undefined | Better HN

0 pointsAdmiralAsshat1y ago0 comments

Yikes! Do you have any info on the individual's background or possible motivations?

0 comments

mrb1y ago

I would presume it's a state actor. Generally in the blackhat world, attackers have very precise targets. They want to attack this company or this group of individuals. But someone who backdoors such a core piece of open source infrastructure wants to cast a wide net to attack as many as possible. So that fits the profile of a government intelligence agency who is interested in surveilling, well, everything.

Or it could in theory be malware authors (ransomware, etc). However these guys tend to aim at the low hanging fruits. They want to make a buck quickly. I don't think they have the patience and persistence to infiltrate an open source project for 2 long years to finally gain enough trust and access to backdoor it. On the other hand, a state actor is in for the long term, so they would spend that much time (and more) to accomplish that.

So that's my guess: Jia Tan is an employee of some intelligence agency. He chose to present an asian persona, but that's not necessarily who he truly represents. Could be anyone, really: Russia, China, Israel, or even the US, etc.

Edit: given that Lasse Collin was the only maintainer of xz utils in 2022 before Jia Tan, I wouldn't be surprised if the state actor interfered with Lasse somehow. They could have done anything to distract him from the project: introduce a mistress in his life, give him a high-paying job, make his spouse sick so he has to care for her, etc. With Lasse not having as many hours to spend on the project, he would have been more likely to give access to a developer who shows up around the same time and who is highly motivated to contribute code. I would be interested to talk to Lasse to understand his circumstances around 2022.

hk__21y ago

> I haven't lost interest but my ability to care has been fairly limited mostly due to longterm mental health issues but also due to some other things. Recently I've worked off-list a bit with Jia Tan on XZ Utils and perhaps he will have a bigger role in the future, we'll see.

https://www.mail-archive.com/xz-devel@tukaani.org/msg00567.h...

ibic1y ago

That "Jigar Kumar" is like fake and one-time throw-off account, probably from the same state actor to orchestrate the painstakingly prepared supply chain attack (under the sun).

2 more replies

mrb1y ago

Dated June 2022. Good find!

occamsrazorwit1y ago

Given the details from another comment [1], it sounds like both maintainers are suspicious. Lasse's behavior has changed recently, and he's been pushing to get Jia Tan's changes into the Linux kernel. It's possible both accounts aren't even run by the original Lasse Collin and Jia Tan anymore.

Edit: Also, Github has suspended both accounts. Perhaps they know something we don't.

[1] https://news.ycombinator.com/item?id=39865810#39866275

gamer1911y ago

Where does that comment mention the other maintainer (Lasse Collin)?

1 more reply

salamandar1y ago

According to Webarchive, https://tukaani.org/contact.html changed very recently (between 11/02/2024 and 29/02/2024) to add Lasse Collin's PGP key fingerprint. That timing is weird, considering his git activity at that time is almost non existent. Although, i checked, this key existed back in 2012.

1 more reply

Delk1y ago

> I wouldn't be surprised if the state actor interfered with Lasse somehow

People could also just get tired after years of active maintainership or become busier with life. Being the sole maintainer of an active open source project on top of work and perhaps family takes either a lot of enthusiasm or a lot of commitment. It's not really a given that people want to (or can) keep doing that forever at the same pace.

Someone then spots the opportunity.

I have no idea what the story is here but it might be something rather mundane.

janc_1y ago

Or they have just one or a small number of targets, but don’t want the target(s) to know that they were the only target(s), so they backdoor a large number of victims to “hide in the crowd”.

I agree that this is likely a state actor, or at least a very large & wealthy private actor who can play the long game…

fullstop1y ago

If anyone here happens to know Lasse, it might be good to check up on him and see how he's doing.

Repulsion95131y ago

> Generally in the blackhat world, attackers have very precise targets

Lol, what

> wants to cast a wide net to attack as many as possible. So that fits the profile of a government intelligence agency

That's quite backwards. Governments are far more likely to deploy a complex attack against a single target (see also: Stuxnet); other attackers (motivated primarily by money) are far more likely to cast a wide net.

gamer1911y ago

> That's quite backwards. Governments are far more likely to deploy a complex attack against a single target (see also: Stuxnet); other attackers (motivated primarily by money) are far more likely to cast a wide net.

