Learn a new magic trick! Hash-Based Bisect Debugging in Compilers and Runtimes research.swtch.com/bisect
This article attributes the xz attack to a Chinese hacker who texted about it, including claiming that they have at least one other open source bug. thenightly.com.au/world/chines...
A Chinese citizen understood to be the son of a senior Chinese Government official has claimed to be the architect of a multi-year infiltration operation that infected software used by Australia’s age...
Nice catch, will fix. Thanks.
Lasse's incident page is tukaani.org/xz-backdoor/. He was on a scheduled internet break and as I understand it is not fully back yet. It would not surprise me at all if various government agencies were in touch with him, and probably he'd do better to talk to them than us. :-)
Fixed, thanks!
Done, thanks for the tip!
A walkthrough of the xz attack shell script. An RC4 variant in Awk, what more could you want? research.swtch.com/xz-script
Thank you! Fixed. (Bad conversion from Google Doc, which I don't normally use to write these posts.)
I put together a timeline of the xz attack, dating back to 2021. Corrections or additions welcome here on Bluesky. research.swtch.com/xz-timeline
Turns out not his web site, but there they are nonetheless.
Luiz shared this with us at Stone and I'd like to make these essays available to a wider audience. I've uploaded the essays here.