The sophistication here is really interesting. And it all got caught because of a fairly obvious perf regression. It reminds me of a quote I heard in one of those "real crime" shows: "There's a million ways to get caught for murder, and if you can think of half of them, you're a genius."
I can believe it’s because it was a team behind the account. Someone developed the feature and another more careless or less experienced one integrated it. Another one possibly managing sock puppets and interacting in comments and PRs.
It's called AIMS (Advanced Impact Media Solutions) and is used by several state-level actors these days, both pro- and contra-NATO.
Well, at least that one is the most sophisticated one on the market (as of now) and Team Jorge is probably making shitloads of money with it while not giving a damn about who uses their software in the end.
Maybe I’m just being naive or too trusting, but this is sort of what I think when folks are getting worried about other backdoors like this in the wild.
Is it that they just got unlucky to get caught, or is this type of attack just too hard to pull off in practice?
I’d like to think the latter. But, we really don’t know.
Note he's not a cybersecurity researcher, he's mostly a database engineer (a great one, making significant PGSQL contributions), so I'm not sure he's familiar with statistics and variety of backdoor attempts.
One measure might be that we never really found that many backdoors. Over time there is quite a large accumulation of hackers looking at the most mundane technical details.
This may be confirmed by regular vulnerabilities that are found in sometimes many decades old software, since vulnerabilities are much harder to find than backdoors. For example shellshock was 30 year old code, PwnKit 12 and log4j was ~10 ish.
So if backdoors were commonplace, we probably would've found more by now.
Perhaps that's changing now, the xz backdoor will for sure attract many copycats.
Doesn't your data prove the opposite point? There are so many vulnerabilities and so few people looking for them that even the thirty year old ones have barely been found.
A healthy feedback loop would have trended the average age of each vulnerability at the time of detection to be *short*.
I’m not convinced that if I found a bug that I’d notice all the security implications of fixing it. Occasionally yes, but I wonder how many people have closed back doors just by fixing robustness issues and not appreciated how big of a bug they found.
Maybe something could be built to put more eyeballs on things.
A kind of online tool that collects the sources to build some relevant distributions, a web front-end to show a random piece of code (filtered by language, probability to show increasing by less-recently/frequently/qualified viewed) to a volunteering visitor to review. The reviewer leaves a self-assessment about their own skills (fed back into selection probability) and any potential findings. Tool staff double-check findings (so that the tool does not create too much noise) and forward them to the original authors (bugs) or elsewhere (backdoors).
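As an added illustration of the selection rule sketched in the comment above (this is example code written here, not part of the thread or of any existing tool): snippets that were never reviewed, were reviewed long ago, or were only reviewed by people who rated their own skill low get a higher chance of being handed out next, and each completed review feeds the reviewer's self-assessment back into the snippet's weight. The snippet paths, the 30-day half-life and the 0.05 floor are made-up parameters for the demo.

```python
"""Weighted review-queue selection: an added example sketching the rule the
comment above proposes. Not from the thread or any real tool; every path,
timestamp and constant below is constructed for the demo."""
import random
from dataclasses import dataclass


@dataclass
class Snippet:
    path: str
    language: str
    last_reviewed: float = 0.0  # epoch seconds; 0.0 means never reviewed
    reviews: int = 0
    skill_sum: float = 0.0      # sum of self-assessed skill (0..1) of past reviewers


def review_weight(s: Snippet, now: float, half_life_days: float = 30.0) -> float:
    """Relative probability of showing `s` to the next volunteer.

    Never-reviewed code gets full staleness (1.0). Otherwise staleness climbs
    back toward 1.0 with a half-life of `half_life_days` since the last look.
    Accumulated reviewer skill divides the weight, so well-covered code is shown
    less often; the 0.05 floor keeps every snippet selectable.
    """
    if s.reviews == 0:
        staleness = 1.0
    else:
        age_days = (now - s.last_reviewed) / 86400.0
        staleness = 1.0 - 0.5 ** (age_days / half_life_days)
    return (staleness + 0.05) / (1.0 + s.skill_sum)


def pick_snippet(snippets, now, language=None, rng=None):
    """Weighted random choice, optionally restricted to one language.
    Returns None when nothing matches the filter."""
    rng = rng or random.Random()
    pool = [s for s in snippets if language is None or s.language == language]
    if not pool:
        return None
    weights = [review_weight(s, now) for s in pool]
    return rng.choices(pool, weights=weights, k=1)[0]


def record_review(s: Snippet, reviewer_skill: float, now: float) -> None:
    """Feed the reviewer's self-assessment (clamped to 0..1) back into `s`."""
    s.reviews += 1
    s.skill_sum += max(0.0, min(1.0, reviewer_skill))
    s.last_reviewed = now


def demo_corpus(now: float):
    """Three constructed snippets with different review histories."""
    day = 86400.0
    return [
        Snippet("proj/src/crc_fast.c", "c"),                                # never reviewed
        Snippet("proj/m4/host-detect.m4", "m4",
                last_reviewed=now - 400 * day, reviews=1, skill_sum=0.2),   # one weak review, long ago
        Snippet("proj/src/args.c", "c",
                last_reviewed=now - 1 * day, reviews=5, skill_sum=4.0),     # well covered, recently
    ]


def simulate(picks: int, seed: int, now: float = 1_700_000_000.0):
    """Hand out `picks` snippets and count how often each path came up."""
    rng = random.Random(seed)
    corpus = demo_corpus(now)
    counts = {s.path: 0 for s in corpus}
    for _ in range(picks):
        counts[pick_snippet(corpus, now, rng=rng).path] += 1
    return counts


if __name__ == "__main__":
    for path, n in simulate(1000, seed=1).items():
        print(f"{n:4d}  {path}")
```

The never-reviewed file and the stale, weakly-reviewed m4 macro dominate the queue, while the file with five recent skilled reviews is still offered occasionally because of the floor.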
Fedora and Ubuntu both enable frame pointers / disable -fomit-frame-pointer by default now[1]. That’s quite recent news in comparison to the backdoor’s history, admittedly.
Nah, it applies to the person trying to get away with the murder. People will do really, really intricate jobs of trying to cover up, then slip up because like, they leave a receipt in their car that accidentally breaks their alibi.
My favorite get away with murder stories are the imperfect frame up type stories. So commit a crime and lay a trail of bread crumbs to a false path that will be picked up by the investigators and then later on easily refuted by yourself - because you did it but not in the way you're accused of.
A clever murderer will disguise the murder as an accident, suicide or natural death. It will not even show in the stats as unsolved.
I got the idea from fiction (specifically Dorothy Sayers), but the number of murders Harold Shipman committed before anyone even noticed makes it plausible that people with relevant expertise (doctors, pharmacists, cops, etc.) could easily get away with murder. If Shipman had stopped after the first 100 or so he would have.
That's from Body Heat, said by Mickey Rourke to William Hurt. "...you got fifty ways you're gonna fuck up. If you think of twenty-five of them, then you're a genius - and you ain't no genius." (But a million sounds closer to the truth.)
Depends on locale. In Germany something like 90% of murder cases are solved/cleared.
In the U.S., I suspect a majority of the murders technically unsolved by police are cases where the identity of the perpetrators is somewhat of an open secret within communities that don't trust law enforcement (and LE similarly has little interest in working with them either.)
>In Germany something like 90% of murder cases are solved
You must watch out when reading the German crime statistics. "Solved" which is marked as "aufgeklärt" in those statistics just means that a suspect has been named. Not that someone actually did it/has been sentenced for the crime.
Surely it's pretty common everywhere to have at some point a suspect ('solved!') who is then released, because you lack evidence, realise it's not them, whatever. A suspect isn't necessarily convicted even if you do ultimately convict someone.
Turns out it was someone else, and you convict that other person. You thought you had them, were wrong, but did then ultimately solve the case.
It happens loads too, frequently in high profile stuff on the news they'll have a suspect who's somehow close to it, arrest them, but then they're released once satisfied with their alibi or whatever.
Or most murder investigations are (by definition) incompetent.
Or (more likely): The old idiom quoted above is stupid and useless. (That it presumes that murdering and getting away with it is somehow a noble or esteemed deed should be damning enough.)
There’s no money or benefits in solving crimes. It could be done easily in many cases but nobody cares about certain people like gang members. Lots of cases where the murderer tells everyone but nobody cares.
The 4th option they may appear to propose suggests that murder investigators don't get paid -- neither in money, nor in benefits.
So, to that end: As far as I know, that's not usually the case with government employees, and it is always actionable when it does happen to be the case.
It seems like a much more suitable parallel construction story to invent in this instance would be something like "there were valgrind issues reported, but I couldn't reproduce them, so I sanity checked the tarball was the same as the git source. It wasn't."
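The "sanity check the tarball against the git source" step the comment above describes, as an added example (written here, not code from the thread or from any project). It unpacks a release tarball next to `git archive` of the tagged commit, flags every git-tracked file whose shipped copy differs, and lists files that exist only in the tarball, since generated build files are the part a reviewer has to read by hand. The `demo-1.0` repository and both tarballs are constructed inside the script so it runs offline; `git`, `tar`, `cmp` and `comm` are assumed to be installed.

```shell
#!/bin/sh
# Added example: compare a release tarball with the git source it claims to
# come from. Fixture repo/tarballs are built below purely for the demo.
set -eu

# compare_tarball_to_git TARBALL GITDIR REF
#   Prints "MODIFIED/MISSING: <file>" for each git-tracked file that is not
#   byte-identical in the tarball and "EXTRA (not in git): <file>" for files
#   only present in the tarball. Returns 0 if all tracked files match, 1 if not.
compare_tarball_to_git() {
  tarball=$1; gitdir=$2; ref=$3
  work=$(mktemp -d)
  mkdir "$work/tarball" "$work/git"
  tar -xzf "$tarball" -C "$work/tarball" --strip-components=1
  git -C "$gitdir" archive --format=tar "$ref" | tar -xf - -C "$work/git"
  (cd "$work/git" && find . -type f) | sed 's|^\./||' | sort > "$work/tracked"
  (cd "$work/tarball" && find . -type f) | sed 's|^\./||' | sort > "$work/shipped"
  status=0
  while IFS= read -r f; do
    if ! cmp -s "$work/git/$f" "$work/tarball/$f"; then
      echo "MODIFIED/MISSING: $f"
      status=1
    fi
  done < "$work/tracked"
  comm -13 "$work/tracked" "$work/shipped" | sed 's/^/EXTRA (not in git): /'
  rm -rf "$work"
  return $status
}

# make_fixture DIR: a tiny constructed git repo, a clean tarball (git tree plus
# a generated "configure"), and a tampered tarball where a tracked file was
# altered before packaging.
make_fixture() {
  dir=$1
  mkdir -p "$dir/repo" "$dir/stage/demo-1.0"
  printf 'int main(void) { return 0; }\n' > "$dir/repo/main.c"
  printf 'AC_INIT([demo], [1.0])\n' > "$dir/repo/configure.ac"
  git -C "$dir/repo" init -q
  git -C "$dir/repo" add -A
  git -C "$dir/repo" -c user.name=demo -c user.email=demo@example.invalid \
      commit -q -m "initial import"
  cp "$dir/repo/main.c" "$dir/repo/configure.ac" "$dir/stage/demo-1.0/"
  printf '#!/bin/sh\necho "generated configure"\n' > "$dir/stage/demo-1.0/configure"
  tar -czf "$dir/demo-1.0-clean.tar.gz" -C "$dir/stage" demo-1.0
  printf 'int main(void) { return 1; }\n' > "$dir/stage/demo-1.0/main.c"
  tar -czf "$dir/demo-1.0-tampered.tar.gz" -C "$dir/stage" demo-1.0
}

fixture=$(mktemp -d)
make_fixture "$fixture"
echo "== clean tarball =="
compare_tarball_to_git "$fixture/demo-1.0-clean.tar.gz" "$fixture/repo" HEAD \
  && echo "OK: every tracked file matches git; review the EXTRA files by hand"
echo "== tampered tarball =="
compare_tarball_to_git "$fixture/demo-1.0-tampered.tar.gz" "$fixture/repo" HEAD \
  || echo "FAIL: tarball does not match git"
rm -rf "$fixture"
```

On a real project the EXTRA list is never empty (configure, Makefile.in, m4 macros and similar are generated at release time), so a matching tracked set only narrows the review to those generated files rather than replacing it; regenerating them from the tagged commit with the same autotools versions and diffing again is the next step.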
Wouldn't it have been easier to just have someone drive-by comment on the changes in the source tree in the comment? Like "what's up with this?"
Though I guess you end up with some other questions if it's totally anonymous. But I often will do a quick look over commits of things that I upgrade (more for backwards compat questions than anything but)
There also isn't really a reason for some contrived parallel construction here - whoever found the issue could just point to it without explaining how it was detected. They could even do that anonymously.
> Classic conspiracy theory.
I would not be too quick to shit on "conspiracy theories" however as there are plenty of proven cases of people conspiring against the interests of the public.