Governments are well known to keep vulnerabilities hidden (see EternalBlue). Intentionally introducing a vulnerability doesn’t seem that backwards tbh

1 more reply

dist-epoch1y ago

According to top comment he committed multiple binary files to xz for the last two years.

Most likely this is not the first backdoor, just the first one to be discovered, so it wasn't two years of work until there were results.

But I still agree that he's probably a state actor.

bombcar1y ago

Don't forget that you could have state actors who are otherwise interested in open source code, and working to actually improve it.

In fact, that'd be the best form of deep cover. It'll be interested to watch as people more knowledgable than I pour over every single commit and change.

1 more reply

apitman1y ago

If you have a backdoor in a specific piece of software already, what is the purpose of trying to introduce another backdoor (and risk it getting caught)?

2 more replies

Bulat_Ziganshin1y ago

xz is a data compression tool, so it's natural to have compressed files for (de)compression tests.

these files are also useful to check that the library we just built works correctly. but they aren't necessary for installation.

we may have more sophisticated procedures that will allow us to use some parts of distribution only for tests. This may significantly reduce an attack vector - many projects have huge, sophisticated testing infrastructure where you can hide the entire Wikipedia.

jnxx1y ago

> They want to attack this company or this group of individuals. But someone who backdoors such a core piece of open source infrastructure wants to cast a wide net to attack as many as possible.

The stuxnet malware, which compromised Siemens industrial controls to attack specific centrifuges in uranium enrichment plants in Iran, is a counterexample to that.

mrb1y ago

Stuxnet wasn't similar to this xz backdoor. The Stuxnet creators researched (or acquired) four Windows zero-days, a relatively short-term endeavor. Whereas the xz backdoor was a long-term 2.5 years operation to slowly gain trust from Lasse Collin.

But, anyway, I'm sure we can find other counter-examples.

2 more replies

Havoc1y ago

Bit much speculating about mistresses and poisoned spouses with well anything to go on...

Muntzer1y ago

Adding some unreadable binary to the source code is a really dangerous thing to do. We also need tools to quickly detect the addition of indentation symbols that can be easily overlooked.

BYW,I had a classmate who used to play DOTA1(on war3) under this name at the University of Science and Technology of China a long time ago, and this was his first girlfriend name (maybe) . His father was a high-ranking official. Then he joined the parent department of the Internal Security Detachment, a secret service that has gained a lot of power in the last few years. I hope I'm not awake . lol.

ibic1y ago

Yes, I believe it's an state actor, and the intention of choosing a typical Chinese name Jia Tan is intentially and malicious.

pyrolistical1y ago

Literally this https://xkcd.com/2347/

2OEH8eoCRo01y ago

It's ridiculous to think it's the US as it would be an attack on Red Hat a US company and an attack on Americans. It's a good way to be dragged in front of Congress.

AimHere1y ago

Hardly ridiculous.

You say that as if members of US government agencies didn't plot terror attacks on Americans (Operation Northwood), steal the medical records of American whistleblowers (Ellsberg), had to be prevented from assassinating American journalists (Gordon Liddy, on Jack Anderson), collude to assassinate American political activists (Fred Hampton), spy on presidential candidates (Watergate), sell weapons to countries who'd allegedly supported groups who'd launched suicide bombing attacks on American soldiers (Iran-Contra), allow drug smugglers to flood the USA with cocaine so that they could supply illegal guns to terrorists abroad on their return trip (Iran-Contra again) and get caught conducting illegal mass-surveillance on American people as a whole (Snowden). Among others.

It's super-naive to suggest that government agencies wouldn't act against the interest of American citizens and companies because there might be consequences if they were caught. Most of the instances above actually were instances where the perpetrators did get caught, which is why we know about them.

3 more replies

guinea-unicorn1y ago

The US has backdoored RSA's RNG and thus endangered the security of American companies. It is naive to think that US intelligence agencies will act in the best interest of US citizens or companies.

