by publius_0xf3 814 days ago
When all this is over and Collin is in the right state of mind, I'd appreciate if they could shed some light on the social engineering side of this exploit. i.e. the process by which the intruder introduced themselves, gained and exploited their trust, any warning signs or red flags, etc.

Their experience could make for a valuable lesson and prevent future occurrences.


From what I read, it looks like it was not really social engineering per se but the good old way of earning trust, just like any ordinary engineer: the intruder joined the project three years ago and started to contribute patches. He also made good suggestions on design changes. Eventually he became a committer because he consistently made valuable contributions to the project.

P.S., this does not look like individual behavior. It's hard to imagine that an individual would spend three years just to plant a backdoor in sshd.

It looks like he made multiple sock puppet accounts talking to himself on the mailing lists: https://boehs.org/node/everything-i-know-about-the-xz-backdo...

He made a sock puppet asking Debian to update the package in 'unstable' (along with other package update requests so it wouldn't look suspicious).

Given how widespread sshd is, I'd think it is realistic because the payoff would just be worth it if successful. The whole thing is also complex enough that it would take a while to develop. The attacker starts learning the internals of xz and in the process they develop the skills to contribute patches. So development of the attack and gaining trust go hand in hand.

I mean that is still social engineering; it is just really long-game social engineering.

And IDK that we've entirely ruled out that Jia Tan wound up being blackmailed or coerced or something -- although if they were really running sockpuppets to get themselves added to the project up front, that is probably less likely.