the lesson *I'm* choosing to take from xz, as an oss maintainer, is that anyone trying to pressure or guilt me into doing something should immediately be told no, for security reasons
he was using a singapore VPN and had access to multiple sockpuppets. we know literally nothing else about them and anything you’ve heard to the contrary is baseless rumor.
leading theory is that it was a state-sponsored actor, but frankly even that much is speculation and which state is still way up in the air.
They found this particularly interesting as Cheong is new information. I’ve now learned from another source that Cheong isn’t Mandarin, it’s Cantonese. This source theorizes that Cheong is a variant of the 張 surname, as “eong” matches Jyutping (a Cantonese romanisation standard) and “Cheung” is pretty common in Hong Kong as an official surname romanisation. A third source has alerted me that “Jia” is Mandarin (as Cantonese rarely uses J and especially not Ji). The Tan last name is possible in Mandarin, but is most common for the Hokkien Chinese dialect pronunciation of the character 陳 (Cantonese: Chan, Mandarin: Chen). It’s most likely our actor simply mashed plausible sounding Chinese names together.
Wild, so it would suggest that the actor wasn’t Chinese at all. An authentic Chinese person probably wouldn’t choose a name that sounded like that, any more than I would name myself Sean MacBerkowitz, it would just sound wrong.
A random name generator might produce something like this, of course, if it wasn’t programmed to be too picky.
Or they are Chinese, and pick non-authentic Chinese names so people wouldn’t suspect them? I don’t think looking at the name can be a great way to identify the source.
This attack is clearly sophisticate: the attacker(s) are probably well-trained in obscuring their identity to not reveal much info from their name picks. Say, just use a random name generator.
The name is suspicious because “Jia Cheong Tan” uses two different romanization of Chinese used in different regions. “Jia” and “Tan” seems to be pinyin, which is commonly used in the mainland; yet “cheong” uses probably Wade-Giles which is used in Taiwan.
OP seems to suggest cheong is Jyuping, which is used as a romanization for cantonese, but according to wikipedia, “eong” is not a final for Jyuping. So I don’t think this is Jyuping.
disclaimer: I don’t know a lot about Jyuping or Wade-Giles, so everything I put out is from wikipedia.
The guy was from Hong Kong, they probably threatened to throw his family in jail.
he was using a singapore VPN and had access to multiple sockpuppets. we know literally nothing else about them and anything you’ve heard to the contrary is baseless rumor.
leading theory is that it was a state-sponsored actor, but frankly even that much is speculation and which state is still way up in the air.
Via https://boehs.org/node/everything-i-know-about-the-xz-backdoor
Wild, so it would suggest that the actor wasn’t Chinese at all. An authentic Chinese person probably wouldn’t choose a name that sounded like that, any more than I would name myself Sean MacBerkowitz, it would just sound wrong.
A random name generator might produce something like this, of course, if it wasn’t programmed to be too picky.
Or they are Chinese, and pick non-authentic Chinese names so people wouldn’t suspect them? I don’t think looking at the name can be a great way to identify the source.
This attack is clearly sophisticate: the attacker(s) are probably well-trained in obscuring their identity to not reveal much info from their name picks. Say, just use a random name generator.
Except it is a Chinese name, as Cantonese is spoken in China. Lots of speculation here by people missing vital information.
The name is suspicious because “Jia Cheong Tan” uses two different romanization of Chinese used in different regions. “Jia” and “Tan” seems to be pinyin, which is commonly used in the mainland; yet “cheong” uses probably Wade-Giles which is used in Taiwan.
OP seems to suggest cheong is Jyuping, which is used as a romanization for cantonese, but according to wikipedia, “eong” is not a final for Jyuping. So I don’t think this is Jyuping.
disclaimer: I don’t know a lot about Jyuping or Wade-Giles, so everything I put out is from wikipedia.
See: