Post details
hey does anybody out there have any thoughts about the xz compromise or perhaps have you thought of a way to relate it to some axe you have been grinding for 20 years
This content type is full of IndieWeb post types, which are all content types which allow me to take greater ownership of my own data. These are likely unrelated to my blog posts. You can find a better breakdown by actual post kind below:
hey does anybody out there have any thoughts about the xz compromise or perhaps have you thought of a way to relate it to some axe you have been grinding for 20 years
The clocks went forward an hour in the UK today, which raises an important question: when they go back in October will there be a compensatory Trans Hour Of Visibility?
I wrote this ⬆️ a few years ago. As the fallout from the #XZ hack reverberates, expect to see people calling for a "real name" policy for contributors to critical infrastructure. But, as I explain, there are several practical problems with that. https://shkspr.mobi/blog/2021/02/whats-my-name-again/ That's before we get to the ethical and privacy issues. Oh, and making it *easier* for attackers to target named individuals.
Maintenance is more important than innovation. This xz debacle is a symptom of a system that prioritizes lots of things above maintenance. Take this as a reminder to rest, to mend things & pay attention to what needs mending in yourself. Do the radical thing of working slowly and making all things more whole.
Proposals(re)accepted: add slices.Repeat functionaccepted: report use of too-new standard library symbols with go vetFrom around the communityBlog: Context-induced performance bottleneck in Go by Gabriel AugendreNew community Q&A site: godev.com, powerd by Apache AnswerBlog: Go Enums Still Suck...
Jacob talks about the backlash against open source maintainers seeking compensation, ethical use of software, financial support for maintainers, and complexities in licensing.
Personally, I’d rather celebrate a day about real living people than a fictitious magic zombie.
If you want many eyes on your open source project, you need to get rid of assholes. Bad community management is a security risk. Assholes bully sole maintainers. Assholes gatekeep and keep maintainer numbers low. Assholes waste time on the mailing list with petty bullshit. If you fundraise, assholes are bullying your grant writers and community managers. Some of the best security contributors don't write a single line of code. They yeet assholes.
Being a woman fixed all the problems in my brain (except the ones caused by the autism and being a huge bitch)
Between and I took 3447 steps.
SQLite is often misconceived as a "toy database", only good for mobile applications and embedded systems because it's default configuration is optimized for embedded use cases, so most people trying it will encounter poor performances and the dreaded SQLITE_BUSY error. But what if I told you that by tuning a
I've been informed by the 11yo that his mother and I are the target of an antitrust lawsuit joined by at least 15 other children, that we have abused our power to maintain an illegal monopoly in the relevant market of "parenting decisions" specifically for preventing choice and putting in place limits regarding food, videogames, and other media, and have conspired to make it effectively impossible for them to switch to alternative parenting decision providers
My current take on the #xz situation, not having read the actual source backdoor commits yet (thanks a lot #Github for hiding the evidence at this point...) besides reading what others have written about it (cf. https://boehs.org/node/everything-i-know-about-the-xz-backdoor for a good timeline): 1. This is going to be an excellent teaching example for advanced supply chain attacks that I will definitely be using in the future - after much more in-depth analysis. 2. It seems to have been a long game, executed with an impressive sequence of steps and preparation, including e.g. disabling OSSFuzz checks for the particular code path and pressuring the original maintainer into accepting the (malicious) contributions. 3. The potential impact could have been massive, and we got incredibly lucky that it was caught and reported (https://www.openwall.com/lists/oss-security/2024/03/29/4) early. Don't count on such luck in the future. 4. Given the luck involved in this case, we need to assume a number of other, currently unknown supply chain backdoors that were successfully deployed with comparable sophistication and are probably active in the field. 5. Safe(r) languages like #rustlang for such central library dependencies would maybe (really big maybe) have made it a bit harder to push a backdoor like this because - if and only if the safety features are used idiomatically in an open source project - reasonably looking code is (a bit?) more limited in the sneaky behavior it could include. We should still very much use those languages over C/C++ for infrastructure code because the much larger class of unintentional bugs is significantly mitigated, but I believe (without data to back it up) that even such "bugdoor" type changes will be harder to execute. However, given the sophistication in this case, it may not have helped at all. The attacker(s) have shown to be clever enough. 