Another fun fact: Moscow is in the same time zone as the Middle East.
Looks like author posted this themselves earlier, and even used Claude for the HN comment:
This seems like a witch hunt.
what do you mean by "being first hand involved in all this"? what part did you take if you don't mind sharing, this was an incredibly interesting turn of events.
I haven't seen anyone write up a proper analysis that includes consideration of:
- GitHub activity (e.g. all API actions on GitHub side including replying to comments) _and_ mailing list activity _and_ other public facing activity all considered together.
- Complexity of public actions e.g. was there a queue of code changes that would have taken 20 hours effort to put together that were all committed at once? Were there any long streaks of high activity where it might reveal how many people were involved?
- Latency of public actions e.g. if an issue was raised by some random person, how long did it take for the attacker to respond, and later resolve/commit a patch? Similar to the complexity of public actions, it might reveal how many people were involved by estimation of the time needed for an experienced developer to fix an issue vs. actual time taken, both in terms of level of effort and duration.
- International dispersement of a team in different timezones with some core hours for collaboration, review and public facing activity.
- Public holidays, country/region-specific work habits, etc--e.g. consideration of "summer holiday" periods or similar common holiday periods, consideration of unusual days of no/low activity versus snow days, power outages, etc which might have been experienced by the attacker.
Distribution of actions from Github indicates the attacker used a 6 day work week excluding Sunday, and almost all activity conducted between UTC 12:00-16:00. Within these 6 days, activity was uneven at 0.5, 1, 1, 1, 1, 0.5 effort per day. There are low activity periods too that line up with summer solstice (southern hemisphere) or winter solstice (northern hemisphere).
There are interesting patterns in the data not yet publicly analysed (I think?) that seemingly would reveal the true location of attackers, particularly because attacker actions are anchored to uncontrollable events such as a known-good contributor (such as Linux distro maintainer) raising a Github issue against a repository and the attacker replying an hour later. For such events with low latency of reply, it'd be well worth considering when a reply was made quickly, and when it wasn't, across a few years of data points.
https://github.com/AdrianMastronardi/bookwright
There's nowhere near enough public information about the xz vuln to be worth turning into a book, so the merits of AI-generated text aside, this is just a very inefficient way to learn about the topic.
I downloaded the book. It's not fake. Perhaps no masterpiece, but far from worthless. Also, not "enough public information" really sells inference and imagination short. There is a rich amount of material to work with here. More than enough.
I am going to go ahead and say that flagging this was more information suppression than crankiness about AI. A lot of folks get strange when Jia Tan or similar subjects come up. I guess it's wiser to just wait until the grid goes down, or the water supply gets a bit more chlorinated....
Compare this to Jeff Guo (NPR) or Henry van Dyck (Veritasium) or my contact at the WSJ. They all investigated this story, interviewed key people (more people were interviewed for the Veritasium video than appeared), and fact-checked everything with subject matter experts. The NPR story took about 3 months of work and the Veritasium video took 5 months. I was interviewed in total for over 6 hours across all of them.
These are real journalists who worked on these stories and they produced novel work and new findings. I have huge respect for them, especially after being involved with it and seeing what work it took to add something new to the story. At the same time they managed to tell that story to a lay audience which is another skill in itself.
I'm not in the habit of researching the people who respond to me before I ask them about what their role was in something they seem proud of. I thought I was being polite by asking about it.
That's really cool that you were interviewed, which of the interviews do you think most represents your hand in this? I wouldn't mind checking it out. I also really like Veritasium's channel, that's pretty awesome.
I assumed some of my coworkers added "replace all em-dashes with semicolons" into their CLAUDE.md as a really crappy attempt at hiding their inability to write a single sentence without assistance.
I hate those arguments "it has emdash therefore AI", of course humans also write that way.
But poor and excessive usage of them is a pretty strong red flag, also together with other tells.
Might this not actually be a reasonable purpose for AI? I can tolerate the quirky style and AI signatures for something honest and free.
Like, for me personally, I'm terrible at writing, so I'll gladly have some AI throw together a draft, which I then verify and edit.
Edit: One of the things I learned quickly while working with LLMs, is that the quality of the user, the input, determines the quality of the output. Not everyone's input is of equal quality.
Heck, I should put money on this. Start a competition: I give folks a prompt, and tell them to write a book about a subject with AI. I'm the sole judge of quality. Winner gets $2000. Then let's examine the variance in the entries.
In short: using AI is a skill. It's silly to pretend otherwise.
https://news.ycombinator.com/item?id=48966159
And here's their Claude skill for writing
OldMatey•7h ago
miramba•7h ago
VladVladikoff•5h ago
akimbostrawman•4h ago
IshKebab•3h ago
Maintain it for a bit so people switch to your version, and job done.