One of the more interesting graphics I've seen regarding the XZ backdoor is a representation of Jia Tan's commits over time. Notice how the commits in question were done well outside the normal times this user committed code in the past.

Does this lend credence to the notion that somehow the Jia Tan account was hijacked? Maybe. Or maybe it just means the attackers got sloppy at the tail end of a 2-year op for unknown reasons, like they were up against a hard deadline that was tied to something happening IRL.

I'm curious what the prevailing theory is here.

@briankrebs If the account was hacked, Jia Tan would still be around, proclaiming loudly "hey, it wasn't me, honest". The fact that he has disappeared means that he knew perfectly well what was happening.

The out-of-character commits probably reflect the time when he forgot to set the time zone to UTC+8 and remained on his "native" time zone of UTC+2.

And, yes, he *was* on a deadline. The systemd people were about to introduce a change that would have prevented the backdoor from working.

@bontchev @briankrebs The timestamps are all in UTC. You need to change the clock of your system, not the timezone, to get this behaviour. However you could also check the separate timestamps of the GitHub pushes and pull requests, which can’t be spoofed.

@waldi @bontchev @briankrebs git timestamps can be easily munged with a hook script, too. No need to modify the system time.
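
A maintainer-side check for the pattern this thread discusses, as an added example that is not part of any post above: it learns a contributor's usual UTC offset and commit hours from their earlier commits, then flags later commits that deviate. The function names and the sample log are constructed for illustration; git author dates are supplied by the client, so a hit is a lead to compare against server-side push times, not proof.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like `git log --reverse --format='%h %ad' --date=raw`:
# abbreviated hash, Unix epoch seconds, UTC offset recorded by the author's client.
SAMPLE = """\
a1a1a1a 1672538400 +0800
b2b2b2b 1672641000 +0800
c3c3c3c 1672740000 +0800
d4d4d4d 1672804800 +0800
e5e5e5e 1672894800 +0800
f6f6f6f 1673017200 +0200
a7a7a7a 1673114400 +0800
"""

def parse(line):
    """Split one raw log line into (hash, epoch, offset in minutes)."""
    commit, epoch, off = line.split()
    sign = -1 if off[0] == "-" else 1
    return commit, int(epoch), sign * (int(off[1:3]) * 60 + int(off[3:5]))

def local_hour(epoch, offset_min):
    """Hour of day for an epoch as seen in a fixed UTC offset."""
    tz = timezone(timedelta(minutes=offset_min))
    return datetime.fromtimestamp(epoch, tz).hour

def flag_commits(log_text, baseline_n):
    """Flag commits after the first baseline_n that break the baseline habits.

    Assumption: the baseline hours do not wrap around midnight, so a simple
    min/max window is enough to describe them.
    """
    commits = [parse(l) for l in log_text.splitlines() if l.strip()]
    base, rest = commits[:baseline_n], commits[baseline_n:]
    dominant = Counter(off for _, _, off in base).most_common(1)[0][0]
    hours = [local_hour(e, dominant) for _, e, off in base if off == dominant]
    lo, hi = min(hours), max(hours)
    findings = []
    for commit, epoch, off in rest:
        reasons = []
        if off != dominant:
            reasons.append("tz-offset")   # client recorded a different offset
        if not lo <= local_hour(epoch, dominant) <= hi:
            reasons.append("off-hours")   # outside the learned working window
        if reasons:
            findings.append((commit, reasons))
    return findings

if __name__ == "__main__":
    for commit, reasons in flag_commits(SAMPLE, baseline_n=4):
        print(commit, ", ".join(reasons))
```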