undefined | Better HN

0 pointstux31y ago0 comments

The concern about other projects is fine, but let's be careful with attacks directed at the person.

Maybe their account is compromised, maybe the username borrows the identity of an innocent person with the same name.

Focus on the code, not people. No point forming a mob.

(e: post above was edited and is no longer directed at the person. thanks for the edit.)

0 comments

It's important to focus on people, not just code, when suspecting an adversary. Now, I have no idea if this is the right account, and if it has recently been compromised/sold/lost, or if it has always been under the ownership of the person who committed the backdoor. But IF this is indeed the right account, then it's important to block any further commit from it to any project, no matter how innocuous it seems, and to review thoroughly any past commit. For the most security-conscious projects, it would be a good idea to even consider reverting and re-implementing any work coming from this account if it's not fully understood.

An account that has introduced a backdoor is not the same thing as an account who committed a bug.

tux3OP1y ago

I agree we should look at the account and its contributions, I make a distinction between the account and the person.

Sometimes the distinction is not meaningful, but better safe than sorry.

tsimionescu1y ago

Oh, agreed then.

kevin_b_er1y ago

They appear to have moved carefully to set this up over the course of weeks by setting up the framework to perform this attack.

I would now presume this person to be a hostile actor and their contributions anywhere and everywhere must be audited. I would not wait for them to cry 'but my bother did it', because an actual malicious actor would say the same thing. The 'mob' should be pouring over everything they've touched.

Audit now and audit aggressively.

b1121y ago

My above post shows the primary domain for xz moving from tukaani.org to xz.tukaani.org. While it's hosted on github:

$ host xz.tukaani.org

host xz.tukaani.org is an alias for tukaani-project.github.io.

And originally it was not:

$ host tukaani.org

tukaani.org has address 5.44.245.25 (seemingly in Finland)

It was moved there in Jan of this year, as per the commit listed in my prior post. By this same person/account. This means that instead of Lasse Collin's more restrictive webpage, an account directly under the control of the untrusted account, is now able to edit the webpage without anyone else's involvement.

For example, to make subtle changes in where to report security issues to, and so on.

So far I don't see anything nefarious, but at the same time, isn't this the domain/page hosting bad tarballs too?

pja1y ago

This account changed the instructions for reporting security issues in the xz github as their very last commit:

    commit af071ef7702debef4f1d324616a0137a5001c14c (HEAD -> master, origin/master, origin/HEAD)
    Author: Jia Tan <jiat0218@gmail.com>
    Date:   Tue Mar 26 01:50:02 2024 +0800

        Docs: Simplify SECURITY.md.

    diff --git a/.github/SECURITY.md b/.github/SECURITY.md
    index e9b3458a..9ddfe8e9 100644
    --- a/.github/SECURITY.md
    +++ b/.github/SECURITY.md
    @@ -16,13 +16,7 @@ the chance that the exploit will be used before a patch is released.
     You may submit a report by emailing us at
     [xz@tukaani.org](mailto:xz@tukaani.org), or through
     [Security Advisories](https://github.com/tukaani-project/xz/security/advisories/new).
    -While both options are available, we prefer email. In any case, please
    -provide a clear description of the vulnerability including:
    -
    -- Affected versions of XZ Utils
    -- Estimated severity (low, moderate, high, critical)
    -- Steps to recreate the vulnerability
    -- All relevant files (core dumps, build logs, input files, etc.)
    +While both options are available, we prefer email.

     This project is maintained by a team of volunteers on a reasonable-effort
     basis. As such, please give us 90 days to work on a fix before

Seems innocuous, but maybe they were planning further changes.

1 more reply

mxmlnkn1y ago

The website change reminds me a bit of lbzip2.org https://github.com/kjn/lbzip2/issues/26#issuecomment-1582645... Although, at the moment, it only seems to be spam. The last commit was 6 years ago, so I guess that's better than a maintainer change...

buildbot1y ago

> tukaani.org has address 5.44.245.25 (seemingly in Finland)

Hetzner?

2 more replies

mort961y ago

If the owner of the account is innocent and their account was compromised, it's on them to come out and say that. All signs currently point to the person being a malicious actor, so I'll proceed on that assumption.

londons_explore1y ago

Does the person exist at all? Maybe they're a persona of a team working at some three letter agency...

Citizen83961y ago

Probably not. I did some pattern of life analysis on their email/other identifiers. It looks exactly like when I set up a burner online identity- just enough to get past platform registration, but they didn't care enough to make it look real.

For example, their email is only registered to GitHub and Twitter. They haven't even logged into their Google account for almost a year. There's also no history of it being in any data breaches (because they never use it).

Burn the witch.

2 more replies

bonzini1y ago

Or for some three letter party.

j / k navigate · click thread line to collapse

0 comments

simiones1y ago

An account that has introduced a backdoor is not the same thing as an account who committed a bug.

tux3OP1y ago

I agree we should look at the account and its contributions, I make a distinction between the account and the person.

Sometimes the distinction is not meaningful, but better safe than sorry.

tsimionescu1y ago

Oh, agreed then.

kevin_b_er1y ago

They appear to have moved carefully to set this up over the course of weeks by setting up the framework to perform this attack.

Audit now and audit aggressively.

b1121y ago

My above post shows the primary domain for xz moving from tukaani.org to xz.tukaani.org. While it's hosted on github:

$ host xz.tukaani.org

host xz.tukaani.org is an alias for tukaani-project.github.io.

And originally it was not:

$ host tukaani.org

tukaani.org has address 5.44.245.25 (seemingly in Finland)

For example, to make subtle changes in where to report security issues to, and so on.

So far I don't see anything nefarious, but at the same time, isn't this the domain/page hosting bad tarballs too?

pja1y ago

This account changed the instructions for reporting security issues in the xz github as their very last commit:

    commit af071ef7702debef4f1d324616a0137a5001c14c (HEAD -> master, origin/master, origin/HEAD)
    Author: Jia Tan <jiat0218@gmail.com>
    Date:   Tue Mar 26 01:50:02 2024 +0800

        Docs: Simplify SECURITY.md.

    diff --git a/.github/SECURITY.md b/.github/SECURITY.md
    index e9b3458a..9ddfe8e9 100644
    --- a/.github/SECURITY.md
    +++ b/.github/SECURITY.md
    @@ -16,13 +16,7 @@ the chance that the exploit will be used before a patch is released.
     You may submit a report by emailing us at
     [xz@tukaani.org](mailto:xz@tukaani.org), or through
     [Security Advisories](https://github.com/tukaani-project/xz/security/advisories/new).
    -While both options are available, we prefer email. In any case, please
    -provide a clear description of the vulnerability including:
    -
    -- Affected versions of XZ Utils
    -- Estimated severity (low, moderate, high, critical)
    -- Steps to recreate the vulnerability
    -- All relevant files (core dumps, build logs, input files, etc.)
    +While both options are available, we prefer email.

     This project is maintained by a team of volunteers on a reasonable-effort
     basis. As such, please give us 90 days to work on a fix before

Seems innocuous, but maybe they were planning further changes.

1 more reply

mxmlnkn1y ago

buildbot1y ago

> tukaani.org has address 5.44.245.25 (seemingly in Finland)

Hetzner?

2 more replies

mort961y ago

londons_explore1y ago

Does the person exist at all? Maybe they're a persona of a team working at some three letter agency...

Citizen83961y ago

Burn the witch.

2 more replies

bonzini1y ago

Or for some three letter party.

j / k navigate · click thread line to collapse