Free software's not-so-eXZellent adventure

Posted Apr 3, 2024 11:33 UTC (Wed) by khim (subscriber, #9252)
In reply to: Free software's not-so-eXZellent adventure by nsheed
Parent article: Free software's not-so-eXZellent adventure

That's why I don't believe for a minute that “Jia Tan” is a free actor. $THREE_LETTER_AGENCY is definitely involved (I wish we knows which one), simply because there was obviously a lot of efforts to plan that.

We only see a top of an iceberg, but that was definitely well-timed and coordinated to make literally tons of distributions vulnerable in the near future… and lone hackers in the basements are not know for such level of coordination while for three letter agencies that's routine scale level of coordination.

Free software's not-so-eXZellent adventure

Posted Apr 5, 2024 10:34 UTC (Fri) by tzafrir (subscriber, #11501) [Link] (1 responses)

How much did it cost? The team behind this definitely had one "star" programmer and some more team members. They worked on it part-time for several years. They were hoping to gain a backdoor to sshd and potentially some more.

This is not beyond what a medium black-hat company could do. Assuming that there's market for such exploits. They could have hoped to cover the costs of the operation. And I guess they already employ such people.

Free software's not-so-eXZellent adventure

Posted Apr 5, 2024 11:38 UTC (Fri) by khim (subscriber, #9252) [Link]

> How much did it cost?

Three years.

> They worked on it part-time for several years.

And that immediately rules out all but largest companies, lone hobbists… and three-letter agencies.

> They were hoping to gain a backdoor to sshd and potentially some more.

They were hoping to get a reusable backdoor.

> This is not beyond what a medium black-hat company could do.

This is beyond what medium black-hat company may plan to do.

> Assuming that there's market for such exploits.

That's precisely the thing: exploits on black market command high price only if they are noncompromised.

Black market favors independent (even if easily detectable and patchable) exploits which you may sell to many buyers. Compromised, well-known exploits go down in price sharply.

This was an attempt to plant reusable exploit which was, presumably, was either planed to be used against one particular extra-high-profile target (which would still be there after three years!) or, alternatively, be reused again and again.

To reuse it again and again you need to “keep it in house” and ensure details wouldn't leak. To even have some high-profile target that is sitting there waiting for your attack you have to large organization which plans that encompass decades.

This, pretty much, rules out everyone but $THREE_LETTER_AGENCY es.

> And I guess they already employ such people.

It's not about abilities to do such an exploit. It's about the use of such exploit. Only $THREE_LETTER_AGENCY (and ironically enough, lone hobbist) may benefit from something like this. And this looks like a work of a team which rules out “lone hobbist” hypnotises.