3 more replies

mrb1y ago

Have you forgotten about the Snowden leaks exposing the surveillance on Americans by the American govt?

2 more replies

mardifoufs1y ago

Yeah as we know, intelligence agencies are very often held accountable in the US. As witnessed by all the individuals that got charged or punished for uh... nevermind.

asveikau1y ago

I'm not very inclined to think this is the US govt, however, you should better acquaint yourself with the morals of some members of Congress.

I think the best reason to doubt USG involvement is the ease with which somebody discovered this issue, which is only a month or two old. I feel like NSA etc. knows not to get caught doing this so easily.

jpalomaki1y ago

Seems to be a perfect project to hijack. Not too much happening, widely used, long history, single maintainer who no longer has time to manage the project and wants to pass it over.

rwmj1y ago

I handed over all the emails I received to the security team, who I guess will send them "higher". I'll let them analyse it.

b1121y ago

Yikes indeed. This fix is being rolled out very fast, but what about the entire rest of the codebase? And scripts? I mean, years of access? I'd trust no aspect of this code until a full audit is done, at least of every patch this author contributed.

(note: not referring to fedora here, a current fix is required. But just generally. As in, everyone is rolling out this fix, but... I mean, this codebase is poison in my eyes without a solid audit)

b1121y ago

This seems to be the account, correct me if wrong (linked from the security email commit link):

https://github.com/JiaT75

I hope authors of all these projects have been alerted.

STest - Unit testing framework for C/C++. Easy to use by simply dropping stest.c and stest.h into your project!

libarchive/libarchive - Multi-format archive and compression library

Seatest - Simple C based Unit Testing

Everything this account has done should be investigated.

Woha, is this legit or some sort of scam on Google in some way?:

https://github.com/google/oss-fuzz/pull/11587

edit: I have to be missing something, or I'm confused. The above author seems to be primary contact for xz? Have they just taken over?? Or did the bad commit come from another source, and a legit person applied it?

A bit confused here.

tux31y ago

The concern about other projects is fine, but let's be careful with attacks directed at the person.

Maybe their account is compromised, maybe the username borrows the identity of an innocent person with the same name.

Focus on the code, not people. No point forming a mob.

(e: post above was edited and is no longer directed at the person. thanks for the edit.)

4 more replies

ikmckenz1y ago

> The above author seems to be primary contact for xz?

They made themselves the primary contact for xz for Google oss-fuzz about one year ago: https://github.com/google/oss-fuzz/commit/6403e93344476972e9...

bed991y ago

A SourceGraph search like this shows https://sourcegraph.com/search?q=context:global+JiaT75&patte...

- Jia Tan <jiat75@gmail.com>

- jiat75 <jiat0218@gmail.com>

``` amap = generate_author_map("xz")

        test_author = amap.get_author_by_name("Jia Cheong Tan")

        self.assertEqual(
            test_author.names, {"Jia Cheong Tan", "Jia Tan", "jiat75"}

        )

        self.assertEqual(

            test_author.mail_addresses,

            {"jiat0218@gmail.com", "jiat75@gmail.com"}

        )

```

4 more replies

soraminazuki1y ago

Oh no, not libarchive! GitHub search shows 6 pull requests were merged back in 2021.

https://github.com/search?q=repo%3Alibarchive%2Flibarchive+j...

It does look innocent enough though. Let's hope there's no unicode trickery involved...

1 more reply

davexunit1y ago

JiaT75 also has commits in wasmtime according to https://hachyderm.io/@joeyh/112180082372196735

2 more replies

metzmanj1y ago

>Woha, is this legit or some sort of scam on Google in some way?:

I work on OSS-Fuzz.

As far as I can tell, the author's PRs do not compromise OSS-Fuzz in any way.

OSS-Fuzz doesn't trust user code for this very reason.

1 more reply

jnxx1y ago

There is also a variety of new, parallelized implementations of compression algorithms which would be good to have a close look at. Bugs causing undefined behaviour in parallel code are notoriously hard to see, and the parallel versions (which are actually much faster) could be take the place of well-established programs which have earned a lot of trust.

