
Di4na

@Di4na@hachyderm.io

SRE. Elixir Dev. Learner in Resiliency. French.
All Opinions are my own. And i have a lot.

Co-Founder and President Haruspex.dev

dom. He/him.

Blog: Softwaremaxims.com


eb (@eb@social.coop), to security

Unfolding now: https://news.ycombinator.com/item?id=39865810

An incredibly technically complex backdoor in xz (potentially also in libarchive and elsewhere) was just discovered. This backdoor has been quietly implemented over years, with the assistance of a wide array of subtly interconnected accounts:

The timeline on this is going to take so long to unravel

Di4na (@Di4na@hachyderm.io),

@brainwane @luis_in_brief @glyph @geofft @diazona @eb yep, I never published my own review because of that. The Roads and Bridges report was great. The book felt like a massive PR piece for the GitHub Sponsors feature and a way to hide the problem.

luis_in_brief (@luis_in_brief@social.coop), to random

Gotta admit I found it pretty irritating, in the xz discussion of the last two weeks, that some people declared confidently "you can't pay maintainers". (cc @ehashman)

It isn't easy to pay maintainers, but it can be done: at Tidelift, we've been doing it for years. So I figured I'd write up how we do it and what we've learned. And yes, it's a HOWTO. Be glad I also avoided an FAQ ;)

https://blog.tidelift.com/paying-maintainers-the-howto

Di4na (@Di4na@hachyderm.io),

@luis_in_brief I don't agree with everything, but that is ok. Because this is exactly the HOWTO to pay maintainers. I am not sure it will help that much (for different reasons) but I do agree that it is how to do it :) Thank you for writing this. I never managed to make one as good as this one.

hazelweakly (@hazelweakly@hachyderm.io), to random

Core competencies are something I think about a lot. I love to dig into what makes companies or ecosystems or social groups tick. Especially when that core competency enables what they do:

McDonald's, for example, is a real estate company that happens to make burgers.

Walmart is a shipping logistics company that also sells things.

What other examples can you think of where the core competency of the company is such that the "thing" a company does falls out naturally as a consequence?

Di4na (@Di4na@hachyderm.io),

@hazelweakly @jenniferplusplus @lorddimwit I would say that they are an accounting optimisation specialist selling financial products to pension funds/401k hedge funds more than micro-transactions

hazelweakly (@hazelweakly@hachyderm.io), to random

Dude bros will really spend millions of dollars on analytics programs rather than go to therapy or actually talk to anyone to figure out how they feel about shit

Introducing an innovative framework for: product discovery, market research, customer focus groups, developer experience, product led growth, business intelligence, and more.

I call it "TALK"

T: TALK TO YOUR FUCKIN PEOPLE
A: ALL OF THEM, SERIOUSLY, JUST DO IT
L: LEGITIMATELY, THIS ACTUALLY WORKS
K: K? THAT WASN'T SO HARD NOW WAS IT

Di4na (@Di4na@hachyderm.io),

@hazelweakly omg yes. The number of times my answer to stuff has been "have you tried talking to them" and I got back "well, our survey says ..."

So many headdesk moments

Di4na (@Di4na@hachyderm.io), to random

The White House declared we have to be Memory Safe now!

So great! None of us had any idea!

Wait, but why is there no analysis of how we are still memory unsafe decades after the start of this yelling about it?

Let me re-share my answer to that crowd from a few months ago. I am definitely not bitter. Defo.

https://www.softwaremaxims.com/blog/memory-safety-end-history

Di4na (@Di4na@hachyderm.io), to random

Well, I finally have data to back my model of the software world out there. And the data is relatively solid and shows what I keep saying.

You are all on our turf now. Please accept that you have no idea what you are talking about. Sit down. Listen. Ask questions.

But respect our work. We are trying to keep the world running, 1h per month.

https://www.softwaremaxims.com/blog/open-source-hobbyists-turf

Di4na (@Di4na@hachyderm.io), to random

So we have it now. Rust solved a large number of the safety problems of the system language level. Not everything ofc, but still. Lot of them. And it is actually being adopted.

So I have a question for my cybersecurity/infosec crowd.

Have you introspected why 3 decades of yelling about that stuff got no results, 3 decades of sanitisers and fuzzers barely moved the needle, but Rust slam dunked it?

Where is the retrospective of what went wrong? Where are the learnings?

grimalkina (@grimalkina@mastodon.social), to random

It's REALLY weird to me when people in software mine research papers for their content and say "researchers" instead of naming the scientists who actually did the work they're using. We're human beings and our work is our livelihood (at a fraction of yours I might add). Name us.

Blessed for the community around me that has this value, side eye at the content engine that doesn't.

Di4na (@Di4na@hachyderm.io),

@luis_in_brief @glyph @grimalkina yeah, it is really hard to communicate the sheer size of the dependency tree and authorship for software, so we simply stopped doing it.

It is also partially how we got into the current "supply chain" discourse. A lot of the "thought leadership" on it has no realisation of the sheer size of it; they only see what gets skimmed up. So we get discourse highly separated from reality far too regularly.

hazelweakly (@hazelweakly@hachyderm.io), to random

I love explaining complicated subjects in a quippy way that isn't necessarily wrong. For example:

Kubernetes is 20 while-true loops in a trench coat pretending to be a container orchestration platform.

What are your favorite quippy ways to explain a complicated topic? It could be anything! I'm just curious what y'all have :)

Di4na (@Di4na@hachyderm.io),

@hazelweakly FOSS is the practical answer to decades of architects wondering how to make software reusable.

FOSS is the answer of engineers to the procurement process.

Di4na (@Di4na@hachyderm.io), to opensource

PSA:

If you want to create an event to workshop solutions to help heavily resource-constrained maintainers, consider starting from the pov of "what kind of event a resource-constrained maintainer could participate in".

Otherwise, your event will join the long list of useless ones.

Di4na (@Di4na@hachyderm.io), to random

I think I finally found a name to put on the work that needs to be done to bring all the fantastic ideas that come out of academia and esolang into the tooling for developers out there.

And I think this is the way out of the pit of pain and security vulnerabilities our digital infrastructure is in rn.

What do you think?

We Need More Process Engineering in Software

https://www.softwaremaxims.com/blog/process-engineering-software

Di4na (@Di4na@hachyderm.io), to random

I will repeat it again. If you have a hard time hiring for niche technologies like Elixir, feel free to reach out. I know dozens of experienced and skilled devs dreaming about an elixir job.

But every time they try, they find atrocious hiring practices, really bad work environment or get rejected.

The problem is not the market. It is your practices and your work environment. If you are ready to change that in order to beat the market, I am happy to help you do that.

Di4na (@Di4na@hachyderm.io), to random

For everyone who calls for ways to make open source more secure, or for all their magical solutions that will provide money and resources to FOSS maintainers, please read this.

This is a rare account of the reality of maintainers, things that are hard, but also how much knowledge and niche expertise you need for anything in there.

That is why just giving money to experts will not help that much. It is too hard to train experts in this. But we may make it easier

http://rhaas.blogspot.com/2024/05/hacking-on-postgresql-is-really-hard.html

Di4na (@Di4na@hachyderm.io), to random

OH: I want to make a "go fuck yourself openssf" badge

I am sure this is how you educate maintainers and get traction with them. I mean, I am not a security expert nor someone the OpenSSF would choose to listen to or pay, so I am obviously not knowledgeable about this. You should definitely listen to them. They obviously know how to make the OpenSource ecosystem more secure.

krusynth (@krusynth@mastodon.publicinterest.town), to random

Everyone is talking about fast fashion, but no one is talking about the plague of fast furniture. It’s impossible to find true durable pieces that can last for generations anymore, even the so-called “Amish made” pieces are typically cheap stuff being bulk produced in one of a dozen massive factories.

I can’t even find a solid wood panel bed at any of the vintage or resale shops anymore. Particleboard is the only choice we’re being given. It’s tragic.

Di4na (@Di4na@hachyderm.io),

@irenes @krusynth my partner is a classically trained woodworker.

We did the maths the other day. A good gaming table would cost, purely in time and materials, around 5k to build. Maybe 2k by cheapening everything. And that would be minimum wage for her, barely breaking even. Bad social protections too, because self-employed.

There are not enough people with that amount of money. The purchasing power collapsed too fast.

hazelweakly (@hazelweakly@hachyderm.io), to random

I swear, so much complexity of my life right now comes from me wanting to be able to graphically draw out an interconnected hypergraph but also have a convenient textual representation of said hypergraph

I'm sure this makes zero sense to people. But ugh. It's so frustrating to have the ideas in your brain and just not be able to really tease them out in a useful way for others

Signed,
trying to figure out how to map "do the platform engineering thing more better" into strategy and architecture

Di4na (@Di4na@hachyderm.io),

@hazelweakly Maybe abusing stuff like Scrivener? I keep wanting the VR people to stop doing dumb stuff and give me a 3D hypergraph "peg board style" thing instead that just works with hyperlinks and all...

Di4na (@Di4na@hachyderm.io), to random

I am sure we will all talk about how this was doing all the "secure" stuff properly, got caught by Valgrind, and the right thing to do was to disable the check.

Because we built tools to find the problem, and then tools to explore and fix it, that are so unergonomic.

That when we need them, the only good, right and logical step is to disable them. Because no one can understand what to do with the report.

I am sure we are definitely going to talk about that.

Di4na (@Di4na@hachyderm.io),

Or of how Autotools is such an antiquated sedimented code base that none of what was happening felt out of place.

And that no one was really able to model what it was doing.

I am sure we will talk about these systemic contributors to this. I mean, they definitely are not impacting others and will never come up in the future cases of this kind of stuff.

I am sure. It is really a trust problem. Or a burnout problem. And I mean. Yep it is.

But maybe other things could be changed too there. Maybe

Di4na (@Di4na@hachyderm.io), to random

Whoever wrote, reviewed, and approved this at the OpenSSF.

Consider leaving the organization. I am not joking. You have no idea what you are talking about; you know nothing about Open Source, and you seem to know nothing about Security, either.

Even less all these things combined. Just. Leave. Resign. It is ok to realize you are not the right person for that position. It happened to me before.

Have some self-respect.

https://openssf.org/blog/2024/03/30/xz-backdoor-cve-2024-3094/

Di4na (@Di4na@hachyderm.io), to random

You want the funniest one? Until the past couple of years, the attackers could have just... Released a new autotools version. No need to convince the previous maintainer or anything.

Because there was none. If they had shown up to release a new version, everything using autotools would be infected. And it would probably be easier to hide.

This was... Actually not that impressive of an attack?

Di4na (@Di4na@hachyderm.io), to random

In the light of the xz stuff, I will recommend, again, that people try to internalise this before responding.

Your model of how this whole stuff works is probably not useful. Accept it, even if you are supposed to be really good at this. Sit this one out. Don't say your hot takes. Come talk to me instead and let's talk. Please.

You. Are. Not. Helping.

https://www.softwaremaxims.com/blog/not-a-supplier

Di4na (@Di4na@hachyderm.io),

And if you really want to do a hot take or come up with a solution, please start by reading this and using the framework I offer at the end. I implore you.

https://www.softwaremaxims.com/blog/remove-constraints

Di4na (@Di4na@hachyderm.io), to random

I know I am late to it, but I finally read https://kellyshortridge.com/blog/posts/rfi-secure-by-design-response/
Thank you @shortridge for being one of the rare people in this domain who make sense.

You are one of the reasons I still write about this. I may not have a lot of hope, but at least I feel less lonely.

(And yes, I do not agree with everything, but faaaaar better than all the other answers)

Di4na (@Di4na@hachyderm.io), to random

After listening to your podcast on security.txt, I have a use case to mandate it @joshbressers @kurtseifried

If I can easily extract the information on where to contact you, I can validate that you actually read the inbox of that email

Makes it something I can check for compliance.
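The compliance angle in the post above amounts to: fetch the file, pull the contact URI out of it, check it is usable, then (out of band) confirm the mailbox is read. The following is an added example, not code from the thread or from either podcast host; it implements the offline part of that check against RFC 9116 rules (Contact and Expires are mandatory, Expires is an ISO 8601 timestamp that must not be in the past, Contact values are URIs). The sample file, the example.org domain and the `ALLOWED_SCHEMES` policy are constructed for the example; the mailbox-read verification the post describes is not implemented here, since it needs a live email round trip.

```python
"""security.txt (RFC 9116) compliance check: extract contacts, validate fields.

Added example, not code from the original thread. Offline only: the
'do they read the inbox' step from the post is out of scope here.
"""
from datetime import datetime, timezone

# Constructed sample; example.org and the addresses are placeholders.
SAMPLE = """\
# Security policy for example.org (constructed sample)
Contact: mailto:security@example.org
Contact: https://example.org/security/report
Expires: 2030-12-31T23:59:59.000Z
Preferred-Languages: en, fr
Canonical: https://example.org/.well-known/security.txt
"""

# Policy choice for this checker: RFC 9116 examples use mailto:, tel:
# and https:, and require web URIs to be https; other schemes are rejected.
ALLOWED_SCHEMES = ("mailto:", "tel:", "https://")


def parse_security_txt(text):
    """Return {field_name_lowercase: [values...]}.

    Comments ('#') and blank lines are skipped. Lines that are not of the
    form 'Name: value' are collected under the key '__invalid__' so the
    caller can report them instead of silently ignoring them.
    """
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            fields.setdefault("__invalid__", []).append(line)
            continue
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def contacts(fields):
    """The 'where to contact you' values the post wants to extract."""
    return fields.get("contact", [])


def parse_timestamp(value):
    """Parse an RFC 9116 Expires value (ISO 8601 / RFC 3339, e.g. ...Z).

    Returns a timezone-aware datetime, or None if unparseable or naive.
    The 'Z' suffix is rewritten for Python versions whose fromisoformat()
    does not accept it.
    """
    try:
        ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        return None
    return ts if ts.tzinfo is not None else None


def check(fields, now=None):
    """Return a list of findings; an empty list means the file passes.

    `now` is an ISO 8601 string (or None for the current UTC time) so the
    expiry check is reproducible.
    """
    now_ts = parse_timestamp(now) if now else datetime.now(timezone.utc)
    findings = []
    for bad in fields.get("__invalid__", []):
        findings.append(f"malformed line: {bad}")
    if not contacts(fields):
        findings.append("missing required Contact field")
    for c in contacts(fields):
        if not c.startswith(ALLOWED_SCHEMES):
            findings.append(f"Contact is not a mailto:/tel:/https: URI: {c}")
    expires = fields.get("expires", [])
    if len(expires) != 1:
        findings.append("Expires must appear exactly once")
    else:
        ts = parse_timestamp(expires[0])
        if ts is None:
            findings.append(f"Expires is not a timezone-aware ISO 8601 timestamp: {expires[0]}")
        elif ts <= now_ts:
            findings.append(f"security.txt expired on {expires[0]}")
    return findings


if __name__ == "__main__":
    parsed = parse_security_txt(SAMPLE)
    print("contacts:", contacts(parsed))
    print("findings:", check(parsed) or "none")
```

In a real scan the text would come from `https://<domain>/.well-known/security.txt` (the RFC's location; `/security.txt` is the legacy fallback), and the findings list is what you would attach to the compliance record before starting the mailbox round trip.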

onepict (@onepict@chaos.social), to random

So that's me having received the confirmation that my stuff is removed from Bigstack.

Which is good. It shows the opt-out requests are being done.

Going to check again for librecast's old GitHub account. Looks like I missed some.

Opens new ticket

https://huggingface.co/spaces/bigcode/in-the-stack

While I did think it is important for Software Heritage to archive code, I wish it was done opt-in.

It would be nice to be asked and for that code to be curated. This is not curation. This is automation.

Di4na (@Di4na@hachyderm.io),

@webmink @onepict I agree, but I would add that a FOSS license usually comes with some demands on the user that we have no proof that LLM/ML-based systems can follow. Obviously attribution, but also questions around patents, the GPL and all definitely get complex there.

FOSS is a hack of copyright, and there are limits to what a hack can do when the underlying infra is rotten and ill-suited...
