
@azonenberg That seems like an active research topic. I hope you'll find something usable.

@azonenberg So, focus stacking, but using image metadata instead of relying on visual detection of sharpness? No idea how to do that, I think you would need a 3D model of the subject to generate the mask.

I think a LOT of people are missing the fact that we got LUCKY with this malicious backdoor.

The backdoor was created by an Insider Threat - by a developer / maintainer of various Linux packages. The backdoor was apparently pushed back on March 8th (I believe) and MADE IT PAST all QA checks.

Let me state that again. Any quality assurance, security checks, etc., failed to catch this.

This was so far upstream, it had already gotten into the major Linux distributions. It made it into Debian pre-release, Fedora rolling, OpenSUSE rolling, Kali rolling, etc.

This is an example of Supply Chain Security that CISOs love to talk and freak out about. This is an example of an Insider Threat that is the boogey man of corporate infosec.

A couple more weeks, and it would have been in many major distributions without any of us knowing about it.

The ONLY reason we know about it is because @AndresFreundTec got curious about login issues and some benchmarking checks that had nothing to do with security and ran the issue down and stumbled upon a nasty mess that was trying to remain hidden.

It was luck.

That's it. We got lucky this time.

So this begs the question. Did the malicious insider backdoor anything else? Are they working with anyone else who might have access to other upstream packages? If the QA checks failed to find this specific backdoor by this specific malicious actor, what other intentional backdoors have they missed?

And before anyone goes and blames Linux (as a platform or as a concept), if this had happened (if it HAS happened!!!) in Windows, Apple, iOS, etc.... we would not (or will not) know about it. It was only because all these systems are open source that Andres was able to go back and look through the code himself.

Massive props and kudos and all the thank yous to Andres, those who helped him, to all the Linux teams jumping on this to fix it, and to all the folks on high alert just before this Easter weekend.

I imagine (hope) that once this gets cleaned up, there will be many fruitful discussions around why this passed all checks and what can be changed to prevent it from happening again.

(I also hope they run down any and all packages this person had the signing key for....)

#infosec #hacking #cve #cve20243094 #linux #FOSS

Here's how to make green #transit even greener. Put the tram tracks on a carpet of grass or sedum. 2 kms of track creates 1.5 football fields' worth of green space, reducing air pollution and urban heat island effect.

A tram-on-the-lawn thread: 🚋🌱🧵

1/ Milan #Milano

Wikipedia 20 years ago was a fringe geek website with a grandiose goal. Most of the establishment hated it.

People from outside Wikipedia who try to analyse its current status must take its history into account.

People from within Wikipedia must stop behaving as if the project was marginal as it was in the early 2000s, and behave responsibly as the major actor of the web that they are.

Wikipedia used to be bullied. Now some want to turn it into a tool for bullying. That is not its mission.

@penguin42 @revk Maybe have a look at what "Precious Plastics" is doing. Sorting by type is an absolute must (mixed plastics is basically solid oil, just usable as fuel). They also sort by colour. And then, some low-tech recycling is possible. Given the random mix of additives, the plastics quality will be more random, but still usable. Not food-grade of course.

Overall, yeah, recycling complex composite products requires effort from the consumer because *nobody else* can separate a large variety of stuff at scale for a reasonable cost. Can't be mechanized, nor automated. Best you can expect currently from manufacturers are instructions and some design effort to make disassembly easier.
Maybe a mandate for all manufacturers to be responsible for recycling could be pushed, at the cost (monetary and environmental) of doubling the size of the logistics sector (perfect symmetry between forward and reverse logistics).

Until recently, it's been hard to detect invisible to the naked eye #methane leaks. But a number of satellites have been launched to detect methane leaks from space. US & EU recently announced rules that require companies to improve monitoring & repair of leaks buff.ly/495pRwV

Shutdown reminder!

With just 2 weeks left until the Nintendo Network shutdown, we'd like to take this time to remind everyone that we are accepting network packet dumps for all games, for both the Wii U and 3DS! These packet dumps give us a glimpse into how the games operated when the official servers were still online. While technically possible to do without these dumps, having reference material like this will make the job of making replacement servers FAR easier once these servers go offline!