Zetobal1y ago

That looks like a repo that would sound alarms if you look at it from a security standpoint.

formerly_proven1y ago

Well that account also did most of the releases since 5.4.0.

alwaysbeconsing1y ago

+1 Can see from project homepage http://web.archive.org/web/20240329165859/https://xz.tukaani... they have some release responsibility from 5.2.12.

> Versions 5.2.12, 5.4.3 and later have been signed with Jia Tan's OpenPGP key . The older releases have been signed with Lasse Collin's OpenPGP key .

It must be assume that before acquiring that privilege, they also contributed code to project. Probably most was to establish respectable record. Still could be malicious code going back someways.

1 more reply

wpietri1y ago

I get why people are focusing on this bad actor. But the question that interests me more: how many other apparent individuals fit the profile that this person presented before caught?

Phenylacetyl1y ago

Apparently, many.

It looks like gettext may be containing a part of their attack infrastructure.

https://github.com/microsoft/vcpkg/pull/37199#pullrequestrev...

https://github.com/microsoft/vcpkg/pull/37356/files#diff-e16...

https://github.com/MonicaLiu0311

collinfunk1y ago

Are you referencing the '-unsafe' suffix in the second link? That is not something to worry about.

This is from Gnulib, which is used by Gettext and other GNU projects. Using 'setlocale (0, NULL)' is not thread-safe on all platforms. Gnulib has modules to work around this, but not all projects want the extra locking. Hence the name '-unsafe'. :)

See: https://lists.gnu.org/archive/html/bug-gnulib/2024-02/msg001...

2 more replies

5kg1y ago

There is zero web presence for this person and associated email address.

Looks more likely a fake identity than compromised account.

mrb1y ago

Actually the "jiat0218" user part in his email address jiat0218@gmail.com has a bunch of matches on Taiwanese sites:

https://char.tw/blog/post/24397301

https://forum.babyhome.com.tw/topic/167439

https://bmwcct.com.tw/forums/thread1828.html

5kg1y ago

I think it's just a coincidence.

- All the posts are from 2004/2006. - "jiat" can be abbreviation for many common Chinese names.

1 more reply

bruno-miguel1y ago

It might just be a coincidence, but the same username from that gmail account also appears to have a Proton Mail address

1 more reply

junon1y ago

This is all I can find on them.

    carrd.co jiat0218@gmail.com business https://jiat0218@gmail.com.carrd.co
    eBay JiaT75 shopping https://www.ebay.com/usr/JiaT75
    giters jiat0218 coding https://giters.com/jiat0218
    giters JiaT75 coding https://giters.com/JiaT75
    GitHub jiat0218 coding https://github.com/jiat0218
    GitHub JiaT75 coding https://github.com/JiaT75
    Mastodon-meow.so.. jiat0218@gmail.com social https://meow.social/@jiat0218@gmail.com

Beyond that, nothing surefire. (This is all publicly queryable information, if anyone is curious).

janc_1y ago

JiaT75 also used "jiatan" on Libera.Chat using a Singapore IP address (possibly a proxy/VPN).

Zenul_Abidin1y ago

Where did you gather this information from?

johnny221y ago

I've never had a web presencse for my associated emails due to wanting to avoid spammers. I don't have a false identity.

johnisgood1y ago

Keep in mind that having a "false identity" does not make you a malicious actor. I have a serious project I work on under another pseudonym, but it has to do more with the fact that I do not want my real name to be associated with that project AND having a serious case of impostor syndrome. :/

That, and I used to contribute to various games (forks of ioquake3) when I was a teen and I wanted to keep my real name private.

2 more replies

stephenr1y ago

> I don't have a false identity.

That's just what someone with a false identity would say.. get him boys!

The biggest /S

heee3991y ago

I am more interest about his git commits https://github.com/JiaT75?tab=overview&from=2021-12-01&to=20... If JiaT75 is a Chinese, then his working log should follow Chinese Holiday, especially Spring Festival and National Holiday. Chinese usually not work on first 3 days of Spring Festival and National Holiday - 2021 2/11 - 2/13 (few commits), 2021 10/1 - 10/3 (nothing) 2022 1/31 - 2/2 (huge commits on 1/31, suspect), 2022 10/1 - 10/3 (nothing) 2023 and 2024, not very much commits. So 2022 1/31 huge commits is a proof that he is not follow Chinese holiday.

