456

XZ Hack - "If this timeline is correct, it’s not the modus operandi of a hobbyist. [...] It wouldn’t be surprising if it was paid for by a state actor." (lcamtuf.substack.com)

submitted 5 months ago by Jennykichu@lemmy.dbzer0.com to c/opensource@lemmy.ml

71 comments fedilink hide all child comments

Thought this was a good read exploring some how the "how and why" including several apparent sock puppet accounts that convinced the original dev (Lasse Collin) to hand over the baton.

you are viewing a single comment's thread
view the rest of the comments

[-] KarnaSubarna@lemmy.ml 122 points 5 months ago

Careful choice of program to infect the whole Linux ecosystem
Time it took to gain trust
Level of sophistication in introducing backdoor in open source product

All of these are signs of persistent threat actors aka State sponsor hacker. Though the real motive we would never know as it's now a failed project.

[-] jackpot@lemmy.ml 28 points 5 months ago

imagine how pissed they are. or maybe they silently alerted the microsoft guy themselves as they only did it for cash and theyd been paid

[-] baseless_discourse@mander.xyz 24 points 5 months ago* (last edited 5 months ago)

I am sure most super powers in the world can easily sink 2 years to maintain an obscure project in order to break system as important as openssh.

I doubt they will be pissed for one failure, and we can only hope there isn't more vulnerable projects out there (spoiler alert: probably many).

this post was submitted on 31 Mar 2024

456 points (98.3% liked)

Open Source

30263 readers

82 users here now

All about open source! Feel free to ask questions, and share news, and interesting stuff!

Useful Links

Rules

Posts must be relevant to the open source ideology
No NSFW content
No hate speech, bigotry, etc

Related Communities

Community icon from opensource.org, but we are not affiliated with them.

founded 5 years ago

MODERATORS

Cloak@lemmy.ml

kevincox@lemmy.ml

CrypticCoffee@lemmy.ml

Lettuceeatlettuce@lemmy.ml