by coleca 809 days ago
This may be a dumb question, but is law enforcement investigating this? Is it even technically a crime?
3 comments

Of course it is a crime. This is in fact more than a crime, it's a counter-intelligence problem, even if done by a non-state actor.
I’m not sure that all counter-espionage problems are necessarily crimes, in the sense that a specific law was violated.
What would the crime be? Misuse of computers? Espionage?

Curious as to the legal angle of it

Just a guess: Illegal Electronic Surveillance

More of a guess from the below link?

18 U.S.C. § 2512, which prohibits the manufacture, possession, advertisement, sale, and transportation in interstate or foreign commerce of devices that are primarily useful for the surreptitious interception of communications

(although is this a hardware-specific prohibition?)

https://www.justice.gov/archives/jm/criminal-resource-manual...

This is a ChatGPT-level question :) . Pasting GPT-4 response:

If someone is caught installing a backdoor into a software library such as libxz, particularly one that interacts with a secure communication protocol like OpenSSH, they could be charged with several offenses under United States law. The specific charges would depend on the details of the case, but here are some possibilities:

1. Computer Fraud and Abuse Act (CFAA) Violations: The CFAA is the primary federal law in the U.S. for computer crime. It prohibits a variety of different types of computer-related activities, including unauthorized access to a computer system, causing damage to a computer system, trafficking in passwords or similar information, and more. A person who installs a backdoor could be charged with unauthorized access and/or causing damage.

2. Wire Fraud: If the backdoor was used to obtain sensitive information or to cause harm, the person could be charged with wire fraud. This is a federal crime that involves using interstate wire communications to carry out a fraudulent scheme.

3. Identity Theft: If the backdoor was used to steal personal identifying information, the person could be charged with identity theft.

4. Economic Espionage Act (EEA) Violations: If the backdoor was used to steal trade secrets, the person could be charged under the EEA.

5. National Stolen Property Act (NSPA) Violations: If the backdoor was used to steal data or other "property," the person could be charged under the NSPA.

6. The USA PATRIOT Act: If the backdoor was used in a way that could be considered "cyberterrorism," such as causing harm to a critical infrastructure system, the person could be charged under the USA PATRIOT Act.

It's also worth noting that if the person was working on behalf of a foreign government or organization, they could be charged with additional crimes, such as espionage.

Keep in mind that this is a complex legal issue, and the specific charges would depend on the details of the case. If you're dealing with a situation like this in real life, you should consult with a legal professional.

This is 100% a state actor. We can also kind of narrow down who.
Based on the Chinese-sounding name alone? They also used two other sock puppet accounts that sound Indian and Anglo:

https://boehs.org/node/everything-i-know-about-the-xz-backdo...

The Chinese name may be a red herring, as it's mixing Mandarin and Cantonese names.
And a Scandinavian and a Russian sock puppet too.
The author's name may be a decoy. I'd have done that.
As someone on reddit mentioned yesterday "Jia Cheong Tan" is an anagram of "CIA Agent John". Which may be accidental or a funny pun by the backdoor coder.
That would be far from unlikely.

But have we seen anything that would require more than a very smart individual with some time on his hands?

No, but the patience is quite amazing which makes me think it is someone who is employed to do this either by an intelligence agency or by a major ransomware company.

Of course it could just be a very patient person.

I think the undersold part with the patience/timeline taking years is that “Jia” surely has more identities and scams in play.

Everyone making products used as supply chain components for someone else should be looking at the timeline and considering which of their developers might match the same pattern.

I do not believe that “Jia” had only one iron in the fire.

I wouldn't make a Pikachu face if it was proven to be a major actor.

But the "amazing patience" is not at all unusual among people who work on open source projects for fun, right?

And what would the payday have been for a single individual who managed to get this backdoor deployed in all major distributions? How much is something like that worth on the black market? Tens of millions of dollars?

How?
Most people now will say something about the commit timestamps indicating this is an Eastern European actor, but it seems like any sufficiently dedicated intelligence service could script their commits or even assign a person to keep certain sleep/wake hours just to falsify that data.
And what do office hours mean to a dedicated hacker?
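The two comments above argue over what commit timestamps can and cannot tell you about an author, and an earlier comment suggests that maintainers of supply-chain components look at their own contributors' timelines for the same pattern. As an added example (not code from the thread or from any project discussed in it), the script below builds a per-author profile from `git log --format='%an|%aI'` style output: a histogram of local hour of day, the set of UTC offsets seen, and the share of commits inside a nominal office-hours window. The log lines, author names and dates are constructed for the example. The caveat the thread raises is built into the comments: both the timestamp and the offset are metadata written by the author's own tooling, so a profile like this is a weak, self-reported signal to corroborate, not evidence on its own.

```python
"""Local-hour profile of commit timestamps, as a (weak) attribution signal."""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample in the shape of `git log --format='%an|%aI'` output
# (author name, strict ISO-8601 author date). Names and dates are invented.
SAMPLE_LOG = """\
mallory-example|2023-06-27T13:45:10+08:00
mallory-example|2023-06-28T14:02:33+08:00
mallory-example|2023-07-03T17:20:01+08:00
mallory-example|2023-07-10T15:55:47+08:00
mallory-example|2023-07-12T02:10:12+08:00
maintainer-example|2023-06-27T21:05:00+03:00
maintainer-example|2023-07-01T22:40:00+03:00
maintainer-example|2023-07-09T20:15:00+03:00
"""


def parse_log(text):
    """Yield (author, timezone-aware datetime) pairs from '%an|%aI' lines."""
    for line in text.splitlines():
        if not line.strip():
            continue
        author, iso = line.split("|", 1)
        # fromisoformat keeps the +HH:MM offset the committer's tooling wrote.
        yield author, datetime.fromisoformat(iso)


def profile(text, office=(9, 18)):
    """Per-author summary of commit timing.

    local_hours:  hour-of-day histogram in the offset stored in each commit.
    offsets:      distinct UTC offsets (hours) seen for the author; more than
                  one means the clock or the claimed zone moved.
    office_share: fraction of commits with local hour in [office[0], office[1]).

    Both the timestamp and the offset are author-supplied metadata, so the
    profile only describes what the commits claim, not where anyone sat.
    """
    hours = defaultdict(Counter)
    offsets = defaultdict(set)
    for author, ts in parse_log(text):
        hours[author][ts.hour] += 1
        offsets[author].add(ts.utcoffset())

    result = {}
    for author, hist in hours.items():
        total = sum(hist.values())
        in_office = sum(n for h, n in hist.items() if office[0] <= h < office[1])
        result[author] = {
            "commits": total,
            "local_hours": dict(sorted(hist.items())),
            "offsets": sorted(o.total_seconds() / 3600 for o in offsets[author]),
            "office_share": round(in_office / total, 2),
        }
    return result


if __name__ == "__main__":
    for author, summary in profile(SAMPLE_LOG).items():
        print(author, summary)
```

Pipe a real repository's `git log --format='%an|%aI'` into `profile()` to compare contributors side by side; a contributor whose offsets jump around, or whose office_share looks nothing like the rest of the team, is a prompt to look closer at their commits, not a conclusion.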
In Canada, it would fall into a number of federal laws (Criminal Code)

Unauthorized use - 342(1)
Mischief in Relation to Data - 430(1.1)
Interception private communications - 184(1)
Deceit/fraud - 380(1)

1. https://laws-lois.justice.gc.ca/eng/acts/C-46/section-342.1....
2. https://laws-lois.justice.gc.ca/eng/acts/c-46/section-430.ht...
3. https://laws-lois.justice.gc.ca/eng/acts/c-46/section-184.ht...
4. https://laws-lois.justice.gc.ca/eng/acts/c-46/section-380.ht...

Doubtful if law enforcement is; you can bet that the CIA and NSA and SS are looking into it though, hoping to find a thread to pull on the sweater.