oss-sec mailing list archives
Re: Analysis on who is Jia Tan, and who he could work for, reading xz.git
From: Solar Designer <solar () openwall com>
Date: Wed, 10 Apr 2024 18:28:13 +0200
On Wed, Apr 10, 2024 at 05:16:52AM +0200, Alejandro Colomar wrote:
> I've been researching xz.git to learn about this malicious actor, and who he might have worked for.
As a moderator, I reluctantly let this through out of respect for Alejandro's time and knowing that many readers will find it interesting. However: This is almost off-topic for oss-security and it risks provoking further speculation and potentially hatred in follow-ups. Related analyses, including not only of timezones but also of commit times, were already posted elsewhere (e.g., a Wired story).

So let's please limit the follow-ups to (1) corrections of any factual errors or major omissions (to the extent of being misleading) there might be in Alejandro's postings and (2) observations that more directly help us identify or prevent more compromises like this (if any can be made based on this analysis, which I doubt).

One major omission I'd like to point out is that timezones can be faked - we have no reliable way to know which of these, if any, actually correspond to where Jia Tan was.

Note that other recent threads in here about search for code patterns similar to Jia Tan's and even for PGP keys similar to Jia Tan's are more relevant to oss-security, because they're aimed at uncovering potential related backdoor code in other projects. In contrast, identifying who Jia Tan is or what country/ies they're from doesn't obviously help. At best, it may give us guesses on where the presumed targets are, but then what? We need to protect the whole ecosystem regardless of who/where the current attackers are, and we need to develop means to detect such attacks everywhere, not only at currently likely targets.

Alexander

P.S. Let's also not spam distro security teams with this (CC's dropped). I'm sure they don't want tickets auto-created for such analyses, like they would for vulnerability reports. And I certainly don't want to spend time removing more ticket auto-replies from our moderation queue.