undefined | Better HN

0 pointsmrb2y ago0 comments

I would presume it's a state actor. Generally in the blackhat world, attackers have very precise targets. They want to attack this company or this group of individuals. But someone who backdoors such a core piece of open source infrastructure wants to cast a wide net to attack as many as possible. So that fits the profile of a government intelligence agency who is interested in surveilling, well, everything.

Or it could in theory be malware authors (ransomware, etc). However these guys tend to aim at the low hanging fruits. They want to make a buck quickly. I don't think they have the patience and persistence to infiltrate an open source project for 2 long years to finally gain enough trust and access to backdoor it. On the other hand, a state actor is in for the long term, so they would spend that much time (and more) to accomplish that.

So that's my guess: Jia Tan is an employee of some intelligence agency. He chose to present an asian persona, but that's not necessarily who he truly represents. Could be anyone, really: Russia, China, Israel, or even the US, etc.

Edit: given that Lasse Collin was the only maintainer of xz utils in 2022 before Jia Tan, I wouldn't be surprised if the state actor interfered with Lasse somehow. They could have done anything to distract him from the project: introduce a mistress in his life, give him a high-paying job, make his spouse sick so he has to care for her, etc. With Lasse not having as many hours to spend on the project, he would have been more likely to give access to a developer who shows up around the same time and who is highly motivated to contribute code. I would be interested to talk to Lasse to understand his circumstances around 2022.

0 comments

hk__22y ago

> I haven't lost interest but my ability to care has been fairly limited mostly due to longterm mental health issues but also due to some other things. Recently I've worked off-list a bit with Jia Tan on XZ Utils and perhaps he will have a bigger role in the future, we'll see.

https://www.mail-archive.com/xz-devel@tukaani.org/msg00567.h...

2 more replies

occamsrazorwit2y ago

Given the details from another comment [1], it sounds like both maintainers are suspicious. Lasse's behavior has changed recently, and he's been pushing to get Jia Tan's changes into the Linux kernel. It's possible both accounts aren't even run by the original Lasse Collin and Jia Tan anymore.

Edit: Also, Github has suspended both accounts. Perhaps they know something we don't.

[1] https://news.ycombinator.com/item?id=39865810#39866275

gamer1912y ago

Where does that comment mention the other maintainer (Lasse Collin)?

occamsrazorwit2y ago

Whoops, I linked the wrong comment. I meant to link this one [1]. Anyway, seems like there's potentially a whole trail of compromised and fake accounts [2]. Someone in a government agency somewhere is pretty disappointed right now.

[1] https://news.ycombinator.com/item?id=39867593

[2] https://news.ycombinator.com/item?id=39866936

salamandar2y ago

According to Webarchive, https://tukaani.org/contact.html changed very recently (between 11/02/2024 and 29/02/2024) to add Lasse Collin's PGP key fingerprint. That timing is weird, considering his git activity at that time is almost non existent. Although, i checked, this key existed back in 2012.

Denvercoder92y ago

> considering his git activity at that time is almost non existent

Are you looking at the same repositories I am? He's made 88 commits to xz in that time period, two-thirds of the total.

Delk2y ago

> I wouldn't be surprised if the state actor interfered with Lasse somehow

People could also just get tired after years of active maintainership or become busier with life. Being the sole maintainer of an active open source project on top of work and perhaps family takes either a lot of enthusiasm or a lot of commitment. It's not really a given that people want to (or can) keep doing that forever at the same pace.

Someone then spots the opportunity.

I have no idea what the story is here but it might be something rather mundane.

janc_2y ago

Or they have just one or a small number of targets, but don’t want the target(s) to know that they were the only target(s), so they backdoor a large number of victims to “hide in the crowd”.

I agree that this is likely a state actor, or at least a very large & wealthy private actor who can play the long game…

fullstop2y ago

If anyone here happens to know Lasse, it might be good to check up on him and see how he's doing.

Repulsion95132y ago

> Generally in the blackhat world, attackers have very precise targets

Lol, what

> wants to cast a wide net to attack as many as possible. So that fits the profile of a government intelligence agency

That's quite backwards. Governments are far more likely to deploy a complex attack against a single target (see also: Stuxnet); other attackers (motivated primarily by money) are far more likely to cast a wide net.

