Andres Freund and the xz backdoor

52 points by Foe 1 year ago | 23 comments
  • consumer451 1 year ago
    > Engineers have been circulating an old, famous-among-programmers web comic about how all modern digital infrastructure rests on a project maintained by some random guy in Nebraska. (In their telling, Mr. Freund is the random guy from Nebraska.)

    Huh, my take was that the "guy in Nebraska" was Lasse Collin, the original xz maintainer. Am I alone in that?

    • johtso 1 year ago
      Just made exactly the same comment; the xz maintainer is clearly the proverbial "random guy in Nebraska".
      • wisemang 1 year ago
        That would definitely be a more accurate/literal interpretation of what the xkcd comic meant.

        But I think this holds up in the spirit of it, which is that core open source contributors / maintainers keep things afloat despite a shocking lack of resources or investment by the companies that benefit from it. (Notwithstanding the fact that Freund is employed by Microsoft.)

        • bicepjai 1 year ago
          Yup, they definitely got that wrong
          • quinn_yates 1 year ago
            Same, possibly a mix up on their part
            • ownlife 1 year ago
              Why is the NY Times afraid to namedrop XKCD :( https://xkcd.com/2347/
              • juliusdavies 1 year ago
                NY Times links to the XKCD comic directly. Try clicking on the words "some random guy in Nebraska" in the article.
            • jxy 1 year ago
              A more level-headed report with less fluff from the economist: https://www.economist.com/science-and-technology/2024/04/02/...

              https://archive.ph/rdxhb

              • nf3 1 year ago
                • wisemang 1 year ago
                  > In the cybersecurity world, a database engineer inadvertently finding a backdoor in a core Linux feature is a little like a bakery worker who smells a freshly baked loaf of bread, senses something is off and correctly deduces that someone has tampered with the entire global yeast supply.

                  These kinds of analogies are always a bit of an eye roll for me, but I’ll grant a few points for creativity here.

                  • derekp7 1 year ago
                    Or someone finding a $0.75 accounting error, and uncovering an international East German hacker ring.
                    • bicepjai 1 year ago
                      This is a way better analogy.
                    • HPsquared 1 year ago
                      The wonders of open source.
                    • juliusdavies 1 year ago
                      Why is the HN submission titled "Andres Freund and the xz backdoor"? The NYTimes title (at least right now?) is: "Did One Guy Just Stop a Huge Cyberattack?"
                      • johtso 1 year ago
                        "Engineers have been circulating an old, famous-among-programmers web comic about how all modern digital infrastructure rests on a project maintained by some random guy in Nebraska. (In their telling, Mr. Freund is the random guy from Nebraska.)"

                        No, it's Lasse Collin the _maintainer_ of xz..

                        • yzydserd 1 year ago
                          In an otherwise well written and accessible article, I found the naming of example nations gratuitous:

                          > some researchers believe only a nation with formidable hacking chops, such as Russia or China, could have attempted it.

                          … or the US, UK, Israel, Germany, France, Canada, Australia, DPRK, Japan, etc, and the security offence companies that work as a supply chain for such nations in provision of embedded exploits.

                          It’s based on very weak logic, but perhaps “Jia Tan” rules out China.

                          • Barrin92 1 year ago
                            >It’s based on very weak logic, but perhaps “Jia Tan” rules out China.

                            The Stasi sometimes used real names for cover names as well so you could draw no conclusions at all from a fake identity, not even by process of elimination. At the end of the day I don't think you can infer anything from the names or geolocations involved.

                            • juliusdavies 1 year ago
                              For me the names "Hans Jansen" and "misoeater91" also rule out China. I think it's Israel or the USA or Russia. Apparently the 6 accidental timezone slip-ups in the commit history would be compatible with Israel or Russia, although we can't even rule out that those are there on purpose to throw us off the scent...

                              Israel has shown in the past, with Stuxnet, that they have the skill, the patience, and the will. Same for Russia with Solarwinds.

                              If Jia Tan was using a FIDO/U2F key, it would be nice if someone would publish its public component so others can check for any traces of its use, but I honestly don't know how those work and whether such is even possible.

                              [Edited to add Russia to my personal list of countries I suspect. Something about the "misoeater91" name kinda suggests Russia to me somehow...]

                              • Dalewyn 1 year ago
                                Between that and wrongly calling Andres Freund (the hero who saved the day) the Nebraska Man, I'm inclined to believe Jia Tan is American and the NYT was ordered to push narratives to deflect attention away.

                                </conspiracy_theory>

                                • patrick-fitz 1 year ago
                                  > (The New York Times has sued Microsoft and its partner OpenAI on claims of copyright infringement involving artificial intelligence systems that generate text.)

                                  It's strange to see this included randomly in the middle of the article.

                                  • sterlind 1 year ago
                                    Conflict of interest disclaimer. It's pretty standard in journalism.
                                    • 1 year ago
                                      • pvg 1 year ago
                                        It's run-of-the-mill disclosure.
                                        • 1 year ago
                                        • hoc 1 year ago
                                          With even the NYT on board it should be clear to everyone now that the whole xz thing must be a plot to have that Andres Freund person introduced into government and security circles where he then can finally fulfill that heinous plot. Classic.

                                          Ahh, the voices...