Received: by 2002:ab2:7988:0:b0:1f4:b336:87c4 with SMTP id g8csp111918lqj; Thu, 11 Apr 2024 11:15:34 -0700 (PDT) X-Forwarded-Encrypted: i=2; AJvYcCVU0dkXjAtQdCvRqUoU58QGF0SeWWHGNX7gSRIUv4bzCWfOlNW9B/SJScto9OmGclvFW8h1J+ORGdVm/SyZHp0R+M6sqkHe78ch73ojqg== X-Google-Smtp-Source: AGHT+IG22E92e4eN0xq5VsRYGepyajpjE571nQe8lJXulugkOELxhfhTuHy5zjZdRrmagzbGFK1b X-Received: by 2002:a05:622a:58f:b0:436:4532:334a with SMTP id c15-20020a05622a058f00b004364532334amr571229qtb.44.1712859333872; Thu, 11 Apr 2024 11:15:33 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1712859333; cv=none; d=google.com; s=arc-20160816; b=OzsQwGvrWQ6PqwxnGrEq2gQQy82ql90MU2CMPt5ZW0UQsKbwdAQZxdpxtHjDsOmmcW eeeRnfqwznfLAg1kYVIEtc5EtiOsEDseIw2AJpcn14lewpYJeOgJs/7NRlVAZGOeTXar Ki41zBIcEggr89MKE4Oo5dYNwtOOyajT5rZr6Quj4sew0SVCUObHFkgaZ/pdDib+SZb9 z3uyULbD4eVlPxEFcNNIP5fwJ+HSOwUSGOefG2G6f47awcnyr6Zm21qOPYJDNSqCZhZZ xTIX48qTaEdhC5XuDA/XlD6L2JKnp9bI41lOO03+yzNDRpwaEVW1yLJvw0MovEjevmaW sD1Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=subject:in-reply-to:content-disposition:mime-version:references :message-id:cc:to:from:date:dkim-signature:delivered-to:delivered-to :reply-to:list-id:list-subscribe:list-unsubscribe:list-help :list-post:precedence:mailing-list; bh=v5IyZEz1ijiurkNbKxDo5/vOdNO77a8S1rn9PeP7+eU=; fh=+DD6Hxg2XM36+kHT3Z6cXPi6pgflf3P93QGa08PlLDQ=; b=Sb6ltzJZpz6aMdZ32XYvXwtXnra3/yLjQRAhqw9L8RhHcOl6BO2+oHBLpGc3l37q4x 5ed6E4VvMeLa8N6zZT7pqAZFY0hqXQNtTsqtRgD5kOAXEyfowxov5Leq8qQ+qLkGelta RO4aqii0H4kHZS1nak9EAL4EbGyZQ7rEAkcqq5I7PFV9rqlOqa8PGYvJetP1zbCuwSQi 9M7it3clHHJH7mN34otg6STtJtszi8loFvTmzb4IYUrT2gipY5tbxd7/9Fg2HyEufW2g 5bJRZuNT0H6wRps5fiZ3A/SFcAl79vf9PPGCQjQM+I0y9cbH/2d/1IKUQP2Up9FDKuRU sAqA==; dara=google.com ARC-Authentication-Results: i=1; mx.google.com; dkim=neutral (body hash did not verify) header.i=@kernel.org header.s=k20201202 header.b=TSjgf3XD; spf=pass (google.com: domain of oss-security-return-30010-linux.lists.archive=gmail.com@lists.openwall.com designates 193.110.157.125 as permitted sender) smtp.mailfrom="oss-security-return-30010-linux.lists.archive=gmail.com@lists.openwall.com"; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from second.openwall.net (second.openwall.net. [193.110.157.125]) by mx.google.com with SMTP id y17-20020a05622a005100b00434c73e7e41si2116387qtw.6.2024.04.11.11.15.33 for ; Thu, 11 Apr 2024 11:15:33 -0700 (PDT) Received-SPF: pass (google.com: domain of oss-security-return-30010-linux.lists.archive=gmail.com@lists.openwall.com designates 193.110.157.125 as permitted sender) client-ip=193.110.157.125; Authentication-Results: mx.google.com; dkim=neutral (body hash did not verify) header.i=@kernel.org header.s=k20201202 header.b=TSjgf3XD; spf=pass (google.com: domain of oss-security-return-30010-linux.lists.archive=gmail.com@lists.openwall.com designates 193.110.157.125 as permitted sender) smtp.mailfrom="oss-security-return-30010-linux.lists.archive=gmail.com@lists.openwall.com"; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (qmail 22484 invoked by uid 550); 11 Apr 2024 18:15:11 -0000 Mailing-List: contact oss-security-help@lists.openwall.com; run by ezmlm Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-ID: Reply-To: oss-security@lists.openwall.com Delivered-To: mailing list oss-security@lists.openwall.com Delivered-To: moderator for oss-security@lists.openwall.com Received: (qmail 9765 invoked from network); 11 Apr 2024 17:25:31 -0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1712856322; bh=AAONnW18gk1aAXRRdvNlna/+62rrqboRb8RDaC+Tvpo=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=TSjgf3XDIXLh0zScQXNAKDs4Jq+Q7Si+vi40NsAcTc/+Ajuux8t/85vsLFDBCGpV+ 3Tni1GPUS9tgKAQtWPl9HqSqrq4E/VklupED+LxghayVUa5MBE7xSAHL4SKf3OWudh cc2QIY9gu+tyAVF9YvPqg8gGZaZEq4TSxBaKRq1Ja/245OIo21gPFz4+vBw0Tp4SLW rY2MGGKxYdmI4mM3wDnwVKwlZMpRRX8EBnXi5t/hTY9/n8Li9tCHTUFNVlN/C7yFHi UBOPwSxUjZsmRtKcfkld+PQusPC2G6TQy0vatLB6YcETKk05n+c1mNcfEkeLgAGaHU T6WLHSrBlRKpQ== Date: Thu, 11 Apr 2024 19:25:11 +0200 From: Alejandro Colomar To: Jacob Bachmeyer Cc: oss-security@lists.openwall.com, Sam James , Joey Hess , Jonathan Nieder , Andres Freund , Lasse Collin , xz@tukaani.org Message-ID: References: <20240410162812.GA17059@openwall.com> <66175855.2090805@gmail.com> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="g3h14OggsUOvJq77" Content-Disposition: inline In-Reply-To: <66175855.2090805@gmail.com> Subject: Re: [oss-security] Analysis on who is Jia Tan, and who he could work for, reading xz.git --g3h14OggsUOvJq77 Content-Type: text/plain; protected-headers=v1; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Date: Thu, 11 Apr 2024 19:25:11 +0200 From: Alejandro Colomar To: Jacob Bachmeyer Cc: oss-security@lists.openwall.com, Sam James , Joey Hess , Jonathan Nieder , Andres Freund , Lasse Collin , xz@tukaani.org Subject: Re: [oss-security] Analysis on who is Jia Tan, and who he could work for, reading xz.git Hi Jacob, [reordered] > Lastly, I believe that if (a big "if") enough evidence can be found to ma= ke > attribution of the xz backdoor stick, the results are likely to be a > political scandal that will serve to deter others from similarly going > rogue, so pinning the "Jia" on the sockmaster might be a good step to red= uce > the overall threat to the community. Agree. On Wed, Apr 10, 2024 at 10:26:13PM -0500, Jacob Bachmeyer wrote: > > Note that other recent threads in here about search for code patterns > > similar to Jia Tan's and even for PGP keys similar to Jia Tan's are more > > relevant to oss-security, because they're aimed to uncover potential > > related backdoor code in other projects. In contrast, identifying who > > Jia Tan is or what country/ies they're from doesn't obviously help. At > > best, it may give us guesses on where the presumed targets are, but then > > what? We need to protect the whole ecosystem regardless of who/where > > the current attackers are, and we need to develop means to detect such > > attacks everywhere, not only at currently likely targets. >=20 > First, a factual correction: The hypothesis that "Jia Tan" was actually = in > UTC+03 seems to have been backwards, since the peak activity overlaps only > partially with office hours in UTC+03, but does indeed start with 9AM in > *UTC-03* by my reckoning. The only problem is that UTC-01 through UTC-03 > cover various islands in the Atlantic Ocean and a few Eastern parts of So= uth > America. All of these strike me as unlikely sockmaster bases. The probl= em > with time zones east of UTC is the observed UTC 17:00 "quitting time" (mo= re > below) which only gets /later/ in the local day as you move east. >=20 > Second, I think that we can probably put the "Israeli" hypothesis to bed: The timezone can be faked, but it still has implications. Why would 4 commits in the recent period be committed allegedly in (winter) +0200? I can think of a few options. The person had something to do in a country of that timezone. Maybe it worked for a