1 more reply

dist-epoch2y ago

According to top comment he committed multiple binary files to xz for the last two years.

Most likely this is not the first backdoor, just the first one to be discovered, so it wasn't two years of work until there were results.

But I still agree that he's probably a state actor.

bombcar2y ago

Don't forget that you could have state actors who are otherwise interested in open source code, and working to actually improve it.

In fact, that'd be the best form of deep cover. It'll be interested to watch as people more knowledgable than I pour over every single commit and change.

hobobaggins2y ago

(not to be overly pedantic, but you probably meant pore, not pour: https://www.merriam-webster.com/grammar/pore-over-vs-pour-ov... )

apitman2y ago

If you have a backdoor in a specific piece of software already, what is the purpose of trying to introduce another backdoor (and risk it getting caught)?

dgacmu2y ago

There are two general attack targets I'd use if I had access to a library/binary like xz:

(1) A backdoor like this one, which isn't really about its core functions, but about the fact that it's a library linked into critical code, so that you can use it to backdoor _other things_. Those are complex and tricky because you have to manipulate the linking/GOT specifically for a target.

(2) Insert an exploitable flaw such as a buffer overflow so that you can craft malicious .xz files that result in a target executing code if they process your file. This is a slightly more generic attack vector but that requires a click/download/action.

Not every machine or person you want to compromise has an exposed service like ssh, and not every target will download/decompress a file you send to them. These are decently orthogonal attack vectors even though they both involve a library.

(Note that there's as yet no evidence for #2 - I'm just noting how I'd try to leverage this to maximum effect if I wanted to.)

dist-epoch2y ago

This backdoor targeted only sshd.

There could be other backdoors for other targets.

Bulat_Ziganshin2y ago

xz is a data compression tool, so it's natural to have compressed files for (de)compression tests.

these files are also useful to check that the library we just built works correctly. but they aren't necessary for installation.

we may have more sophisticated procedures that will allow us to use some parts of distribution only for tests. This may significantly reduce an attack vector - many projects have huge, sophisticated testing infrastructure where you can hide the entire Wikipedia.

jnxx2y ago

> They want to attack this company or this group of individuals. But someone who backdoors such a core piece of open source infrastructure wants to cast a wide net to attack as many as possible.

The stuxnet malware, which compromised Siemens industrial controls to attack specific centrifuges in uranium enrichment plants in Iran, is a counterexample to that.

mrbOP2y ago

Stuxnet wasn't similar to this xz backdoor. The Stuxnet creators researched (or acquired) four Windows zero-days, a relatively short-term endeavor. Whereas the xz backdoor was a long-term 2.5 years operation to slowly gain trust from Lasse Collin.

But, anyway, I'm sure we can find other counter-examples.

Repulsion95132y ago

If a government wants to cast a wide nest and catch what they can, they'll just throw a tap in some IXP.

If a government went to this much effort to plant this vulnerability, they absolutely have targets in mind - just like they did when they went to the effort of researching (or acquiring) four separate Windows zero-days, combining them, and delivering them...

jhugo2y ago

> a long-term 2.5 years operation to slowly gain trust from Lasse Collin

Couldn't the account that committed the backdoor have been compromised recently?

Havoc2y ago

Bit much speculating about mistresses and poisoned spouses with well anything to go on...

Muntzer2y ago

Adding some unreadable binary to the source code is a really dangerous thing to do. We also need tools to quickly detect the addition of indentation symbols that can be easily overlooked.

BYW,I had a classmate who used to play DOTA1(on war3) under this name at the University of Science and Technology of China a long time ago, and this was his first girlfriend name (maybe) . His father was a high-ranking official. Then he joined the parent department of the Internal Security Detachment, a secret service that has gained a lot of power in the last few years. I hope I'm not awake . lol.

ibic2y ago

Yes, I believe it's an state actor, and the intention of choosing a typical Chinese name Jia Tan is intentially and malicious.

pyrolistical2y ago

Literally this https://xkcd.com/2347/

2OEH8eoCRo02y ago

It's ridiculous to think it's the US as it would be an attack on Red Hat a US company and an attack on Americans. It's a good way to be dragged in front of Congress.