But wait, 2021 is his active year, but he missed almost all Aug. Is he on holiday? Who can have such a long holiday? What i can think is a solider who has a long vacation (探亲假). So let's guess he is a solider then it's sense that he worked on Spring Holiday because they need on duty. Let's double check again, if he is a solider, then they will have a holiday on every Aug. 1 because it's liberation army day. I check and no commits on all 4 years Aug. 1.

Retr0id1y ago

Did you check Chinese social media?

thrash1581y ago

I found this link on Zhihu: https://www.zhihu.com/question/650826484

hw1y ago

Why would you think the person would have social media (or would even be on Chinese social media specifically), given the sophistication and planning?

1 more reply

codear1y ago

i wonder if that avatar, familiarity with C/C++ and Git, and "offering help with open source projects" is just coincidence

https://github.com/JiaT75

https://twitter.com/JiaTan1337/status/1774931375994319244

kind of interesting also to see this account was set up ~2 months ago. if it's a troll, it's a somewhat poor joke.

1 more reply

wtznc1y ago

I found a user who seems suspicious to me.

https://github.com/snappyJack/CVE-request-XZ-5.2.5-has-denia...

He understood the software architecture quite early on while working on the following repository. He connected the dots from his other projects and went rogue. (probably to benefit from crypto?). Take a look at his other repositories and code style and recent likes on github. Is he our Jia Tan?

source_inform1y ago

An Indian with the name, Jigar (meaning heart) would never address himself as Jigar, as seen in the citation. This would be culturally a bit weird. Unless he is being sarcastic or writing this on some comic note.

Secondly, the use of English is not consistent in what should be from typical Indian. He should be from a foreign background or a very reputed English medium.

The language though seemingly simple for a native English speaker but it seems in this case; a person whose first language: likely is not English.

It is possible that Grammarly or auto correct could have been used to write these. But can't be certain of anything stated above.

I do think that this is a sabotage account with 60% chances unless Mr. Kumar comes out clean, publicly. He is likely a state sponsored actor.

AviationAtom1y ago

Not a developer but reading the changelogs and commit history from this person seem interesting, as they appear to be some effort consolidate control and push things in the direction of supporting wider dissemination of their backdoor code:

Discussing commits that the other author has since reverted, IFUNC change with Project Zero tests, a focus on embedded, etc.:

https://www.mail-archive.com/xz-devel@tukaani.org/msg00642.h...

Trimming security reporting details:

https://git.tukaani.org/?p=xz.git;a=commitdiff;h=af071ef7702...

dang1y ago

We detached this subthread from https://news.ycombinator.com/item?id=39866275. (It's fine; I'm just trying to prune the top-heavy subthread.)

electronwill1y ago

"crazytan" is the LinkedIn profile of a security software engineer named Jia Tan in Sunnyvale working at Snowflake, who attended Shanghai Jiao Tong University from 2011 to 2015 and Georgia Institute of Technology from 2015 to 2017. However, this Jia Tan on LinkedIn might not be the same Jia Tan who worked on XZ Utils. Also, the person who inserted the malicious code might be someone else who hijacked the account of the Jia Tan who worked on XZ Utils.

molaeiali1y ago

Has Jia in any way posted a response to the incident?

AdmiralAsshatOP1y ago

My assumption would be that he knows the jig is up, and is probably going to do everything he can to jettison the JiaTan account, lest any IPs he uses be turned over to authorities.

b7kich1y ago

May or may not be related: https://www.linkedin.com › crazytan Jia Tan - Snowflake | LinkedIn

j / k navigate · click thread line to collapse

0 comments

mrb1y ago

hk__21y ago

https://www.mail-archive.com/xz-devel@tukaani.org/msg00567.h...

ibic1y ago

That "Jigar Kumar" is like fake and one-time throw-off account, probably from the same state actor to orchestrate the painstakingly prepared supply chain attack (under the sun).

