I found this Veratasium documentary on the xz Jia Tan backdoor adventure quite good and surprisingly detailed:
-
I found this Veratasium documentary on the xz Jia Tan backdoor adventure quite good and surprisingly detailed:
- YouTube
Auf YouTube findest du die angesagtesten Videos und Tracks. Außerdem kannst du eigene Inhalte hochladen und mit Freunden oder gleich der ganzen Welt teilen.
(www.youtube.com)
@bagder I'm confused to as why binary blobs are allowed to be stored in public source code repositories anyways.
I mean, I understand if you want to include assets for a game, but wouldn't it then be safer to store them in readable format before compression? As a simplified example, png's could be stored as xpm in source and then converted into the better format using provided tools, also in the repo.
Tldr being: If blobs are to be used in tests, write a tool that generates the blob for them.
-
@bagder I actually spent some time talking the writers of that video through the technical details of the backdoor, since they came across my talk about it just after it was discovered.
I think the video is definitely a bit dramatic and geared towards a less technical (or at least less cyber-focused) audience, but was impressed with how much they cared about getting the minutiae right.
Realistically, most of their viewers won’t care about ifunc or dynamic linker audit hooks, but it does keep things interesting for the cyber folks watching.
@FarmerDenzel yeah, I would probably even argue that they made it a little *too* detailed at the risk of getting people bored for a show geared towards "common people"
-
@bagder I wish they had left Stallman out of it though. He's a very problematic figure. While I do not discount the contributions he has made to Open Source and Free Software, his "other" public statements make me stay far away from everything to do with him.
@infosec812 He is part of the whole story, though. Would be weird to leave him out, like a gap in the resume.
-
@FarmerDenzel yeah, I would probably even argue that they made it a little *too* detailed at the risk of getting people bored for a show geared towards "common people"
@bagder Yeah, I do sometimes have that complaint especially when I watch their videos on things I don’t know as much about (eg physics).
Sometimes feels like detail for the sake of demonstrating that the problem is complex rather than detail for the sake of teaching the viewer.
-
@bagder I'm confused to as why binary blobs are allowed to be stored in public source code repositories anyways.
I mean, I understand if you want to include assets for a game, but wouldn't it then be safer to store them in readable format before compression? As a simplified example, png's could be stored as xpm in source and then converted into the better format using provided tools, also in the repo.
Tldr being: If blobs are to be used in tests, write a tool that generates the blob for them.
-
@bagder I'm confused to as why binary blobs are allowed to be stored in public source code repositories anyways.
I mean, I understand if you want to include assets for a game, but wouldn't it then be safer to store them in readable format before compression? As a simplified example, png's could be stored as xpm in source and then converted into the better format using provided tools, also in the repo.
Tldr being: If blobs are to be used in tests, write a tool that generates the blob for them.
@thanius convenience? lack of time? didn't think of the security implications?
Keeping everything readable all over takes effort. In the curl project the xz event kicked off a journey making sure we have less opaque data everywhere in git. It is work that is still ongoing!
-
I found this Veratasium documentary on the xz Jia Tan backdoor adventure quite good and surprisingly detailed:
- YouTube
Auf YouTube findest du die angesagtesten Videos und Tracks. Außerdem kannst du eigene Inhalte hochladen und mit Freunden oder gleich der ganzen Welt teilen.
(www.youtube.com)
@bagder I learned more than I would care to admit about how encryption works. And the RedHat admin was admirably candid about his role.
-
R relay@relay.an.exchange shared this topic
-
I found this Veratasium documentary on the xz Jia Tan backdoor adventure quite good and surprisingly detailed:
- YouTube
Auf YouTube findest du die angesagtesten Videos und Tracks. Außerdem kannst du eigene Inhalte hochladen und mit Freunden oder gleich der ganzen Welt teilen.
(www.youtube.com)
@bagder Interesting
-
M meph@social.treehouse.systems shared this topic
-
@thanius convenience? lack of time? didn't think of the security implications?
Keeping everything readable all over takes effort. In the curl project the xz event kicked off a journey making sure we have less opaque data everywhere in git. It is work that is still ongoing!
@bagder Yeah, I understand it takes time to backtrack through an entire project or projects to make everything transparent for reviewers.
But after this debacle I hope that more developers look into dogfooding their binary storage in projects. I too am responsible for storing blobs, albeit in private repos, but I've since tried to implement build-time asset transformation instead even though it may bulk up the repos.
-
I found this Veratasium documentary on the xz Jia Tan backdoor adventure quite good and surprisingly detailed:
- YouTube
Auf YouTube findest du die angesagtesten Videos und Tracks. Außerdem kannst du eigene Inhalte hochladen und mit Freunden oder gleich der ganzen Welt teilen.
(www.youtube.com)
@bagder Saw it today too. It had a really high production value, and was thoroughly explained. I’d even recommend it to my non-tech friends.
-
I found this Veratasium documentary on the xz Jia Tan backdoor adventure quite good and surprisingly detailed:
- YouTube
Auf YouTube findest du die angesagtesten Videos und Tracks. Außerdem kannst du eigene Inhalte hochladen und mit Freunden oder gleich der ganzen Welt teilen.
(www.youtube.com)
@bagder I had up to now never seen the colour mixing analogy, quite like that.
Also, does this count as a rickroll?
-
R relay@relay.publicsquare.global shared this topic
-
I found this Veratasium documentary on the xz Jia Tan backdoor adventure quite good and surprisingly detailed:
- YouTube
Auf YouTube findest du die angesagtesten Videos und Tracks. Außerdem kannst du eigene Inhalte hochladen und mit Freunden oder gleich der ganzen Welt teilen.
(www.youtube.com)
@bagder The name that the attacker used is likely fake. Unfortunately it happens to be the name of a person I used to work with that was not related to this backdoor at all. I know that they got harassed online because of that coincidence. When possible, I think it's better to omit the name or include a note that it's likely fake.
-
@bagder I actually spent some time talking the writers of that video through the technical details of the backdoor, since they came across my talk about it just after it was discovered.
I think the video is definitely a bit dramatic and geared towards a less technical (or at least less cyber-focused) audience, but was impressed with how much they cared about getting the minutiae right.
Realistically, most of their viewers won’t care about ifunc or dynamic linker audit hooks, but it does keep things interesting for the cyber folks watching.
@FarmerDenzel @bagder several of their videos have quite some mathematical formulas in them. So I think their audience is not the less technical audience.
-
R relay@relay.mycrowd.ca shared this topic
