FoxQuirk 🦊 @quirk@computerfairi.es

I accidentally found a security issue while benchmarking postgres changes.

If you run debian testing, unstable or some other more "bleeding edge" distribution, I strongly recommend upgrading ASAP.

https://www.openwall.com/lists/oss-security/2024/03/29/4

by age 30 you should have spent years contributing to an open source project in your free time, building trust and becoming a maintainer, and then have skilfully inserted a highly obfuscated backdoor that successfully made its way into multiple linux distributions

making videogames is easy. you just sit down at your computer every day and put in the work on your game as your sanity slowly slips away from you

Whenever you feel like saying "dude", just say "gamer".

"Gamer" is....

1) Gender neutral: Everyone can be a gamer
2) Guaranteed to piss somebody off because not everybody identifies as "gamer", but they can't give you any real flak for it because see point number one.

In Gaza, every person, the first thing they want to tell me in English or Arabic is 'We need food.' They are saying that because their assumption is the world doesn’t know, because how would this be allowed to happen if the world knew? ~ UNICEF spokesperson James Elder

@eb I really hope that this causes an industry-wide reckoning with the common practice of letting your entire goddamn product rest on the shoulders of one overworked person having a slow mental health crisis without financially or operationally supporting them whatsoever. I want everyone who has an open source dependency to read this message https://www.mail-archive.com/xz-devel@tukaani.org/msg00567.html

I’ve seen numerous people express concern that their xz installation is several versions out of date — because while it may have saved them in this specific case, doesn’t that mean they must not be running updates correctly in general?

No! It’s normal for your personal copy of an open source program to be several versions out of date. When you get an update to a commercial software package, it’s already been through months of internal testing by professionals. In volunteer-based open source, the bulk of this testing is done by simply releasing the update on their site and letting advanced users try it out. At some point, if there’s no problems, it will get shuffled forward to stable update channels. Therefore it’s normal for most Linux software to be one to two years out of date compared to the absolute newest version you could possibly get.

The good news is that this backdoor was found before most distros accepted the update as stable, and therefore it was not yet installed on the majority of production servers — it’ll be mainly on testing servers. The bad news is that the malicious actor was clever enough to make sock puppet user accounts to complain about xz crashing and claim that the new update is a critical fix that needs to be rushed out the door as soon as possible. This was a close call, we were very lucky.

Me: "Wait, why doesn't Unreal have a cone trace?"

Marketplace: "Don't worry friend, we gotcha, check out this plugin"

<looks>

Me: "This only raises further questions"

#GameDev

Terry keeps rolling out the bangers. Finally, he's found his medium.

https://downpour.games/~terry/a-proper-cup-of-tea

A couple things to think about here:

This appears to be a malicious maintainer - not a compromised account. Meaning the person themselves, coded this in an pushed it out.

So:
1) Did they try and backdoor any other code?
2) Are they part of a greater campaign or is anyone else helping them.

This is a massive breach of trust.

That said! Huge kudos to Andres Freund, Florian Weimer, and others in finding this.

A lot of eyes are on this now. CISA is involved. Major distros are involved, etc. Many eyes and such.

#infosec #linux #foss #hacking #cve20243094 #cve

xz-utils was backdoored by its upstream. Tracked as CVE-2024-3094 and thoroughly documented by vuln discoverer Andres Freund on oss-security@: https://www.openwall.com/lists/oss-security/2024/03/29/4

Distributed tarballs of xz has been backdoored.

https://www.openwall.com/lists/oss-security/2024/03/29/4

#xz #security #linux

Anyway the entire ops/dev world just dodged (we think/hope we dodged, anyway but are not 100% sure) the biggest supply chain attack in history that would have screwed absolutely, literally, everyone.

This needs a giant f**king industry-wide post-mortem once we're sure we're not all doomed.

So this is now the shape of how technology companies introduce new things. A big stage. A huge screen. Prancing and preening about the new thing they have to show you

But the problem is: we KNOW

We KNOW how it works now. There's nothing surprising about what's going on. What was once shocking and exciting—the miniaturization and high usability of advanced consumer electronics—is both familiar and expected.

Yet we're stuck in the old, tedious pattern. Going through the motions.

"A world without trans people has never existed and never will"
Poster spotted in Olympia, WA

this is genuinely heartwarming