Email or username:

Password:

Forgot your password?
Tinker's posts Post Back to profile
Tinker ☀️

Put yourself in Jia Tan's shoes, the malicious contributor to the xz backdoor...

It's been, what, two... three?... years since you started this campaign. You've had the entire support of your team and of your chain of command.

Your coders created a complex and sublime backdoor. A secure! backdoor that only you and your team could connect to. Heck it can even be deleted remotely. This is clean code. A responsible hack that doesn't open up the backdoor for others to hijack.

You spend years on your long con - your social engineering skills are at the top of the game. You've ingratiated yourself painstakingly into multiple teams. Finally it all pays off and you're ready to go!

You succeed multiple times in getting your backdoor inserted in all the major Linux distributions!!! Now its just a matter of weeks before it makes it to production and stable releases!

This is the culmination of years of labor and planning and of a massive team and budget.

You did good.

This will get you promoted. Esteemed by your colleagues and leadership alike. Your spouse and kids will understsnd why you haven't been at home lately and why you've spent all those late nights at the office.

It's finally going to pay off.

But what's this?! Some rando poking around in their box running a pre-release unstable version of linux has found everything?!?! It's all being ripped down?! And on a Friday before a western holiday weekend?!?!

Fuck. Fuck. FUCK!!!

Three years for nothing!!! My wife is going to leave me! I missed my kid's recital for this!!! They'll hate me because I told them it was worth it. Daddy will be able to play with you again once Daddy finishes this last bit of work. But it was all for nothing!!!

Leadership took a big risk on me and my team but I kept assuring them it would pay off!

It would be one thing if another nation state found it and stopped it. But one random dude poking his nose where it shouldn't belong?! Ohhh fuck, I'm going to be fired. We're going to lose our budget. My team is going to be fired. I've let down everyone that ever believed in me and supported me and relied on me!

Oh fuck!!!

#xz #backdoor #xzBackDoor #cve #cve20243094 #infosec #hacking #FOSS

1 April at 13:24 | Open on infosec.exchange
41 comments
Fabien Cazenave

@tinker I’m pretty sure the same team has other similar malicious codes in the works. This was a day-time job but not a full-time job, so there must be other attempts in other projects… still in progress.

1 April at 13:33 | Open on mastodon.social
Tinker ☀️

@fabi1cazenave - There's hope yet! Jia can still be redeemed!!!

1 April at 13:36 | Open on infosec.exchange
Miah Johnson

@fabi1cazenave @tinker Maybe this is the one is the one they didn't mind being found, that would distract our attention from finding the others.

1 April at 16:04 | Open on hachyderm.io
Hubert Figuière

@fabi1cazenave @tinker I was thinking the same thing. This is some sort of gambit with too many variable. If they spend that much effort, they can't possibly not have a contingency.

So which project did change maintainer recently?

1 April at 16:06 | Open on cosocial.ca
Rich Felker
yianiris

While reading and learning about this a testimony by actor1 about actor2 was revealed when asked for contact since day0 (3/29) and he responded didn't expect to have any during the easter holiday.

Observed ONLY in western christian (catholic/protestant) dominant countries, not on much of eastern Europe, china, india, arabic, ..

Racist westerners have indirectly made it a reliability/ethnicity issue.

The question I have is whether we can distinguish between the two authors of xz

@tinker

1 April at 13:41 | Open on kafeneio.social
Beanface42

@tinker And a dude working for Microsoft, no less 😆

1 April at 14:08 | Open on peculiar.florist
Sun Cloud

@tinker I’m sorry for your loss.

(Where is that sarcastic font when I need it)

1 April at 14:10 | Open on solarcene.community
Rob O :verified:

@tinker I've been thinking about how much time and effort went into selecting XZ as a target. It probably wouldn't be that hard to create a tool which searched the most commonly used open source projects and sorted them by the number of active maintainers.

1 April at 14:10 | Open on infosec.exchange
Tinker ☀️

@nerdpr0f - Take that idea and flip it! Use it to see what are the first projects that need to be reviewed from a Threat Hunting perspective!

Seriously! Its a great approach you've created!

Specifically identify projects that would be High Value Targets to a malicious actor and then go through the code with the ASSUMPTION THAT THEY HAVE ALREADY BEEN COMPROMISED.

See how many other backdoors and vulns we can find.

#infosec #FOSS #backdoor #xz #xzBackdoor

1 April at 14:42 | Open on infosec.exchange
Royce Williams
Rob O :verified:

@tychotithonus @tinker So, this isn't the space I normally play in (being a Windows guy, for the most part). I just had a chat with @jrwr, and this data is *massively* noisy. The open source ecosystem gets real weird, real quick.

1 April at 15:18 | Open on infosec.exchange
Royce Williams

@nerdpr0f

Indeed. Like any model, whatever we build may not be fully accurate ... but should hopefully be useful. :D

@tinker @jrwr

1 April at 16:02 | Open on infosec.exchange
DELETED

@tinker @nerdpr0f Turning the approach on its head for threat hunting is brilliant! By identifying high-value targets and reviewing their code under the assumption they've already been compromised, we prioritize security from the get-go. This method not only sharpens our focus on potential vulnerabilities but also prepares us to counter sophisticated cyber threats. It’s a proactive defense strategy, ensuring we're always a step ahead of malicious actors. #CyberSecurity #ThreatHunting

1 April at 15:10 | Open on mastodon.social
😀🚲

@nerdpr0f @tinker how many libraries are situated where an exploit could be involved in the early phases of auth code?

