It's been all of 24 hours, these things take time. Presumably someone doing an attack this audacious took steps to cover their tracks and is using a fake name.
CISA had a report on this pretty quickly. I think they refer cases to Secret Service for enforcement. But really, we seemingly have no idea who or where the perpetrator is located. This could easily be a state actor. It could be a lone wolf. And the effects of the attack would be global too, so jurisdiction is tricky. We really have no idea at this point. The personas used to push the commits and push for inclusion were almost certainly fronts. I'm sure github is sifting through a slew of subpoenas right now.
GitHub retains an incredible amount of data to review. But if it is a state actor, they likely covered their tracks very well. When I found the original address of the person who hacked Elon Musk's Twitter account it led to an Amazon EC2 instance. That instance was bought with stolen financial information and accessed via several VPNs and proxies. I would expect state actors to further obfuscate their tracks with shell companies and the like.
Based on the level of sophistication being alluded to, I'm personally inclined to assume this is a state actor, possibly even some arm of the U.S. govt.
That would honestly be one of the most impactful bits of public service to fall out of any agency, regardless of country. Even if this is nefarious, a couple of intentionally clumsy follow-ups designed to draw further attention would be amazing to see. Think chaos monkey for software supply chain.
Can the community aspects of FOSS survive a Spy vs Spy environment though?
I don't know, but the answer is irrelevant to whether we are in one (we are).
I shudder to think what lurks in the not-open-source world. Closed source software/firmware/microcode, closed spec/design hardware; and artificial restriction of device owners from creating replacement code, or modifying code in consumer and capital goods containing universal machines as components; are significant national security threats and the practice of keeping design internals and intent secret in these products produces a cost on society.
I propose that products which don't adhere to GNU-like standards of openness (caveat*) get national sales taxed some punitive obscene percentage, like 100%. This way the government creates an artificial condition which forces companies to comply lest their market pricing power be absolutely hobbled. If say your company makes five $10MM industrial machines for MEGACORP customer and you're the only game in town, MEGACORP can pay the sales tax. Brian, Dale, and Joe Sixpack can't afford $2,500+ iPhones and Playstations, or $70,000 base model Honda Civics (yes this should apply to cars and especially medical devices/prosthetics), so when Company B comes around making a somewhat inferior competing fully open product then Company A making the proprietary version loses a huge chunk of market share.
(*But not the GNU-spirit distribution rights, so the OEM or vendor is still the only entity legally allowed to distribute [except for national emergency level patches]. Patent rights still apply.)
This is the most direct and sane way to address the coming waves of decade+ old lightbulbs and flatscreens. It has fewest "But if" gotcha exceptions with which to keep screwing you. Stop sticking up for your boss and think about the lack of access to your own devices, or better yet the implicit and nonconsensual perpetual access vendors maintain to universal machines which by all rights only you should have sovereign control over (like cooking your own microcode or tweaking Intel's [but not distributing your tweaks to Intel's])!
Overcomplicated design, sloppy opsec and Eastern European time zone altogether sound more like an attempt to snatch some bitcoins by a small group of people in places.
> This individual/organization needs to be on the top of every country's most wanted lists
Because if the "organization" is a U.S. agency, not much is going to happen here. Russia or China or North Korea might make some strongly worded statements, but nothing is going to happen.
It's also very possible that security researchers won't be able to find out, and government agencies will finger-point as a means of misdirection.
For example, a statement comes out in a month that this was North Korea. Was it really? Or are they just a convenient scapegoat so the NSA doesn't have to play defense on its lack of accountability again?
Highly likely, China has been estimated to have cyberhacking resources that are 10-50x what the USA has currently. It's not even close. The USA will have to up its game soon or accept China being able to shut down large swathes of the grid and critical infrastructure at will.
I did my own research. If you look at the git repository commit log and some mailing list messages, you will see that the author ("Jia Tan", fake name) speaks impeccable English (already lessens the chance of being a Chinese operative), however he commits in the +0800 time zone (Beijing). He works during Chinese holidays and doesn't work during Western holidays.
However, the times don't make sense: It looks like he works mostly at 2am: https://files.catbox.moe/6mdtez.png (hours in the +0800 timezone). I understand this to be indicative of using a different timezone on the computer than where he actually worked, possibly knowing that git commits include the timezone.
If you shift the timezone to US East Coast -0400, it suddenly looks like a very comfortable full-time job, including a fall in commit rate right where the lunch break should be: https://files.catbox.moe/dtvjzr.png
To me, considering that this appears to be a nation-state tier attack, heavily indicates that it was the Americans. Obviously not conclusive proof, but I think it is useful evidence.
Author: Jia Tan <jiat0218@gmail.com>
AuthorDate: Fri Jan 20 21:53:14 2023 +0800
New Year's Day (Federal):
Author: Jia Tan <jiat0218@gmail.com>
AuthorDate: Mon Jan 2 22:33:48 2023 +0800
Edit: Also my graphs don't seem to match yours. Did you account for the fact that US/Eastern is -0500 part of the year? I show a spike at what would be 7 am Eastern for both author dates https://imgur.com/a/QcJy16h and commit dates https://imgur.com/a/oMsbNOh and essentially no work being done after noon.
It's a nice analysis but he misses the fact that the Eastern Europe timezone doesn't match office hours, in particular it'd mean he worked around evenings primarily (see this graph https://files.catbox.moe/4itspl.png)
I had noticed UTC+0300 commits in the repository under his name but I believed they might have been simply committed by the main Finnish maintainer who is in the UTC+0300 timezone.
> But I would like to see analysis of timestamp of GitHub events (like PRs and comments timestamps) which are harder to fake.
I doubt the git commit timestamps are faked, since actually faking them is somewhat difficult to do consistently (you would time travel frequently). I don't think there is some kind of github API for this, however from what I've seen they seem to match up with the same work timespan you see in the commit timestamps.
> I had noticed UTC+0300 commits in the repository under his name but I believed they might have been simply committed by the main Finnish maintainer who is in the UTC+0300 timezone.
There was this one though where they are the author and committer... one in +0300, the other in +0800:
commit 3d1fdddf92321b516d55651888b9c669e254634e
Author: Jia Tan <jiat0218@gmail.com>
AuthorDate: Tue Jun 27 17:27:09 2023 +0300
Commit: Jia Tan <jiat0218@gmail.com>
CommitDate: Tue Jun 27 23:56:06 2023 +0800
The time between writing the file and the commit is 89 minutes.
I literally run a git hook that fixes my commit times so I don’t look like a freak to my coworkers making commits at 3am, I think an actor of this caliber would too, so I would bet the git commit times are highly choreographed.
FYI, the Australian comment is wrong, WA (which uses UTC+8) does not observe DST (there's a party to add it, and multiple referenda which failed to add it), given ASIS is in Canberra (as far as we know ;)), it probably wasn't them.
> He works during Chinese holidays and doesn't work during Western holidays.
“Western Holidays”, as if that is a coherent, cross-nationally consistent set.
Other than the fact that your specific suggestion of it being American makes little sense based on this, since it's not accurately construed as American holidays, this phrasing is bizarre in this context.
and then processed it a bit with gnuplot. Should not be difficult to reproduce this graph, but I am not too much of a gnuplot wizard so I first preprocessed this into some different files in a REPL. Don't have the full code of what I did but it should not be difficult to reproduce, just parse the dates and look at the hours.
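A small reproduction of the commit-timestamp analysis discussed in this thread (the hour-of-day histogram under a shifted timezone, the author-date versus commit-date gap, and the +0300/+0800 author/committer mismatch), added here as an example; it is not any commenter's script or the xz project's code. It assumes `git log --format='%H%x09%ad%x09%cd' --date=default` output. The first sample record is the commit quoted above; the next two reuse the two author dates quoted above with placeholder SHAs; the last record is constructed to show a night-time +0800 commit.

```python
"""Commit-hour analysis over `git log` output (added example).

Assumes log lines produced by:
    git log --format='%H%x09%ad%x09%cd' --date=default
which yields git's default date layout, e.g. "Tue Jun 27 17:27:09 2023 +0300".
"""
from collections import Counter
from datetime import datetime, timedelta, timezone, tzinfo

GIT_DATE_FMT = "%a %b %d %H:%M:%S %Y %z"

# Constructed sample log: sha <TAB> author date <TAB> committer date.
# Record 1 is the commit quoted in the thread; records 2-3 reuse the two
# quoted author dates with placeholder SHAs; record 4 is invented.
SAMPLE_LOG = (
    "3d1fdddf92321b516d55651888b9c669e254634e\t"
    "Tue Jun 27 17:27:09 2023 +0300\tTue Jun 27 23:56:06 2023 +0800\n"
    "0000000000000000000000000000000000000001\t"
    "Fri Jan 20 21:53:14 2023 +0800\tFri Jan 20 21:53:14 2023 +0800\n"
    "0000000000000000000000000000000000000002\t"
    "Mon Jan 2 22:33:48 2023 +0800\tMon Jan 2 22:33:48 2023 +0800\n"
    "0000000000000000000000000000000000000003\t"
    "Wed Mar 8 02:14:30 2023 +0800\tWed Mar 8 02:14:30 2023 +0800\n"
)


def parse_git_date(text: str) -> datetime:
    """Parse git's default date layout into a timezone-aware datetime."""
    return datetime.strptime(text.strip(), GIT_DATE_FMT)


def parse_log(log_text: str):
    """Return a list of (sha, author_datetime, commit_datetime) tuples."""
    records = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        sha, author_date, commit_date = line.split("\t")
        records.append((sha, parse_git_date(author_date), parse_git_date(commit_date)))
    return records


def fixed_offset(hours: int) -> tzinfo:
    """A fixed UTC offset, e.g. fixed_offset(8) for +0800, fixed_offset(-4) for -0400."""
    return timezone(timedelta(hours=hours))


def hour_histogram(records, tz: tzinfo):
    """Count author timestamps per local hour after converting every one into `tz`.

    Converting first (rather than trusting the offset stored in each commit)
    is what lets you test the "what if he was really on US Eastern" hypothesis.
    """
    counts = Counter(author.astimezone(tz).hour for _, author, _ in records)
    return [counts.get(hour, 0) for hour in range(24)]


def peak_hour(hist) -> int:
    """Hour with the most commits (first one wins on ties)."""
    return max(range(24), key=hist.__getitem__)


def utc_offset_minutes(dt: datetime) -> int:
    return int(dt.utcoffset().total_seconds() // 60)


def timezone_mismatches(records):
    """Commits whose author and committer offsets differ, as (sha, author_off, commit_off)."""
    return [
        (sha, utc_offset_minutes(author), utc_offset_minutes(commit))
        for sha, author, commit in records
        if utc_offset_minutes(author) != utc_offset_minutes(commit)
    ]


def author_commit_gap_minutes(author: datetime, commit: datetime) -> int:
    """Minutes between AuthorDate and CommitDate, computed in UTC so offsets cancel."""
    return round((commit - author).total_seconds() / 60)


if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    for label, tz in (("+0800", fixed_offset(8)), ("-0400", fixed_offset(-4))):
        hist = hour_histogram(records, tz)
        print(f"{label}: peak hour {peak_hour(hist):02d}:00")
        for hour, n in enumerate(hist):
            if n:
                print(f"  {hour:02d}:00  {'#' * n}")
    for sha, a_off, c_off in timezone_mismatches(records):
        print(f"{sha[:12]} author offset {a_off:+d} min, committer offset {c_off:+d} min")
    sha, author, commit = records[0]
    print(f"{sha[:12]} author->commit gap: {author_commit_gap_minutes(author, commit)} min")
```

With the quoted commit, the gap comes out at 89 minutes and the author/committer offsets are reported as +180 and +480 minutes. The histogram takes any `tzinfo`, so to handle the -0500/-0400 DST split mentioned above, pass `zoneinfo.ZoneInfo("America/New_York")` instead of a fixed offset.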
I understand the impulse to seek justice, but what crime have they committed? It's illegal to gain unauthorized access, but not to write vulnerable code. Is there evidence that this is being exploited in the wild?
I am definitely not a lawyer so I have no claim to knowing what is or is not a crime. However, if backdooring SSH on a potentially wide scale doesn't trip afoul of laws then we need to seriously have a discussion about the modern world. I'd argue that investigating this as a crime is likely in the best interest of public safety and even (I hesitate to say this) national security considering the potential scale of this. Finally, I would say there is a distinction between writing vulnerable code and creating a backdoor with malicious intent. It appears (from the articles I have been reading so far) that this was malicious, not an accident or lack of skill. We will see over the next few days though as more experts get eyes on this.
Agreed on a moral level, and it's true that describing this as simply "vulnerable code" doesn't capture the clear malicious intent. I'm just struggling to find a specific crime. CFAA requires unauthorized access to occur, but the attacker was authorized to publish changes to xz. Code is speech. It was distributed with a "no warranty" clause in the license.
> knowingly [cause] the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;
Where one of the definitions of “protected computer” is one that is used in interstate commerce, which covers effectively all of them.
The back door is damage. The resulting sshd is like a door with a broken lock. This patch breaks the lock. Transmitting the patch caused intentional damage.
Law isn't code. If someone finds precedent, there will be a way to argue it doesn't cover this specific scenario. They call this conversational process "hypos" in law school, and this fundamental truth is why you never hear of a lawyer being stumped as to how to defend a client.
Ultimately, the CFAA will get it done if it gets that far, armchair lawyering aside.
To pressure test this fully, since this can be caricatured as "we can punish degenerate behavior as needed", which isn't necessarily great: it's also why there's a thin line between an authoritarian puppet judiciary and a fair one.
The malicious author caused the transmission of the release tarball to GitHub and the official project site. This act was intentional and as a direct result other computers were damaged (when their administrators unknowingly installed the backdoored library).
You’ve got to be joking if you’re saying that this wouldn’t be an open and shut case to prosecute. It’s directly on point. Law isn’t code, any jury would have zero trouble convicting on these facts.
CFAA covers distribution of malicious software without the owner's consent, the Wire Fraud Act covers malware distribution schemes intended to defraud for property, the Computer Misuse Act in the UK is broad and far reaching like the CFAA, so this likely falls afoul of that. The GDPR protects personal data, so there's possibly a case that could be made that this violates that as well, though that might be a bit of a reach.
In which case the defense will claim, correctly, that this malware was never distributed. It was caught. "Attempted malware distribution" may not actually be a crime (but IANAL so I don't know).
If more than one person was involved, it'd presumably fall under criminal conspiracy. Clearly this was an overt act in furtherance of a crime (unauthorized access under CFAA, at the least).
Nah, the CIA assassinates people in MLAT zones all the time. The laws that apply to you and I don’t apply to the privileged operators of the state’s prerogatives.
We don’t even know that this specific backdoor wasn’t the NSA or CIA. Assuming it was a foreign intelligence service because the fake name was Asian-sounding is a bit silly. The people who wrote this code might be sitting in Virginia or Maryland already.
Note that while “Eastern Europe” has firm connotations with countries of which some are known for having corrupt autocracies, booming shady businesses, and organized crime and cybercrime gangs in varying proportions, the time zone mentioned also covers Finland, from which the other author is supposed to be.
> They will as a result probably avoid traveling to unfriendly jurisdictions without a diplomatic passport.
First of all, it's not like their individual identities would ever be known.
Second, they would already know that traveling to a hostile country is a great way to catch bullshit espionage charges, maybe end up tortured, and certainly be used as a political pawn.
Third, this is too sloppy to have originated from there anyways—however clever it was.
Laws don’t fix technical issues any more than they fix physical ones. Clearly this was possible, so it could be done by a foreign intelligence agency or well-hidden criminal organization.
I think this is probably illegal. But, I think we should not punish this sort of thing too harshly. Tech is an ecosystem. Organizations need to evolve to protect themselves. Instead, we should make companies liable for the damage that happens when they are hit by one of these attacks.
Before anyone calls it out: yes, this will be blaming the victim. But, companies aren’t people, and so we don’t really need to worry about the psychological damage that victim blaming would do, in their case. They are systems, that respond to incentives, and we should provide the incentives to make them tough.
What is constantly overlooked here on HN is that in legal terms, one of the most important things is intent. Commenters on HN always approach legal issues from a technical perspective but that is simply not how the judicial system works. Whether something is “technically X” or not is irrelevant, laws are usually written with the purpose of catching people based on their intent (malicious hacking), not merely on the technicalities (pentesters distributing examples).
It is code, but it runs on human wetware which can decode input about actual events into output about intent, and reach consensus about this output via proper court procedures.
Calling this backdoor "vulnerable code" is a gross mischaracterization.
This is closer to a large scale trojan horse, that does not have to be randomly discovered by a hacker to be exploited, but is readily available for privileged remote code execution by whoever has the private key to access this backdoor.
No, it is not illegal to distribute malware by itself, but it is illegal to trick people into installing malware. The latter was the goal of the XZ contributor.
Specifically, the CFAA covers distribution of malicious software without the owner's consent. Security researchers downloading malware implicitly give consent to be downloading malware marked as such.
In the UK, at least, unauthorised access to computer material under section 1 of the Computer Misuse Act 1990 - and I would assume that it would also fall foul of sections 2 ("Unauthorised access with intent to commit or facilitate commission of further offences") and 3A ("Making, supplying or obtaining articles for use in offence under section 1, 3 or 3ZA") as well.
If CFAA doesn't get this guy behind bars then the CFAA is somehow even worse. Not only is it an overbroad and confusing law, it's also not broad enough to actually handcuff people who write malicious code.