Wasn't #Bellingcat doing an entire investigation thing around Jia Tan and the xz stuff?

What happened there?

#JiaTan #XZ

How a Hacker Saved the Internet

Visit https://fern.deals/brilliant for 20% off of a premium subscription. Start learning new skills today! It's also a great way to support our channel. (ad)...

YouTube

I fixed a typo in the README; no one cared.

I executed an intricate plan of making significant contributions to the repository over the course of 5 years, became a maintainer, and then added a backdoor; everyone freaked out.

No one notices until you start making big moves.

#opensource #jiatan #nevergiveup

We need a more reliable way of hosting images or websites other than tunnel providers, because I suspect the #xz / #jiatan stuff is about to get a lot worse for marginalized creators.

What do we actually know about "Jia Tan"? I went looking for clues. And in doing so I found out that one could probably have earned several billion with this security vulnerability.

I'd be glad to take you along on this journey and through the conclusions that follow from it.
#JiaTan #xz #Backdoor #xzBackdoor #DNIP
https://dnip.ch/2024/05/14/spurensuche-jia-tan-xz/

Who is "Jia Tan"? A search for clues on the xz backdoor - Das Netz ist politisch

More than a month has passed and we still don't know much about the background and the people behind the xz backdoor. This, even though the vulnerability in the best


@pastermil @linux the attack surface for something that isn't officially maintained by the developers, and that doesn't have more vetting (e.g. distribution packages) opens up room for malicious actors.

e.g. #arch / #aur recommends verifying scripts manually before installing, and malicious scripts have been found and removed.

There are actors like #jiatan out there. An unofficial #flatpak needs manual verification before install - that's why I just go with #snap if the flatpak isn't official

New #Ubuntu 24.04 with compromised #xz? #JiaTan will be happy. #ITSecurity

https://youtu.be/2L4SbYMCWrY

Ubuntu 24.04 LTS


New #Ubuntu 24.04 with compromised #xz? #JiaTan will be pleased. #ITSecurity #ITSicherheit

https://youtu.be/2L4SbYMCWrY

Ubuntu 24.04 LTS


Jia Tan changes all Open Source contributions forever.

On my projects: Oh, coming over with a PR for an "innocent" feature are we? Quite the Jia Tan move.

On other projects I am contributing to: just extending this to fix an old obscure version, adding a test... hope no one thinks I'm doing groundwork for a Jia Tan.

#JiaTan #OpenSource

Researchers stop ‘credible takeover attempt’ similar to XZ Utils backdoor incident
https://therecord.media/researchers-stop-credible-takeover-xz-utils #XZUtils #backdoor #takeover #OpenSource #software #OpenJSFoundation #JiaTan

The thwarted social engineering attempts highlight the urgent need to address weaknesses in the management of open source software.