1 April at 15:36 | Open on urbanists.social
Rob O :verified:

@enobacon @tinker Probably not a ton, but there's a bunch of other ways one could design the trigger.

1 April at 15:39 | Open on infosec.exchange
Farce Majeure

@nerdpr0f @tinker Adding maintainers got us here. It's probably more useful to sort them by how many functions with the ifunc attribute they have ;)

1 April at 16:31 | Open on better.boston
Fritz Adalis

@tinker
Can we blame this one on capitalism?

1 April at 14:25 | Open on infosec.exchange
Tinker ☀️

@FritzAdalis - You joke, but the Free and Open Source Software maintainer of xz was experiencing heavy burnout without any support. No team, not money, no time off.

That created a vulnerability that Jia Tan (et al) exploited and allowed Jia to take over the project.

And this is not uncommon. Corporations exploit and take FOSS and use it to make money without paying back into it.

Classic capitalistic extraction without regard to hidden costs.

So. Yeah. You can blame capitalism for this, lol! 😂

1 April at 14:39 | Open on infosec.exchange
Fritz Adalis

@tinker
Well, only half joking. Even if we take your post about poor Jia at face value, it certainly looks like exploitation.

1 April at 14:42 | Open on infosec.exchange
Halligan
Jonas

@tinker
Twist : Jian Tan was an identity shared among a team and they all went to their kids recitals

1 April at 14:51 | Open on infosec.exchange
yianiris

But both "it" and the prime-maintainer entity had agreed not to work on this during "western christian" easter, not Russian, Georgian. Amenian, Greek, Syrian, Ethiopian, Egyptian easter, but catholic/protestant easter.

Otherwise people assume they were individuals from GMT +3 or +8 geographies

And also that the two are a separate entity!

@magnetic_tape @tinker

1 April at 16:50 | Open on kafeneio.social
Tinker ☀️
Patrick Howell O'Neill

@tinker you’re right, we should let him have a little back door as a treat

1 April at 14:57 | Open on infosec.exchange
Adam Barnett

@tinker Someone, somewhere, is indeed feeling that defeat has been snatched from the jaws of victory... orrrr maybe they're thinking "well, there goes that one. hope the other 7 I have don't get burnt so easily".

PS I wasn't prepared for this:

>

Daddy will be able to play with you again once Daddy finishes this last bit of work.

Oof.

1 April at 15:11 | Open on infosec.exchange
Lindworm

@tinker Not an ounce of sympathy. Even if those consequences were true, that would not be enough of a penalty.

1 April at 15:36 | Open on chaos.social
Tor Lillqvist

@tinker Or then, “everything is going as planned, they found the one we intentionally made easy to notice thanks to side effects, not the others”.

1 April at 16:10 | Open on urbanists.social
Estarriol, Cat owned Dragon

@tml @tinker now turn that on its head, all the easy to spot ones have been missed, but the payload one was spotted by accident by a rube just poaking around.....

1 April at 16:26 | Open on mastodon.scot
Philip Mallegol-Hansen

@tinker Depending on who you're working for “fired" might be a euphemism for much worse things that are about to happen to you.

1 April at 16:39 | Open on mastodon.mallegolhansen.com
David Fetter

@tinker chances are excellent that this team, and it looks an awful lot like a team, was not put together to attack a single target. That's not how teams are actually put together. Heck, even an individual is seldom so singular in focus that they wouldn't have other projects going and, extremely likely, successful projects already done.

1 April at 16:40 | Open on kolektiva.social
Tinker ☀️

@davidfetter - APTs gotta multitask like the rest of us. Fully agree.

1 April at 16:43 | Open on infosec.exchange
David Fetter

@tinker let's say they work an awful lot like the rest of us. They could easily be bad at multitasking, just as a lot of the rest of us are.

1 April at 17:19 | Open on kolektiva.social
mkb

@tinker Surely most people managing or implementing offensive ops know that operations don’t always succeed.

Then again, there are an awful lot of basic realities of more ordinary tech work that people frequently miss so maybe I need to retract my assertion.

1 April at 16:50 | Open on mastodon.social
The Nexus of Privacy

@tinker "And I would have gotten away with it too if it weren't for you meddling open source developers!"

youtube.com/watch?v=JV3tUPlYn9

1 April at 16:57 | Open on infosec.exchange
Farce Majeure

@tinker I think their employer knows that all of these things eventually get burned, and they treat that actuarially. I think Jia has already gotten some bonuses and their performance reviews still look really good, even though they missed out on one performance bonus and some other results-based incentives.

1 April at 17:14 | Open on better.boston
Joe

@tinker A commenter going by mustached-dog on @arstechnica 's forum pointed out that Jia Tan could possibly be 加蛋 , which Google Translate translates to "add eggs" (suggesting the behavior of a cuckoo, perhaps, which lays its eggs in other birds' nests). As my Mandarin is limited to "hello" and "thank you" I don't know how likely this is to be intentional.

1 April at 17:15 | Open on sfba.social
Shell :fedora: :kde:
Powersource

@shellheim @tinker@infosec.exchange @nonfedimemes lmao shoutout to all the autists

1 April at 23:06 | Open on sunbeam.city
Go Up