6. Sandboxing library code may have helped - as the attacker(s) explicitly disabled e.g. landlock, that might already have had some impact. We should create better tooling to make it much easier to link to infrastructure libraries in a sandboxed way (although that will have performance implications in many cases). 7. Automatic reproducible builds verification would have mitigated this particular vector of backdoor distribution, and the Debian team seems to be using the reproducibility advances of the last decade to verify/rebuild the build servers. We should build library and infrastructure code in a fully reproducible manner *and* automatically verify it, e.g. with added transparency logs for both source and binary artefacts. In general, it does however not prevent this kind of supply chain attack that directly targets source code at the "leaf" projects in Git commits. 8. Verifying the real-life identity of contributors to open source projects is hard and a difficult trade-off. Something similar to the #Debian #OpenPGP #web-of-trust would potentially have mitigated this style of attack somewhat, but with a different trade-off. We might have to think much harder about trust in individual accounts, and for some projects requiring a link to a real-world country-issued ID document may be the right balance (for others it wouldn't work). That is neither an easy nor a quick path, though. Also note that sophisticated nation state attackers will probably not have a problem procuring "good" fake IDs. It might still raise the bar, though. 9. What happened here seems clearly criminal - at least under my IANAL naive understanding of EU criminal law. There was clear intent to cause harm, and that makes the specific method less important. The legal system should also be able to help in mitigating supply chain attacks; not in preventing them, but in making them more costly if attackers can be tracked down (this is difficult in itself, see point 8) and face risk of punishment after the fact. H/T @GossiTheDog@cyberplace.social @AndresFreundTec@mastodon.social @danderson@hachyderm.io @briankrebs @eloy@hsnl.social
Attached: 1 image This text is not something we wrote in a rush this morning to meet the moment. We've had variations on this on our site from day 1. I believed it then and I believe it now.
people are saying the xz backdoor is likely the work of a nation state actor, and given that it appears to been slow rolled for a couple of years and immediately became obsolete before it was fully launched - you do have to admit it bears the hallmarks of a government IT project
@Gaelan@cathode.church @neil@mastodon.neilzone.co.uk You see, I saw your response and I *still* clicked anyway. Social engineering will be the death of me.
New blogpost: _**[It is about trust, not software](https://neilzone.co.uk/2024-03-30-it-is-about-trust-not-software.html)**_ My reflections on the `xz` situation. > This isn't about software, it's about trust, and trust, especially *digital* trust, is easy to misplace...
"open source needs more funding!" *nation state pays for backdoor* "not like that!"
Justin & Autumn take you with them to the 2024 SoCal Linux Expo where they asked six fellow attendees about their favorite open source projects and their least favorite commands.
Awesome! A substandard SBOM is better than none, and a highly detailed SBOM is better than that 🤓 then plugging it into something like dependency-management-data or guac to understand more about your software estate is a great next step. Making sure the runtime environment is safer is a great shout too - recently found out about OpenSSF's S2C2F which has some good stuff in there around reducing supply chain security risks too
stateunstableinblogdate3/29/2024 😖 Unstable Updating at the speed of light, blink once and a word could be gone! These nodes are eratic, unstable, dangerous, but that's why they are fun. Please note: …
I know nobody wants to admit it, but security shit shows like heartbleed, log4shell, or xzgate are kinda exciting times to live thru. 🤓 Also I’m afraid it’s the only way to prove the problems we’ve been droning about for years are real and not made up by greedy maintainers.
Attached: 1 image Today's status: neurospicy 🌶️
My heart goes out to xz. A single maintainer, who was clearly in a rough place with mental health, screaming out to the world for some help and additional contributions, and somebody shows up wanti...
Attached: 1 image @bob
@0xabad1dea@infosec.exchange that's a warning to malware state actors - do not get between a db guy and performance. They will fuck you up.
Between and I took 10018 steps.
This game came by at just the right time. Covid gave me the perfect excuse to play this game for hours on end without feeling guilty, and now I’ve finally achieved 5 stars! 🐶💩⛳️ I binned the bag in 4 throws, rating ⭐️⭐️⭐️⭐️⭐️ https://vole.wtf/dog-poo-golf/
my only contribution to the xz discourse: absolutely none of the supply chain stuff we're currently doing, including the things i like, would have stopped this. the only things that can stop this are (1) compulsively treating all code as untrusted, and (2) way, way stronger capability checks and restrictions in running systems. (1) is economically infeasible (the world runs on free labor from OSS), and (2) has had only very limited practical success.
Random, unordered, probably useless thoughts on today's apocalypxze... Part of the success in getting this into Debian may be the result of there being no xz maintainer there. It is "maintained" ...
@glyph @eb@social.coop I'm frustrated that big tech's efforts to increase core library security are "your project is too popular, you must use 2FA" and "the best reverse engineers in the world will find your bugs and put you on a 90 day disclosure deadline" and not "here is $100K/year and benefits to keep doing what you're doing at your own pace."
@eb@social.coop I really hope that this causes an industry-wide reckoning with the common practice of letting your entire goddamn product rest on the shoulders of one overworked person having a slow mental health crisis without financially or operationally supporting them whatsoever. I want everyone who has an open source dependency to read this message https://www.mail-archive.com/xz-devel@tukaani.org/msg00567.html
Attached: 1 image #xz #CVE #cve20243094 #Linux
It’s not surprising that a major security vulnerability is once again caused by maintainer burnout and someone stepping in to take over. We’ve all been talking about that risk for years. Sadly it’s also unsurprising that OSS teams still are going to need to plead with management to stay funded, and paid OSS maintainers will still do unpaid overtime to work with volunteers. 🙃.
Learn how to create a simple Makefile to quickly create a "checkpoint" in your Git history when you are rapidly prototyping.
Jerod, KBall & Nick discuss the latest news: Devin, Astro DB, The JavaScript Registry, Tailwind 4 & Angular merging with Wiz. Oh, and a surprise mini-game of HeadLIES!
I believe I’m a huge consumer of information just like every other people with the internet. The internet has blessed us with access to i...
Join RedMonk analysts James Governor and Kate Holterhoff as they chat with Dan Moore about Hacker News, the social news website for developers. This conversation digs into significant questions concerning this network that include not only what makes it unique, but also the special sauce that makes developers flock there. Moore suggests strategies for vendors hoping to successfully engage this community, and more general best practices for becoming involved. This RedMonk Conversation was originally published in video form on March 28, 2024.
Big fan of oapi-codegen for building openapi specified, contract first Go based APIs, great to see a v2 release reduced module dependencies, and isolated examples in another module! Great pattern to learn and understand. #golang #openapi https://github.com/deepmap/oapi-codegen/releases/tag/v2.0.0
I really wish Spotify would quit with all the bullshit and just focus on music. That’s the only thing they’re good for, why is that so bad?
Doing a bit of TDD as a treat (I require the dopamine from seeing red turn into green)
just realized Easter and the Transgender Day of Visibility coincide this year which means it's the world's ultimate egg hunt
Love to see forks emerge when a company gets greedy and transitions to source-available after years of accepting third party contributions and establishing market share under an open source license.
@steve@s.yelvington.com BREAKING: Old white guy tells marginalized groups there's nothing to worry about; they may actually be the fascists. More later tonight.
Hey, with people in the news getting sentenced to prison, facing the possibility of prison time, etc., just a reminder: it is not desirable, nor funny, that violence in prison (including sexual violence), be a part of someone's punishment. Even people you really, really do not like who have done really super bad things. It is to the United State's shame that violence in prison is part of our carceral system, and we should not celebrate it, ever. We should seek to eliminate it.
Found a whole new level of security incompetence. Went to type in my 2FA code, but nothing appeared on screen. They hadn't disabled pasting. Instead, they used JavaScript to ensure that only numbers could be typed in. But only numbers from the number row of my keyboard. I was using my NumPad which, as every good developer knows, uses different event codes! https://developer.mozilla.org/en-US/docs/Web/API/KeyboardEvent/code
Attached: 1 image Going to need slightly bigger [truth table](https://en.wikipedia.org/wiki/Truth_table)... :calculator:
Today I got the pleasure to chat with Jerod Santo, the Managing Editor at Changelog Media. Picture this – a podcast that not only uncovers the intricacies of Jerod's career but also shares some unconventional lessons learned from his work. From navigating the ever-evolving tech landscape to spearheading Changelog, Jerod brings a wealth of experience that transcends your typical engineer expectations and taps into the heart of what it means to build a sustainable developer community.
Script flipped! Today we’re sharing two interviews of us on Other People’s Podcasts (OPP): Kathrine Druckman from the Open at Intel podcast invited us on the show at KubeCon NA in November and Den Delimarsky hosted Jerod on The Work Item podcast in February.