Andres Freund and the xz backdoor
nytimes.com> Engineers have been circulating an old, famous-among-programmers web comic about how all modern digital infrastructure rests on a project maintained by some random guy in Nebraska. (In their telling, Mr. Freund is the random guy from Nebraska.)
Huh, my take was that the "guy in Nebraska" was Lasse Collin, the original xz maintainer. Am I alone in that?
Just made exactly the same comment, the xz maintainer is clearly the proverbial "random guy in Nebraska"
That would definitely be a more accurate/literal interpretation of what the xkcd comic meant.
But I think this holds up in the spirit of it, which is that core open source contributors / maintainers keep things afloat despite a shocking lack of resources or investment by the companies that benefit from it. (Notwithstanding the fact that Freund is employed by Microsoft.)
Yup, they definitely got that wrong
Same, possibly a mix up on their part
Why is the NY Times afraid to namedrop XKCD :( https://xkcd.com/2347/
NY Times links to the XKCD comic directly. Try clicking on the words "some random guy in Nebraska" in the article.
A more level-headed report with less fluff from the economist: https://www.economist.com/science-and-technology/2024/04/02/...
> In the cybersecurity world, a database engineer inadvertently finding a backdoor in a core Linux feature is a little like a bakery worker who smells a freshly baked loaf of bread, senses something is off and correctly deduces that someone has tampered with the entire global yeast supply.
These kind of analogies are always a bit of an eye roll for me but I’ll grant a few points for creativity here
Or someone finding a $.75 accounting error, and uncovering an international East-German hacker ring.
This is way better analogy
The wonders of open source.
Why is the HN submission titled "Andres Freund and the xz backdoor"? The NYTimes title (at least right now?) is: "Did One Guy Just Stop a Huge Cyberattack?"
"Engineers have been circulating an old, famous-among-programmers web comic about how all modern digital infrastructure rests on a project maintained by some random guy in Nebraska. (In their telling, Mr. Freund is the random guy from Nebraska.)"
No, it's Lasse Collin the _maintainer_ of xz..
In an otherwise well written and accessible article, I found the naming of example nations gratuitous:
> some researchers believe only a nation with formidable hacking chops, such as Russia or China, could have attempted it.
… or the US, UK, Israel, Germany, France, Canada, Australia, DPRK, Japan, etc, and the security offence companies that work as a supply chain for such nations in provision of embedded exploits.
It’s based on very weak logic, but perhaps “Jia Tan” rules out China.
>It’s based on very weak logic, but perhaps “Jia Tan” rules out China.
The Stasi sometimes used real names for cover names as well so you could draw no conclusions at all from a fake identity, not even by process of elimination. At the end of the day I don't think you can infer anything from the names or geolocations involved.
For me the names "Hans Jansen" and "misoeater91" also rule out China. I think it's Israel or USA or Russia. Apparently the 6 accidental timezone slip-ups in the commit history would be compatible with Israel or Russia, although can't even rule out that those are there on purpose to throw us off the scent...
Israel has shown in the past, with Stuxnet, that they have the skill, the patience, and the will. Same for Russia with Solarwinds.
If Jia Tan was using a FIDO/U2F key, it would be nice if someone would publish its public component so others can check for any traces of its use, but I honestly don't know how those work and whether such is even possible.
[Edited to add Russia to my personal list of countries I suspect. Something about the "misoeater91" name kinda suggests Russia to me somehow...]
Between that and wrongly calling Andres Freund (the hero who saved the day) the Nebraska Man, I'm inclined to believe Jia Tan is American and the NYT was ordered to push narratives to deflect attention away.
</conspiracy_theory>
> (The New York Times has sued Microsoft and its partner OpenAI on claims of copyright infringement involving artificial intelligence systems that generate text.)
It's strange to see this included randomly in the middle of the article.
Conflict of interest disclaimer. It's pretty standard in journalism.
It's run-of-the-mill disclosure.
With even the NYT on board it should be clear to everyone now that the whole xz thing must be a plot to have that Andres Freund person introduced into government and security circles where he then can finally fulfill that heinous plot. Classic.
Ahh, the voices...