The things I don't like about the discussion on whether this is a state actor behind the #xz backdoor are:

* It doesn't change the response for pretty much anyone except a narrow group of professionals. Ultimately I don't know that it matters for most of us if this was a state attacker or some kid who wants a way to get op privileges.

* It distracts from next steps.

* Would they think that if the actor were named John? Will this increase suspicion of anyone with a "foreign" sounding name?

#xz
in reply to Hrefna (DHC)

If you are in that narrow group of professionals or you are building a threat model for your system, state actors are definitely part of the equation.

But it's very easy to get caught up in "who did it" and not "how did they do it."

I see multiple problems here. Some of which I don't know how to correct, but it doesn't matter if it is a state actor; others are things that would apply regardless of whether they are a state actor.

Maybe there is something, but if so it is likely far beyond lay responses.

in reply to Hrefna (DHC)

Side note: this is part of why we have blameless postmortems even when there is a clear place to assign blame. Acting on the blame takes a different route and sometimes that route is needed, but it also needs to be part of a _different analysis_.

Because when a problem in a system is exploited, you have two problems. The first is who did it; the second is that the system could be exploited by them in the first place, and focusing too much on the first undermines the second in a great many cases.