Who is the mysterious Jia Tan who installed a backdoor in the compression tool XZ Utils?

On March 29, 2023, it was discovered that
Everything I know about the XZ backdoor
https://boehs.org/node/everything-i-know-about-the-xz-backdoor
XZ Utils is developed as open source, and the maintainer merges code submitted by multiple people. Lasse Collin had been the maintainer of XZ Utils for many years, but in 2022 Jia Tan replaced Collin as the maintainer. Then, on February 23, 2024, Jia Tan merged the code containing the backdoor into XZ Utils. The following article summarizes in detail the flow from Jia Tan's participation in the development of XZ Utils to their appointment as a maintainer and the merging of malicious code.
Timeline summary of backdoor attack on XZ Utils - GIGAZINE

◆Jia Tan's footprints on GitHub
Jia Tan's footprint remains on GitHub. Jia Tan was active on GitHub under the username 'JiaT75'.
Jia Tan created her GitHub account on January 26, 2021. We then

Jia Tan is also active in projects other than XZ Utils, and on November 2, 2021,

Jia Tan also submitted a pull request to OSS-Fuzz, a software testing platform provided by Google, which was merged on July 7, 2023. Although it has been confirmed that the code Jia Tan sent to OSS-Fuzz is not directly related to the backdoor, a debate has erupted over its handling.
◆Considerations regarding IP addresses
The following log remained on the IRC channel '#tukaani' in which Jia Tan participated.
[libera] -!- jiatan [~jiatan@185.128.24.163]
[libera] -!- was : Jia Tan
[libera] -!- hostname : 185.128.24.163
[libera] -!- account : jiatan
[libera] -!- server : tungsten.libera.chat [Fri Mar 29 14:47:40 2024]
[libera] -!- End of WHOWAS
If you search for the details of the IP address '185.128.24.163' included in the log using

◆Considerations regarding names
When investigating Git logs, it was found that Jia Tan also uses the name 'Jia Cheong Tan'. 'Cheong' is a name often used in Cantonese, but 'Jia' is rarely used in Cantonese. For this reason, Mr. Boehs speculates that "the name 'Jia Cheong Tan' is just a plausible combination of Chinese-sounding names."
◆Inferring residence from commit times
There are also attempts on the Internet to determine Jia Tan's hours of activity from the commit log and infer the time zone where Jia Tan lives. According to analysis by Rhea Karty and Simon Henniger, Jia Tan is likely to live in the 'UTC+02' or 'UTC+03' area. 'UTC+02' includes countries such as Finland, Russia, Ukraine, Israel, and Greece.

'UTC+03' includes countries such as Russia, Syria, Turkey, Saudi Arabia, and Iraq.

They also said that Jia Tan committed as usual during the Lunar New Year, when many people in Greater China take a holiday. On the other hand, commits decreased during the holiday season between Christmas and New Year's. Detailed analysis results for both can be found at the links below.
XZ Backdoor: Times, damned times, and scams
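
The commit-time inference described above, as an added Python example (not code from this article or from the cited analysis). The timestamps are constructed sample data, not real commits, and the weekday 09:00 to 18:00 office-hours window is an assumption.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample, NOT real commit data: author dates in the form that
# `git log --format=%aI` prints (ISO 8601 with the committer's declared offset).
SAMPLE = """\
2024-01-08T15:10:00+08:00
2024-01-08T18:42:00+08:00
2024-01-09T20:05:00+08:00
2024-01-10T22:30:00+08:00
2024-01-11T17:20:00+08:00
2024-01-12T19:55:00+08:00
2024-01-15T16:01:00+08:00
2024-01-16T21:15:00+08:00
2024-01-17T11:30:00+02:00
""".split()

def parse(lines):
    """Parse ISO 8601 author dates into timezone-aware datetimes."""
    return [datetime.fromisoformat(s) for s in lines]

def declared_offsets(commits):
    """Count the offsets the commits claim. They come from the committing
    machine's clock settings, so they are self-reported and easy to change."""
    return Counter(c.strftime("%z") for c in commits)

def score_offsets(commits, start=9, end=18):
    """For each candidate UTC offset, count the commits that land on a weekday
    between start and end o'clock local time (assumed office hours)."""
    scores = {}
    for off in range(-12, 15):
        tz = timezone(timedelta(hours=off))
        local = [c.astimezone(tz) for c in commits]
        scores[off] = sum(1 for t in local
                          if t.weekday() < 5 and start <= t.hour < end)
    return scores

def best_offsets(scores):
    """Return every offset tied for the highest office-hours score."""
    top = max(scores.values())
    return sorted(o for o, s in scores.items() if s == top)

if __name__ == "__main__":
    commits = parse(SAMPLE)
    print("declared offsets:", dict(declared_offsets(commits)))
    print("best-fitting offsets:", best_offsets(score_offsets(commits)))
```

A tie between neighbouring offsets is the expected outcome of this kind of scoring, since a working-hours pattern cannot distinguish adjacent zones or daylight-saving shifts, and it only describes when commits were made, not where.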

◆Suspicious pull request
On March 23, 2024, a few days before the XZ Utils backdoor was discovered, 1Password employee Jared Allard sent the Go-language XZ compression library a pull request to update XZ Utils to the latest version. This led to widespread speculation that "Mr. Allard may be the true identity of Jia Tan," but on March 30, 2024, Mr. Allard posted an explanation that it was not intentional. In addition, Mr. Boehs seems to have received an "email from 1Password explaining that Mr. Allard has nothing to do with the backdoor."