Show newer
Sven Slootweg (soft-deprecated) boosted
*
JennyFluff :heart_trans: 💾

Quest: Find a 5V power supply with suitable barrel plug

Event log:
find a 5V power supply with a barrel plug too small
find a 5V power supply with a barrel plug too big
find a 5V power supply with USB output

1
Sven Slootweg (soft-deprecated) boosted
malevolent dictator for life
1
Sven Slootweg (soft-deprecated) boosted
rail [see pinned posts]

1am infodumping about optical fibers is completely normal and neurotypical, innit?

1
Sven Slootweg (soft-deprecated)

xz 

It occurs to me that a lot of distros probably have a lot of already-built packages that involved one of the suspicious xz versions in their build process, and I don't know that they all have the tooling to track which packages need to be rebuilt...

1+
Sven Slootweg (soft-deprecated)

Do you want to stop "supply chain compromises" as a company? Here's a very simple way to do so: pay a stipend to a maintainer of something you depend on.

You don't really need dependency tracking tools. You don't need to exactly parcel out the 'right' proportionate amount of money to every maintainer. All of that operational complexity is unnecessary.

It doesn't even matter *which* maintainer you pick, as long as it's one who isn't receiving a stipend yet, and you pay them enough to constitute a salary.

It will cost you exactly one developer salary. If every able company does this, the problem of supply chain compromises is solved tomorrow.

All you need to do is simply *do it*, and talk about it so that other companies will too.

1+
Sven Slootweg (soft-deprecated) boosted
Gabe Kangas
My heart goes out to xz. A single maintainer, who was clearly in a rough place with mental health, screaming out to the world for some help and additional contributions, and somebody shows up wanting to help. Could you imagine how happy that maintainer was? They were no longer alone.

And it turns out the only reason somebody wanted to help them was nefarious. I can’t imagine how they feel right now as everyone is blaming them. I hope they’re ok.
1+
Sven Slootweg (soft-deprecated) boosted
TundraWolf

@aral Quite by accident, I have found that some managers respond to describing quality checks and safety inspections as 'the paperwork that keeps the CTO out of prison' can change attitudes in several layers in the company in one go. Most project managers seem to realise that if the CTO is going to be incarcerated, they are going down with them.

0
Sven Slootweg (soft-deprecated) boosted
iliana

most of my personal reactions to the xz thing today have been "this is almost the perfect crime and it's incredible it was caught this early"

0
Sven Slootweg (soft-deprecated) boosted
JP

The fun* part will be figuring out how to prove other stuff hasn't been backdoored. While fighting the cops and spooks who want to be able to backdoor things without us noticing.

0
Sven Slootweg (soft-deprecated) boosted
JP

Not the specific library, but the idea that compromising underpaid and burnt out open source maintainers is easier and cheaper than hacking a server.

0
Sven Slootweg (soft-deprecated) boosted
often frowned upon

Why is there always exactly one lemon in a bag that suddenly decides to become a biohazard.

1
Sven Slootweg (soft-deprecated) boosted
*
Evan B🥥ehs

boehs.org/node/everything-i-kn

I have begun a post explaining this situation in a more detailed writeup. This is updating in realtime, and there is a lot still missing.

#security #xz #linux

Show thread
0
Sven Slootweg (soft-deprecated) boosted
Joe Cooper 🇺🇦 🍉

Does everyone understand how much luck was involved in this exploit in #xz being discovered so quickly? And, what it tells us about the attacker?

This was a subtle and sophisticated attack implemented over _years_. The attacker was made a co-maintainer two years ago, and they made numerous innocuous-looking and seemingly unrelated changes over that time, sometimes through a second account, that eventually added up to a backdoor. Along with many innocent commits, too. #Linux

1
Sven Slootweg (soft-deprecated)

*ponders about how anti-virus software tends to all use the same FOSS archival libraries to quietly and automatically extract untrusted archives for scanning*

1+
Sven Slootweg (soft-deprecated) boosted
Eloy. 🔜 eth0
1+
Sven Slootweg (soft-deprecated) boosted
Matthew Garrett

Just finished writing my lengthy paper on how "Many eyes make all bugs shallow", time to check what's happening on the internet today

0
Sven Slootweg (soft-deprecated) boosted
q3k :blobcatcoffee:

Yeah, whoever wrote that liblzma backdoor knew what they were doing. This isn't amateur work.

0
Sven Slootweg (soft-deprecated)

More thoughts on : it seems that the bootstrap code for the backdoor was hiding in difficult-to-understand code. I hope this prompts people to start taking code readability seriously as a security factor.

It's much harder to hide malicious code in code that's easy to understand.

1+
Sven Slootweg (soft-deprecated)

About the backdoor: please do *not* assume that if your SSH server is not affected, you are not affected by it at all.

A lot about this situation is still unclear, but what *is* clear is that this wasn't a drive-by attack - this was clearly a well-prepared long-term engagement, across many commits and messages by potentially multiple accounts.

That makes it very plausible that there are other backdoors that haven't been found yet, and that might affect you under different circumstances.

There's not much you can concretely do about that yet, but you should carefully watch developments around this situation.

0
Sven Slootweg (soft-deprecated) boosted
9th level spell slut

nixos users: tracking issue for the xz exploit rollback is github.com/NixOS/nixpkgs/pull/

see also github.com/NixOS/nixpkgs/issue

0
Show older
Pixietown

Small server part of the pixie.town infrastructure. Registration is closed.

Resources

Developers

What is Mastodon?

pixie.town

  • About
  • v3.5.19patch-2024-07-04

More…

v3.5.19patch-2024-07-04 · Privacy policy