So if I’m reading this¹ correctly, a three-year deep-cover operation to backdoor the entire planetary infosphere was blown because one person noticed that their tests suddenly ran a fraction of a second slower?

This is some “do you remember where you were back in 2024 when you first heard about…” level shit.

¹ https://boehs.org/node/everything-i-know-about-the-xz-backdoor

@Unixbigot not clear from that summary at this point if it was a three-year long game, or a recent compromise of their account.
@Br3nda the bit where it says the first thing that this GitHub identity is known to have done in 2021 is introduce a bug in libarchive kinda makes me think the former.
@Unixbigot yeah, you're right.
Very annoying - the apparent author of the backdoor was in communication with me... | Hacker News

@Unixbigot

But counter to that, the malicious commits seem to be in a different time zone.

https://hachyderm.io/@danderson/112182299348258318
