I found this Veritasium documentary on the xz Jia Tan backdoor adventure quite good and surprisingly detailed:

https://www.youtube.com/watch?v=aoag03mSuXQ

The Internet Was Weeks Away From Disaster and No One Knew

@bagder still gives me the shivers ....
@jimfuller yeah! it's a good reminder to walk through the steps we have to make us not become part of a future similar documentary...
@bagder I might have a new simulation for curl up this year ;)
@bagder I wish they had left Stallman out of it though. He's a very problematic figure. While I do not discount the contributions he has made to Open Source and Free Software, his "other" public statements make me stay far away from everything to do with him.
@infosec812 He is part of the whole story, though. Would be weird to leave him out, like a gap in the resume.
@infosec812 @bagder bullshit argument. No one excels at everything and attacking or hating him for his weak points while overlooking his contributions to society is horrible behaviour. Without him, the world would probably be a very different place today
@duckz @bagder We'll have to agree to disagree. Just because someone does some good, it does not excuse inexcusable behavior.
@infosec812 @bagder having poor social skills is not inexcusable behaviour, in spite of what the pitchfork wielding crowd would have you believe. In fact I'm still waiting for the world to become a better place after his removal and I only see everything going downhill harder than before
@bagder nordvpn ad in the middle of a security essay

@bagder I actually spent some time talking the writers of that video through the technical details of the backdoor, since they came across a lecture I gave about it just after it was discovered (if anyone wants more depth / less polish: https://youtu.be/Q6ovtLdSbEA).

I think their video is definitely a bit dramatic and geared towards a less technical (or at least less cyber-focused) audience, but was impressed with how much they cared about getting the minutiae right.

Realistically, most of their viewers won’t care about ifunc or dynamic linker audit hooks, but it does keep things interesting for the cyber folks watching.

Deep Dive into XZ Utils Backdoor - Columbia Engineering, Advanced Systems Programming Guest Lecture

@FarmerDenzel yeah, I would probably even argue that they made it a little *too* detailed at the risk of getting people bored for a show geared towards "common people"

@bagder Yeah, I do sometimes have that complaint especially when I watch their videos on things I don’t know as much about (eg physics).

Sometimes feels like detail for the sake of demonstrating that the problem is complex rather than detail for the sake of teaching the viewer.

@FarmerDenzel @bagder several of their videos have quite some mathematical formulas in them. So I think their audience is not the less technical audience.

@bagder I'm confused as to why binary blobs are allowed to be stored in public source code repositories anyways.

I mean, I understand if you want to include assets for a game, but wouldn't it then be safer to store them in readable format before compression? As a simplified example, PNGs could be stored as XPM in source and then converted into the better format using provided tools, also in the repo.

Tldr being: If blobs are to be used in tests, write a tool that generates the blob for them.

@thanius @bagder it is weird but it was done to test compression/decompression with known blobs (I think) and since it was always like this, no one thought twice. I'd guess this kind of thing is being much more heavily scrutinized now.

@thanius convenience? lack of time? didn't think of the security implications?

Keeping everything readable all over takes effort. In the curl project the xz event kicked off a journey making sure we have less opaque data everywhere in git. It is work that is still ongoing!

@bagder Yeah, I understand it takes time to backtrack through an entire project or projects to make everything transparent for reviewers.

But after this debacle I hope that more developers look into dogfooding their binary storage in projects. I too am responsible for storing blobs, albeit in private repos, but I've since tried to implement build-time asset transformation instead even though it may bulk up the repos.

@thanius @bagder just guessing but it might be to hit certain corner cases. For example you might want a file with a certain type of noise to test that your changes to the algorithm didn't cause it to spit out a packed file that's significantly bigger than the incompressible source. Or something that was known to cause crashes or lossy behaviour in previous versions to prevent regressions

@duckz The whole point of unit tests is that they are reproducible. They're tailored for specific scenarios, and should thus be recreatable imho.

If you know how to reproduce a certain scenario, where the application expects a blob for the mockup, then build a tool that creates the blob before testing.

Prepare -> mock -> test

@thanius I get that and you can probably do what you say to generate certain sequences including noise even though it might be non-trivial, but if there is a certain binary sequence that was once a chunk of a file that someone attached to a bug report, you can't reasonably generate that. It doesn't have to be megs either, so why look for a function that generates 10 specific bytes when you can just commit those 10 bytes?
@duckz Because it wouldn't be source code. :)
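Added example to illustrate the "prepare -> mock -> test" idea argued above (not code from any poster, nor from curl or xz-utils): test fixtures are described in a readable spec that reviewers can diff, the blobs are generated at test time into a directory outside version control, and a scan flags any opaque file that did slip into the tree so CI can fail on it. The spec format (`kind`/`seed`/`length`/`hex`), the file names and the sample bytes are all invented here; the binary heuristic is the same NUL-in-first-8000-bytes check git uses.

```python
"""Generate test fixtures from readable specs instead of committing opaque blobs,
and flag any opaque files that slipped into the tree.

Added illustration, not code from curl, xz-utils or any poster in the thread.
The spec format (kind/seed/length/hex) is invented for this example."""
import json
import os
import random
import tempfile
import zlib


def is_probably_binary(data: bytes, sample: int = 8000) -> bool:
    """git's own text/binary guess: a NUL byte in the first 8000 bytes."""
    return b"\x00" in data[:sample]


def find_opaque_files(root: str) -> list[str]:
    """Relative paths of files under root that look like opaque binaries.
    A CI job can fail when this list is non-empty, so every blob a test needs
    has to come from a readable spec checked in next to it instead."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                if is_probably_binary(fh.read(8000)):
                    found.append(os.path.relpath(path, root))
    return sorted(found)


def generate_blob(spec: dict) -> bytes:
    """Build one fixture from a human-readable spec (hypothetical format).
    'noise'  : seeded pseudo-random bytes, an incompressible input for checking
               the compressor never inflates data much beyond the source.
    'repeat' : a short pattern repeated, a highly compressible input.
    'hex'    : an exact byte sequence (the "10 specific bytes" case) stored as
               hex text so it is reviewable in a diff rather than opaque."""
    kind = spec["kind"]
    if kind == "noise":
        # random.Random(seed).randbytes() is deterministic for a fixed seed
        return random.Random(spec["seed"]).randbytes(spec["length"])
    if kind == "repeat":
        return spec["pattern"].encode() * spec["count"]
    if kind == "hex":
        return bytes.fromhex(spec["hex"])
    raise ValueError(f"unknown fixture kind: {kind!r}")


def compression_ratio(data: bytes) -> float:
    """compressed size / original size, with zlib as a stand-in compressor."""
    return len(zlib.compress(data, 9)) / len(data)


# Constructed specs: this readable table is what gets committed, not the blobs.
FIXTURE_SPECS = {
    "noise_4k.bin": {"kind": "noise", "seed": 1234, "length": 4096},
    "abc_repeat.bin": {"kind": "repeat", "pattern": "abc", "count": 2000},
    "crash_repro.bin": {"kind": "hex", "hex": "deadbeef00ff1022"},  # constructed
}


def build_fixtures(out_dir: str) -> dict:
    """Prepare step: materialize every spec into out_dir (kept out of version
    control) and return name -> size so the test can check what it got."""
    os.makedirs(out_dir, exist_ok=True)
    sizes = {}
    for name, spec in FIXTURE_SPECS.items():
        data = generate_blob(spec)
        with open(os.path.join(out_dir, name), "wb") as fh:
            fh.write(data)
        sizes[name] = len(data)
    return sizes


def demo() -> dict:
    """Prepare -> mock -> test in one go: generate the fixtures into a scratch
    directory, write the readable spec beside them, then run the opaque-file
    scan over the result. The 'abc' repeat file contains no NUL byte, so the
    git heuristic treats it as text; the noise and hex files are flagged."""
    with tempfile.TemporaryDirectory() as tmp:
        sizes = build_fixtures(tmp)
        with open(os.path.join(tmp, "fixtures.json"), "w") as fh:
            json.dump(FIXTURE_SPECS, fh, indent=2)
        opaque = find_opaque_files(tmp)
    return {"sizes": sizes, "opaque": opaque}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The scan is deliberately the coarse git heuristic: it catches what a reviewer cannot read in a diff, which is the property the thread is after, but a printable pattern file passes it, so the real control is that fixtures come from `FIXTURE_SPECS` and nothing else.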
@bagder I learned more than I would care to admit about how encryption works. And the Red Hat admin was admirably candid about his role.
@bagder Saw it today too. It had a really high production value, and was thoroughly explained. I’d even recommend it to my non-tech friends.

@bagder I had up to now never seen the colour mixing analogy, quite like that.

Also, does this count as a rickroll?

@peturdainn @bagder Yes definitely a rickroll ... albeit a good one.. ;)
@bagder The name that the attacker used is likely fake. Unfortunately it happens to be the name of a person I used to work with that was not related to this backdoor at all. I know that they got harassed online because of that coincidence. When possible, I think it's better to omit the name or include a note that it's likely fake.
@mlen @bagder they do say the name is fake and there was probably a full paid team behind it
@duckz @bagder Sure, I meant the toot :)

@bagder Shame about the #clickbait title, but I guess Veritasium wants that money and that's fine.

@bagder I was positively surprised too! Very well made, I loved how they tossed on the table that Israel is one of the possible suspects