Mastodawn

Adam Leventhal Apr 9, 2024

What an Oxide and Friends last night! @bcantrill and I were joined by the one and only @AndresFreundTec to talk about his discovery of the xz backdoor. It’s an incredible story… so great to get into the details with Andres. Definitely check it out (or on the pod tomorrow).

https://youtu.be/jg5F9UupL6I

Oxide and Friends 4/8/2024 -- Discovering the XZ Backdoor with Andres Freund

YouTube

I was really pleased by this background image so wanted to talk about it briefly. The concept was (of course!) simple: the (in)famous xkcd graphic with the thankless Nebraskan removed https://xkcd.com/2347/

Dependency

xkcd

Adam Leventhal Apr 9, 2024

Like all lazy people in 2024, I turned to Chat GPT for help. This didn't work out well. (Have I mentioned that I'm bad at Chat GPT?)

Adam Leventhal Apr 9, 2024

I should mention that we don't put a ton of time into Oxide and Friends (sorry!) so I try to bound these side-quests at least somewhat. Somewhat. I decided to find a physics simulator (like a lunatic) and SimPHY was the first one I stumbled onto that worked well enough. I roughed out the structure from the xkcd comic:

Adam Leventhal Apr 9, 2024

Then removed the linchpin:

Adam Leventhal Apr 9, 2024

And simulated...

Adam Leventhal Apr 9, 2024

Until I got to something that was suitably calamitous:

Adam Leventhal Apr 9, 2024

I threw it on the iPad that I "borrowed" from my older son and traced it in Procreate with his Apple Pencil. 100% it could have been better, but I already felt like a crazy person and wasn't sure it was going to work out

Adam Leventhal Apr 9, 2024

Then I threw the lines into Photoshop, applied the bucket tool, and ... good enough!

Adam Leventhal Apr 10, 2024

Check out the episode I made this for where we interview Andres Freund on his discovery of a backdoor in XZ—maintained by the metaphorical Nebraskan! https://youtu.be/jg5F9UupL6I

Oxide and Friends 4/8/2024 -- Discovering the XZ Backdoor with Andres Freund

YouTube

Brian Campbell Apr 10, 2024

@ahl Wait, why is everyone referring to Andres as the Nebraskan? It was really more Lasse Collin, the sole maintainer of xz, who was an appealing target because he was sole maintainer of something the whole ecosystem depended on.

Brandon Barker Apr 17, 2024

@ahl Regarding the announcement at the end about the book club: after hearing that the audiobook wasn't available in the US, I signed up for a libro.fm account, moved to Corfe Castle, Dorset, UK (looks like a nice place), and was easily able to change my account info in libro.fm to reflect the move.

Adam Leventhal Apr 18, 2024

@bbarker great tip. Thanks!

Adam Leventhal Apr 10, 2024

The latest episode of Oxide and Friends where @bcantrill and I speak with @AndresFreundTec is now up on podcast platforms https://share.transistor.fm/s/e2538f7d

Oxide and Friends | Discovering the XZ Backdoor with Andres Freund

Andres Freund joined Bryan and Adam to talk about his discovery of the xz backdoor. It’s an incredible story… so great to get into the details with Andres. We started by ranting about the coverage in the New York Times… coverage that explicitly refused to dig into the details! It’s all the more...

verified_flashing

@ahl @bcantrill @AndresFreundTec This was an awesome episode. Super interesting insights!

AndresFreundTec Apr 10, 2024

@ahl @bcantrill I'm sorry for the audio quality. I didn't realize that was happening. I never had done a call on discord before. I now see that there's an "input sensitivity" setting, and I guess that was set wrongly. Seems pretty odd that the default doesn't work though.

Darryl Ramm Apr 11, 2024

@ahl @bcantrill @AndresFreundTec

This was a really great podcast. With a hat-trick of goodness.

1. Super interesting details of the fantastic work by Andres Freund.

2. Dumping on the awful writing in the NYT (Roose's past clueless hyping of Crypto was terrible, thanks esp to Molly White for critiquing that)

3. The guest actually got introduced well. 🎉 🥳 🙂

Mark Pauley Apr 13, 2024

@ahl just listened to this and it was extremely satisfying to hear your NYT takedown. I would watch a YouTube channel of this like it was ASMR

Jamie Reid Apr 9, 2024

@ahl not _just_ good enough. Perfect.

Adam Leventhal Apr 9, 2024

@jambulance too kind. I see only imperfections 😉

Simon Zerafa Nov 30, 2024

@ahl @jambulance

Is there an animated version of this amazing artwork? 🙂🤷‍♂️

Adam Leventhal Nov 30, 2024

@simonzerafa @jambulance hah: no. Just that one frame was kind of a pain

Adam Leventhal Nov 30, 2024

@simonzerafa and I think I recognized your name here... https://www.grc.com/sn/SN-970-Notes.pdf

Simon Zerafa Nov 30, 2024

Guilty! 😉🤷‍♂️

Do you listen to the podcast?

