XZ Backdoor: Times, damned times, and scams
Operational security and traceability
- Many comments debate how traceable the attacker is via GitHub, IPs, and SSH keys.
- Some expect law enforcement to subpoena GitHub / VPN logs; others argue careful use of VPNs, Tor, or hijacked accounts can make that difficult.
- Several point to apparent opsec mistakes: inconsistent timezones, different emails/names, and a US-based VPN provider that likely keeps logs.
- Others counter that high‑end actors sometimes insert deliberate inconsistencies to misdirect investigators.
VPNs, payments, and metadata
- Discussion around anonymity of commercial VPNs: most keep some logs or payment trails.
- Mullvad’s cash-in-envelope option is seen as stronger, but people note postal metadata and upstream traffic analysis can still weaken anonymity.
- Some argue serious attackers often just use already-paid hacked VPN accounts or proxy chains, not stolen credit cards.
Timezone and holiday analysis
- The article’s commit-time analysis (UTC+8 vs UTC+2/3) draws both interest and criticism.
- Commenters catch arithmetic errors in the examples; the authors acknowledge and correct them.
- People note DST quirks, differing Christmas dates (Western vs Eastern Orthodox), and varying workweeks (e.g., Israel, Middle East).
- Several argue the data set is thin and easily spoofed with scripts or scheduled pushes; others note real-time interactions (bug reports, mailing lists) are harder to fake consistently.
- Multiple regions are floated as plausible; consensus is that origin remains unclear.
Who is behind it? Lone hacker, team, or state?
- Views range from lone-wolf to organized team to state actor.
- Some think the long time horizon and sophistication point to a well-resourced organization; others say individuals could do this too.
- Several warn about attribution traps and false flags, arguing that trying to “guess the country” is largely unproductive.
Why rpm/deb and how big could this have been?
- Many suggest rpm/deb were chosen because they cover most major enterprise Linux distros (Red Hat, Debian, Ubuntu, etc.).
- Targeting packaging scripts reduces detection by developers compiling from source and narrows to tested environments.
- Debate over impact: some compare potential scope to or beyond Stuxnet; others stress it never reached stable releases and only a small fraction of systems were actually at risk.
- The exploit’s kill switches and limited current deployment lead some to see it as strange or possibly a “rehearsal.”
Open source trust, maintainers, and lessons
- Strong criticism of how easily core FOSS projects grant commit access to pseudonymous contributors; others note it’s practically impossible to “prove” someone isn’t a state actor.
- Suggestions include tighter social vetting (meeting people, social circles) versus acknowledgment that determined state actors can fake this too.
- Several highlight that maintainers are under-resourced; donations, security auditing of releases, and internal pentesting are urged.
- Some advise never running bleeding-edge in production; others respond that someone must be an early adopter, but only in well-isolated test environments.
- A few share techniques for hiding real locations in git history (UTC-only timestamps, truncating times, scripts/aliases).