudo-identity?
>>24052
i imagine that the greatest challenge comes from the sneaky-sneaky glowies digging years old rabbit holes to push backdoors into code. due to the open source nature of xz, malicious code must be very well hidden, difficult for the ai to detect, see >>23973 for a tl;dr of the very lengthy process. plus, it's not like you can just grep the source code and find a boolean response to some given string whether it's malicious or not. although i imagine these aren't huge limitations, as the plot was foiled pretty easily by, of all people, a Microsoft dev and I would imagine after this fiasco more effort will be concentrating on ravaging through rabbit-holes for malicious code.