Right? Absolutely disgusting behavior. This guy deserves an award for maintaining this project for free for so long. Hopefully after this he will get more support.

Just because the maintainer was paranoid didnt mean they weren't after him. People should be serious about their paranoia. The same with depression: Just because you are depressed doesnt mean that you are not getting a beating. Outsiders may tell you it can be solved until it happens to themselves. It may be sad but it may also be a vindication for him. He was gaslighted after all.

@@gertjan1710 That's true. Good point. Either way, I think all of this will end up working out for the best. This was a gigantic discovery.

They released the exploited version while Lasse was on holiday too. What a mess.

AND he was on vacation when this happened!

What if the master plan was to degrade public trust in open source OS so people would stick with Win 11 out of fear. How many millions of systems are Win 10 and in the process of evaluating Ubuntu and Mint as viable alternatives to Win 11? Look at the timing. Look who discovered the hack. Msft to the rescue ? What if Jia Tan is MSFT ? How many people will now pay to stick with Win 11 because Linux feels too risky ? Mission accomplished ?

❤ Thank you Lasse.

it is to be suspected witin any software development and always has my hopes is that this will finally make people take source code auditing more seriously

Actually, attempting this on numerous other projects would increase the likelihood of discovery. Once you've installed a backdoor, you're already in, so attempting to implement multiple additional backdoors would be counterproductive.

@@yuvalamiram5925 I'm talking about the social engineering aspect. Obviously yes, you don't try more than one backdoor at a time. But how many other devels are out there ready to put an exploit in after having worked their mark for years?

i was thinking about the same thing, i belive there will be more atk like this in the future. they made it cleare that no one can be trusted

apparently, none. case closed

The Low Level Learning channel actually demonstrated the hack on a live Linux distro including the CA key exchange. It's wild.

@@BillAnt Oh! Mahalo for that. I'm headed that way now! Aloha!

I'm sure Xi Jinping is very upset, to be sure.

Problem is, we are just seeing the tip of the iceberg. The same actors that impersonated Jia Tan have already impersonated hundreds of other maintainers. God only knows how many other projects could have been compromised.

@@kristoffer8609 although"Jia Tan" isn't a legit Chinese name, which puts some doubt into whether it's really Chinese state sponsored. Although maybe that's what they want us to think!?!?!?!

@@squirlmy Well it's just a username of course. Anyone could put anything. But yeah, going by the usual suspects, it's likely.

​@@squirlmy this is actually interesting. Definitely somebody chose a vaguely common overseas-Chinese name that non-Chinese folks are familiar with even if not common inside China, and the badcop "Jigor kumar" is another common overseas-Indian name that will be familiar to non-Indian folks even if not common inside India. And no one would think that a Kumar and Tan are working together, especially outside of cosmopolitan settings. Let's look at jiatan. Chinese names are 2 or 3 syllables, and one of them is the surname. Usually the first, which makes "jia" the surname, but very common is for folks to swap the surname to the back to match English naming convention, so tan would be the surname, and we see the gh handle being "jiaT75" so the surname is initialised. But then usually folks with 2 syllable names will just keep it intact as jiatan when not required to specify surname (ie legal documents), And if tan is the surname, then it's not a common mandarin surname - you'd find descendents of 陈 in mainland calling themselves Chen, in HK / overseas as Chan, and in Southeast Asia / Taiwan as Tan. So "tan" is hinting towards south China. But then, in the hokkien language (where tan is a common surname), "jia" is not a valid word. "Chia" is, but then they would not romanize it to jia, only chia or (in TW) tsia. The equivalent of jia in hokkien is kway. Jia could either be just bad romanization of hokkien / min, or a mandarin name (ie the person comes from a region that is now mandarin-based but culturally hokkien - something you'd see in Singapore, south/west Malaysia, and Taiwan) so the surname is untouched hokkien but the Chinese name is mandarin. That being said, I highly doubt that it's actually Chinese or south Chinese. They would not use non-Anglican names outside to blend in (and they aren't super language-purists to stick to their own local names in covert times, or even in normal life), nor would the southern Chinese countries (SEasia/tw) actively engage in offensive tactics - usually these countries tend to defend against attacks and preserve their resources for protection not expansion.

upnp?

"The only people..." "...but that's a bit of a stretch." Those two statements are mutually exclusive. If only state actors were willing to go to those lengths, then it would not be a stretch to assume as such. And vice versa, if more people are willing to do that, it would be a stretch to assume any particular bad actor.

Why disable

​@@anteshell read the comment again, slowly. It's not a contradiction.

@@dachimshvidobadze2286 Now that you mentioned it, I noticed the comment can be interpreted in two ways. Either the "stretch" refers only to the ransomware group, in which case it would not be contradictory. Or it can refer to both state actor and ransomware group, in which case it would be. Both are grammatically correct interpretations and I did the latter initially. But only OP can confirm which one they meant. Also, considering I seem to know much more about grammar and have better reading comprehension skills than you, you should not throw such insults. That only make you a fool.

