At least microsoft is honest enough to admit their software needs protection, unlike apple and unlike most of the people who have made distros of linux. (edit: microsoft is still dishonest about what kind of protection it needs though)
Even though apple lost a class action lawsuit for false advertising over the claim “mac can’t get viruses” they still heavily imply that it doesn’t need an antivirus.
any OS can get infected, it’s just a matter of writing the code and finding a way to deliver it to the system…Now you might be thinking “I’m very careful about what I click on” that’s a good practice to have, but most malware gets delivered through means that don’t require the user to click on anything.
You need an antivirus on every computer you have, linux, android, mac, windows, iOS, all of them. There’s loads of videos on youtube showing off how well or not so well different antivirus programs work for windows and android.
A “antivirus” tends to be a proprietary black box. Such “antivirus” programs could not of detected the XZ backdoor
Any additional information been found on the user?
Can’t confirm but unlikely.
Via https://boehs.org/node/everything-i-know-about-the-xz-backdoor
They found this particularly interesting as Cheong is new information. I’ve now learned from another source that Cheong isn’t Mandarin, it’s Cantonese. This source theorizes that Cheong is a variant of the 張 surname, as “eong” matches Jyutping (a Cantonese romanisation standard) and “Cheung” is pretty common in Hong Kong as an official surname romanisation. A third source has alerted me that “Jia” is Mandarin (as Cantonese rarely uses J and especially not Ji). The Tan last name is possible in Mandarin, but is most common for the Hokkien Chinese dialect pronunciation of the character 陳 (Cantonese: Chan, Mandarin: Chen). It’s most likely our actor simply mashed plausible sounding Chinese names together.
Just because somebody picked a vaguely Chinese-sounding handle doesn’t mean much about who or where.
They’re more likely to be based in Eastern Europe based on the times of their commits (during working hours in Eastern European Time) and the fact that while most commits used a UTC+8 time zone, some of them used UTC+2 and UTC+3: https://rheaeve.substack.com/p/xz-backdoor-times-damned-times-and
It is also hard to be certain as they could be a night owl or a early riser.
as long as you’re up to date on everything here: https://boehs.org/node/everything-i-know-about-the-xz-backdoor
the only additional thing i’ve seen noted is a possibilty that they were using Arch based on investigation of the tarball that they provided to distro maintainers
In a nutshell you say…
Thank you open source for the transparency.
