As someone on reddit mentioned yesterday "Jia Cheong Tan" is an anagram of "CIA Agent John". Which may be accidental or a funny pun by the backdoor coder.
No, but the patience is quite amazing which makes me think it is someone who is employed to do this either by an intelligence agency or by a major ransomware company.
I think the undersold part with the patience/timeline taking years is that “Jia” surely has more identities and scams in play.
Everyone making products used as supply chain components for someone else should be looking at the timeline and considering which of their developers might match the same pattern.
I do not believe that “Jia” had only one iron in the fire.
I wouldn't make a Pikachu face if it was proven to be a major actor.
But the "amazing patience" is not at all unusual among people who work on open source projects for fun, right?
And what would the payday have been for a single individual who managed to get this backdoor deployed in all major distributions? How much is something like that worth on the black market? Tens of millions of dollars?
most people now will say something about the commit timestamps indicating this is an Eastern European actor, but it seems like any sufficiently dedicated intelligence service could script their commits or even assign a person to keep certain sleep/wake hours just to falsify that data
https://boehs.org/node/everything-i-know-about-the-xz-backdo...