“the lesson *I'm* choosing to take from xz, as an oss maintainer, is that anyone trying to pressure or guilt me into doing something should immediately be told no, for security reasons”

davel [he/him]@lemmy.ml to Open Source@lemmy.ml – 579 points –
crabby.fyi
57

You are viewing a single comment

he was using a singapore VPN and had access to multiple sockpuppets. we know literally nothing else about them and anything you've heard to the contrary is baseless rumor.

leading theory is that it was a state-sponsored actor, but frankly even that much is speculation and which state is still way up in the air.

It seems I'm out of the loop, how do we know about hongkong and singapore?

we know about the singapore VPN because they connected to IRC on libera chat with it. the only reason I can think people would believe they're from hong kong is because of the pseudonym they used, but it's not like that proves anything.

see link posted in another user's reply: https://boehs.org/node/everything-i-know-about-the-xz-backdoor#irc

we know about the singapore VPN because they connected to IRC on libera chat with it.

Hmm.

I don't know if the VPN provider is willing to provide any information, but I wonder if it's possible to pierce the veil of VPN in at least approximate terms?

If you have a tcpdump of packets coming out of a VPN -- probably not something that anyone has from the Jia Tan group -- you have timings on packets.

The most immediate thing you can do there -- with a nod to Cliff Stoll's own estimate to locate the other end of a connection -- is put at least an upper bound and likely a rough distance that the packets are traveling, by looking at the minimum latency.

But...I bet that you can do more. If you're logging congestion on major Internet arteries, I'd imagine that it shouldn't take too many instances of latency spikes before you have a signature giving the very rough location of someone.

Some other people pointed out that if they used a browser, it may have exposed some information that might have been logged, like encodings.

I don't foresee anyone with the kind of data needed to do more investigation releasing it to the public, so I doubt we're going to be getting any satisfying answers to this. Microsoft may have an internal team combing through github logs, but if they find anything they're unlikely to be sharing it with anyone but law enforcement agencies.