https://boehs.org/node/everything-i-know-about-the-xz-backdoor
I have begun a post explaining this situation in a more detailed writeup. This is updating in real time, and there is a lot still missing.
Does everyone understand how much luck was involved in this exploit in #xz being discovered so quickly? And, what it tells us about the attacker?
This was a subtle and sophisticated attack implemented over _years_. The attacker was made a co-maintainer two years ago, and they made numerous innocuous-looking and seemingly unrelated changes over that time, sometimes through a second account, that eventually added up to a backdoor. Along with many innocent commits, too. #Linux
More thoughts on #xz: it seems that the bootstrap code for the backdoor was hiding in difficult-to-understand code. I hope this prompts people to start taking code readability seriously as a security factor.
It's much harder to hide malicious code in code that's easy to understand.
About the #xz backdoor: please do *not* assume that if your SSH server is not affected, you are not affected by it at all.
A lot about this situation is still unclear, but what *is* clear is that this wasn't a drive-by attack - this was clearly a well-prepared long-term engagement, across many commits and messages by potentially multiple accounts.
That makes it very plausible that there are other backdoors that haven't been found yet, and that might affect you under different circumstances.
There's not much you can concretely do about that yet, but you should carefully watch developments around this situation.
nixos users: tracking issue for the xz exploit rollback is https://github.com/NixOS/nixpkgs/pull/300028
I could take a "LMAO TOLD YOU SO" approach here but really I'm just sad. I really did enjoy working on the github CLI and the copilot feature violated all the values I tried to bring to that project. It's also a great object lesson in the downfall of GH culture under MSFT.
I guess the "copilot for github cli" launched. i can't bring myself to look at it but friends tell me it's as unreliable as i predicted.
this is the feature i quit over. i wasn't thrilled in general with working at GH at that point but being told i had no choice but to accept/support shoving copilot into the GitHub CLI is the actual event that pushed me out.
I gave plenty of warning that that was my line in the sand and they crossed it.
"it is a mistake to rush to impose the individual ethical responsibility that the corporate structure deflects. this is the temptation of the ethical which, as žižek has argued, the capitalist system is using in order to protect itself in the wake of the credit crisis — the blame will be put on supposedly pathological individuals, those "abusing the system", rather than on the system itself."
— mark fisher, "capitalist realism: is there no alternative?"
Little roundup of the news around the ‘xz’ supply chain compromise that I have seen so far:
https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users
https://lists.debian.org/debian-security-announce/2024/msg00057.html
https://www.openwall.com/lists/oss-security/2024/03/29/4
This is unlikely to impact people who run stable or LTS versions of Linux distributions, but if you are on Fedora 41 or Rawhide, for example, it's worth checking for updates.
Same goes for Debian testing, and unstable.
xz-utils was backdoored by its upstream. Tracked as CVE-2024-3094 and thoroughly documented by vuln discoverer Andres Freund on oss-security@: https://www.openwall.com/lists/oss-security/2024/03/29/4
Got routed over a footpath thrice and through a closed dike path once, also for some fucking reason it made me go *around* a perfectly serviceable street