In the article it says CISA was notified - that sounds like it's going to be a federal investigation if nothing else. If I were this person, I wouldn't be in the USA (or any US-friendly nation) ASAP.
It's also very possible that the account was compromised and taken over. A two-year-long con with real useful work is a lot of patience and effort vs. just stealing a weakly protected account. I wonder if MFA shouldn't be a requirement for accounts that contribute to important OSS projects.
If you really step back and think about it, this type of behavior is perfectly aligned with any number of well resourced criminal groups and state actors. Two years of contributing in less visible software with the goal of gaining trust and then slowly pushing your broken fix in.
To me that's way more plausible than losing control of your account and then having the person who compromised it insert, over a long time, a backdoor that took a long time to develop and then obfuscate.
Likely someone at GH is talking to some government agencies right now about the behavior of the private repos of that user and their associated users.
This would be the smarter attack vector, but I've noticed over time that these people are just assholes. They aren't patient. They are in for the smash/grab.
I would not be surprised if there was a group using this approach, but I doubt most of them are/would. If they were that dedicated, they'd just have a fucking job, instead of being dicks on the internet for a living.
However, at this point every developed nation has a professional offensive security group with varying degrees of potency. All are more resourced than 99.9% of defending organizations and enjoy legal autonomy in their country and allied countries for their work.
If you're getting salaried comfortably, and you have near infinite resources, a two year timeline is trivial. As an American, I always like to point to things we know our own services have done first[0].
Each actor group has its own motivations and tactics[1]. As someone who spent a lot of time dealing with a few state actors, you learn your adversaries' tricks of the trade, and they are patient for the long con because they can afford to be.
I think you are confusing non-state groups, e.g. ransomware groups, which are usually not part of a government (although some exceptions like North Korea likely exist), with state-sponsored hackers who are often directly working under military command. Soldiers are not "dicks on the internet".
This is not that costly. Growing bonsai trees also takes a lot of patience, decades, but you don't have to grow only one at a time; the pros are growing them in large numbers, with minimal work on each individual tree once in a while.
It might not even be a long time. He might have just been approached exactly because of his history to insert the back door, and offered either money, or blackmailed or threatened.
Oh man. That was a scenario that didn't cross my mind. I was too narrowly focused on the technical aspects rather than the social aspects of security. Great point.
What if this contributor was a member of a state actor/persistent threat group and, like some totally legit software dev houses, they encourage their people to contribute to OSS projects for the whole personal pursuit/enjoyment/fulfillment angle?
With the added bonus that sometimes they get to pull off a longcon like this.
2 years of one engineer's time is very cheap, compared to e.g. the NSA's Crypto AG scam. I'd say most likely a Chinese intelligence plant, kindly offering to relieve the burden of the original author of xz.
I got the same idea. On the XZ dev mailing list there were a few discussions about "is there a maintainer?" 2-3 years ago. It's not hard to find these types of discussions and then dedicate a few years of effort to start "helping out" and eventually be the one signing releases for the project. That's peanuts for a state actor.
Yeah I saw that - I wouldn't bet on them being in the US but who knows. Maybe they just really love CRC32 ;) And introducing backdoors (if that was them and not an account takeover).
Names can be faked, and even real names are not a great indicator.
Unless you have some very specific cultural knowledge you could not make even vaguely useful deductions about my location, nationality, culture, ethnicity etc. from my name. I get a lot of wrong guesses though!
Remember that agencies like NSA, GCHQ etc. will always use false flags in their code, even when it doesn't have as high a risk of exposure as a backdoor in public has.
Looking at the times of commits shouldn’t be given much value at all. A pretty pointless endeavour.
State actors are actually known for not doing that; after all, there's no need to hide when what you're doing is legal. They also tend to work 9-5 in their own timezones.
It might be legal but would (or at least should) be seen as an attack by all other countries using the software, even allies, and in a saner world would receive a strong political response.
As some of the Tweet replies mentioned, they shipped releases that contained the backdoor, and committed other questionable changes at the "usual" times. For sure we're almost certainly not dealing with a compromised workstation, so I don't think that would explain the different times for the worst offending changes.
Maybe he has some technical experts/handlers/managers that had to oversee when they introduced the actual malicious changes, and thus this reflects when he got the go-ahead signal from these other people (and thus that reflects their working hours?)
Or maybe they were just travelling at that time? (maybe travelling to visit the aforementioned handlers? Or travel to visit family... even criminals have a mom and dad)
Also, keep in mind that my ClickHouse query includes all of the GitHub interactions (for example, timestamps of issue comments)... and unlike a Git commit timestamp, it's hard to fake those (because you'd need to schedule the posting of such comments, probably via the API. Not impossible, but easier to think that JiaT75 just used the GitHub UI to write comments). The Tweet mentions just "commit history".
Usually the simpler explanation has less chance of being wrong... thinking of some possibilities:
- Chinese/Taiwanese state actor, who employs people 9-5 (but somehow, their guy worked 20.00 - 02.00 local time)
- Chinese/Taiwanese rogue group/lone wolf... moonlighting on this exploit after their day job (given that to interact with Lasse they'd be forced to work late, this is not outside of the realm of possibilities)
- Non-Chinese state actor, employing someone 9-5 (consistent with most of the GitHub interactions), wanting to pin responsibility on China/Taiwan (+0800 timezone for commits), which for some unexplained reason pushed the worst offending changes at really weird times.
- Chinese/Taiwanese state actor, that wanted to pin the blame on western state actors (by making all of the changes at times compatible with someone working in Europe), and somehow they slipped up when pushing the worst offending changes.
- Chinese/Taiwanese state actor, employing someone in Europe (if they need to get approval of changes/gain the trust of the previous maintainer Lasse, it might make sense to have better/more timezone overlap)... which for some weird (yet "innocent") reason, kept the device that they worked on, configured with a +0800 timezone
- Non-Chinese state actor, pretending to be a Chinese entity that wanted to pin the blame on a western entity and slip up by making the worst offending changes at 3am (i.e. it was not a slip up, but it's part of the misdirection efforts.)
Some of these hypotheses are a bit farfetched, but reality is stranger than fiction.
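The timezone reasoning in this comment (and the point made further down the thread that a commit's UTC offset is simply whatever the committing machine's clock said) can be made concrete by re-bucketing the same timestamps under several hypothesised offsets. This is an added example, not code from any commenter or from the xz project; the timestamps are constructed for illustration and are not real JiaT75 commits.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape `git log --format=%aI` prints: ISO 8601 with
# the UTC offset the committing machine reported. Made-up values, not real commits.
SAMPLE_COMMITS = [
    "2023-06-12T21:30:00+08:00",
    "2023-06-13T22:05:00+08:00",
    "2023-06-14T20:45:00+08:00",
    "2023-06-15T01:10:00+08:00",
    "2023-06-16T23:20:00+08:00",
    "2023-06-17T03:00:00+02:00",  # different offset: committed from another machine
]

def parse_commit_times(lines):
    """Parse the timestamps and normalise them to UTC.

    The recorded offset is client-asserted metadata; the hosting platform
    does not verify it, so only the UTC instant is worth reasoning about."""
    return [datetime.fromisoformat(s).astimezone(timezone.utc) for s in lines]

def recorded_offsets(lines):
    """Count the distinct UTC offsets the commits claim (a hint about how many
    machines or configurations produced them, not where the author sat)."""
    return Counter(datetime.fromisoformat(s).utcoffset() for s in lines)

def hour_histogram(utc_times, offset_hours):
    """Bucket the commits by local hour under a hypothesised UTC offset."""
    tz = timezone(timedelta(hours=offset_hours))
    return Counter(t.astimezone(tz).hour for t in utc_times)

def working_hours_share(utc_times, offset_hours, start=9, end=18):
    """Fraction of commits inside [start, end) local time under that hypothesis."""
    hist = hour_histogram(utc_times, offset_hours)
    in_window = sum(n for hour, n in hist.items() if start <= hour < end)
    return in_window / len(utc_times)

if __name__ == "__main__":
    times = parse_commit_times(SAMPLE_COMMITS)
    print("recorded offsets:", dict(recorded_offsets(SAMPLE_COMMITS)))
    for off in (8, 2, -5):
        share = working_hours_share(times, off)
        print(f"UTC{off:+d}: {share:.0%} of commits fall in 09-18 local time")
```

The same six instants look like late-night work under UTC+8 but mostly office hours under UTC+2, which is the ambiguity the hypotheses above turn on.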
My git commits are sometimes in UTC, depending on which computer I make them from. Sometimes my laptop just switches timezones depending on whether I'm using wifi or LTE. I wouldn't put much weight on the timezone.
The time stamp of a git commit depends on the system clock of the computer the commit was checked in on. This cannot be checked by GitHub & co (except that they could reject commits which have time stamps in the future).
I assume you mean UTC+8... that covers about 20% of the earth's population, besides China it includes parts of Russia, a bunch of SEA and Western Australia.
We shouldn't rule it out, but it seems unlikely to me.
This is more reckless than any backdoor I can think of by a US agency. The NSA backdoored Dual EC DRBG, which was extremely reckless, but this makes that look careful, and that was the zenith of NSA recklessness. The attackers here straight up just cowboy'd the joint. I can't think of any instance in which US intelligence used sock puppets on public forums and mailing lists to encourage deployment of the backdoored software, and I maintain a list of NSA backdoors: https://www.ethanheilman.com/x/12/index.html
The CIA had plans to commit terrorist acts against American civilians to start a war against Cuba in the 60s. This is quite literally their style. For example, perhaps they were planning to blame the hack of a power plant or critical infrastructure on this exploit, then use the "evidence" that was leaked to prove it was China, and from there carry out an offensive operation against Chinese infrastructure. There are lots of subversive reasons they would want to do this.
You are referring to Operation Northwoods [0], a set of plans from the 1960s, all of which were rejected.
Operation Northwoods came about because Brig. Gen. Edward Lansdale, asked the CIA to come up with a list of pretexts that might be used to justify an invasion of Cuba. This request had a number of planners at the CIA enumerate possible false flags that could be used as a pretext. One of those plans was a terror attack against US citizens. Operation Northwoods was rejected and never implemented.
The US has plans for nearly everything, but there is a massive difference between a plan that some CIA analyst is pitching and something the US is likely or even able to do. The US had all sorts of plans for how to handle a pandemic, but then when one actually happened, the plans couldn't be implemented because the US didn't actually have the capabilities the plans called for.
> example, perhaps they were planning to blame the hack of a power plant or critical infrastructure on this exploit, then use the "evidence" that was leaked to prove it was China, and from there carry out an offensive operation against Chinese infrastructure.
Backdooring OpenSSH would in no way function as a pretext for attacks on Chinese infrastructure. No one outside the tech companies cares about this. The US also doesn't need to invent hacking pretexts, you could just point to one of many exposed Chinese hacking incidents.
Just so I understand, you're alleging that a U.S. agency was, among other things, submitting patches for a mainland Chinese home-grown CPU architecture (Loongson)?
No, they're not. They are saying that due to the extraordinary circumstances with this case US agencies cannot be excluded from suspicion. At this time no actor seems to be a more likely perpetrator than the next. (Keep in mind that false-flag operations are a very common occurrence in cyber warfare and this cannot be ruled out yet.)
And if someone wanted to attack a target running on Loongson, they would certainly have to make sure the code can actually run there in the first place.
It doesn't seem out of the question that the U.S. or allied nations might want to be involved in the development effort around these CPUs. Even if initially it's just to build some credibility for this account so future adversarial patches are accepted with less suspicion? If you think that's implausible, I'm interested why?
Note that it says "Fedora 41" in the CISA page's link to Red Hat, but Red Hat changed the blog title to "Fedora 40" and left the HTML page title as "Fedora 41".
> knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;
No, freedom of speech (as far as I know) protects even exploit code. The statutes being linked would cover using the backdoor to gain unauthorized entry to a system. I think the question of whether anything illegal has occurred from the public facts is unclear, at least to me, and interesting.
The first amendment might overrule the cited law if that law didn't already include a requirement for intentional harm. But since the law does already have that requirement, there's not really an opportunity for a freedom of speech justification to be what protects a non-malicious publication of a proof of concept. The law isn't trying to infringe on freedom of speech.
But my argument isn't that freedom of speech could be used as an excuse for something that would otherwise be illegal -- my argument is that publishing and discussing exploit code is a constitutionally-protected activity. The CFAA statutes can be violated by gaining unauthorized access to a protected computer system, but that did not happen in the process of authoring and publishing the exploit code. The attacker was authorized to release new versions of the software, and they did. Their choice of what to make their software actually do is not regulated by the government, any more than a musician's choice of which lyrics to include in their song.
If an attacker then actually uses the backdoor created by someone else's decision to deploy the new release into their own environment, to gain unauthorized access to a protected computer system, then obviously there's a CFAA violation there. The public facts don't contain documented examples of this having happened (yet), though it will be unsurprising if that changes.
So it is still not obvious, at least to me, that any crime under US law has occurred so far. I am not a lawyer, though I'm aware of how badly the government has lost the previous court cases that attempted to restrict what humans can put in source code.