Adam Leventhal Nov 30, 2024

@simonzerafa nope!

Simon Zerafa Nov 30, 2024

Well your version of the XKCD artwork was well recieved 😊

PunnO)))Apr 9, 2024

@ahl What does the simulation do if you *don't* remove the Nebraskan?

Adam Leventhal Apr 9, 2024

@ieure this… which seems about right

DJ Sundog Apr 10, 2024

@ieure @ahl shit now I want to watch the cyber-thriller The Nebraskan and that's not something I was prepared for on a Wednesday, my dudes

Tim 🎮Apr 10, 2024

@ieure @ahl I've just come back to this thread a day later and this is one of the greatest scientific questions ever asked

PunnO)))Apr 11, 2024

@timixretroplays @ahl Truly unfortunate that it didn't crush him and topple over anyway.

Gabriel Pettier Apr 10, 2024

@ahl ah, yes, Angry Birds, Open Source Supply Chain Attack edition.

Pxl Phile Apr 10, 2024

@ahl I am stealing this so much 😍

Schaf Apr 10, 2024

@ahl this should be in a museum so people in 500 yrs wonder what the heck this is

tessarakt Nov 30, 2024

@schaf @ahl Could feature in a Star Trek episode, like the Discovery one with the SQL Injection...

Stefan Baur 8 * 💉Nov 30, 2024

@schaf @ahl Right next to https://en.m.wikipedia.org/wiki/File:Minimalist_loss.svg?

File:Minimalist loss.svg - Wikipedia

Simon Zerafa Apr 10, 2024

I suspect this is the beginning of a new meme 🤔🤷‍♂️

beq Apr 11, 2024

@simonzerafa @ahl you know … let’s hope not.

Simon Zerafa Apr 11, 2024

Well the signs.and signals are not auspicious 🫤🤷‍♂️

me·ta·phil, der Apr 10, 2024

@ahl *saved to disk, might come in handy more sooner than later although I hope not* 👌

Marius Gundersen - mdg 🌻Apr 10, 2024

@ahl xkcd needs to update the comic to be interactive using a js physics demo: click any dependency and it dissappears.

Adam Leventhal Apr 10, 2024

@gundersen that would be incredible!

Marius Gundersen - mdg 🌻Apr 10, 2024

@ahl I'm tempted to implement this in box2d now...

Ash_Crow Apr 10, 2024

@gundersen @ahl Now I kinda want a tool that does this, but you provide a git repo and it generates the pile of boxes from the dependencies of the repository, with boxes sized according to the number of contributors/maintainers for each dependency.

Marius Gundersen - mdg 🌻Apr 10, 2024

@Ash_Crow @ahl wow, that would be awesome! I wish I had the time to implement this...

Haelwenn /элвэн/

@gundersen @ahl Makes me wonder if someone could create a 3D game based on the dependency graph of packages.
Cyclic dependencies are going to be weird af, but packages rocketing up in the air because of those would be… quite real.

not Evander Sinque Apr 10, 2024

@ahl nice! Management will argue that it still somewhat stands, so nothing needs to be done about it. ;)

Pfeffiminztee Apr 10, 2024

@ahl you forgot to label one of the middle larger blocks which are at rest as "marketed as stable product"

Dr. Karoline Busse Apr 10, 2024

@ahl awesome! Can I use this for my teaching and training material?

Adam Leventhal Apr 10, 2024

@kbusse sure thing. Wouldn’t say no to attribution, but do what you like

Salve J. Nilsen Apr 10, 2024

@ahl 'Nebraska, falling' 😃

Alan Apr 10, 2024

@ahl saving this for inevitable usage in a PIR.

Ramon Fincken 🇺🇦Apr 10, 2024

@ahl go nebraska!

HTTP 1.1/418 Teapot Apr 10, 2024

@ahl @kevinriggle Perfection.

Max R. Cerrina (he/him)Apr 10, 2024

@ahl PERFECTION

Efi (nap pet) 🦊💤Apr 10, 2024

@ahl it was bound to be

drawnto 🟨⬜🟪⬛Apr 10, 2024

@ahl I wanna run that in box2d or another 2d engine ... but i won't.

fediverse Apr 13, 2024

@ahl Bahhahaaaa

fediverse Apr 13, 2024

@ahl this is GOLD!! all i'll say is keep the negative space above tho (ie. dont crop) to have the best impact.

so fun, reminds me of when i did animation.

Professor Kerstin Sailer Apr 13, 2024

@ahl
Beauty!