Andres Freund and the xz backdoor (opens in new tab)

(nytimes.com)

52 pointsFoe1y ago23 comments

23 comments

> Engineers have been circulating an old, famous-among-programmers web comic about how all modern digital infrastructure rests on a project maintained by some random guy in Nebraska. (In their telling, Mr. Freund is the random guy from Nebraska.)

Huh, my take was that the "guy in Nebraska" was Lasse Collin, the original xz maintainer. Am I alone in that?

johtso1y ago

Just made exactly the same comment, the xz maintainer is clearly the proverbial "random guy in Nebraska"

wisemang1y ago

That would definitely be a more accurate/literal interpretation of what the xkcd comic meant.

But I think this holds up in the spirit of it, which is that core open source contributors / maintainers keep things afloat despite a shocking lack of resources or investment by the companies that benefit from it. (Notwithstanding the fact that Freund is employed by Microsoft.)

bicepjai1y ago

Yup, they definitely got that wrong

quinn_yates1y ago

Same, possibly a mix up on their part

ownlife1y ago

Why is the NY Times afraid to namedrop XKCD :( https://xkcd.com/2347/

juliusdavies1y ago

NY Times links to the XKCD comic directly. Try clicking on the words "some random guy in Nebraska" in the article.

jxy1y ago

A more level-headed report with less fluff from the economist: https://www.economist.com/science-and-technology/2024/04/02/...

https://archive.ph/rdxhb

nf31y ago

https://archive.ph/nUVGH

wisemang1y ago

> In the cybersecurity world, a database engineer inadvertently finding a backdoor in a core Linux feature is a little like a bakery worker who smells a freshly baked loaf of bread, senses something is off and correctly deduces that someone has tampered with the entire global yeast supply.

These kind of analogies are always a bit of an eye roll for me but I’ll grant a few points for creativity here

derekp71y ago

Or someone finding a $.75 accounting error, and uncovering an international East-German hacker ring.

bicepjai1y ago

This is way better analogy

HPsquared1y ago

The wonders of open source.

juliusdavies1y ago

Why is the HN submission titled "Andres Freund and the xz backdoor"? The NYTimes title (at least right now?) is: "Did One Guy Just Stop a Huge Cyberattack?"

johtso1y ago

"Engineers have been circulating an old, famous-among-programmers web comic about how all modern digital infrastructure rests on a project maintained by some random guy in Nebraska. (In their telling, Mr. Freund is the random guy from Nebraska.)"

No, it's Lasse Collin the _maintainer_ of xz..

1 more reply

yzydserd1y ago

In an otherwise well written and accessible article, I found the naming of example nations gratuitous:

> some researchers believe only a nation with formidable hacking chops, such as Russia or China, could have attempted it.

… or the US, UK, Israel, Germany, France, Canada, Australia, DPRK, Japan, etc, and the security offence companies that work as a supply chain for such nations in provision of embedded exploits.

It’s based on very weak logic, but perhaps “Jia Tan” rules out China.

Barrin921y ago

>It’s based on very weak logic, but perhaps “Jia Tan” rules out China.

The Stasi sometimes used real names for cover names as well so you could draw no conclusions at all from a fake identity, not even by process of elimination. At the end of the day I don't think you can infer anything from the names or geolocations involved.

juliusdavies1y ago

For me the names "Hans Jansen" and "misoeater91" also rule out China. I think it's Israel or USA or Russia. Apparently the 6 accidental timezone slip-ups in the commit history would be compatible with Israel or Russia, although can't even rule out that those are there on purpose to throw us off the scent...

Israel has shown in the past, with Stuxnet, that they have the skill, the patience, and the will. Same for Russia with Solarwinds.

If Jia Tan was using a FIDO/U2F key, it would be nice if someone would publish its public component so others can check for any traces of its use, but I honestly don't know how those work and whether such is even possible.

[Edited to add Russia to my personal list of countries I suspect. Something about the "misoeater91" name kinda suggests Russia to me somehow...]

Dalewyn1y ago

Between that and wrongly calling Andres Freund (the hero who saved the day) the Nebraska Man, I'm inclined to believe Jia Tan is American and the NYT was ordered to push narratives to deflect attention away.

</conspiracy_theory>

patrick-fitz1y ago

> (The New York Times has sued Microsoft and its partner OpenAI on claims of copyright infringement involving artificial intelligence systems that generate text.)

It's strange to see this included randomly in the middle of the article.

sterlind1y ago

Conflict of interest disclaimer. It's pretty standard in journalism.

pvg1y ago

It's run-of-the-mill disclosure.

hoc1y ago

With even the NYT on board it should be clear to everyone now that the whole xz thing must be a plot to have that Andres Freund person introduced into government and security circles where he then can finally fulfill that heinous plot. Classic.

Ahh, the voices...

j / k navigate · click thread line to collapse

23 comments

consumer4511y ago

Huh, my take was that the "guy in Nebraska" was Lasse Collin, the original xz maintainer. Am I alone in that?

johtso1y ago

Just made exactly the same comment, the xz maintainer is clearly the proverbial "random guy in Nebraska"

wisemang1y ago

That would definitely be a more accurate/literal interpretation of what the xkcd comic meant.

bicepjai1y ago

Yup, they definitely got that wrong

quinn_yates1y ago

Same, possibly a mix up on their part

ownlife1y ago

Why is the NY Times afraid to namedrop XKCD :( https://xkcd.com/2347/

juliusdavies1y ago

NY Times links to the XKCD comic directly. Try clicking on the words "some random guy in Nebraska" in the article.

jxy1y ago

A more level-headed report with less fluff from the economist: https://www.economist.com/science-and-technology/2024/04/02/...

https://archive.ph/rdxhb

nf31y ago

https://archive.ph/nUVGH

wisemang1y ago

These kind of analogies are always a bit of an eye roll for me but I’ll grant a few points for creativity here

derekp71y ago

Or someone finding a $.75 accounting error, and uncovering an international East-German hacker ring.

bicepjai1y ago

This is way better analogy

HPsquared1y ago

The wonders of open source.

juliusdavies1y ago

Why is the HN submission titled "Andres Freund and the xz backdoor"? The NYTimes title (at least right now?) is: "Did One Guy Just Stop a Huge Cyberattack?"

johtso1y ago

No, it's Lasse Collin the _maintainer_ of xz..

1 more reply

yzydserd1y ago

In an otherwise well written and accessible article, I found the naming of example nations gratuitous:

> some researchers believe only a nation with formidable hacking chops, such as Russia or China, could have attempted it.

… or the US, UK, Israel, Germany, France, Canada, Australia, DPRK, Japan, etc, and the security offence companies that work as a supply chain for such nations in provision of embedded exploits.

It’s based on very weak logic, but perhaps “Jia Tan” rules out China.

Barrin921y ago

>It’s based on very weak logic, but perhaps “Jia Tan” rules out China.

juliusdavies1y ago

Israel has shown in the past, with Stuxnet, that they have the skill, the patience, and the will. Same for Russia with Solarwinds.

[Edited to add Russia to my personal list of countries I suspect. Something about the "misoeater91" name kinda suggests Russia to me somehow...]

Dalewyn1y ago

</conspiracy_theory>

patrick-fitz1y ago

> (The New York Times has sued Microsoft and its partner OpenAI on claims of copyright infringement involving artificial intelligence systems that generate text.)

It's strange to see this included randomly in the middle of the article.

sterlind1y ago

Conflict of interest disclaimer. It's pretty standard in journalism.

pvg1y ago

It's run-of-the-mill disclosure.

hoc1y ago

Ahh, the voices...

j / k navigate · click thread line to collapse