Fair point 😂

@@Seytonic Lasse is pronounced as "Lussa" :)

​@@user-qi4bu5vv5cxz isn't a person lmfao

​@@user-qi4bu5vv5c bro knows nothing about what he's talking

​@@user-qi4bu5vv5c I don't think anyone is convinced that you even understand the words you're writing, bud.

Yeah. This is when too permisive licenses become an issue.

@@Splarkszter I see now where redis is coming from.

He’d easily get a six figure salary if he wanted to become an employee of some company, and who knows maybe he is and does this on the side. You can’t volunteer for an open source project and then complain about money when you could easily make a lot of money in closed source.

some just don't care about donations, some have a donation link on the github page, some have a donation link in the compiled version of the software they make, or just have a donation link hidden away (not on their github about me page, have to loop through their socials to get the link to their ko-fi front (90% of cases)). if more of them just have a donation link on the git repo, it would be much easier, but the vast majority of them are just hidden in links of links of social media, ain't no one gonna bother going to twitter to get to your kofi page, just link it on the repo lmao

Gov or private business should step up and create a fund... Maintainers need to be paid....

​@@zadekeys2194 True, having some kind of a fund that maintainers can apply for could be really helpful

​@@zadekeys2194lol government? Are you stupid?

​@@zadekeys2194 Sometimes they get paid by business related to their software, like for FreeBSD maintainer once, and Linux Torvalds get paid too, but not everyone get people attention until a disaster occurred .

Aside from the changes to the build flags, there was no commit to check. The tar-ball isn’t a source file. In this case the most important part of the source wasn’t - well - open.

Did not expect to see PewDiePie's chai loving lost cousin here

Ok now what

Yep, it looks like the attackers sniffed out that a change to libsystemd (which is responsible for sshd needing to link to liblzma in the first place) was coming soon that would render their planned attack vector useless, and so they had to ramp up the pressure to try to get the latest xz utils into distro repos as quick as possible.

massive is not enough. It's should be SUPER MASSIVE amount of donations.

isn't it that openssh by itself doesn't depend on systemd, but some distros decide to patch systemd messages support into openssh by themselves?

@@Napert The issue only affects systemd distros, so yes you are correct. OpenSSH does not require systemd by itself, nor does it require xz.

OpenSSH is currently planning to include independent notify code so it doesn't need to be linked against libsystemd in the future.

I wonder if there is any change to Linux that has caused more problems and wasted more time than systemd?

@@Napert yes

This was my first thought when I've heard of this last week. And as an ex nightly-build maintainer in the early 2000s, I am questioning if Linux Distro should adopt are more stringent QA - or be forced to have one by law because of this.

a M$ backdoor? surprisingly the CA certs from NSA in Windows XP? We'll never know for sure (closed source, NDAs etc.)

​@@seedney Do you mean NSAKEY? That wasn't actually an NSA backdoor, it's a myth.

​@@Communist-Dogeaccording to who? dave's garage? the guy that got sued and taken to court for some spyware program he made? yeah, real trustworthy

... do you actually understand the scope of what you're asking?

These guys seem to have incredible patience, I don’t think they made the great opsec mistake by logging in with their real ip adress xd

They did. he used a singapore VPN, leaked his middle name in a commit ("cheong", in which most believe is actually someone trying to pass off as mainland chinese as "cheonge" is only really common as a (cantonese) middle name in Taiwan) in which a surprising turn of events, is starting to trace back to either the US gov (most believe this) or north korea (most are skeptical about that)

@@polinskitom2277 why would the DPRK try to false flag an attack as being done by one of their only allies?

I et it is a group behind the three letters agency

LoL ,yea what the hell.. and The one person, can just pass it on to some he wants 😂 To a person that he havnt meet?! A person via tor/vpn. 😂🤦‍♂️

Ironically, Windows is plagued by backdoors hahaha.

...or Russia or Ukraine or China or North Korea Don't pretend you know

They used WiTopia VPN at least while using IRC.

singapore vpn

@@_-_-_-_-_-_-_- Prob the best advertisement for that VPN. Even the feds use it.

He used WiTopia VPN with a Singaporean server/IP, when connecting to IRC at least. It's unknown what IPs he used elsewhere.

"fanboys" and "autusts" have the same meaning now all of a sudden?

The Microsoft engineer is also a dev for a large open source project Postgresql so he is not all bad.

They already do exist.

Kumar is most usual name in india. Someone just picked it up for simplicity.

What is the significance of that date?

@@theanomaly2587 Putin started war in Ukraine. Under Putinist regime it’s celebrated as some sort of “transformation”. And it’s a day after Russian “military day”.

Let me also mention that poor Lasse just needed some time off, and after that I am pretty sure that he ended up with more stress that before. Organizations (at least big ones) need to f*cking support those hobbists or else expect to have a lot more those in the future.