undefined | Better HN

0 pointshangonhn1y ago0 comments

It's also very possible that the account was compromised and taken over. A two years long con with real useful work is a lot of patience and effort vs. just stealing a weakly protected account. I wonder if MFA shouldn't be a requirement for accounts that contribute to important OSS projects.

0 comments

dralley1y ago

>A two years long con with real useful work is a lot of patience and effort vs. just stealing a weakly protected account.

The long-con theory seems a bit more plausible at the moment

https://github.com/google/oss-fuzz/pull/10667

wyldberry1y ago

If you really step back and think about it, this type of behavior is perfectly aligned with any number of well resourced criminal groups and state actors. Two years of contributing in less visible software with the goal of gaining trust and then slowly pushing your broken fix in.

To me that's way more plausible than losing control of your account and the person who compromised it then having someone over a long time insert the backdoor that took a long time to develop and then obfuscate it.

Likely someone at GH is talking to some government agencies right now about the behavior of the private repos of that user and their associated users.

sonicanatidae1y ago

This would be the smarter attack vector, but I've noticed over time that these people are just assholes. They aren't patient. They are in for the smash/grab.

I would not be surprised if there was a group using this approach, but I doubt most of them are/would. If they were that dedicated, they'd just have a fucking job, instead of being dicks on the internet for a living.

5 more replies

IncreasePosts1y ago

It might not even be a long time. He might have just been approached exactly because of his history to insert the back door. And offered either money, or blackmailed or threatened

hangonhnOP1y ago

Oh man. The was a scenario that didn't cross my mind. I was too narrowly focused on the technical aspects rather than the social aspects of security. Great point.

Arrath1y ago

What if this contributor was a member of a state actor/persistent threat group and, like some totally legit software dev houses, they encourage their people to contribute to OSS projects for the whole personal pursuit/enjoyment/fulfillment angle?

With the added bonus that sometimes they get to pull off a longcon like this.

fmajid1y ago

2 years of one engineer's time is very cheap, compared to e.g. the NSA's CryptoAG scam. I'd say most likely a Chinese intelligence plant, kindly offering to relieve the burden of the original author of xz.

rdtsc1y ago

I got the same idea. On XZ dev mailing list there were a few discussions about "is there a maintainer?" 2-3 years ago. It's not hard to find these types discussions and then dedicate a few years of effort to start "helping out" and eventually be the one signing releases for the project. That's peanuts for a state actor.

throwaway3846381y ago

This right here. This is exactly what I would be doing - find small broke maintainers offer them a few hundred grand - with a target in mind.

dist-epoch1y ago

This is most likely not his first backdoor, but the first which was detected.

So most likely he didn't wait two years to benefit.

ranger_danger1y ago

> It's also very possible that the account was compromised and taken over

Or they WERE legit and simply went rogue, perhaps due to external factors.

jnxx1y ago

I am thinking more in so-called rubberhose cryptoanalysis.

https://xkcd.com/538/

j / k navigate · click thread line to collapse