Talk:XZ Utils backdoor: Difference between revisions
Revision as of 15:54, 7 April 2024
Sockpuppets
The article currently claims that the bad actors used socks to badger the developer into ceding control of his project. While the supporting Ars Technica ref does provide circumstantial evidence that this happened, it isn't definitive. I think we need to at least qualify the claim until we have a better ref. Ef80 (talk) 13:56, 3 April 2024 (UTC)
- I agree. In particular, we shouldn't be using words that the source does not use and the ref does not say they were sockpuppets. The only mention of sockpuppets is when they are quoting someone else rather than in their voice but also isn't referring to the initial pressure to step down. So I've made a change. [1]. Nil Einne (talk) 14:39, 3 April 2024 (UTC)
- I'd note that given the wide speculation which we don't currently mention but might eventually that this is probably a government sponsored attack, or at least a coordinated effort involving multiple people with the main account potentially not really being tied to a particular individual IMO it's simplifying to call them sockpuppets anyway. While sockpuppetry is sometimes used in such cases, it most often refers to one individual using multiple accounts to create an illusion of multiple people having some opinion. In fact, this isn't even like state-sponsored propaganda efforts which may often still use more accounts than there are people (even if just for votes, sharing etc) as in this case there may very well be significantly more people involved than there are identities used, even if the identities were coordinated with one goal perhaps and not tied to any individual or their PoV. Nil Einne (talk) 14:39, 3 April 2024 (UTC)
- Better now, thanks. This was an extremely determined and carefully executed attack, and we need to be wary of implying that anything definitive is known about perpetrators or motivations, at this stage anyway. --Ef80 (talk) 15:05, 3 April 2024 (UTC)
Citation not needed?
A citation needed tag is attached to where it says software vendors have reverted to an older version. The sources right before it do say that packages were reverted to an older unaffected version. We should move the sources to the end of the sentence and remove the tag. NotAPenguinSpy (talk) 14:21, 3 April 2024 (UTC)
Microsoft
@Melmann I'm not saying that he did the work on behalf of Microsoft, just that he worked there at the time of the discovery. I think that is a noteworthy item, similar to his involvement in PostgreSQL. PhotographyEdits (talk) 17:57, 3 April 2024 (UTC)
- @PhotographyEdits The reason I included a mention of PostgreSQL at all is because prior to this event, his involvement in PostgreSQL appears to have been his most notable claim to fame. That is, if the average reader is likely to know Freund at all, it seems most likely that they'd know about him from his involvement with PostgreSQL, which is incidentally what I believe Microsoft pays him for.
- Based on my reading of the sources (which I'm open to being wrong about), there is no indication that this discovery was the result of a work-for-hire arrangement between him and Microsoft, thus I see no need to mention Microsoft, thus giving Microsoft implicit credit for something they had nothing to do with.
- But, if you can show me a WP:RS that claims that this discovery was part of his work for Microsoft, then yes, I agree, Microsoft should be mentioned. Melmann 18:34, 3 April 2024 (UTC)
- It's not about giving Microsoft credit, but providing the reader background information about the person who discovered it. That background information should be a summary of the available WP:RS. PhotographyEdits (talk) 22:06, 3 April 2024 (UTC)
- Just because something is in WP:RSes, doesn't mean that it must be automatically included, especially if it bears no relevance to the topic at hand. Melmann 06:42, 4 April 2024 (UTC)
@DefaultFree In regard to your revert, the contention is that if it is not work for hire, then it is not relevant. Why include mentions of his employer, as this fact has no bearing on the work he performed off-the-clock. To give another example, Freund appears to be German, but this is not a fact we are mentioning because it has no bearing on the work he performed. But if his work was funded by the German government, then it would be a worthwhile inclusion, in my opinion. Melmann 21:18, 3 April 2024 (UTC)
- Can you support the assertion that "his involvement in PostgreSQL appears to have been his most notable claim to fame" and that his Microsoft employment was not similarly notable? The Ars ref, for example, seems to give more weight to his MS employment than his pgsql involvement. DefaultFree (talk) 21:31, 3 April 2024 (UTC)
- From what I can tell, this is the main thing he's working on. It is in all his social media descriptions, and because Microsoft uses PostgreSQL extensively, they seem to be paying him to help maintain the project.