2 more replies

mrb1y ago

Dated June 2022. Good find!

occamsrazorwit1y ago

Edit: Also, Github has suspended both accounts. Perhaps they know something we don't.

[1] https://news.ycombinator.com/item?id=39865810#39866275

gamer1911y ago

Where does that comment mention the other maintainer (Lasse Collin)?

1 more reply

salamandar1y ago

1 more reply

Delk1y ago

> I wouldn't be surprised if the state actor interfered with Lasse somehow

Someone then spots the opportunity.

I have no idea what the story is here but it might be something rather mundane.

janc_1y ago

Or they have just one or a small number of targets, but don’t want the target(s) to know that they were the only target(s), so they backdoor a large number of victims to “hide in the crowd”.

I agree that this is likely a state actor, or at least a very large & wealthy private actor who can play the long game…

fullstop1y ago

If anyone here happens to know Lasse, it might be good to check up on him and see how he's doing.

Repulsion95131y ago

> Generally in the blackhat world, attackers have very precise targets

Lol, what

> wants to cast a wide net to attack as many as possible. So that fits the profile of a government intelligence agency

gamer1911y ago

Governments are well known to keep vulnerabilities hidden (see EternalBlue). Intentionally introducing a vulnerability doesn’t seem that backwards tbh

1 more reply

dist-epoch1y ago

According to top comment he committed multiple binary files to xz for the last two years.

Most likely this is not the first backdoor, just the first one to be discovered, so it wasn't two years of work until there were results.

But I still agree that he's probably a state actor.

bombcar1y ago

Don't forget that you could have state actors who are otherwise interested in open source code, and working to actually improve it.

In fact, that'd be the best form of deep cover. It'll be interested to watch as people more knowledgable than I pour over every single commit and change.

1 more reply

apitman1y ago

If you have a backdoor in a specific piece of software already, what is the purpose of trying to introduce another backdoor (and risk it getting caught)?

2 more replies

Bulat_Ziganshin1y ago

xz is a data compression tool, so it's natural to have compressed files for (de)compression tests.

these files are also useful to check that the library we just built works correctly. but they aren't necessary for installation.

jnxx1y ago

> They want to attack this company or this group of individuals. But someone who backdoors such a core piece of open source infrastructure wants to cast a wide net to attack as many as possible.

The stuxnet malware, which compromised Siemens industrial controls to attack specific centrifuges in uranium enrichment plants in Iran, is a counterexample to that.

mrb1y ago

But, anyway, I'm sure we can find other counter-examples.

2 more replies

Havoc1y ago

Bit much speculating about mistresses and poisoned spouses with well anything to go on...

Muntzer1y ago

Adding some unreadable binary to the source code is a really dangerous thing to do. We also need tools to quickly detect the addition of indentation symbols that can be easily overlooked.

ibic1y ago

Yes, I believe it's an state actor, and the intention of choosing a typical Chinese name Jia Tan is intentially and malicious.

pyrolistical1y ago

Literally this https://xkcd.com/2347/

2OEH8eoCRo01y ago

It's ridiculous to think it's the US as it would be an attack on Red Hat a US company and an attack on Americans. It's a good way to be dragged in front of Congress.

AimHere1y ago

Hardly ridiculous.

3 more replies

guinea-unicorn1y ago

The US has backdoored RSA's RNG and thus endangered the security of American companies. It is naive to think that US intelligence agencies will act in the best interest of US citizens or companies.

3 more replies

mrb1y ago

Have you forgotten about the Snowden leaks exposing the surveillance on Americans by the American govt?

