The things I don't like about the discussion on whether there is a state actor behind the #xz backdoor are:
It doesn't change the response for pretty much anyone except a narrow group of professionals. Ultimately I don't know that it matters for most of us if this was a state attacker or some kid who wants a way to get op privileges.
It distracts from next steps.
Would they think that if the actor were named John? Will this increase suspicion of anyone with a "foreign" sounding name?
@hrefna I think that the "state actor" assumption is the safer one. Here's why: if it was an extremely persistent and clever kid, then this might be the only instance of this kind of attack. But if it is a well funded group, state or not, this might be a technique that has been used elsewhere, perhaps successfully, and this is the only one that has been caught. So: look for other instances of the same or a similar attack. There were multiple very clever steps here: were they used elsewhere?
@hrefna one way it matters is if this was a state actor, they probably have more resources to continue to throw at this kind of attack. Including possibly other exploits in the pipeline. The hypothetical single kid has just wasted a ton of time and might not try again.
@joeyh Which is absolutely useless analysis from the standpoint of determining how to prevent it in the future, and is also not useful even to speculate about unless you are like quite literally working for a very, very narrow group of security professionals.
It also costs a trivial amount of money to fund this sort of thing. Like you don't need a state actor, a small company could do it trivially.
@joeyh k. Your disagreement and $5 will get me a cup of coffee.
Random dude who doesn't seem to understand threat assessment and who works on low-level utilities has opinions that are different from security professionals, security-adjacent professionals, and SREs. Film at 11.
@hrefna @joeyh
But xe are the only security professional I've seen with this opinion, and this security professional certainly disagrees with xe.
People politely disagreeing with a subjective opinion deserve a better response than
A. Assumptions about gender
B. Assumptions about profession and skill
C. Pithy fucking "film at 11." dismissals.
k, and your complete inability to understand second person pronouns and use of "assumptions about gender" (which I didn't, thank you very much, unless it's changed very recently) also indicates that you are a person I do not need to be talking to either, regardless of your credentials.
If you are in that narrow group of professionals or you are building a threat model for your system, state actors are definitely part of the equation.
But it's very easy to get caught up in "who did it" and not "how did they do it".
I see multiple problems here. Some of which I don't know how to correct, but it doesn't matter if it is a state actor; others are things that would apply regardless of whether they are a state actor.
Maybe there is something, but if so it is likely far beyond lay responses.
Side note: this is part of why we have blameless postmortems even when there is a clear place to assign blame. Acting on the blame takes a different route and sometimes that route is needed, but it also needs to be part of a different analysis
Because when a problem in a system is exploited you have two problems. The first is who did it, the second is that the system could be exploited by them in the first place, and focusing too much on the first undermines the second in a great many cases
@irenes @hrefna truth. Basically nobody except for a national govt can actually benefit from attributing to an entity beyond a collection of behaviors and tooling.
Whether it was even a state actor or a new development in commodity access brokerage, it doesn’t make a difference for anyone trying to deal with protecting against similar attacks.
Edit: For reference, I work in ICS/OT cybersecurity where being targeted by state actors is a definite reasonable concern. I still don’t benefit from knowing what nationality a group hails from.
@whereisthespai @hrefna we saw that taxonomy of national interests vs. money as, allegedly, the two possible motivators on Friday... we also do think that it's a mistake to exclude ideology as a motivator for individuals. if somebody really believes that the proper shape of the world is some specific thing, yeah, they will absolutely spend years trying to bring it about. there are in fact people who believe in things, even today.
@irenes @whereisthespai @hrefna Bad idea for an April Fool's: Tip off the world to a backdoor a few days prior, and on April 1 publish a proof that the public key was generated in a way that the attacker can have no knowledge of the private key, and thus the backdoor is not exploitable.
I guess that could be ideology (someone who really hates open source, or wants people to take security seriously).
Addressing structural vulnerabilities is a much more efficient approach than whack-a-moleing bad actors. Gets harder to mole if it's harder to dig a hole.
People who plan to take advantage of holes really love to distract everyone with the blame-chasing. It's more exciting and has more short-term gratification.
Do you think this is the first person in the history of the internet to try to pull this kind of stunt or that they are somehow uniquely qualified?
Do you think that the funding required to do this sort of thing is somehow exceptional?
"But they might give up if they aren't funded." Sure, but then their funder might also pull funds tomorrow, or they might be highly motivated because have you met the kinds of people who would try to get/keep op on IRC servers?
You know that this attack vector is a viable one for a dedicated attacker.
You know that dedicated attackers exist. They may have any of eight million reasons. You also know that even absent that there's very little stopping a dedicated adversary from working to flip someone trusted to their side with a little work.
What will it cost to find out if they are state funded?
If they are state funded how does it change your response?
we would like to see programming language/build system ecosystems where we can define and enforce security boundaries between our projects and our dependencies.
(in fact, wasm already lets us do that! but outside of explicit sandboxing use-cases, nobody does it. possibly in part because interfacing with it is a pain...)
@SoniEx2 I think of it as a series of things that all basically failed together.
Overworked engineer burned out and had no one to hand off project to, was manipulated/harassed (either maliciously or benignly) into handing it off to a bad actor.
Change in ownership did not include a change in trust.
There's a need to verify that what was deployed was properly reviewed and matches what an authorized person expected.
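The last point in that post is the one that can be turned into a concrete check: compare what was actually shipped against what a reviewer signed off on. The script below is an added example, written for this page and not code from the thread or from the xz project. It assumes the reviewed tree is already on disk (for instance the output of `git archive` for the tagged commit) next to an unpacked release artifact, and it flags every file that exists only in the artifact or whose content differs from the reviewed copy. The sample trees in `demo` are constructed inline so the script runs offline; the file names in them are illustrative, not real xz paths.

```shell
#!/bin/sh
# Added example (not from the thread or the xz project): flag files in a
# release artifact that a reviewer of the source tree never saw. Anything
# that is only in the artifact, or differs from the reviewed tree, has
# bypassed review and needs an explanation before the artifact is deployed.
set -u

# digest FILE -> lowercase hex SHA-256 (sha256sum on Linux, shasum elsewhere)
digest() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1"
  else
    shasum -a 256 "$1"
  fi | cut -d' ' -f1
}

# list_tree DIR -> one "<sha256>  <relative path>" line per regular file,
# sorted in the C locale so comm(1) can consume it directly.
list_tree() {
  (cd "$1" && find . -type f | while read -r f; do
    printf '%s  %s\n' "$(digest "$f")" "${f#./}"
  done) | LC_ALL=C sort
}

# unreviewed_files REVIEWED_DIR ARTIFACT_DIR
# Prints, sorted, the artifact paths that are new or whose content differs
# from the reviewed tree. Returns 1 if there are any, so it can gate a build.
unreviewed_files() {
  reviewed=$(mktemp) || return 2
  artifact=$(mktemp) || return 2
  list_tree "$1" > "$reviewed"
  list_tree "$2" > "$artifact"
  # comm -13 keeps lines present only in the second listing (the artifact);
  # a modified file shows up because its hash line no longer matches.
  # The path starts at column 67: 64 hex digits plus two spaces.
  out=$(LC_ALL=C comm -13 "$reviewed" "$artifact" | cut -c67- | LC_ALL=C sort)
  rm -f "$reviewed" "$artifact"
  [ -n "$out" ] && printf '%s\n' "$out" && return 1
  return 0
}

# demo yes|no -> builds a constructed pair of trees and runs the check.
# "yes" adds a generated script, an extra m4 file and a modified source file
# to the artifact; "no" ships exactly the reviewed tree.
demo() {
  tamper=$1
  top=$(mktemp -d) || return 2
  mkdir -p "$top/reviewed/src" "$top/artifact/src" "$top/artifact/m4"
  # reviewed tree: what the tagged commit contains (constructed sample)
  printf 'AC_INIT([demo], [1.0])\n' > "$top/reviewed/configure.ac"
  printf 'int main(void){return 0;}\n' > "$top/reviewed/src/main.c"
  # artifact: starts as a faithful copy of the reviewed tree
  cp "$top/reviewed/configure.ac" "$top/artifact/configure.ac"
  cp "$top/reviewed/src/main.c" "$top/artifact/src/main.c"
  if [ "$tamper" = yes ]; then
    printf '#!/bin/sh\necho configure\n' > "$top/artifact/configure"
    printf 'AC_DEFUN([extra], [])\n' > "$top/artifact/m4/extra.m4"
    printf 'int main(void){return 1;}\n' > "$top/artifact/src/main.c"
  fi
  unreviewed_files "$top/reviewed" "$top/artifact" && status=0 || status=$?
  rm -rf "$top"
  return $status
}

# Usage against real trees:
#   unreviewed_files /path/to/git-archive-of-tag /path/to/unpacked-tarball
# Stand-alone run shows the constructed tampered case:
[ "${1-}" = --demo ] && demo yes
```

The check deliberately treats a generated file the same as a modified one: a release process that legitimately adds generated files has to enumerate them, and every path the script prints should either be on that list or be a finding. It only compares regular files and their contents; a fuller version would also compare modes and symlinks, and would take the reviewed tree from a signed tag rather than from a local checkout.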