Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Wed, 10 Apr 2024 13:28:39 +0200
From: Alejandro Colomar <alx@...nel.org>
To: oss-security@...ts.openwall.com
Cc: Sam James <sam@...too.org>, Joey Hess <id@...yh.name>,
	Jonathan Nieder <jrnieder@...il.com>,
	Andres Freund <andres@...razel.de>,
	Lasse Collin <lasse.collin@...aani.org>, xz@...aani.org,
	secalert@...hat.com, team@...urity.debian.org
Subject: Re: Analysis on who is Jia Tan, and who he could work for, reading
 xz.git

On Wed, Apr 10, 2024 at 05:16:52AM +0200, Alejandro Colomar wrote:
> Hi!
> 
> Regarding <https://tukaani.org/xz-backdoor/>
> 
> I've been researching xz.git to learn about this malicious actor, and
> who he might have worked for.
> 
> This Jia Tan seems to work mostly with the +0800 timezone:
> 
> 	$ git log --all --author 'Jia Tan' \
> 	| grep ^Date \
> 	| grep -o '[+-][0-9][0-9][0-9]0' \
> 	| sort \
> 	| uniq -c;
> 	      4 +0200
> 	     10 +0300
> 	    676 +0800
> 
> According to <https://www.timeanddate.com/time/map/>, in the summer,
> +0800 corresponds to China, or Taiwan, or Hong Kong, or Irkutsk (Russia),
> or Philippines or other small countries around it.  None of the regions
> in +0800 use DST.

For completeness, the list of tz database time zones that have +0800,
according to
<https://en.wikipedia.org/wiki/List_of_tz_database_time_zones>, are:

AQ 	Antarctica/Casey
BN 	Asia/Brunei
MN 	Asia/Choibalsan
CN 	Asia/Chongqing
CN 	Asia/Chungking
CN 	Asia/Harbin
HK 	Asia/Hong_Kong
RU 	Asia/Irkutsk
MY 	Asia/Kuala_Lumpur
MY, BN 	Asia/Kuching
MO 	Asia/Macao
MO 	Asia/Macau
ID 	Asia/Makassar
PH 	Asia/Manila
CN 	Asia/Shanghai
SG, MY 	Asia/Singapore
TW 	Asia/Taipei
ID 	Asia/Ujung_Pandang
MN 	Asia/Ulaanbaatar
MN 	Asia/Ulan_Bator
AU 	Australia/Perth
AU 	Australia/West
HK 	Hongkong
CN 	PRC
TW 	ROC
SG 	Singapore

> 
> +0300 corresponds to, among others, Israel and Moscow, and then a bunch

And the time zones that have +0300 in the summer and +0200 in the
winter are:

EG 	Africa/Cairo
LB 	Asia/Beirut
CY 	Asia/Famagusta
PS 	Asia/Gaza
PS 	Asia/Hebron
IL 	Asia/Jerusalem
CY 	Asia/Nicosia
IL 	Asia/Tel_Aviv
EG 	Egypt
GR 	Europe/Athens
RO 	Europe/Bucharest
MD 	Europe/Chisinau
FI, AX 	Europe/Helsinki
UA 	Europe/Kiev
UA 	Europe/Kyiv
AX 	Europe/Mariehamn
CY 	Europe/Nicosia
LV 	Europe/Riga
BG 	Europe/Sofia
EE 	Europe/Tallinn
MD 	Europe/Tiraspol
UA 	Europe/Uzhgorod
LT 	Europe/Vilnius
UA 	Europe/Zaporozhye
IL 	Israel

-- 
<https://www.alejandro-colomar.es/>

Download attachment "signature.asc" of type "application/pgp-signature" (834 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.