5 more replies

j / k navigate · click thread line to collapse

0 comments

hk__22y ago

https://www.mail-archive.com/xz-devel@tukaani.org/msg00567.h...

2 more replies

occamsrazorwit2y ago

Edit: Also, Github has suspended both accounts. Perhaps they know something we don't.

[1] https://news.ycombinator.com/item?id=39865810#39866275

gamer1912y ago

Where does that comment mention the other maintainer (Lasse Collin)?

occamsrazorwit2y ago

[1] https://news.ycombinator.com/item?id=39867593

[2] https://news.ycombinator.com/item?id=39866936

salamandar2y ago

Denvercoder92y ago

> considering his git activity at that time is almost non existent

Are you looking at the same repositories I am? He's made 88 commits to xz in that time period, two-thirds of the total.

Delk2y ago

> I wouldn't be surprised if the state actor interfered with Lasse somehow

Someone then spots the opportunity.

I have no idea what the story is here but it might be something rather mundane.

janc_2y ago

Or they have just one or a small number of targets, but don’t want the target(s) to know that they were the only target(s), so they backdoor a large number of victims to “hide in the crowd”.

I agree that this is likely a state actor, or at least a very large & wealthy private actor who can play the long game…

fullstop2y ago

If anyone here happens to know Lasse, it might be good to check up on him and see how he's doing.

Repulsion95132y ago

> Generally in the blackhat world, attackers have very precise targets

Lol, what

> wants to cast a wide net to attack as many as possible. So that fits the profile of a government intelligence agency

1 more reply

dist-epoch2y ago

According to top comment he committed multiple binary files to xz for the last two years.

Most likely this is not the first backdoor, just the first one to be discovered, so it wasn't two years of work until there were results.

But I still agree that he's probably a state actor.

bombcar2y ago

Don't forget that you could have state actors who are otherwise interested in open source code, and working to actually improve it.

In fact, that'd be the best form of deep cover. It'll be interested to watch as people more knowledgable than I pour over every single commit and change.

hobobaggins2y ago

(not to be overly pedantic, but you probably meant pore, not pour: https://www.merriam-webster.com/grammar/pore-over-vs-pour-ov... )

apitman2y ago

If you have a backdoor in a specific piece of software already, what is the purpose of trying to introduce another backdoor (and risk it getting caught)?

dgacmu2y ago

There are two general attack targets I'd use if I had access to a library/binary like xz:

(Note that there's as yet no evidence for #2 - I'm just noting how I'd try to leverage this to maximum effect if I wanted to.)

dist-epoch2y ago

This backdoor targeted only sshd.

There could be other backdoors for other targets.

Bulat_Ziganshin2y ago

xz is a data compression tool, so it's natural to have compressed files for (de)compression tests.

these files are also useful to check that the library we just built works correctly. but they aren't necessary for installation.

jnxx2y ago

> They want to attack this company or this group of individuals. But someone who backdoors such a core piece of open source infrastructure wants to cast a wide net to attack as many as possible.

The stuxnet malware, which compromised Siemens industrial controls to attack specific centrifuges in uranium enrichment plants in Iran, is a counterexample to that.

mrbOP2y ago

But, anyway, I'm sure we can find other counter-examples.

Repulsion95132y ago

If a government wants to cast a wide nest and catch what they can, they'll just throw a tap in some IXP.

jhugo2y ago

> a long-term 2.5 years operation to slowly gain trust from Lasse Collin

Couldn't the account that committed the backdoor have been compromised recently?

Havoc2y ago

Bit much speculating about mistresses and poisoned spouses with well anything to go on...

Muntzer2y ago

Adding some unreadable binary to the source code is a really dangerous thing to do. We also need tools to quickly detect the addition of indentation symbols that can be easily overlooked.

ibic2y ago

Yes, I believe it's an state actor, and the intention of choosing a typical Chinese name Jia Tan is intentially and malicious.

pyrolistical2y ago

Literally this https://xkcd.com/2347/

2OEH8eoCRo02y ago

It's ridiculous to think it's the US as it would be an attack on Red Hat a US company and an attack on Americans. It's a good way to be dragged in front of Congress.

5 more replies

j / k navigate · click thread line to collapse