Meg on Nostr: I think the more interesting aspects of the xz exploit aren't even the technical ones ...
I think the more interesting aspects of the xz exploit aren't even the technical ones but the social ones.
Like, this thing (https://github.com/google/oss-fuzz/pull/10667) where almost a year ago they convinced Google's fuzzing project not to run against xz with one of the mechanisms of the eventual attack enabled anymore is a brilliant(ly evil) move.
At this point it's hard to even rule out the possibility that the original maintainer was targeted for harassment (bad cops) to encourage him to give up maintainership of the project to a friendly newcomer (good cop).
It's such a long game.