I just deleted my Twitter account.
I saw a viral pro-H*tler tweet on my timeline with 66,000 likes and 9.5 million views. That was enough for me to ensure my posts don’t contribute any value to that garbage dump.
I think a LOT of people are missing the fact that we got LUCKY with this malicious backdoor.
The backdoor was created by an Insider Threat - by a developer / maintainer of various Linux packages. The backdoor was apparently pushed back on March 8th (I believe) and MADE IT PAST all QA checks.
Let me state that again. Any quality assurance, security checks, etc., failed to catch this.
This was so far upstream, it had already gotten into the major Linux distributions. It made it into Debian pre-release, Fedora rolling, OpenSUSE rolling, Kali rolling, etc.
This is an example of Supply Chain Security that CISOs love to talk and freak out about. This is an example of an Insider Threat that is the boogey man of corporate infosec.
A couple more weeks, and it would have been in many major distributions without any of us knowing about it.
The ONLY reason we know about it is because @AndresFreundTec got curious about login issues and some benchmarking checks that had nothing to do with security and ran the issue down and stumbled upon a nasty mess that was trying to remain hidden.
It was luck.
That's it. We got lucky this time.
So this begs the question. Did the malicious insider backdoor anything else? Are they working with anyone else who might have access to other upstream packages? If the QA checks failed to find this specific backdoor by this specific malicious actor, what other intentional backdoors have they missed?
And before anyone goes and blames Linux (as a platform or as a concept), if this had happened (if it HAS happened!!!) in Windows, Apple, iOS, etc.... we would not (or will not) know about it. It was only because all these systems are open source that Andres was able to go back and look through the code himself.
Massive props and kudos and all the thank-yous to Andres, those who helped him, to all the Linux teams jumping on this to fix it, and to all the folks on high alert just before this Easter weekend.
I imagine (hope) that once this gets cleaned up, there will be many fruitful discussions around why this passed all checks and what can be changed to prevent it from happening again.
(I also hope they run down any and all packages this person had the signing key for....)
Here's what I want the EU to do about cables:
Before you can sell a device that comes with a cable of any kind, you have to answer the question "what does the user have to do if they lose this cable?"
"they're screwed" and "they'll have to buy another from us" are not acceptable answers, and those products can't be sold. Get a better answer or use a different cable.
To get the level of specificity needed to ask a computer to perform tasks, you will need dedicated jargon, not just regular English, which over time you will shorten with abbreviations and symbols for conciseness.
And then you’d have reinvented programming languages.
Hey everyone! I'm guessing a lot of you will be buying last minute gifts for people, and those tend to involve gift cards. Be very careful when you're buying these off-the-rack at retail stores that sell gift cards for various popular restaurants and brands. Especially those that are not in particularly tamper-proof packaging.
A friend just shared some photos he took after buying a bunch of Dardens restaurant gift cards for some gifts to clients. They didn't discover until leaving the store that several of the cards had been tampered with, their PIN scratch-offs re-covered with look-alike scratch off stickers. Also, the phony ones seem to have goofy looking barcodes, like they were scanned and printed by a laser printer without enough ink.
The trick here is the thieves pull the card out, scratch off the PIN part, record that, cover up the pin with fake tape, and then shove the thing back in the packaging and put it back on the shelf. Then, when someone buys it, the thieves can access the value on the card the minute it is activated (purchased).
The image shows two of these cards that are non-tampered (left) and two on the right that were. These cards can slide right out of their packaging with a little wiggling, and slide back in the same way.
Some stores keep their gift cards behind the counter for this reason. Might be best going for those instead of the ones in aisle 19.
Wow. The jury has sided with Epic, maker of Fortnite. Google’s deals with Android OEMs to privilege the Google Play store make them an illegal monopoly.
It’s ironic that Google, which technically is more open than Apple by supporting 3rd party app stores on Android, lost against Epic while Apple won a similar case. Apple not pretending to be open worked in their favor.
I wonder if the judge in the DOJ case against Google paying Apple for search defaults is watching?
https://www.theverge.com/23994174/epic-google-trial-jury-verdict-monopoly-google-play
As always, Satya Nadella is ahead of the curve. I just wrote about how the goal of OpenAI to have AI outperform humans in every economically viable job will spur a rash of unionization among white collar workers to fight back.
Looks like Microsoft sees the same threat and has formed an alliance with 60 unions representing 12.5 million workers to try to address their concerns about AI.