country in that timezone. Maybe it worked for a different country but was infiltrated in that country. Maybe it was a false flag to implicate that country. But I would discard the "it's just a random timezone that the person chose". For a random timezone, you use either UTC, or the one in a country that would be unsuspicious. I used UTC in the past, but that might be suspicious in Spain where I live, so at some point I decided to use CET/CEST, which would be unsuspicious for a computer in Spain. Now, for the false flag. This attack was very likely something that they didn't intend to be discovered, as it would be significantly more valuable if undiscovered. So we can assume they didn't put those 4 commits for us to find them. Yet, that person could have participated in other false flag attacks, and have its computer set up for them, so there's some chance that the +0200 timezone was false on purpose. If that would be the case, and clearly it wasn't careful because it leaked the timezone in the commit, it might have left a few other traces (for example, when git pushing; maybe the logs have an IP). If it was not a side effect of a false flag from the same computer, this timezone was probably because the person has some implication with a country of that timezone. Either infiltrated (working against them) or working for them. In either case, it was a big mistake to leak the timezone, and it would mean those commits have been likely done from an important computer. It could be a computer of an intelligence agency, or maybe of a programmer infiltrated in a country of the timezone. I tend to favor the former. Programmers don't really need to infiltrate often, since we work remotely just fine (there are reasons to physically infiltrate, but it's less likely, I think); also, this kind of long-term work isn't the kind of work you'd use an infil for. In any of those cases, the timezone is useful information, I think, and shouldn't be discarded easily. > There seems to be no 24 hour period where "Jia" made no commits, and what= I > think is Friday night into Saturday (therefore the Jewish Sabbath) is one= of > the more frequent late-night periods, while "Jia" seemingly (mostly) took > Sundays off. I have read reports where activities were attributed to Isr= ael > and two of the key arguments were that APT group did /nothing/ on Friday > evenings or Saturdays, and Sunday seemed to be an ordinary work day for > them. These characteristics do /not/ describe the "Jia" crew. Whoever > "Jia" is, an observant Jew he is not. That's a very interesting observation. > I have been looking at this from a different angle, assuming that all of = the > time zone information in the commits is bogus and looking for patterns in > the commit epoch timestamps, which are harder to convincingly fake. The > attached "collect.sh" is intended to run in a directory next to a copy of > the repository as "xz-backdoored" and extracts the commit and author > timestamps in epoch time, further decomposing them into week/time-of-week > and day/time-of-day for analysis and plotting. The week and day numbers = are > counted from 1 Jan 1970, which was a Thursday, so the time-of-week numbers > in the output of the attached script are seconds from midnight Thursday. = An > epoch day number X can be converted back to a date with `date --date=3D'1= Jan > 1970 UTC + X days'` and an analogous command converts week numbers to > Thursdays. This is a work in progress and