If it was state-sponsored (considering the timeline, that's a real possibility), then "Jia Tan" could actually be a collection of folks, working for the same team.
I think 'Jia Tan' is one person who's committing the changes, based on the language used in the commits. Whether those changes came from a group will never be known.
Never say never. There's a paper trail going back a couple of years. People, especially professionals, can be good with tradecraft, but everyone makes mistakes.
It amuses me how the default hacker stereotype changed from an autistic nerd person (no offense) to a state-backed USA/Chinese/Korean/Israel/Russian APT group.
I can absolutely imagine people like crimew pwning sshd because it's fun! It's interesting! It's a way to get people to think more about the open source community! Just why not?
Absolutely. The old "Dark Hoodie" stereotype is starting to get old.
However, I know that some of the Russian/East European teams were/are composed of a bunch of nerdy types that are rather loosely associated with state sponsors.
It's entirely possible that "Jia Tan" is a contractor that is hired to do the work, so even if we figured out who they were, we might never know who was pulling the puppet strings.
I've been going through Wikipedia's list of countries by GDP and trying to think about what the poorest country is that could pull it off in the normal course of business, and the poorest country that could pull this off if the leader decided it was important and was willing to push a little. I think there are at least a hundred countries in the latter category.
I suspect that something like this could have been pulled off by a single actor with the time and effort and skill needed, so literally every country in the world could have done it, theoretically.
My bet is on the Vatican City elite hackers.
(It's sophisticated, but it could have been done by a "commercial hacking group" for other purposes, especially to sell; if this had gotten into live RedHat systems it would be quite the valuable 0day.)
I think we should use the term "Jai Tan" to refer to someone like this - "I want to hand over maintenance of this project, but I don't want a jaitan." - etc.
It sounds unlikely that he was an individual working on his own. So if the organisation he worked for has another Snowden, yes. (I am not saying it is necessarily the same organization, there are at least 4 obvious candidates and it could be a more surprising one.)
I have no idea if you're correct or not, but that doesn't really indicate who was behind it, other than suggesting that it might NOT be Chinese state actors, because that would be way too obvious a giveaway when investing multiple years of effort into a stealthy project.
Are we ever going to figure out who Satoshi is? Probably not anytime soon, but we can look for clues. Jia was obviously interested in OSS security and fuzzing[0], but my wild guess is that s/he is not a state actor. I would rather assume s/he is a hobbyist opportunistic hacker who got triggered by the thought "If I can exploit this, why not?". I assume s/he intended to build a botnet and do whatever s/he came up with. The initial motivation could've been, like I said, opportunism and perhaps the technical challenge of exploiting the software.
I think this is somewhat unlikely. Timezone/timestamp analysis of their commits seems to show them working on it as a day job. And that they were obfuscating their location from the get-go (not 100% successfully). It may not have been a state actor or even paid, but it seems like they started with at least the intent to deceive about their identity and origin, and that they were working on it as more than just a hobby.
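The timezone/timestamp analysis mentioned above is easy to reproduce on any repository. The block below is an added example, not code from this thread or from the xz project, and the commit lines it reads are constructed to show the pattern being described: every commit declares a +0800 offset, yet the times sit outside a normal workday in that zone and inside one at a different offset. The 09:00-17:00 "workday" window and the candidate offset range are assumptions of this example.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of `git log --format=%ad --date=iso` output.
# Every commit declares +0800, but in that zone they land 15:00-23:00
# (07:00-15:00 UTC). Not real xz or "Jia Tan" history.
SAMPLE_LOG = """
2023-06-27 15:12:41 +0800
2023-06-28 16:03:09 +0800
2023-06-29 17:44:20 +0800
2023-07-03 18:21:55 +0800
2023-07-04 19:08:37 +0800
2023-07-05 20:30:02 +0800
2023-07-06 21:15:48 +0800
2023-07-10 22:02:13 +0800
2023-07-11 23:40:29 +0800
"""

DATE_FMT = "%Y-%m-%d %H:%M:%S %z"
WORK_START, WORK_END = 9, 17  # assumed local hours of a plausible day job


def parse_commits(log_text):
    """Parse `%ad --date=iso` lines into timezone-aware datetimes."""
    return [datetime.strptime(line.strip(), DATE_FMT)
            for line in log_text.splitlines() if line.strip()]


def declared_offsets(commits):
    """Histogram of the UTC offsets (whole hours) the author's machine claimed."""
    return Counter(int(dt.utcoffset().total_seconds() // 3600) for dt in commits)


def local_hours(commits, offset_hours):
    """Hour of day of each commit if the author really sat at UTC+offset_hours."""
    tz = timezone(timedelta(hours=offset_hours))
    return [dt.astimezone(tz).hour for dt in commits]


def workday_fit(commits, offset_hours):
    """Number of commits inside the workday window at a candidate offset."""
    return sum(WORK_START <= h <= WORK_END for h in local_hours(commits, offset_hours))


def best_fit_offset(commits, candidates=range(-12, 15)):
    """Candidate offset that puts the most commits inside the workday window."""
    return max(candidates, key=lambda off: workday_fit(commits, off))


def analyze(log_text):
    """Compare the declared zone with the zone that best fits a day-job pattern."""
    commits = parse_commits(log_text)
    declared = declared_offsets(commits).most_common(1)[0][0]
    best = best_fit_offset(commits)
    return {
        "commits": len(commits),
        "declared_offset": declared,
        "declared_fit": workday_fit(commits, declared),
        "best_fit_offset": best,
        "best_fit": workday_fit(commits, best),
        "hour_histogram_declared": dict(sorted(Counter(local_hours(commits, declared)).items())),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the constructed sample only 3 of 9 commits fit a workday at the declared +0800, while all 9 fit at +0200. The declared offset is whatever the committer's machine says and is trivially set, so a mismatch like this is a hint about where someone actually works, not proof; it becomes interesting when it persists over years and when the occasional commit carries a different offset than the rest.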
The interest in OSS-Fuzz was because it was used to monitor libxz, and so one of the necessary subgoals was to trick its maintainers into exempting libxz from a check that may have caught the backdoor, or at least drawn attention to it for unrelated reasons: https://github.com/google/oss-fuzz/pull/10667
So did he plan all this from the beginning, or did he go full yolo somewhere down the line?! I am looking at his mailing list chat[0] and he seemed pretty enthusiastic about improving and fixing XZ.
> Either way, it's your preference and I will follow your lead. Jia Tan
> It's out of the scope for this patch, but it is something worth considering. Just trying to do my part as a helper elf! Jia Tan
Sounds like someone pulling the strings and using the "it's your idea, I'm just following!" strategy.
My hunch from reading over all the language used is that this person spent a good deal of time in America and has a carefully crafted 'customer service' manner of speaking. I may be wrong on the spending time in America part, but they are most definitely used to putting people at ease with their word choice.
I also found this bit interesting, as it's one of the few times they referred to "us" and "we"
> The contributors to this project are hobbyists so we can't
> dedicate 40+ hours a week for fast releases of high quality. Thank you
> for your understanding and if you want to help work on anything you
> can always submit a patch :)
What a guy... he is trying his best to gain people's trust and then shove a backdoor down your throat. And that smiley face at the end is just straight out trolling.
From what I've seen (and I've not seen much, mind you) - someone went through and carefully categorized various libraries by the ability to be injected into OpenSSH on the target systems AND those that were lightly maintained, if at all.
xz was the winner, but there are likely others that could have been used.