XZ Hack - "If this timeline is correct, it’s not the modus operandi of a hobbyist. [...] It wouldn’t be surprising if it was paid for by a state actor."
![Technologist vs spy: the xz backdoor debate](https://lemmy.ml/pictrs/image/15c12519-4c63-4eb4-afb1-286687570b4d.jpeg?format=jpg&thumbnail=256)
lcamtuf.substack.com
Thought this was a good read exploring some of the "how and why", including several apparent sock puppet accounts that convinced the original dev (Lasse Collin) to hand over the baton.
All of these are signs of persistent threat actors, aka state-sponsored hackers. Though the real motive we will never know, as it's now a failed project.
Imagine how pissed they are. Or maybe they silently alerted the Microsoft guy themselves, as they only did it for cash and they'd been paid.
I am sure most superpowers in the world can easily sink 2 years into maintaining an obscure project in order to break a system as important as OpenSSH.
I doubt they will be pissed about one failure, and we can only hope there aren't more vulnerable projects out there (spoiler alert: probably many).