by Bromeo 812 days ago
I don't want to read too much into it, but the person (supposedly) submitting the PR seems to have worked at 1Password since December last year, as per his LinkedIn. (And his LinkedIn page has a link to the GitHub profile that made the PR.)

They're definitely a real person. I know because that "1Password employee since December" is a person I know IRL and worked with for years at their prior employer. They're not a no-name person or a fake identity, just FYI. Please don't be witch hunting; this genuinely looks like an unfortunate case where Jared was merely proactively doing their job by trying to get externally maintained golang bindings of XZ to the latest version of XZ. Jared's pretty fantastic to work with and is definitely the type of person to be filing PRs on external tools to get them to update dependencies. I think the timing is comically bad, but I can vouch for Jared.

https://github.com/jamespfennell/xz/pull/2

If I were trying to compromise supply chains, getting into someplace like 1Password would be high up on the list.

Poor guy, he's probably going to get the third degree now.

As a 1Password user, I just got rather nervous.
Yubikeys starting to look kinda yummy.
Hardware gets backdoored too, remember Crypto AG?
Yeah the GitHub account looks really really legitimate. Maybe it was compromised though?
What looks legit about a gmail address and some stock art for a profile?
[Deleted per below]
You are not looking at the right profile. This is the profile that people are talking about: https://github.com/jaredallard
Oops, you're absolutely correct. Deleted (via edit) my comment above. Thanks.
Can you stay in that org after leaving Google?
Whoever is in charge of removing people from the Google GitHub org has the itchiest trigger finger in the whole exiting-the-company process tree.
No
He was just (50 minutes ago) removed from the oss fuzz repo.

I hope this also (at least temporarily, until verification of 'bad/good') removes him from the org?

Plus the README.md that is just a rickroll
The 2 Gmail accounts are 85% / mainly associated with XZ work, since 2021, per searching for them explicitly via Google.
The PR's two commits are signed by a key that was also used to sign previous commits belonging to that author.
Hold up, are you saying that https://github.com/jaredallard and the accounts affiliated with this XZ backdoor share a PGP key? Or something else?
No, this account made a PR and their commits were signed [1]. Take a look at their other repositories, e.g. they did AoC 2023 in Rust and published it, the commits in that repository are signed by the same key. So this is not (just) a GitHub account compromise.

I find this aspect to be an outlier, the other attacker accounts were cutouts. So this doesn't quite make sense to me.

[1] https://github.com/jamespfennell/xz/pull/2/commits
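The signature-continuity check the comment above describes, as an added example that is not code from the thread or from any of the repositories mentioned: it parses constructed lines in the shape of `git log --format='%H %G? %GF %s'` output (sample data only, not the real repository's history) and reports whether each PR commit is signed by a key already seen on the author's earlier commits.

```python
"""Signature-continuity check for a PR's commits (added example, not from the thread).
Input lines mimic `git log --format='%H %G? %GF %s'`: hash, signature status
(G good, U good/untrusted key, N none, B bad, E/X/Y/R unverifiable), signing-key
fingerprint (empty when unsigned) and subject. All sample data is constructed."""
from collections import namedtuple

Commit = namedtuple("Commit", "sha status fingerprint subject")

# Constructed: the author's earlier commits in another repository.
AUTHOR_HISTORY = """\
1111111111111111111111111111111111111111 G AAAA1111BBBB2222CCCC3333DDDD4444EEEE5555 day 1 part 1
2222222222222222222222222222222222222222 G AAAA1111BBBB2222CCCC3333DDDD4444EEEE5555 day 2
3333333333333333333333333333333333333333 N  README tweak
"""
# Constructed: the commits on the pull request under review.
PR_COMMITS = """\
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa G AAAA1111BBBB2222CCCC3333DDDD4444EEEE5555 bump xz version
bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb G AAAA1111BBBB2222CCCC3333DDDD4444EEEE5555 regenerate bindings
"""

def parse_log(text):
    """Parse the four-field log format; an empty %GF leaves two spaces before %s."""
    commits = []
    for line in filter(str.strip, text.splitlines()):
        sha, status, rest = line.split(" ", 2)
        if rest.startswith(" "):
            fingerprint, subject = "", rest[1:]
        else:
            fingerprint, _, subject = rest.partition(" ")
        commits.append(Commit(sha, status, fingerprint, subject))
    return commits

def signature_continuity(history_text, pr_text):
    """Map each PR commit to 'continuous', 'new-key', 'unsigned' or 'unverifiable'.
    'continuous' means a good signature by a key already used on the author's earlier
    commits, which argues against a bare GitHub-login takeover (the attacker would also
    need the private key). It says nothing about the author's intent."""
    known = {c.fingerprint for c in parse_log(history_text) if c.status in ("G", "U")}
    verdicts = {}
    for c in parse_log(pr_text):
        if c.status == "N":
            verdicts[c.sha] = "unsigned"
        elif c.status not in ("G", "U"):
            verdicts[c.sha] = "unverifiable"
        else:
            verdicts[c.sha] = "continuous" if c.fingerprint in known else "new-key"
    return verdicts
```

On a real checkout the input is produced by `git log --format='%H %G? %GF %s'` over the author's history and over the PR branch, and `%G?` only reports G when the signing public key is present in the local keyring.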