Hacker News

You ever get offended that the attacker is so obviously incompetent? At least put in the work like the xz attacker.



> At least put in the work like the xz attacker.

There are very few people who can do that.


There are countless people who can do that and don't. There are almost certainly many people actively doing it still today. Thinking that the xz attack was extraordinary or difficult is a very big mistake.

Its news cycle should have conveyed a sense of "oh shit, we really do need to be watching for discreetly malicious contributors", not "whoa, I can't believe there was someone capable of that!" -- it seems like you learned the wrong lesson.


I came to the realization over a year ago, that the only thing needed to be an "Advanced persistent threat" is an attention span. Not even a long one.

Judging by how many drive-bys a random IPv4 address gets on AWS, GCP, Azure, or Vultr, they get ignored if they get it wrong, and nobody notices until too late if they get it right.


Well, the other take-away is that if somebody can put in the work to do that to hopefully get included into a Linux distro, what are they doing to get included into macOS / Windows?


Well, Linux distributions can be installed on Windows so…


They were targeting OpenSSH servers, not desktops.


I mean people often use desktops to connect to servers.

It's akin to putting an exploit into say some security software. It's probably going to have access to something you care about.


There are many people who could pull off an attack like that if they were so inclined.


You need ability, means (as in -- have the money to spend time on it), and motive. Many people have the ability. Many people have the means. (And there is some overlap, but the overlap isn't that large.) Few people have the motive.

The combination of all three tends to mostly appear in nation states. They have the motive, and they have the money to fund people with the ability to pull off this kind of attack.


Exactly, most of us need to work and aren't motivated enough to spend our free time committing crimes. I also assume this is full time work. From my limited perspective the hardest part was the time investment and gaining enough trust to put the code into action.


Most of the time you can just buy an expired domain name tied to a JS include or dependency maintainer email address, and you now have arguably -legal- ability to publish any code you want to thousands of orgs.

Plenty of expired npm maintainer email domains right now. Have fun.

I have done it twice to bring exposure to the issue. Seemingly no one cares enough to do the most basic things like code signing.
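From the defender's side, the risk the comment describes is auditable: every npm registry document lists its maintainers with e-mail addresses, so a consumer can check whether any maintainer's mail domain is still registered. The script below is an added example, not code from this thread or from npm; the registry documents and the set of "registered" domains are constructed inline, and `domain_is_registered` is a hypothetical stand-in for the live DNS or WHOIS lookup a real audit would use.

```python
"""Audit npm registry metadata for maintainer e-mail domains that are no
longer registered. Added example, not code from the thread; registry
documents and the resolver are constructed stand-ins."""
import json
from typing import Callable, Dict, List, Set

# Constructed stand-ins for the JSON served at https://registry.npmjs.org/<name>.
# Package names and addresses are made up; .test is a reserved TLD.
SAMPLE_REGISTRY_DOCS: Dict[str, str] = {
    "left-widget": json.dumps({
        "name": "left-widget",
        "maintainers": [{"name": "alice", "email": "alice@example-maintained.test"}],
    }),
    "tiny-parse": json.dumps({
        "name": "tiny-parse",
        "maintainers": [
            {"name": "bob", "email": "bob@lapsed-domain.test"},
            {"name": "carol", "email": "carol@example-maintained.test"},
        ],
    }),
    # Some documents carry no maintainer list at all; the audit must not crash.
    "no-maintainers": json.dumps({"name": "no-maintainers"}),
}

# Constructed set of domains that "still resolve". A real audit replaces
# domain_is_registered with a DNS or WHOIS lookup (hypothetical placeholder).
REGISTERED_DOMAINS: Set[str] = {"example-maintained.test"}


def domain_is_registered(domain: str) -> bool:
    """Stand-in resolver: true if the domain is in the constructed allow-set."""
    return domain.lower() in REGISTERED_DOMAINS


def maintainer_domains(registry_doc: str) -> Dict[str, List[str]]:
    """Map each maintainer e-mail domain to the maintainer names that use it."""
    doc = json.loads(registry_doc)
    out: Dict[str, List[str]] = {}
    for entry in doc.get("maintainers") or []:
        email = entry.get("email") or ""
        if "@" not in email:
            continue  # address omitted or redacted; nothing to check
        domain = email.rsplit("@", 1)[1].strip().lower()
        out.setdefault(domain, []).append(entry.get("name", "?"))
    return out


def audit_packages(
    docs: Dict[str, str],
    is_registered: Callable[[str], bool] = domain_is_registered,
) -> List[dict]:
    """Return one finding per (package, unregistered maintainer domain)."""
    findings: List[dict] = []
    for pkg, raw in sorted(docs.items()):
        for domain, names in maintainer_domains(raw).items():
            if not is_registered(domain):
                findings.append({"package": pkg, "domain": domain, "maintainers": names})
    return findings


if __name__ == "__main__":
    for f in audit_packages(SAMPLE_REGISTRY_DOCS):
        who = ", ".join(f["maintainers"])
        print(f"{f['package']}: maintainer(s) {who} use unregistered domain {f['domain']}")
```

Run against real metadata, a maintainer domain with no DNS records at all is the signal worth acting on; the consumer-side mitigations are pinned versions with lockfile integrity hashes and, where the registry offers it, verifying package provenance or signatures rather than trusting the e-mail identity alone.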


> There are very few people who can do that

You're right. What made the XZ attacker rather unique is the fact that they made useful contributions at first and only turned nasty later on.

Not many people can keep a malicious campaign going for as long as the XZ attacker did, which is why it's suspected to be a nation-backed attack.


Not unique. Bitcoins were stolen with a similar technique of hijacking a JS dependency of some Bitcoin wallet app. It was done by making proper contributions at first to gain control of the thing.

They were even better: the library behaved completely normally when used anywhere else.

xz was found because it behaved differently.


I mean, just look at https://milksad.info for what some argue is a very long-game supply chain attack: intentionally bad entropy in the tool recommended in Mastering Bitcoin.


...and the ones who truly can, won't be noticed.



