Does everyone understand how much luck was involved in this exploit in #xz being discovered so quickly? And, what it tells us about the attacker?
This was a subtle and sophisticated attack implemented over _years_. The attacker was made a co-maintainer two years ago, and they made numerous innocuous-looking and seemingly unrelated changes over that time, sometimes through a second account, that eventually added up to a backdoor. Along with many innocent commits, too. #Linux
Joe Cooper /
npub1u3…0xlpg
2024-03-29 21:10:09
Author Public Key
npub1u36rqkvjju6f6dtzahkp005qrl9y4qamu8j3rpme4df4d6ry6l8qu0xlpgPublished at
2024-03-29 21:10:09Event JSON
{
"id": "e31fc2f9b3229b1c5bdde7dc4fc150b4f636d70f40a3a517339d5e7682d5ee2a",
"pubkey": "e47430599297349d3562edec17be801fca4a83bbe1e5118779ab5356e864d7ce",
"created_at": 1711746609,
"kind": 1,
"tags": [
[
"t",
"Linux"
],
[
"t",
"xz"
],
[
"proxy",
"https://mas.to/users/swelljoe/statuses/112181025807936080",
"activitypub"
]
],
"content": "Does everyone understand how much luck was involved in this exploit in #xz being discovered so quickly? And, what it tells us about the attacker?\n\nThis was a subtle and sophisticated attack implemented over _years_. The attacker was made a co-maintainer two years ago, and they made numerous innocuous-looking and seemingly unrelated changes over that time, sometimes through a second account, that eventually added up to a backdoor. Along with many innocent commits, too. #Linux",
"sig": "7f6cf84a84943b0e79b20c5614dcad47017bd3923b6dbe7f19dfd3442b883c42b4092c50fc817e18a342c86fa0c34f0d53617b93d8314a6ad7d45830479f6b60"
}