2 more replies

mardifoufs1y ago

Yeah as we know, intelligence agencies are very often held accountable in the US. As witnessed by all the individuals that got charged or punished for uh... nevermind.

asveikau1y ago

I'm not very inclined to think this is the US govt, however, you should better acquaint yourself with the morals of some members of Congress.

jpalomaki1y ago

Seems to be a perfect project to hijack. Not too much happening, widely used, long history, single maintainer who no longer has time to manage the project and wants to pass it over.

rwmj1y ago

I handed over all the emails I received to the security team, who I guess will send them "higher". I'll let them analyse it.

b1121y ago

(note: not referring to fedora here, a current fix is required. But just generally. As in, everyone is rolling out this fix, but... I mean, this codebase is poison in my eyes without a solid audit)

b1121y ago

This seems to be the account, correct me if wrong (linked from the security email commit link):

https://github.com/JiaT75

I hope authors of all these projects have been alerted.

STest - Unit testing framework for C/C++. Easy to use by simply dropping stest.c and stest.h into your project!

libarchive/libarchive - Multi-format archive and compression library

Seatest - Simple C based Unit Testing

Everything this account has done should be investigated.

Woha, is this legit or some sort of scam on Google in some way?:

https://github.com/google/oss-fuzz/pull/11587

A bit confused here.

tux31y ago

The concern about other projects is fine, but let's be careful with attacks directed at the person.

Maybe their account is compromised, maybe the username borrows the identity of an innocent person with the same name.

Focus on the code, not people. No point forming a mob.

(e: post above was edited and is no longer directed at the person. thanks for the edit.)

4 more replies

ikmckenz1y ago

> The above author seems to be primary contact for xz?

They made themselves the primary contact for xz for Google oss-fuzz about one year ago: https://github.com/google/oss-fuzz/commit/6403e93344476972e9...

bed991y ago

A SourceGraph search like this shows https://sourcegraph.com/search?q=context:global+JiaT75&patte...

- Jia Tan <jiat75@gmail.com>

- jiat75 <jiat0218@gmail.com>

``` amap = generate_author_map("xz")

        test_author = amap.get_author_by_name("Jia Cheong Tan")

        self.assertEqual(
            test_author.names, {"Jia Cheong Tan", "Jia Tan", "jiat75"}

        )

        self.assertEqual(

            test_author.mail_addresses,

            {"jiat0218@gmail.com", "jiat75@gmail.com"}

        )

```

4 more replies

soraminazuki1y ago

Oh no, not libarchive! GitHub search shows 6 pull requests were merged back in 2021.

https://github.com/search?q=repo%3Alibarchive%2Flibarchive+j...

It does look innocent enough though. Let's hope there's no unicode trickery involved...

1 more reply

davexunit1y ago

JiaT75 also has commits in wasmtime according to https://hachyderm.io/@joeyh/112180082372196735

2 more replies

metzmanj1y ago

>Woha, is this legit or some sort of scam on Google in some way?:

I work on OSS-Fuzz.

As far as I can tell, the author's PRs do not compromise OSS-Fuzz in any way.

OSS-Fuzz doesn't trust user code for this very reason.

1 more reply

jnxx1y ago

Zetobal1y ago

That looks like a repo that would sound alarms if you look at it from a security standpoint.

formerly_proven1y ago

Well that account also did most of the releases since 5.4.0.

alwaysbeconsing1y ago

+1 Can see from project homepage http://web.archive.org/web/20240329165859/https://xz.tukaani... they have some release responsibility from 5.2.12.

> Versions 5.2.12, 5.4.3 and later have been signed with Jia Tan's OpenPGP key . The older releases have been signed with Lasse Collin's OpenPGP key .

It must be assume that before acquiring that privilege, they also contributed code to project. Probably most was to establish respectable record. Still could be malicious code going back someways.

1 more reply

wpietri1y ago

I get why people are focusing on this bad actor. But the question that interests me more: how many other apparent individuals fit the profile that this person presented before caught?

Phenylacetyl1y ago

Apparently, many.

It looks like gettext may be containing a part of their attack infrastructure.

https://github.com/microsoft/vcpkg/pull/37199#pullrequestrev...

https://github.com/microsoft/vcpkg/pull/37356/files#diff-e16...

https://github.com/MonicaLiu0311

collinfunk1y ago

Are you referencing the '-unsafe' suffix in the second link? That is not something to worry about.

See: https://lists.gnu.org/archive/html/bug-gnulib/2024-02/msg001...

2 more replies

5kg1y ago

There is zero web presence for this person and associated email address.

