Technologist vs spy: the xz backdoor debate
lcamtuf.substack.com
Well — we just witnessed one of the most daring infosec capers of my career. Here’s what we know so far: some time ago, an unknown party evidently noticed that liblzma (aka xz) — a relatively obscure open-source compression library — was a dependency of

Thought this was a good read exploring some how the “how and why” including several apparent sock puppet accounts that convinced the original dev (Lasse Collin) to hand over the baton.

  • Karna@lemmy.ml
    1211·
    7 months ago
    • Careful choice of program to infect the whole Linux ecosystem
    • Time it took to gain trust
    • Level of sophistication in introducing backdoor in open source product

    All of these are signs of persistent threat actors aka State sponsor hacker. Though the real motive we would never know as it’s now a failed project.

    • jackpot@lemmy.ml
      336·
      7 months ago

      imagine how pissed they are. or maybe they silently alerted the microsoft guy themselves as they only did it for cash and theyd been paid

      • baseless_discourse@mander.xyz
        24·
        7 months ago

        I am sure most super powers in the world can easily sink 2 years to maintain an obscure project in order to break system as important as openssh.

        I doubt they will be pissed for one failure, and we can only hope there isn’t more vulnerable projects out there (spoiler alert: probably many).