
Talk:XZ Utils backdoor

From Wikipedia, the free encyclopedia

Sockpuppets

The article currently claims that the bad actors used socks to badger the developer into ceding control of his project. While the supporting Ars Technica ref does provide circumstantial evidence that this happened, it isn't definitive. I think we need to at least qualify the claim until we have a better ref. Ef80 (talk) 13:56, 3 April 2024 (UTC)[reply]

I agree. In particular, we shouldn't be using words that the source does not use and the ref does not say they were sockpuppets. The only mention of sockpuppets is when they are quoting someone else rather than in their voice but also isn't referring to the initial pressure to step down. So I've made a change. [1]. Nil Einne (talk) 14:39, 3 April 2024 (UTC)[reply]
I'd note that given the wide speculation which we don't currently mention but might eventually that this is probably a government sponsored attack, or at least a coordinated effort involving multiple people with the main account potentially not really being tied to a particular individual IMO it's simplifying to call them sockpuppets anyway. While sockpuppetry is sometimes used in such cases, it most often refers to one individual using multiple accounts to create an illusion of multiple people having some opinion. In fact, this isn't even like state-sponsored propaganda efforts which may often still use more accounts than there are people (even if just for votes, sharing etc) as in this case there may very well be significantly more people involved than there are identities used, even if the identities were coordinated with one goal perhaps and not tied to any individual or their PoV. Nil Einne (talk) 14:39, 3 April 2024 (UTC)[reply]
Better now, thanks. This was an extremely determined and carefully executed attack, and we need to be wary of implying that anything definitive is known about perpetrators or motivations, at this stage anyway. --Ef80 (talk) 15:05, 3 April 2024 (UTC)[reply]

Citation not needed?

A citation needed tag is attached to where it says software vendors have reverted to an older version. The sources right before it do say that packages were reverted to an older unaffected version. We should move the sources to the end of the sentence and remove the tag. NotAPenguinSpy (talk) 14:21, 3 April 2024 (UTC)[reply]

Microsoft

@Melmann I'm not saying that he did the work on behalf of Microsoft, just that he worked there at the time of the discovery. I think that is a noteworthy item, similar to his involvement in PostgreSQL. PhotographyEdits (talk) 17:57, 3 April 2024 (UTC)[reply]

@PhotographyEdits The reason I included a mention of PostgreSQL at all is because prior to this event, his involvement in PostgreSQL appears to have been his most notable claim to fame. That is, if the average reader is likely to know Freund at all, it seems most likely that they'd know about him from his involvement with PostgreSQL, which is incidentally what I believe Microsoft pays him for.
Based on my reading of the sources (which I'm open to being wrong about), there is no indication that this discovery was the result of a work-for-hire arrangement between him and Microsoft, thus I see no need to mention Microsoft, thus giving Microsoft implicit credit for something they had nothing to do with.
But, if you can show me a WP:RS that claims that this discovery was part of his work for Microsoft, then yes, I agree, Microsoft should be mentioned. Melmann 18:34, 3 April 2024 (UTC)[reply]
It's not about giving Microsoft credit, but providing the reader background information about the person who discovered it. That background information should be a summary of the available WP:RS. PhotographyEdits (talk) 22:06, 3 April 2024 (UTC)[reply]
Just because something is in WP:RSes, doesn't mean that it must be automatically included, especially if it bears no relevance to the topic at hand. Melmann 06:42, 4 April 2024 (UTC)[reply]

@DefaultFree In regard to your revert, the contention is that if it is not work for hire, then it is not relevant. Why include mentions of his employer, as this fact has no bearing on the work he performed off-the-clock. To give another example, Freund appears to be German, but this is not a fact we are mentioning because it has no bearing on the work he performed. But if his work was funded by the German government, then it would be a worthwhile inclusion, in my opinion. Melmann 21:18, 3 April 2024 (UTC)[reply]

Can you support the assertion that his involvement in PostgreSQL appears to have been his most notable claim to fame and that his Microsoft employment was not similarly notable? The Ars ref, for example, seems to give more weight to his MS employment than his pgsql involvement. DefaultFree (talk) 21:31, 3 April 2024 (UTC)[reply]
From what I can tell, this is the main thing he's working on. It is in all his social media descriptions, and because Microsoft uses PostgreSQL extensively, they seem to be paying him to help maintain the project.
My main issue here is that I see no evidence that Microsoft has contributed to this. Just because WP:RSes are mentioning this, doesn't mean that we should if it is not relevant.
I'd be supportive of just saying 'Database developer Andres Freund' too, instead of mentioning either PostgreSQL or Microsoft. It just seems to me that this person achieved something quite notable in their spare time, and their employer did nothing to contribute to that, and now they're getting praised for it and getting inserted into the discussion merely because for an average reader who isn't familiar with the topic one of few things they will recognise when reading a page about a backdoor in some (to them) obscure compression utility is the word 'Microsoft'. Melmann 06:40, 4 April 2024 (UTC)[reply]
I don't think it's particularly positive (or negative) for Microsoft. It's just a description of fact. The occupation and employer of a major involved party seems like relevant background information, regardless of whether the employer was directly involved. I agree that we shouldn't be giving praise, but I don't see that here.
Also, you seem to be asserting that this was done in Andres' spare time - are you sure of that? The oss-security@ post doesn't actually say one way or the other. DefaultFree (talk) 08:34, 4 April 2024 (UTC)[reply]
The Verge source in the article says he was 'off-the-clock', which is the basis of my claim.
I still don't think Microsoft should be mentioned as it is irrelevant, but here's hoping we get further input. Melmann 10:35, 5 April 2024 (UTC)[reply]
I can't see the harm in mentioning that he worked for MS. Lots of open source developers have day jobs working for The Man. Everybody needs to pay the mortgage. --Ef80 (talk) 15:33, 6 April 2024 (UTC)[reply]
OK, then let's mention all the past jobs of all the named developers! Why only MS? 94.25.177.86 (talk) 07:56, 3 May 2024 (UTC)[reply]

Blatant anti-Russian propaganda

American security researcher Dave Aitel has suggested that it fits the pattern attributable to APT29, an advanced persistent threat actor believed to be working on behalf of the Russian SVR.

This sentence is propaganda and should be removed. According to the article about Dave Aitel, this person works for the CIA. So there is an obvious conflict of interest. The US American foreign intelligence service accuses the Russian foreign intelligence service. Actually many actors worldwide would have a motive and the means to pull this off, including the CIA. In order to accuse one particular actor, one should present some real evidence. -- 193.96.224.70 (talk) 21:20, 6 April 2024 (UTC)[reply]

It's just a suggestion - and the thought/sentence is cited by a WIRED article. ItzSwirlz (talk) 21:36, 6 April 2024 (UTC)[reply]
He's not the only person suggesting it is Russia either. In the Australian cybersecurity podcast Risky Business episode 743 (timestamp 20:00), the podcast host mentioned an offline conversation with Dmitri Alperovitch (former CTO of CrowdStrike), who says this has "Russian-vibes". The podcast hosts also think so. Of course all these are opinions of people working in the cybersecurity industry from Five Eyes countries in a situation where their reputation and credibility are not on the line. --Voidvector (talk) 02:02, 7 April 2024 (UTC)[reply]
The plain fact is that we don't know who was behind this, and very probably never will. Whoever it was is very, very skilled at deception and obfuscation. Intelligence agencies like GCHQ are going to have a pretty good idea, but they're very unlikely to say anything in public because of the need to protect sources and techniques. It's certainly not impossible that a Western agency such as the NSA is behind it. We can report speculation with refs, but only as speculation. --Ef80 (talk) 09:40, 7 April 2024 (UTC)[reply]
That seems reasonable, I have moved it into a separate section from the background. PhotographyEdits (talk) 14:44, 7 April 2024 (UTC)[reply]

Perplexing reverts

I'm appalled by seeing my edits being reverted. The ticket itself has a discussion including the creator and the leader of the project, Lennart Poettering, and core systemd developers, I've now found not just one but two news sources (opennet.ru is the most popular Linux news website for Russian speaking readers and has tens of thousands of visits daily) and that's called "no reliable sources". What's a reliable source of anything Linux related? Engadget? Wired? Who decides what is reliable?? That's outright disgusting. And I'm 100% sure the people who revert my edits do so without knowing anything either about Linux or security in general. This is not "*Pedia", this is "We put our rules above extremely serious stuff". Suit yourself.

This is the reverted part. I'll leave it here for posterity. That's my text, it's pertinent for the discussion page:

Systemd changes

As a result of this incident a question[1] of unneeded dependencies in Systemd was raised[2][3] and it led to the project being reworked and dropping link-time dependencies on many libraries, including gcrypt, LZ4, ZSTD, LZMA and BPF. An objection that dependencies had now become hidden and non-transparent was raised, but systemd developers refuted it and said that support for unneeded libraries could be disabled completely at compilation time.[4]

References

  1. ^ "Reduce dependencies of libsystemd · Issue #32028 · systemd/systemd". GitHub. Retrieved 2024-04-07.
  2. ^ Darkcrizt (2024-04-06). "In systemd the idea of reducing libsystemd dependencies is raised". Linux Adictos. Retrieved 2024-04-08.
  3. ^ "Инициатива по сокращению зависимостей у libsystemd" [Initiative to reduce the dependencies of libsystemd]. opennet.ru (in Russian). Retrieved 2024-04-08.
  4. ^ "Reduce dependencies of libsystemd · Issue #32028 · systemd/systemd". GitHub. Retrieved 2024-04-07.

Artem S. Tashkinov (talk) 14:40, 8 April 2024 (UTC)[reply]
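The systemd rework quoted in the message above removed liblzma and the other listed libraries from libsystemd's load-time (DT_NEEDED) dependencies and loads them on demand instead, which is why the "hidden dependency" objection came up: a dependency that is only loaded at run time no longer shows up in the usual link-time inventory. The following is an added example, not code from this page or from the systemd project: a small reader of an ELF64 object's DT_NEEDED list, so that a defender can see which sonames a binary or library will pull in the moment it is loaded. The `build_sample_elf` helper constructs a synthetic, non-loadable ELF object purely so the parser can be exercised offline; the library names in it are constructed sample values.

```python
import struct

# ELF64 constants (values from the ELF specification)
ELF_MAGIC = b"\x7fELF"
PT_LOAD, PT_DYNAMIC = 1, 2
DT_NULL, DT_NEEDED, DT_STRTAB = 0, 1, 5


def program_headers(data):
    """Yield (p_type, p_offset, p_vaddr, p_filesz) for each program header of a little-endian ELF64."""
    if data[:4] != ELF_MAGIC or data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 objects are supported")
    (e_phoff,) = struct.unpack_from("<Q", data, 0x20)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 0x36)
    for i in range(e_phnum):
        # read the leading fields of Elf64_Phdr: p_type, p_flags, p_offset, p_vaddr, p_paddr, p_filesz
        p_type, _flags, p_offset, p_vaddr, _paddr, p_filesz = struct.unpack_from(
            "<IIQQQQ", data, e_phoff + i * e_phentsize)
        yield p_type, p_offset, p_vaddr, p_filesz


def vaddr_to_offset(phdrs, addr):
    """Map a virtual address to a file offset via the PT_LOAD segment that backs it."""
    for p_type, p_offset, p_vaddr, p_filesz in phdrs:
        if p_type == PT_LOAD and p_vaddr <= addr < p_vaddr + p_filesz:
            return addr - p_vaddr + p_offset
    raise ValueError("address 0x%x is not backed by any PT_LOAD segment" % addr)


def needed_libraries(data):
    """Return the DT_NEEDED sonames of an ELF64 object, in link order.

    Only direct load-time dependencies are listed; libraries the object opens
    later with dlopen() are invisible here (and to ldd), which is exactly the
    'hidden dependency' concern raised about the systemd rework.
    """
    phdrs = list(program_headers(data))
    dynamic = [p for p in phdrs if p[0] == PT_DYNAMIC]
    if not dynamic:
        return []  # no dynamic section: statically linked, or not a dynamic object
    _, dyn_off, _, dyn_size = dynamic[0]
    needed_idx, strtab_addr = [], None
    for off in range(dyn_off, dyn_off + dyn_size, 16):  # Elf64_Dyn is 16 bytes
        d_tag, d_val = struct.unpack_from("<qQ", data, off)
        if d_tag == DT_NULL:
            break
        if d_tag == DT_NEEDED:
            needed_idx.append(d_val)      # offset into .dynstr
        elif d_tag == DT_STRTAB:
            strtab_addr = d_val           # virtual address of .dynstr
    if not needed_idx:
        return []
    if strtab_addr is None:
        raise ValueError("DT_NEEDED entries present but no DT_STRTAB")
    strtab = vaddr_to_offset(phdrs, strtab_addr)
    names = []
    for idx in needed_idx:
        end = data.index(b"\0", strtab + idx)
        names.append(data[strtab + idx:end].decode("ascii", "replace"))
    return names


def links_at_load_time(data, soname_prefix):
    """True if a library whose soname starts with soname_prefix (e.g. 'liblzma.so') is a load-time dependency."""
    return any(name.startswith(soname_prefix) for name in needed_libraries(data))


def build_sample_elf(needed):
    """Construct a minimal synthetic ELF64 'shared object' with the given DT_NEEDED entries.

    Layout: ELF header, PT_LOAD covering the whole file (vaddr == file offset),
    PT_DYNAMIC, .dynstr, .dynamic. It is not loadable; it only feeds the parser.
    """
    ehdr_size, phdr_size = 64, 56
    dynstr = b"\0" + b"".join(n.encode() + b"\0" for n in needed)
    dynstr_off = ehdr_size + 2 * phdr_size
    dyn_off = (dynstr_off + len(dynstr) + 7) & ~7  # 8-byte align .dynamic
    entries, idx = [], 1
    for n in needed:
        entries.append((DT_NEEDED, idx))
        idx += len(n) + 1
    entries += [(DT_STRTAB, dynstr_off), (DT_NULL, 0)]
    dynamic = b"".join(struct.pack("<qQ", t, v) for t, v in entries)
    total = dyn_off + len(dynamic)
    e_ident = ELF_MAGIC + bytes([2, 1, 1, 0, 0]) + b"\0" * 7   # ELFCLASS64, little-endian
    ehdr = e_ident + struct.pack("<HHIQQQIHHHHHH", 3, 0x3E, 1, 0, ehdr_size, 0, 0,
                                 ehdr_size, phdr_size, 2, 64, 0, 0)  # ET_DYN, x86-64
    ph_load = struct.pack("<IIQQQQQQ", PT_LOAD, 4, 0, 0, 0, total, total, 0x1000)
    ph_dyn = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, dyn_off, dyn_off, dyn_off,
                         len(dynamic), len(dynamic), 8)
    body = ehdr + ph_load + ph_dyn + dynstr
    return body + b"\0" * (dyn_off - len(body)) + dynamic


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:  # e.g. a libsystemd.so.0 or sshd from the local system
        with open(path, "rb") as f:
            print(path, needed_libraries(f.read()))
    # offline self-check on the constructed object
    print(needed_libraries(build_sample_elf(["libc.so.6", "liblzma.so.5"])))
```

Run it against a real object (`python3 needed.py /path/to/libsystemd.so.0`) to see only that object's direct dependencies; the transitive set that `ldd` prints is obtained by recursing into each listed library. On a distribution whose sshd was patched to link libsystemd, the pre-rework chain sshd → libsystemd → liblzma is visible with this kind of check, whereas after the rework liblzma is absent from libsystemd's list even though it can still be loaded on demand.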

@Artem S. Tashkinov: I appreciate getting subject matter expertise here. At the same time, Wikipedia works because of the rules we have to balance quality with openness to contributions.
"Who decides what is reliable?" - Wikipedia:Reliable sources. You are raising issues which have been discussed to completion many thousands of times before. Our consensus is that we require citations to journalism, not WP:Original research on WP:PRIMARY sources as you are providing.
Is it your belief that no journalism or report on this topic exists for you to cite for this information? I want expertise in this article but what you are doing obviously is out of scope for our fact-checking and quality control process. Bluerasberry (talk) 14:53, 8 April 2024 (UTC)[reply]
How is the GitHub issue itself, with core systemd developers, not a reputable source? Again, "rules" above everything. Suit yourself. I will try to put this piece back in a few months when you stop caring strongly about "rules". There are entire articles on WP which have a ton of information without "reputable" sources, yet no one has edited the uncited info out as "unworthy". Double freaking standards every time. Artem S. Tashkinov (talk) 08:56, 10 April 2024 (UTC)[reply]
E.g. VirtualBox and VMware Workstation are two such articles. 95% of information therein is not properly sourced. I dare you to go edit all the "unsourced" information. Show your worth. And that's only the articles that I care about. I'm sure there are tens of thousands more. This is freaking appalling and disgusting. Artem S. Tashkinov (talk) 09:01, 10 April 2024 (UTC)[reply]
Citations to GitHub are WP:SELFPUB and WP:PRIMARY. Most sources on Wikipedia should be WP:SECONDARY, which helps us get the WP:WEIGHT right and to hear an WP:INDEPENDENT perspective, among other good reasons for this practice. Typical secondary sources are newspapers, books, and academic papers. Raw conversations, such as software devs talking in a GitHub issue, or an unedited interview, or a court transcript, etc. will almost never be good references for a Wikipedia article. Hope that makes sense. –Novem Linguae (talk) 09:31, 10 April 2024 (UTC)[reply]
I made an edit commenting about reliability. Yes, primary sources can be reliable, but they should be used very carefully. PhotographyEdits (talk) 10:49, 10 April 2024 (UTC)[reply]
> And I'm 100% sure the people who revert my edits do so without knowing anything either about Linux or security in general.
You're wrong here. But I think the OpenNet source is fine after considering it again. But please link to the original source in the refs, not a Google Translate version (even though that is convenient). The English Wikipedia has no requirement for references to be in English. PhotographyEdits (talk) 12:51, 10 April 2024 (UTC)[reply]

False title

@Eric lagergren: in these edits, you removed the word "the" which I had added, following the advice of WP:FALSETITLE. Your edit comment was "grammar". This is not an issue of grammar, but of style. As our article false title points out, omitting "the" in cases like "the programmer John Doe" is journalese and thus not appropriate for an encyclopedia. --Macrakis (talk) 14:44, 9 April 2024 (UTC)[reply]

I don't mind Eric's edits. No offense, but I think I disagree with the essay WP:FALSETITLE. –Novem Linguae (talk) 14:55, 9 April 2024 (UTC)[reply]
I do agree with it, but it's not sufficiently important to bother about. As a general rule, AE users tend to be more tolerant of journalese phrasing than BE users. --Ef80 (talk) 18:45, 11 April 2024 (UTC)[reply]

Requested move 20 April 2024

The following is a closed discussion of a requested move. Please do not modify it. Subsequent comments should be made in a new section on the talk page. Editors desiring to contest the closing decision should consider a move review after discussing it on the closer's talk page. No further edits should be made to this discussion.

The result of the move request was: not moved. per consensus. – robertsky (talk) 08:50, 30 April 2024 (UTC)[reply]


XZ Utils backdoor → XZ backdoor – This looks like the more common name used in sources [2][3][4][5] Tehonk (talk) 18:10, 20 April 2024 (UTC)[reply]

  • Comment 'xz' can refer to two things: the compression algorithm and the implementation in the tool of the same name. The current 'Utils' in the title makes it unambiguously clear that it is a backdoor in the implementation. However, I can see the reason for wanting a shorter version. It can be explained in the article as well. PhotographyEdits (talk) 11:23, 24 April 2024 (UTC)[reply]
  • Oppose While WP:TITLE notes that "generally, article titles are based on what the subject is called in reliable sources," and more of this article's sources refer to an "XZ backdoor" than an "XZ Utils backdoor," I agree with Kwpolska that we should prioritize consistency with the existing XZ Utils article and maintain Xz backdoor as a redirect to the current article. I disagree with the inclusion of SSH in the article title on the basis of concision. After all, other malware listed at Timeline of computer viruses and worms shows that comparable articles do not include the mechanism of the vulnerability in the page's title. BluePenguin18 🐧 ( 💬 ) 07:50, 29 April 2024 (UTC)[reply]
  • Oppose. The compromised software was the package itself (and its build infrastructure), and liblzma, just one component of it. Not the xz compression algorithm nor the 'xz' command-line tool. 76.6.209.95 (talk) 20:48, 29 April 2024 (UTC)[reply]
The discussion above is closed. Please do not modify it. Subsequent comments should be made on the appropriate discussion page. No further edits should be made to this discussion.

References to Jia Tan in Intro

It has been noted by many that the choice of name "Jia Tan", while not likely to be a real Chinese name, was probably chosen to cast suspicion on China in the event of discovery. The introduction of this article indicates that the backdoor was introduced by Jia Tan without so much as quotation marks around the name. A footnote is provided clarifying the anonymity of Jia Tan (though without commenting on the choice of name). Anyone skimming the article intro or reading the Google summary having googled "xz backdoor" will never even see that footnote. If indeed the name was chosen to direct suspicion at China, whoever's idea it was must be very pleased to see that Wikipedia is aiding the cause.

In other words, I really think some indication of the nature of "Jia Tan" should be included in the introduction. Blex-max (talk) 12:01, 9 May 2024 (UTC)[reply]

@Blex-max
> It has been noted by many that the choice of name "Jia Tan", while not likely to be a real Chinese name, was probably chosen to cast suspicion on China in the event of discovery.
Do you have a reliable source to support this? It seems entirely speculative. The name used was "Jia Tan". That is a fact. Facts are objective. If readers draw unreasonable inferences, so be it, Wikipedia is not censored. Local Variable (talk) 03:19, 19 May 2024 (UTC)[reply]
In truth, no, I can't provide a decent source. But for the sake of record, "Jia Cheong Tan" is a Mandarin first, Cantonese middle, and Hokkien last name, which is decidedly odd and unlikely. I suppose if I can get it included in a news article on the subject, that would suffice - seeing as included in the article are entirely speculative references that "it was Russia" - but it's a bit late now. I totally object to the suggestion that I am attempting to censor Wikipedia, that's disingenuous at best. How facts are presented largely controls what inferences are made. The intro now presents the facts in a more neutral and informative manner, without any speculation (and rightly so). Blex-max (talk) 13:45, 20 May 2024 (UTC)[reply]

Licensing 'xkcd no. 2347 Dependency' under CC-BY-SA or similar

I have asked the user Xkcd (Randall Munroe) to consider licensing 'xkcd no. 2347 Dependency' under a Commons compatible license, for inclusion into this article. The message text and response(s), if any, have been transcluded below.

Hi @Xkcd. Your comic 'xkcd no. 2347 Dependency' has been mentioned by many reliable sources as capturing the essence of the fiasco surrounding the XZ Utils backdoor. I have added an external link to it with this edit on 2024-04-12, and the change appears to be stable.
I think that the XZ Utils backdoor article could benefit from featuring your comic directly in the page. Could you kindly please consider licensing this particular individual comic with a Wikimedia Commons compatible license, such as CC-BY-SA (or similar, see Commons:Licensing#Well-known licenses) so that we may upload it to Commons and feature it in this article? Thank you. Melmann 22:33, 24 May 2024 (UTC)[reply]

Melmann 22:54, 24 May 2024 (UTC)[reply]

Discovery date

The infobox currently says the backdoor was discovered on March 29, but this is not correct. That's when it was announced on a public mailing list. For example, openSUSE reverted back to an older version on March 28: https://news.opensuse.org/2024/03/29/xz-backdoor/ There are dozens of articles claiming it was discovered on March 29, many of them likely getting this information from Google, which in turn is presenting information from this Wikipedia article. https://www.redhat.com/en/blog/understanding-red-hats-response-xz-security-incident says Andres contacted the Debian security team on March 27. Andres Freund has given a more precise timeline in this interview with Oxide computer (timestamped link): https://www.youtube.com/watch?v=jg5F9UupL6I&t=1584s He says he understood it was a backdoor "a few days" before sending the public report. Can we change it to say "at or before March 27", in absence of any more concrete information? Thanks, Vegard (talk) 11:19, 20 October 2024 (UTC)[reply]

Feel free to change it! PhotographyEdits (talk) 14:14, 20 October 2024 (UTC)[reply]
Thanks, I've made the change. I had to change the infobox template + docs as well, hopefully I did everything correctly. If not, feel free to revert... Vegard (talk) 13:40, 4 November 2024 (UTC)[reply]