- My main issue here is that I see no evidence that Microsoft has contributed to this. Just because WP:RSes are mentioning this, doesn't mean that we should if it is not relevant.
- I'd be supportive of just saying 'Database developer Andres Freund' too, instead of mentioning either PostgreSQL or Microsoft. It just seems to me that this person achieved something quite notable in their spare time, and their employer did nothing to contribute to that, and now they're getting praised for it and getting inserted into the discussion merely because for an average reader who isn't familiar with the topic one of the few things they will recognise when reading a page about a backdoor in some (to them) obscure compression utility is the word 'Microsoft'. Melmann 06:40, 4 April 2024 (UTC)
- I don't think it's particularly positive (or negative) for Microsoft. It's just a description of fact. The occupation and employer of a major involved party seems like relevant background information, regardless of whether the employer was directly involved. I agree that we shouldn't be giving praise, but I don't see that here.
- Also, you seem to be asserting that this was done in Andres' spare time - are you sure of that? The oss-security@ post doesn't actually say one way or the other. DefaultFree (talk) 08:34, 4 April 2024 (UTC)
- The Verge source in the article says he was 'off-the-clock', which is the basis of my claim.
- I still don't think Microsoft should be mentioned as it is irrelevant, but here's hoping we get further input. Melmann 10:35, 5 April 2024 (UTC)
- I can't see the harm in mentioning that he worked for MS. Lots of open source developers have day jobs working for The Man. Everybody needs to pay the mortgage. --Ef80 (talk) 15:33, 6 April 2024 (UTC)
Blatant anti-Russian propaganda
- American security researcher Dave Aitel has suggested that it fits the pattern attributable to APT29, an advanced persistent threat actor believed to be working on behalf of the Russian SVR.
This sentence is propaganda and should be removed. According to the article about Dave Aitel, this person works for the CIA. So there is an obvious conflict of interest. The US American foreign intelligence service accuses the Russian foreign intelligence service. Actually many actors worldwide would have a motive and the means to pull this off, including the CIA. In order to accuse one particular actor, one should present some real evidence. -- 193.96.224.70 (talk) 21:20, 6 April 2024 (UTC)
- It's just a suggestion - and the thought/sentence is cited by a WIRED article. ItzSwirlz (talk) 21:36, 6 April 2024 (UTC)
- He's not the only person suggesting it is Russia either. In the Australian cybersecurity podcast Risky Business episode 743 (timestamp 20:00), the podcast host mentioned offline conversation with Dmitri Alperovitch (former CTO of CrowdStrike), who says this has "Russian-vibes". The podcast hosts also think so. Of course all these are opinions of people working in cybersecurity industry from Five Eyes countries in situation where their reputation and credibility are not on the line. --Voidvector (talk) 02:02, 7 April 2024 (UTC)
- The plain fact is that we don't know who was behind this, and very probably never will. Whoever it was is very, very skilled at deception and obfuscation. Intelligence agencies like GCHQ are going to have a pretty good idea, but they're very unlikely to say anything in public because of the need to protect sources and techniques. It's certainly not impossible that a Western agency such as the NSA is behind it. We can report speculation with refs, but only as speculation. --Ef80 (talk) 09:40, 7 April 2024 (UTC)
- That seems reasonable, I have moved it into a separate section from the background. PhotographyEdits (talk) 14:44, 7 April 2024 (UTC)
This would have been doomsday scenario for the internet.
I'm just gonna say it: Had this not been caught, I think this would have been a doomsday scenario for everything and everyone on the internet.
Seriously, to my knowledge, no vulnerability ever got a 10.0 from CVSS. CyanoTex (talk) 15:54, 7 April 2024 (UTC)