Looks more likely a fake identity than compromised account.

mrb1y ago

Actually the "jiat0218" user part in his email address jiat0218@gmail.com has a bunch of matches on Taiwanese sites:

https://char.tw/blog/post/24397301

https://forum.babyhome.com.tw/topic/167439

https://bmwcct.com.tw/forums/thread1828.html

5kg1y ago

I think it's just a coincidence.

- All the posts are from 2004/2006. - "jiat" can be abbreviation for many common Chinese names.

1 more reply

bruno-miguel1y ago

It might just be a coincidence, but the same username from that gmail account also appears to have a Proton Mail address

1 more reply

junon1y ago

This is all I can find on them.

    carrd.co jiat0218@gmail.com business https://jiat0218@gmail.com.carrd.co
    eBay JiaT75 shopping https://www.ebay.com/usr/JiaT75
    giters jiat0218 coding https://giters.com/jiat0218
    giters JiaT75 coding https://giters.com/JiaT75
    GitHub jiat0218 coding https://github.com/jiat0218
    GitHub JiaT75 coding https://github.com/JiaT75
    Mastodon-meow.so.. jiat0218@gmail.com social https://meow.social/@jiat0218@gmail.com

Beyond that, nothing surefire. (This is all publicly queryable information, if anyone is curious).

janc_1y ago

JiaT75 also used "jiatan" on Libera.Chat using a Singapore IP address (possibly a proxy/VPN).

Zenul_Abidin1y ago

Where did you gather this information from?

johnny221y ago

I've never had a web presencse for my associated emails due to wanting to avoid spammers. I don't have a false identity.

johnisgood1y ago

That, and I used to contribute to various games (forks of ioquake3) when I was a teen and I wanted to keep my real name private.

2 more replies

stephenr1y ago

> I don't have a false identity.

That's just what someone with a false identity would say.. get him boys!

The biggest /S

heee3991y ago

Retr0id1y ago

Did you check Chinese social media?

thrash1581y ago

I found this link on Zhihu: https://www.zhihu.com/question/650826484

hw1y ago

Why would you think the person would have social media (or would even be on Chinese social media specifically), given the sophistication and planning?

1 more reply

codear1y ago

i wonder if that avatar, familiarity with C/C++ and Git, and "offering help with open source projects" is just coincidence

https://github.com/JiaT75

https://twitter.com/JiaTan1337/status/1774931375994319244

kind of interesting also to see this account was set up ~2 months ago. if it's a troll, it's a somewhat poor joke.

1 more reply

wtznc1y ago

I found a user who seems suspicious to me.

https://github.com/snappyJack/CVE-request-XZ-5.2.5-has-denia...

source_inform1y ago

Secondly, the use of English is not consistent in what should be from typical Indian. He should be from a foreign background or a very reputed English medium.

The language though seemingly simple for a native English speaker but it seems in this case; a person whose first language: likely is not English.

It is possible that Grammarly or auto correct could have been used to write these. But can't be certain of anything stated above.

I do think that this is a sabotage account with 60% chances unless Mr. Kumar comes out clean, publicly. He is likely a state sponsored actor.

AviationAtom1y ago

Discussing commits that the other author has since reverted, IFUNC change with Project Zero tests, a focus on embedded, etc.:

https://www.mail-archive.com/xz-devel@tukaani.org/msg00642.h...

Trimming security reporting details:

https://git.tukaani.org/?p=xz.git;a=commitdiff;h=af071ef7702...

dang1y ago

We detached this subthread from https://news.ycombinator.com/item?id=39866275. (It's fine; I'm just trying to prune the top-heavy subthread.)

electronwill1y ago

molaeiali1y ago

Has Jia in any way posted a response to the incident?

AdmiralAsshatOP1y ago

My assumption would be that he knows the jig is up, and is probably going to do everything he can to jettison the JiaTan account, lest any IPs he uses be turned over to authorities.

b7kich1y ago

May or may not be related: https://www.linkedin.com › crazytan Jia Tan - Snowflake | LinkedIn

j / k navigate · click thread line to collapse