This is ESPECIALLY true for more obscure/less popular games, and games which have custom additions to them. Having network dumps for smaller games is just as, if not more, important than the bigger ones as we'd likely have much less reference material for them! We know everyone is excited to help get the big names going, but we can't forget the little guys either!

That being said, we appreciate ALL users who help us with this crowd sourcing! We have gotten a LOT of amazing data from everyone so far, all of which will definitely help us moving forward.

For those interested in contributing network packet dumps, see our guide on our website here pretendo.network/docs/network-. This page also includes a section listing some games we consider "high priority", though these are NOT the only games we still need data for.

For those curious about our current network dump stats, so far we have:

99 HokakuCafe dumps (specifically Wii U)
528 HokakuCTR dumps (specifically 3DS)
15 general WireShark dumps (applies to both consoles)
65 general proxy dumps (applies to both consoles)

NOTE: These numbers come from the number of network packet dumps submitted through the Bandwidth upload command, and may not represent the real total number of dumps submitted.

"What the Germans will say again and again, and here I say the Germans with some confidence, because this is a consensus which goes, which spans most of the political spectrum, is that peace is the important thing. But PEACE is not what happened to Germany. DEFEAT is what happened to Germany. But you won't find Germans arguing that imperial powers have to be defeated. What you find them arguing is that peace is a good thing. So there's no reflection on empire."

3/3.


@ash Weather's getting hot, I hope the replacement bus will have good AC. And that nobody in that bus will try to steal my fingerprints, so not a "digital spy" bus.

Attention customers,
Due to engineering works, the 5v rail will now be operated by a rail replacement bus service until further notice.
We apologize for the inconvenience

The best software tester I’ve ever known once said to me, “Whenever I start at a new place, I find out which teams hate each other. Where their systems interface with each other is the first place I look for bugs — because they’re not talking to each other.”

Software projects stand and fall on the relationships between the humans who create them. (A corollary to Conway’s Law.)

4/


Damn you, Grand Est

I have a TER Grand Est reduction card

BUT if my trip *crosses the border into Luxembourg* - WHERE PUBLIC TRANSPORT IS FREE, my reduction card does not apply *to the whole trip* 🤬 (Bettembourg is the first stop in Luxembourg)

So
Metz-Bettembourg - €9,50 (full price)

Metz-Thionville - €4,10 (reduced price)
Thionville-Bettembourg - €3,90 (full price)

So €8,00 total

#CrossBorderRail total fail

Anybody have pointers on how to do a "test farm" to automate parts of firmware validation on low-power wireless devices?
From what I've found so far, seems the concept has only been applied to Linux embedded stuff and other "big" targets.

“But AI is cheap!”

It’s not, it has horrendous hardware, server housing and water and power requirements; it’s just that VCs are financing it now so you get in on the hype and later they will charge you rent and it will cost you way more—with inferior results—than, you know, hiring the writers and artists it’s stealing from, but those will be gone by then.

We need a word for real-life enshittification caused by online culture. Like being unable to find an organisation’s info because they’ve Instagram but no website. Or panicked people being sent a videolink to download to their phone when they ring for an ambulance. Or being excluded from residents' association news if you're not on Facebook. Or having cash payment refused. Or staff in the business you’re physically standing in telling you to find the answer to your question on their website.

"Marking the Web’s 35th Birthday: An Open Letter" by #timbernerslee

Worth reading, and taking action to build a better internet. We need it.

Many of us strivers will be gathering at dwebcamp.org Aug 7-11, hopefully with Sir Tim.

Tim's article:

medium.com/@timberners_lee/mar

I've seen things… things you people wouldn't believe *describes the things that I have seen* Okay. Judging from your reactions, you people are in fact perfectly capable of believing the things that I have seen

India has officially outlawed nine types of #UX #DarkPatterns, including saying "Hurry, only X amount left;" adding "processing fees;" adding dire language to opt-out buttons ("No, I'd rather not protect my purchase"); forcing people to agree to a EULA; forcing people to call a phone number to unsubscribe; using confusing opt-out language ("No, don't unsubscribe me"); blending ads into editorial content; and forcing people to click "remind me later" every day. bootcamp.uxdesign.cc/dark-patt

Qoto Mastodon