this post was submitted on 29 Mar 2024
406 points (99.0% liked)

Linux

48143 readers
837 users here now

From Wikipedia, the free encyclopedia

Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).

Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.

Rules

Related Communities

Community icon by Alpár-Etele Méder, licensed under CC BY 3.0

founded 5 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 50 points 7 months ago* (last edited 7 months ago) (21 children)

I'm genuinely disturbed that a person who was a core developer could just go rogue.

[–] [email protected] 81 points 7 months ago* (last edited 7 months ago) (13 children)

From what I've been reading, it sounds like they were malicious from the very beginning. The work to integrate the malware goes back to 2021. https://boehs.org/node/everything-i-know-about-the-xz-backdoor

It's an extremely sophisticated attack that was hidden very well, and was only accidentally discovered by someone who noticed that rejected SSH connections (eg invalid key or password) were using more CPU power and taking 0.5s longer than they should have. https://mastodon.social/@AndresFreundTec/112180406142695845

[–] [email protected] 13 points 7 months ago (11 children)

From that post, commits set to UTC+0800 and activity between UTC 12-17 indicate that the programmer wasn't operating from California but from another country starting with C. The name is also another hint.

[–] [email protected] 9 points 7 months ago* (last edited 7 months ago)

According to this post, the person involved exposed a different name at one point.

https://boehs.org/node/everything-i-know-about-the-xz-backdoor

Cheong is not a Pingyin name. It uses Romanization instead. Assuming that this isn't a false trail (unlikely, why would you expose a fake name once instead of using it all the time?) that cuts out China (Mainland) and Singapore which use the Pingyin system. Or somebody has a time machine and grabbed this guy before 1956.

Likely sources of the name would be a country/Chinese administrative zone that uses Chinese and Romanization. Which gives us Taiwan, Macau, or Hong Kong, all of which are in GMT+8. Note that two of these are technically under PRC control.

Realistically I feel this is just a rogue attacker instead of a nation state. The probability of China 1. Hiring someone from these specific regions 2. Exposing a non-pinying full name once on purpose is extremely low. Why bother with this when you have plenty of graduates from Tsinghua in Beijing? Especially after so many people desperate for jobs after COVID.

load more comments (10 replies)
load more comments (11 replies)
load more comments (18 replies)