'xz utils' Software Backdoor Uncovered in Years-Long Hacking Plot
(unicornriot.ninja)
Yeah, supply chain attacks can happen. There was that infamous SolarWinds supply chain attack recently. But I think that there are some important mitigating factors there.
Proprietary software companies -- unless they're using something open-source like xz upstream in their supply chain, as it's not just a "proprietary software world" and "open-source software world" -- tend to have someone's personal information if they're employed by them. They're not gonna hire and pay some random name who they know only as a GitHub account through a VPN, certainly not make them maintainer of their software.
Many -- not all -- proprietary software companies mandate that employees work locally. It's likely that if I'm working for a US company, a person is also subject to US law enforcement. In contrast, if you have a state-backed group, they're probably targeting people elsewhere. Whoever the people from the Jia Tan group are, my guess is that it's good odds that they will probably aim to avoid being in a country that they are targeting. Even if we expose their identities, they probably aren't going to be directly impacted by law enforcement. Open source projects hypothetically could do that, I suppose, but normally they're pretty border-agnostic.
That is, I think that this is going to be especially a challenge for the open-source world, as the attacks are targeting some things that the open-source community is notable for -- border-agnosticism, a relatively low bar to join a project, and often not a lot of personal identity validation.
Yeah, that's kinda what I was thinking, but you put it more-frankly.
It seems like there's a lot of potential for this to be corrosive to the community.