Some thoughts about attribution in the XZ backdoor, having just wasted so many hours digging into the details.
The email addresses used for a couple of years at least by the parties involved have absolutely *zero* trace in any kind data breach or database beyond Github/Gitlab, and maybe Tukaani and Debian and a few mailing lists.
Normally when I see this, the assumption is that we're dealing with a single-use or single-purpose email address that was created either for fraud or b/c someone is super paranoid about privacy.
The people in the latter camp who do this tend to have other tells that give them away, or at least *some* trace or home base in the online world. Especially if we're talking on the order of years using that address.
Either way, very few people do opsec well, and for every year you're operating under the same name, nick, number, email, etc you dramatically increase the risk of screwing up that opsec. And almost everyone does, eventually.
To see this complete lack of presence in breached databases once or twice in the course of an investigation is rare, but to find it multiple times suggests we're dealing with an operation that was set up carefully from the beginning. And that almost certainly means a group project (state-sponsored).
@briankrebs It is my good practice to use a unique address for this exact purpose. If I receive spam for a specific address, it is relayed to junk. If a specific address shows up in a leak, no other account is immediately affected. If you get used to it, even remembering account logins is fairly easy.
@himmelssohn @briankrebs dude you just mansplained to Brian Krebs.
