
I don't think he was from Eastern Europe, but if you want to look at UTC+0200/+0300, in Europe this only includes Finland, Baltics, Ukraine, Romania, Moldavia, and Greece. But notably if you look a bit down it also includes a good chunk of the Middle East, including Israel.


Noticed a 4-week empty block in August. This lines up with European holiday schedules. Less common in Finland though, we prefer July.


Tukaani is a Finnish organisation primarily contributed to by Finnish people. You look at the contributors and almost all of them have Finnish names.

Seems to check out to me.


What about the daylight savings time and holidays points? How do they line up for Israel?


I don't know about holidays, but Israel uses the same daylight saving time as the Eastern European countries mentioned, i.e. switching from UTC+0200 to +0300 at around the same time. The only difference is that they start daylight saving time on Friday instead of Sunday of the same week.
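The offset and DST reasoning in this subthread, and the Tue-Fri weekday pattern raised further down, as an added example that is not part of the original thread or of any project mentioned in it: it tallies commit UTC offsets and local weekdays from `git log --format='%h %aI'`-style lines and checks the observed +02:00 to +03:00 transition against the EET rule (last Sunday of March) and the Israeli rule (the Friday before it). The log lines are constructed, not real commit history.

```python
from collections import Counter
from datetime import date, datetime, time, timedelta, timezone

# Constructed sample in the shape of `git log --format='%h %aI'` output.
# Made-up hashes and dates, not the real xz/Tukaani history.
SAMPLE_LOG = """\
a1b2c3d 2023-03-21T14:05:00+02:00
b2c3d4e 2023-03-24T19:30:00+02:00
c3d4e5f 2023-03-28T10:12:00+03:00
d4e5f6a 2023-05-10T16:45:00+03:00
e5f6a7b 2023-10-27T11:00:00+03:00
f6a7b8c 2023-10-31T09:20:00+02:00
"""

def parse_log(text):
    """Parse '<hash> <ISO-8601 author date>' lines into (hash, aware datetime) pairs."""
    return [(h, datetime.fromisoformat(ts)) for h, ts in
            (line.split(maxsplit=1) for line in text.splitlines())]

def offset_histogram(commits):
    """Count commits per numeric UTC offset, e.g. {'+02:00': 3, '+03:00': 3}."""
    return dict(Counter(dt.isoformat()[-6:] for _, dt in commits))

def weekday_histogram(commits):
    """Count commits per local weekday (the Tue-Fri clustering discussed in the thread)."""
    names = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]
    return dict(Counter(names[dt.weekday()] for _, dt in commits))

def last_sunday(year, month):
    """Last Sunday of a month; EU/EET clocks change on these in March and October."""
    last = date(year + (month == 12), month % 12 + 1, 1) - timedelta(days=1)
    return last - timedelta(days=(last.weekday() + 1) % 7)

def spring_switch_consistency(commits, year):
    """Compare the last +02:00 and first +03:00 commit of spring `year` with the EET
    switch (last Sunday of March, 03:00 local) and the Israeli one (Friday before, 02:00)."""
    spring = [dt for _, dt in commits if dt.year == year and dt.month <= 6]
    tz2 = [dt for dt in spring if dt.utcoffset() == timedelta(hours=2)]
    tz3 = [dt for dt in spring if dt.utcoffset() == timedelta(hours=3)]
    if not tz2 or not tz3:
        return {}
    last2, first3 = max(tz2).astimezone(timezone.utc), min(tz3).astimezone(timezone.utc)
    sunday = last_sunday(year, 3)
    rules = {"EET": datetime.combine(sunday, time(1), tzinfo=timezone.utc),  # 03:00 at +02:00
             "Israel": datetime.combine(sunday - timedelta(days=2), time(0), tzinfo=timezone.utc)}
    # A rule fits if every +02:00 commit precedes its switch and every +03:00 commit follows it.
    return {name: last2 < when <= first3 for name, when in rules.items()}
```

With the sample data the window rules out the Israeli rule (a +02:00 commit on the Friday evening after Israel's 02:00 switch) while remaining consistent with EET; on real data, a misconfigured clock or a VPN-hopping contributor would of course blur this.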


I don't know all the holidays but they have commits on Yom Kippur dates in 2021 and 2022. For 2023 it's harder to say because their commit activity is sparser.


Israelis usually are off on Fridays so it doesn't match the git commit records.


Israelis are usually off from the evening of Friday (sundown) till the evening of Saturday (sundown) for Shabbat. Where did you get the idea that they’re off on Fridays during daytime?

In this context, middle eastern countries with Islam as the majority religion have the day off on Fridays.


I used to work for two Israeli companies and they were always off on Friday and Saturday. They start the week from Sunday.


In Israel, Friday is generally not a workday (or "business day"), a la Sunday in the Western world.


Not sure why you’re downvoted. When you think of state actors, Israel comes very high (stuxnet etc), as well as the usual US/Russia/China/NK groups.

Unit 8200 in the IDF especially have a very notable reputation.

That’s not to say other countries don’t have capabilities (and this doesn’t look like you need the resources of a group like, say, the NSA or GCHQ for this particular attack - indeed it could just be a single lone wolf), but it’s noteworthy.


If the only thing I knew was UTC+2 (and I don't even think I know that; I'm really cautious with assumptions about what mistakes that kind of people plausibly make), Israel would be very high on the list. But FWIW, 25 Dec is a Catholic holiday, and even though it's mentioned on the Wikipedia page about Israeli holidays, I'm not sure how official that is. I mean, it doesn't seem to be, like, a real Israeli holiday.


I think no commits on December 25 is not enough to go by. He's been active for about 2 years, so that's what, 1-2 Christmases? I assume he doesn't commit literally every day. So it could be a coincidence that he didn't on those particular 1-2 days. Also, in many Orthodox Christian majority countries including those in UTC+2 they don't celebrate on 12/25.

But doesn't Israel also not follow a typical work week? Eg. No commits on Friday afternoon?


Yes, that's what I mean as well: I don't really think this analysis is anywhere near to being considered conclusive. It's interesting. But that's it. From what I'm seeing, there really isn't very much data. The article makes it feel like there is this huge archive of commits that draws a picture of a guy working almost every day on these projects with some very visible gaps in time, but there really isn't. The data is quite scarce. I would need to actually do the analysis myself to decide what I'm willing to believe, and I don't think I want to do this right now. But for now, I don't think we really have anything.

…What I would really want is some input from Microsoft. I don't know what they can reveal, but I believe they must have quite a bit more data than us. Even speaking about times, well, he must have been using GitHub for more than just committing stuff. And I'd imagine they have some logs. Also, it's very fair to assume that he was using a VPN all the time, but it's also fair to assume that he wouldn't accidentally slip like that, revealing his real time zone in 9 commits. So, yeah, for sure there are people who have way more data than me, and probably know how to use it properly better than me too. Not sure they will be willing to share, though.


Somebody on another HN thread pointed out he used Gmail, so Google has something too.

I think I saw somewhere a claim that somebody confirmed he used a VPN; I can't recall how they did that.


Anyone try emailing with a tracking image?


No need to bother with a tracking image. Just scour the message headers of any message sent in the past; there's a decent chance there are a few more dates lurking in those headers, and even an IP address or two.


Headers have the IP address of their mail service.


Years ago they would include the IP of the end user. Gmail and hotmail stopped including that more than a decade ago. But they both used to. I think Gmail stopped this practice years ahead of Hotmail.

I have a relative with mental health problems who lives on the street, and he sometimes writes me from public libraries -- kind of luckily for family members who are concerned about him, the webmail service he uses still includes that info in headers. So I usually know which public library he writes from.


When I was a PhD student, IPs in headers were a great way to see if professors I was working with were traveling or not...


I'm sure this guy is not checking his email after being exposed.


They refused to divulge how they knew


It's not just that there's only two Christmases. It's that Christmas fell on Sunday in 2022 and Monday in 2023, and the article already established the attacker mainly worked Tuesday-Friday. The note about the attacker never working on New Year has the same problem (New Year's Eve/Day always lines up with Christmas Eve/Day, so would not have hit the Thu-Fri window either).


December 25 and Jan 1 are regular work days in Israel, with the legal option that someone can't be refused permission to take those days off, but they have it deducted from their accrued vacation time (there are other days that one can't be refused permission to take off, but if no vacation days are available, one has to be offered leave without pay for those days).

i.e. most Israelis work those days.


Even a North Korean hacker would be plausible.


NK are one of the most prolific state actor countries. They aren't UTC+2 though.

Greece and Finland aren’t prolific. I’m sure they have the resources; many lone people would have. I don’t think they have the motives though. The US, Russia, China, NK and Israel have the motive, opportunity and track record. I wouldn’t rule out Ukraine either (and Ukraine is GMT+2).

I still think that an individual is the most likely candidate though.


“Trust no one! The minute God crapped out the third caveman, a conspiracy was hatched against one of them! ” - Gen. Hunter Gathers, OSI (The Venture Bros.)

There are parties who have effectively endless resources and motivation to mock up a false-flag event to steer the responsibility for this a certain way. They're all very, very good at covering their tracks, and even the most experienced security researchers will take months or years to just get an educated guess of who could be responsible. Trying to figure out who did this is a waste of time.

The lesson is this:

1. Never, ever install bleeding-edge software in production, for any reason.

2. Pentesters in your organization should be regularly trying to blow holes in your stack and let both you and package maintainers know the result. If they're not, they're not doing their jobs.

3. FOSS maintainers should audit the new code in each release for security issues, particularly for things that are obviously security-sensitive.

4. Donate to your FOSS maintainers; they do insanely important work.

These rules will pay off no matter who or what wants to break into systems.

This fortunately didn't get to stable. This was as close of a shave as you can possibly get without a security Chernobyl in your systems.

EDIT:

Downvote all you want; I'm right.

There are people who very much want to convince you and everyone you know that a certain party is responsible for this and every other attack you read about. They'll go out of their way to do that. There are geopolitical goals to be achieved by doing so.

We're currently talking about banning foreign ownership of an incredibly popular web app in the US right now. If you are a government or commercial entity that would benefit from such a law, how convenient would it be if there happened to be a GitHub user with a Chinese-sounding name who committed an attack vector to the project with a timestamp that looked like it could have come out of the PRC?

And let's say it is someone in mainland China. We find out they are beyond a shadow of a doubt and who they are on a personal level. Some big-time DA's office like the Southern District of New York puts out an indictment for them and requests extradition. The people who are behind this are almost certainly state-sponsored and there's no way their asses are being handed over to US Marshals, ever. You could even argue that if they managed to stumble into a situation where they could be extradited, the government responsible for backing them would "tie up the loose end" before letting that happen, lest greater knowledge of what the organization has been doing fall into enemy hands.

Besides the Bond-style intrigue, there's no practical application to the knowledge. You already know where your users are coming from, most of the time, and might be geo-blocking based on that alone. If not, you know you should be alert to other threats from that region. If you're not, you aren't doing your job.


> Never, ever install bleeding-edge software in production, for any reason.

But for any X which is mainstream today someone was always the first of X. And even then being the second or third is still cutting edge. For a certain kind of company it makes sense to play this way, but if it were everyone then we'd have a tragedy.


That's why you run X in your sandbox/QA/testing/whatever-you-call-it environment, safe from the prying eyes of the public internet and the private data of users. Once it's all good there, and the community has come to a consensus about it being safe and ready-for-release, that's when you can put it wherever you want.

99.9% of releases for packages like this are boring bugfixes and stuff, not earth-shattering new features. You're not at a competitive disadvantage for not having taken this version of xz and having routed all of your traffic through it.

