They noticed that some ssh sessions took 0.5 seconds too long under certain circumstances. 😲
Holy hell that’s good QA.
Don’t see why you’re being downvoted, the person in question who discovered this is a postgres maintainer employed by Microsoft.
Probably people think this is a troll or something.
I wrote it because I was surprised, especially since I’m not a fan of microsoft and their policies. Lately, I have the feeling Microsoft is better than Google (relative terms) when it comes to oss.
What is additionally surprising is the breaches of Microsoft services in the last year. There is one every few weeks or so… And then they pick up a backdoor because login took 0.5 instead of 0.1s.
Anyway, his findings are amazing.
Damn, it is actually scary that they managed to pull this off. The backdoor came from the second-largest contributor to xz too, not some random drive-by.
They’ve been contributing to xz for two years, and commited various “test” binary files.
Time to audit all their contributions although it looks like they mostly contribute to xz. I guess we’ll have to wait for comments from the rest of the team or if the whole org needs to be considered comprimised.
there will be federal investigation just speculation if the culprit is a foreign actor
This is a fun one we’re gonna be hearing about for a while…
It’s fortunate it was discovered before any major releases of non-rolling-release distros were cut, but damn.
This is the best post I’ve read about it so far: https://boehs.org/node/everything-i-know-about-the-xz-backdoor
In the fallout, we learn a little bit about mental health in open source.
Reminded me of this, relevant as always, xkcd:
