I’ve been thinking about the recent XZ security issue and the speed with which people in the programming community have responded and investigated. I think right now a lot of people are asking the same question: Why? The What and the How are being thoroughly figured out, but Why is a very curious question.

People are looking into git logs, mailing lists, and code patches (aided by the immutable history of such things), but since the true identity of the individual is unknown, it is unlikely we will ever know the true reason. That is likely to only be known by them and anyone they were working with. We can speculate and conclude based on likelihoods and groups who would have the most interest in doing such a thing, but that doesn’t necessarily make it true on an individual level. For all we know this could have been one person who just really wanted to break into machines, or it could have been a nation state actor (maybe it’s the rogue AI).

Even if we did have the person telling us that they were the malicious actor and this is why they did it - is that the truth? Can you trust someone who did something so obviously bad to tell you why they actually did the thing? They could be giving you a red herring or trying to guide your attention away from other things that haven’t been found yet.

There will be an aftermath to this whole thing, but I think it will occur mostly through individuals, not so much organizations. At the scales we are talking about, it’s too “hard” (costs too much money) for corporations to change everything in the stack to be better to prevent this. The more likely change is that anyone who was here on social media, and in communities, and on these lists will have seen just how bad something like this could have been, just how susceptible other projects are, and will have a sort of “aftermath trauma” to this whole event that will live on.

People will change their habits, but the system won’t.

======

I wanted to write something that echoes my thoughts and also translates partially to what I’ve been going through in my own life recently. Sometimes people hurt you, and you will never get a valid explanation. You just have to change so that you can’t get hurt as hard again.