ceejayoz 5 hours ago

https://en.wikipedia.org/wiki/XZ_Utils_backdoor

> A subsequent investigation found that the campaign to insert the backdoor into the XZ Utils project was a culmination of over two years of effort, starting in 2021, by a user going by the name "Jia Tan". They used sock puppetry in a pressure campaign against the original maintainer of XZ Utils, eventually being given maintainer permissions on the project.

brookst 5 hours ago | parent | next [-]

Can we retire the “seatbelts are useless because they can’t prevent every loss of life” approach to risk mitigation please?

If the acceptance criterion is “would prevent every single past instance and every imaginable future instance”, then yes, no mitigation is ever sufficient to address any problem in the world, so we might as well give up.

But I don’t think that’s the right lens to use.

pjc50 4 hours ago | parent | next [-]

That depends on whether it's an issue of accidents or a "you have to get lucky every time, we only have to get lucky once" issue.

ceejayoz 5 hours ago | parent | prev [-]

I'm on board with this! I just object to the term "fixable".

dist-epoch 5 hours ago | parent | prev [-]

Sure. How many cases like these have we had so far? 1, 2? And how long did they work to get commit access?

ceejayoz 5 hours ago | parent | next [-]

> How many cases like these have we had so far?

As with clever, careful serial killers, it's tough to count the ones we haven't caught.

applfanboysbgon 2 hours ago | parent [-]

It's not that tough. You can get an idea by how many people are being murdered. A successful serial killer results in dead people, and a successful infiltration results in malware being executed. If there are no murdered people with unattributed causes of death, or there are no open-source projects with unattributed causes of malware being shipped, you can conclude there are roughly 0 active serial killers / infiltrators.

It's possible there are infiltrators who are still working on long-term infiltration and haven't yet attempted to add any malicious code anywhere, but the point is that in terms of actual attempts, we've seen a single one and it wasn't even successful despite years of prep.

ceejayoz 2 hours ago | parent [-]

> You can get an idea by how many people are being murdered.

No, we can't, as that happens a lot via non-serial killers.

A truly successful serial killer is likely one who hides in that noise. No taunting the cops, distributed geographic locations, random methods, avoiding calling cards, and careful not to leave too many traces.

It seems likely that some of the 350k unsolved homicides in the US can be explained this way.

> It's possible there are infiltrators who are still working on long-term infiltration and haven't yet attempted to add any malicious code anywhere…

Or the code's already there, latent, as it would've been in the XZ case, which got discovered by chance and someone very dedicated to looking into a performance glitch.

virtualritz 5 hours ago | parent | prev [-]

We only know how many were discovered.

Since we do not know the ratio to undiscovered ones, this "1-2" is meaningless for assessing the risk of this sort of attack.