Martin Seeger

Concerning the xz affair, I am struggling on how to explain this to a normal person. The best approach so far:

This is as if an attacker succeeded in manipulating the manufacturer of a small part that is built into every car worldwide. Every car that would have been built in the future, the attacker could crash upon pressing a button.

And we noticed only because a car fanatic took a prototype to the racetrack and noticed that when he drives it backward with the hand brake applied, the lap time would be half a second off.

1 comment
Martin Seeger

I would like the #infosec community to think about this:

Let us assume the persons behind Jia Tan are doing this for a living. We know that at least one person is doing it for at least two years and that "xz" was far from being a full-time job. A lot of know-how is reusable, but not the code (could be easily detected).

So how many projects did the person(s) infiltrate in that time?

My personal guess is that that number has more than one digit. We can only pray it was a gifted amateur who did this as a side hustle.

