

Unfolding now: news.ycombinator.com/item?id=3…

- openwall.com/lists/oss-securit…
- github.com/tukaani-project/xz/…

An incredibly technically complex #backdoor in xz (potentially also in libarchive and elsewhere) was just discovered. This backdoor has been quietly implemented over years, with the assistance of a wide array of subtly interconnected accounts:

- github.com/tukaani-project/xz/…
- bugs.debian.org/cgi-bin/bugrep…
- github.com/jamespfennell/xz/pu…

The timeline on this is going to take so long to unravel

#security #linux

This entry was edited (8 months ago)


in reply to Evan B🥥ehs

boehs.org/node/everything-i-kn…

I have begun a post explaining this situation in a more detailed writeup. This is updating in realtime, and there is a lot still missing.

#security #xz #linux

This entry was edited (8 months ago)
in reply to Evan B🥥ehs

I really hope that this causes an industry-wide reckoning with the common practice of letting your entire goddamn product rest on the shoulders of one overworked person having a slow mental health crisis without financially or operationally supporting them whatsoever. I want everyone who has an open source dependency to read this message mail-archive.com/xz-devel@tuka…


in reply to Glyph

"I never thought a sophisticated APT would backdoor *my* volunteer-maintained infrastructure that I got for free" sobs entire industry who voted for the "volunteer-maintained infrastructure that I get for free with no defense against sophisticated APTs" party


in reply to Glyph

@glyph please note that we are ALSO no fans of the "subsume free software into capitalism" solution that corporate and statist rhetoric has been pushing for a couple years now
in reply to Irenes (many)

@irenes @glyph It's tricky to avoid the challenge that arises from the problem that (1) producing free software is work and (2) the workers live in a capitalist society and (3) the workers therefore need to pay for food and shelter.

Verily, there is no ethical consumption under capitalism.

in reply to Peter Brett

alas, there is no ethical compression under capitalism


in reply to Peter Brett

@krans @glyph sure. well, so the reason we personally call the thing we do "free software" is precisely to highlight the point that our own goal in publishing stuff without charge is very much to work towards a world without that problem, by creating something that exists as far outside it as we can manage (not all the way - obviously we have the free time to do that because of our other privileges)
in reply to Irenes (many)

@krans @glyph people publish their work without financial cost for a long list of reasons, we don't speak for anyone but ourselves (Irenes) here
in reply to Irenes (many)

@krans@me.uk @glyph It's free like freedom, not like beer, and I can relate. I'm not dependent on donations for my livelihood, but I put like ~5-10 hours into this today, it cost me $5.30 in hosting fees, and not one of the 35000 viewers donated. That's ok, I didn't have donations till recently, but this is what happens in the FOSS community. People like to be paid for their work, that just doesn't always happen. The fact people put free stuff out doesn't mean they don't want funding.
This entry was edited (8 months ago)
in reply to Evan B🥥ehs

not free as in free speech but free as in free association of equal producers.

If some extract all the value produced that's not free association of equal producers.

This entry was edited (8 months ago)
in reply to Irenes (many)

@irenes @glyph I thought it was called "free software" because users are allowed to do whatever they want to with it including modifications, not because it's provided free of charge.

The founders of the Free Software movement were Libertarians, not Socialists (unfortunately).

I guess we were talking at cross purposes — sorry.

in reply to Peter Brett

@krans @glyph we're very proactive-death-of-the-author about this. the FSF has failed to provide ideological leadership due to RMS's top-down style, but many of the ideals are good ones and it's the job of the current generation to renew the movement if we want our children to be able to enjoy its fruits the way we did
in reply to Irenes (many)

@krans @glyph but you're right, of course, it's a valid point. we just don't think trying to coin a new term would be useful, if anything it would be a distraction from the cultural work that matters
in reply to Irenes (many)

@krans @glyph we see it as important that our work be free-as-in-speech, yes, but it is also very much free as in we absolutely refuse to ever ask for or accept money for it (outside the scope of our day job)

again, yes, serious privilege on our part

in reply to Irenes (many)

@irenes @krans @glyph > as in we absolutely refuse to ever ask for or accept money for it (outside the scope of our day job)

Speak for yourself lol

in reply to Evan B🥥ehs

@krans @glyph yes, we are speaking for ourselves (just Irenes, not you). as we already clarified up-thread, in our display name, and in our bio, we are plural.
in reply to Glyph

@glyph currently adding iframe infrastructure to embed this toot into my site
in reply to Evan B🥥ehs

this looks phenomenal, is it open source? I miss embedding tweets and this looks even better than that did
in reply to Glyph

@glyph Yeah, Mastodon has its own embeds but I wanted it to fit in with the site. It's DIY and very hastily banged together: github.com/boehs/site/commit/a…
in reply to Evan B🥥ehs

@glyph Very cool! Any chance you might be willing to share that particular snippet - even just the HTML structure - under a less restrictive license than AGPL? It seems like the kind of thing I would love to use or adapt on my own site, but I don't want to (and probably legally can't) share my site and all the services it uses under that license.
in reply to David Zaslavsky

@diazona @glyph sure. I've licensed this file under MIT

github.com/boehs/site/commit/6…

if you use it commercially consider liberapay.com/e/ but obviously there is no legal obligation here

in reply to Glyph

@glyph I'm frustrated that big tech's efforts to increase core library security are "your project is too popular, you must use 2FA" and "the best reverse engineers in the world will find your bugs and put you on a 90 day disclosure deadline" and not "here is $100K/year and benefits to keep doing what you're doing at your own pace."


in reply to Geoffrey Thomas

@geofft
> I'm frustrated that big tech's efforts to increase core library security are […] not "here is $100K/year and benefits to keep doing what you're doing at your own pace."

Have you *met* big tech? They're very far down my list of people that I want empowered to make such decisions.

Yes, there are workers I want to get that salary to keep doing demonstrated good work at their own pace.

But you propose Microsoft or Google or Amazon should choose who gets that? Please no!

@glyph @eb

in reply to bignose

@bignose @geofft @glyph I think the argument is that if big tech is profiting immensely off the backs of free software developers, those developers should be compensated fairly
in reply to Evan B🥥ehs

> those developers should be compensated fairly

I've already agreed to that, yes.

> if big tech is profiting immensely off the backs of free software developers

There you get closer to where I think the problem is.

I definitely don't want any private for-profit big tech firms deciding who gets compensated (and, necessarily, who does not get fair compensation) for work that benefits us all.

@geofft @glyph

This entry was edited (8 months ago)
in reply to Geoffrey Thomas

@geofft @glyph I'm certainly not disputing that it's a real problem that that doesn't happen more often, but isn't there some precedent for big tech companies hiring people to work on specific open source projects? So it's not totally unheard of
in reply to David Zaslavsky

@diazona @geofft @glyph there’s a lot of precedent for hiring maintainers of top-level programs whose brand (for lack of a better term) has reached the level of awareness of a C-level with a hiring budget. Collectively pooling money to help the projects C-levels have never heard of… has a much weaker track record. We’ve been trying to tackle it at Tidelift for a while and suffice to say I’ve definitely had a lot of “but it can’t happen to me” conversations.
in reply to Luis Villa

@luis_in_brief @diazona @glyph Yeah that resonates with my experience. People like GvR get hired (which is great!) but there's a whole dependency stack underneath. Their maintainers often have a strong résumé to get hired for a normal big tech job at a company that uses the language/ecosystem/etc. but not necessarily for maintaining the project as their job. Sometimes the job is even "build something similar for an internal non-OSS ecosystem."
in reply to Geoffrey Thomas

@geofft @luis_in_brief @diazona there are layers and layers to this. Famous maintainers get hired more than critical maintainers. And maintenance is important but how do you pay for the commons of *new* projects? The tidelift model gets us part of the way there, because these costs need to be aggregated and there needs to be some kind of oversight, but even if they were universally adopted (and that is far from true) there are so many missing pieces
in reply to Glyph

@glyph @geofft @diazona “Famous maintainers get hired more than critical maintainers.” Owwwwwwww.
in reply to Luis Villa

@luis_in_brief @glyph

I am way overdue in finishing and publishing my negative review of Eghbal's "Working in Public" but one of my critiques is that she basically concludes that maintainers need to become famous and use Substack/Patreon to crowdfund (from individual donors) in order to sustain their work. Which really doesn't fit what we have found in critical FLOSS infrastructure IMO.

@geofft @diazona @eb

in reply to benwis 🦀

@benwis @brainwane @luis_in_brief @glyph @geofft @diazona @djc there’s some website (I forget what it is) that basically you pay x amount of dollars and it audits your entire dependency tree and attempts to pay maintainers proportionally. Unfortunately iirc it was kinda flawed but I think it’s a solid idea
in reply to Evan B🥥ehs

@benwis @brainwane @glyph @geofft @diazona @djc you’re thinking of Back Your Stack, probably.

On a more sustainable (read: commercial) basis, I co-founded tidelift.com to do exactly this.

in reply to Luis Villa

@luis_in_brief @benwis @brainwane @glyph @geofft @diazona @djc oh that’s sick, it’s so funny that you never know who you’re speaking to on here lol. Congrats on how successful tidelift has been :)
in reply to Evan B🥥ehs

@benwis @brainwane @glyph @geofft @diazona @djc Thanks! admittedly on a day like today, mostly I'm focused on how many projects we can't yet cover.

So, yeah, send people our way!

in reply to Glyph

@glyph god, imagine how betrayed Lasse Collin (maintainer) must be feeling rn
in reply to paul

@trespaul @glyph it's 2am in finland right now. I do hope they made it to sleep before they saw this
in reply to paul

@paul Yeah, wow.

"Recently I've worked off-list a bit with Jia Tan on XZ Utils and
perhaps he will have a bigger role in the future, we'll see."

That's two years ago and I'm assuming it's the Jia Tan that contributed the exploit this month.

mail-archive.com/xz-devel@tuka…
/via mastodon.social/@glyph/1121809… @Glyph


in reply to Evan B🥥ehs

so is there any evidence that "Jigar Kumar" is a real person? He certainly doesn't hold back from laying on the guilt tripping
mail-archive.com/xz-devel@tuka…
in reply to fraggle

@fraggle He's not. Like beyond reasonable doubt. Just guilt tripped and ran off into the sunset
in reply to Evan B🥥ehs

I kinda doubt Dennis Ens is either. He initially opened the thread, likely to plant the idea that xz needs a new maintainer. He then came back to guilt trip "I am sorry about your mental health issues, but...the community desires more"

EDIT: I initially misread "desires" as "deserves". I think my point still stands though

This entry was edited (8 months ago)
in reply to Evan B🥥ehs

is anyone in touch with the original maintainer?

Given the pressure they were subjected to I don't want to imagine what the story that unfolded in the past few hours does to them.

in reply to Evan B🥥ehs

great work on this timeline. Here's Jia Tan's account trying to get xz 5.6.1 into ubuntu lts 24.04 yesterday. Beta freeze is on Monday. bugs.launchpad.net/bugs/205941…
in reply to Evan B🥥ehs

(Can you - if it's not too hard - also show the "last updated" timestamp in UTC?)
in reply to njsg

@njsg I'm updating this manually so unfortunately hmm I can try
in reply to Evan B🥥ehs

comment on the libarchive PR is incorrect. The change does do what it says, in addition to changing safe_fprintf to fprintf. It added a strerror(errno) to the output, to address github.com/libarchive/libarchi…
in reply to Evan B🥥ehs

It's interesting that JiaT75 commits are logged with +0800 timezone, but their actual Github interactions appear to have been almost completely between 12.00 UTC and 18.00 UTC:

play.clickhouse.com/play?user=…

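The observation above (commits stamped +0800, but server-side activity clustered in a 12:00-18:00 UTC window) is a standard forensic cross-check, so here is an added example of how to run it over a git log. This is example code written for this page, not code from the thread, from xz, or from GitHub; the log lines are constructed, not real JiaT75 commits, and the "09:00-17:59 working day" heuristic is an assumption used only to rank candidate offsets.

```python
"""Compare the UTC offset an author stamps on commits with the UTC hours
they were actually active, and flag when the two do not agree.

Added example, not code from the thread or from the xz project. The
sample log below is constructed (not real commits)."""
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of `git log --format='%h %aI'`:
# every commit claims +08:00, but all of them land between 12:00 and 18:00 UTC.
SAMPLE_LOG = """\
a1b2c3d 2024-02-23T20:12:11+08:00
b2c3d4e 2024-02-24T21:40:03+08:00
c3d4e5f 2024-02-26T22:05:47+08:00
d4e5f6a 2024-03-01T01:30:19+08:00
e5f6a7b 2024-03-04T23:55:02+08:00
f6a7b8c 2024-03-08T20:48:36+08:00
"""


def parse_log(text):
    """Parse `<sha> <ISO-8601 timestamp>` lines into timezone-aware datetimes."""
    commits = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        _sha, stamp = line.split(maxsplit=1)
        dt = datetime.fromisoformat(stamp)
        if dt.tzinfo is None:
            raise ValueError(f"timestamp without UTC offset: {line}")
        commits.append(dt)
    return commits


def claimed_offsets(commits):
    """Histogram of the UTC offsets (in hours) the author stamped on commits.
    These come from GIT_AUTHOR_DATE and are entirely under the author's control."""
    return Counter(c.utcoffset().total_seconds() / 3600 for c in commits)


def utc_hours(commits):
    """Histogram of the hour of day, in UTC, at which each commit was made."""
    return Counter(c.astimezone(timezone.utc).hour for c in commits)


def best_fit_offsets(commits, workday=range(9, 18)):
    """Whole-hour UTC offsets (-12..+14) under which the most commits fall inside
    a 09:00-17:59 local working day. Several offsets usually tie, so all
    top-scoring offsets are returned rather than a single guess."""
    scores = {}
    for off in range(-12, 15):
        tz = timezone(timedelta(hours=off))
        scores[off] = sum(c.astimezone(tz).hour in workday for c in commits)
    best = max(scores.values())
    return sorted(off for off, n in scores.items() if n == best)


def assess(text):
    """Return the claimed offsets, the UTC activity profile, the offsets that best
    explain the activity, and whether the claimed offset is among them."""
    commits = parse_log(text)
    claimed = claimed_offsets(commits)
    fit = best_fit_offsets(commits)
    inconsistent = not any(round(off) in fit for off in claimed)
    return {
        "claimed": dict(claimed),
        "utc_hours": dict(sorted(utc_hours(commits).items())),
        "best_fit": fit,
        "inconsistent": inconsistent,
    }


if __name__ == "__main__":
    report = assess(SAMPLE_LOG)
    print("claimed offsets (h):", report["claimed"])
    print("commits per UTC hour:", report["utc_hours"])
    print("offsets consistent with a 9-to-6 day:", report["best_fit"])
    print("claimed offset inconsistent with activity:", report["inconsistent"])
```

Caveat: a commit timestamp proves nothing on its own, since the author picks it. What gives the check its weight is a second, server-side clock the author does not control (issue and PR comment times, mailing-list `Received:` headers) showing the same UTC window; the script only tells you whether the self-reported offset is worth questioning.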
in reply to berdario

@berdario I've received tips about an associated linkedin account where the perpetrator claims to live in california. I've debated about if I feel comfortable publishing this, but I think i will.
in reply to Evan B🥥ehs

Looks like GitHub took down the repo, so some links don’t go anywhere anymore. I’d love to see the diffs if there’s an archive/screenshot ☺️.

Thanks for the write up! This is wild…

in reply to Evan B🥥ehs

I should note that Lasse also has some suspicious activity recently, such as github.com/plougher/squashfs-t… --and also may be currently affiliated with Jia in some capacity, as per tukaani.org/about.html
in reply to endrift

@endrift This is interesting. I've also heard the absolutely crazy theory this is all Lasse's doing given the timezones roughly match up and I mean I guess it's possible you could orchestrate all this conversation yourself. Would be criminal mastermind level stuff if so, but I want to give them the benefit of the doubt.
in reply to Evan B🥥ehs

@endrift the only thing Lasse would gain out of that is that they'll likely continue to be maintainer now that this has been discovered. I don't think that's close to enough reason for them to orchestrate all the conversations, so I'm not buying that theory tbh

It seems more likely that Lasse got bought out (or convinced) by Jia, after Jia gained his trust

That said, the most likely explanation imo is that Lasse was telling the truth in the PR description and wanted RISC-V filter 1/2

in reply to Evan B🥥ehs

thanks for writing this. they tried to change the URL to the xz subdomain on LKML too, see lore.kernel.org/lkml/202403201…

there's an 11-part patch posted at the same time but this specific patch wasn't part of it for some reason.

in reply to Evan B🥥ehs

“As I have hinted in earlier emails, Jia Tan may have a bigger role in the project in the future. He has been helping a lot off-list and is practically a co-maintainer already. :-)”

mail-archive.com/xz-devel@tuka…

This is really sad. I’m feeling bad for Lasse Collin.

in reply to Evan B🥥ehs

a friend just shared this with me. (instant follow) Thanks for writing this up. 🕵️
in reply to Evan B🥥ehs

More news, another subtle thing fixed: chaos.social/@danderson@hachyd…


The poor original maintainer of xz is on it now, and has already found another "fun" thing: git.tukaani.org/?p=xz.git;a=co… . The configure check for enabling the Landlock sandboxing facility was subtly broken, so that Landlock support would never get enabled. The original malicious commit landed around the same timeframe as the main backdoor, also at an abnormal time of day compared to the new maintainer's historical activity pattern.

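A feature check that "subtly" never succeeds, as described in the quoted post, leaves a trace: the probe program fails to compile for a reason that has nothing to do with the feature being probed. The following added example (Python, written for this page; not code from the thread, from xz, or from Autoconf) triages an Autoconf `config.log` and separates "result: no because the header/symbol really is absent" from "result: no because the test program itself is broken". The `config.log` excerpt is constructed, and the diagnostics in it are illustrative, not xz's actual output.

```python
"""Triage feature checks in an Autoconf config.log: did a check report `no`
because the feature is absent, or because the probe program itself no
longer compiles? The latter is how a sandbox check gets silently disabled.

Added example, not code from the thread or from xz. The config.log excerpt
below is constructed; its compiler diagnostics are illustrative."""
import re

# Constructed excerpt. Three sandbox checks: one passes, one fails because the
# function genuinely does not exist on this host, one fails because the
# conftest source has a stray token and cannot compile anywhere.
SAMPLE_CONFIG_LOG = """\
configure:18202: checking for Capsicum
configure:18221: gcc -c -g -O2 conftest.c >&5
configure:18221: $? = 0
configure:18222: result: yes
configure:18240: checking for pledge
configure:18259: gcc -c -g -O2 conftest.c >&5
conftest.c:53:10: error: implicit declaration of function 'pledge' [-Werror=implicit-function-declaration]
configure:18259: $? = 1
configure:18260: result: no
configure:18280: checking for Landlock
configure:18299: gcc -c -g -O2 conftest.c >&5
conftest.c:51:1: error: expected identifier or '(' before '.' token
configure:18299: $? = 1
configure:18300: result: no
"""

CHECK_RE = re.compile(r"^configure:\d+: checking (?:for |whether )?(.+)$")
RESULT_RE = re.compile(r"^configure:\d+: result: (.+)$")
CONFIGURE_LINE_RE = re.compile(r"^configure:\d+: ")
# Diagnostics that mean "the thing being probed for is genuinely not here".
# Anything else (syntax errors, bad preprocessor directives) is the probe's fault.
FEATURE_MISSING_RE = re.compile(
    r"No such file or directory|implicit declaration|undeclared|"
    r"undefined reference|unknown type name",
    re.IGNORECASE,
)


def parse_config_log(text):
    """Group config.log lines into checks: the check name, its result, and the
    compiler/linker diagnostics emitted between 'checking' and 'result'."""
    checks, current = [], None
    for line in text.splitlines():
        m = CHECK_RE.match(line)
        if m:
            current = {"name": m.group(1).strip(), "result": None, "diagnostics": []}
            checks.append(current)
            continue
        if current is None:
            continue
        m = RESULT_RE.match(line)
        if m:
            current["result"] = m.group(1).strip()
            current = None
            continue
        # Lines not prefixed by configure: are tool output (gcc, ld) for this check.
        if not CONFIGURE_LINE_RE.match(line) and line.strip():
            current["diagnostics"].append(line.rstrip())
    return checks


def classify(check):
    """available / feature-missing / probe-broken / no-diagnostics."""
    result = (check["result"] or "").lower()
    if result.startswith("yes"):
        return "available"
    errors = [d for d in check["diagnostics"] if "error" in d.lower()]
    if not errors:
        return "no-diagnostics"
    if all(FEATURE_MISSING_RE.search(e) for e in errors):
        return "feature-missing"
    return "probe-broken"


def audit(text):
    """Map each check name to its classification."""
    return {c["name"]: classify(c) for c in parse_config_log(text)}


if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_CONFIG_LOG).items():
        print(f"{name:10} {verdict}")
```

Anything reported as `probe-broken` deserves a look at the `failed program was:` block that follows the check in `config.log`, since that is the exact source the compiler rejected; the same triage applies to `CMakeFiles/CMakeError.log` for CMake-based builds. Treat this as a build-review aid, not a detector: an attacker who controls the probe can just as easily make it fail with a "missing header" message.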
in reply to rugk

@rugk that’s already noted, thanks for letting me know though :)
in reply to Evan B🥥ehs

the kernel news isn't, though, or am I missing something? chaos.social/@olov@mastodon.wo… chaos.social/@rugk/11218182922…


in reply to rugk

@rugk yeah I’ve seen that floating around for a while and I just haven’t had an opportunity to fully understand the implications of it
in reply to Evan B🥥ehs

it would be useful to replace the commit links with non-Github ones given the Github repo was shut down. The URLs are like this: git.tukaani.org/?p=xz.git;a=co…
in reply to Evan B🥥ehs

Why am I the only one wanting to give the actor some roses for sticking to a project for 2 years?
This entry was edited (8 months ago)
in reply to Evan B🥥ehs

what's really surprising is the same thing not happening more often. Or we are all just very unaware since the pay off to do these kinds of things is so huge, especially for state sponsored attacks or others with enough money and effort to put into it.
mastodon - Link to original
Evan B🥥ehs

@james @trespaul @glyph

I understand why somebody is trying to get in touch with them, and also I'm not sure it's appropriate. The GitHub account is already suspended. The damage has already been done. Now they are being pulled back into something they clearly don't want to engage with

in reply to Evan B🥥ehs

@james @trespaul “somebody” in this case appears to be CISA, and like… that’s a federal agency, there is likely to be a law enforcement consequence or potentially national security response here. I feel very sympathetic to a burnt-out maintainer who had this dropped in their lap but there is an overriding public interest at this point.

People who are just curious should for sure steer clear though, this is likely to be a complete nightmare for everyone involved without extra emails

in reply to Glyph

@glyph @james @trespaul No I get that, it just sucks. Also mind that "national security" should mean nothing because the author is Finnish. I hope the US government kindly asks "what do you know" and then leaves them alone, but we all know that ain't happening
in reply to Evan B🥥ehs

I've read about this a few hours ago. The seriousness was downplayed, luckily you've pointed us to a good source of info. Thank you
in reply to Evan B🥥ehs

love how it was buried in m4, a macro language that looks like gibberish on a good day — only well understood by three people that work on Autoconf (everyone else just copypastas), maybe someone in a basement hyper-tuning their sendmail config, and apparently whoever this guy is.