people are saying the xz backdoor is likely the work of a nation state actor, and given that it appears to have been slow rolled for a couple of years and immediately became obsolete before it was fully launched - you do have to admit it bears the hallmarks of a government IT project
@SecureOwl This is the best comment on this I have seen and will ever see! :)
@SecureOwl feels like someone testing the waters of how, and how quickly a slow burn attack like this is detected. I'd be willing to bet we see more of this, if they aren't already out there in the wild given this one was only discovered purely by chance.
@sloenthusiast yup, I’m sure there are plenty more lurking and to be lurked

@SecureOwl You are not wrong.

Can I quote you on that?

@SecureOwl @marcan
It’s true! If this had been authored by the private sector, it would have been started and killed 6 times across 3 different teams, released before it was ready, then suddenly sold off and killed by a capricious C-level who heard that something else is the new hotness now.
@inthehands @SecureOwl @marcan magnificent burn and counter burn, bravo, bravo!
@hllizi @SecureOwl @marcan
Thanks, but let’s be honest: mocking large institutions is like shooting fish in a barrel.
@SecureOwl this was apparently working, which can't be said for many government IT projects.
@SecureOwl so... US government then?
@SecureOwl Also explains why the final step was hastily rolled out before the end of the fiscal year, leading to early detection making several years of work pointless? ;-P
@SecureOwl Thanks for the laugh 🤣.

@SecureOwl I believe it has been developed to target one specific system with known software stack and update policy.

And indeed, this nation state actor (NSA, fits there just fine lol) wouldn't want to maximize the number of affected servers. As long as they got access to the right one, that is.

@SecureOwl Question is, which haven't we found yet? Most likely sneaky changes in convoluted laws.

@SecureOwl

10/10

Kept me laughing all weekend. Thank you!

@SecureOwl On the other hand, it's engaging with the open source ecosystem but assuming that the only open source platform that matters is Linux and that any architecture other than x86-64 is probably irrelevant. That has all of the hallmarks of a Microsoft or Google project.