I am not yet fully confident t= hat > I have correct analysis, in part because my results are different from wh= at > others had found before I started, so I am presenting the data extraction > script for others to either find problems with or replicate my results. = The > script was run on a repository clone with master checked out at commit > f9cf4c05edd14dedfe63833f8ccbe41b55823b00. How did you plot them? Do you have a gnuplot script handy or something? > There is a noticeable cluster in the plot, and about 85% of "Jia Tan"'s > commits were in the five hours starting at UTC noon. If we exclude 2024, > which seems to have been "crunch time" on getting the backdoor out, that > jumps to about 91%. I believe that this pattern *might* be a good indica= tor > for the sock farm containing "Jia Tan" but there are likely to be false > positives, so it is probably a weak indicator. Combining this pattern wi= th > a claimed timezone (like "Jia"'s UTC+08) where that period is into the ni= ght > might work better. In UTC+08, that period is 8PM to 1AM, which are unlik= ely > office hours. The peak also ends almost as abruptly as it begins, > suggesting that UTC 17:00 was "quitting time" at "Jia"'s office, but that > "Jia" did occasionally work late. The five hour active period is consist= ent > with morning planning meetings, followed by general work keeping up "Jia"= 's > appearances, with a floating lunch break somewhere. Think "rogue state > bureaucracy" here. Hmmm. > The percentages above were calculated with these Awk commands: >=20 > awk '{ if ($5>(12*3600) && $5<(17*3600)) A++; else B++ } END {print "in: > "A" out: "B" all: "A+B" %in: "100*A/(A+B)}' > timedata-committer-JiaTan >=20 > awk '$4 < 19723 { if ($5>(12*3600) && $5<(17*3600)) A++; else B++ } END > {print "in: "A" out: "B" all: "A+B" %in: "100*A/(A+B)}' > timedata-committer-JiaTan >=20 > Epoch day 19723 is 1 Jan 2024 by my reckoning, (`TZ=3DUTC date --date=3D'= 1 jan > 1970 UTC + 19723 days'`) so the second command repeats the count, excludi= ng > 2024. >=20 > This thread landed in my inbox as I was planning to start work on further > partitioning the "Jia Tan" commits, initially by keywords in the commit > message. Do commits involving "ifunc" stand out in time from all others? > Alejandro's work raises another question: Does time-of-commit correlate = to > diff size? Alternately: Was the more complex work seemingly done in a > different time zone? I'll try to investigate this. Please update when you finish your study. I'm interested. >=20 > -- Jacob Have a lovely day! Alex --=20 --g3h14OggsUOvJq77 Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQIzBAABCgAdFiEE6jqH8KTroDDkXfJAnowa+77/2zIFAmYYHPcACgkQnowa+77/ 2zLbhg/+MKEf/5q8LShsy3fDQvNcf8Kq4n/D26YKYr1DDiFSfC4tAC+5GtMmHA3R owAxaroSqbTt6g7lzSmvUVlGj4Qh4w6wj48RZ90V7fIS96gx5YgBHSvkYhfd4xCp 5L2VwOEufUXtYPAE/gl9rEKmQbx6buRQnej+DBrnoA0+RcRza9TySDPiujMavTt0 4FL5lVV8JSRYlxWzB/FKvK9GsOlkozdM3CUUJcr/7FDGff4oXQb9Q5otWCppF4fc rkc1kATXKH4z/qwGoO6B+pbozeI7GBMRv6aQkeUndFQsNEFO6Yxr7GGH0i4z+wrP qCSpSJA6n7WHFm+aSLkPvcN5r0D6NjFLYAZSzen6jLvEhDkxWcCAoHTW+W7rT61P B6n4P300qkGdy+B+dFXvL3Sd6TqBsCmYdoq8Kmo5llQFdoORtjZB5blp78uBCbLk jnvg0Onjv0wA1PxEL/coSgiifaiqS+A0wTEnX7pr7EF71108/gdBSJHtqR+Ln772 HOVSwyY8uGg+G0Xx05epDSSrTzDaIvCQpZjMsJd+s4oWgRvCtGUGzhTqm4CCu9Zj AfL5g2tAAKj94GDkdPyQ4BlyijrpUOfTAKCoUPiQNYgJG7T0hJ8cgtrKe8LgDf1y hHx+5O4WFiRz8a4fYSBF5E3yTaVNy+XFXicVsQMfCw3SaHsID6k= =xGs+ -----END PGP SIGNATURE----- --g3h14OggsUOvJq77--