this post was submitted on 29 Mar 2024
671 points (99.0% liked)
Technology
59135 readers
2532 users here now
This is a most excellent place for technology news and articles.
Our Rules
- Follow the lemmy.world rules.
- Only tech related content.
- Be excellent to each another!
- Mod approved content bots can post up to 10 articles per day.
- Threads asking for personal tech support may be deleted.
- Politics threads may be removed.
- No memes allowed as posts, OK to post as comments.
- Only approved bots from the list below, to ask if your bot can be added please contact us.
- Check for duplicates before posting, duplicates may be removed
Approved Bots
founded 1 year ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
Dude seems like a foreign asset
Jia Tan, University of Hong Kong in China. He’s been the sole maintainer of the package for almost two years.
Looks like he'd done a lot for various US companies on his LinkedIn.
I would not be surprised if he was previously legit but pressured into doing this by the CCP.
Maybe he wasn't sloppy by accident if he was indeed coerced by someone. I don't think we'll ever find out the backstory of this though.
I’ve watched a rundown of what the backdoor does. It’s impossible that this was an accident. It hides a compiled library in test data and injects that into the ssh binary to override code there.
They didn't mean the backdoor was (or was not) an accident. They meant the backdoor was implemented sloppily enough to be discovered and maybe that was not an accident (as in, he wanted it to be found, but still wanted to plausibly be seen as trying his best to keep those coercing him appeased)