Show more

Ok I jumped up, hit the lights, and found a stick…this is what was in the freaking bed…

The wife wasn’t feeling good so I went down to the basement to sleep in the spare room. I turned the light off and laid down. Just as I put my head on the pillow, I feel it move and in the darkness I hear the signature rattle…there’s a freaking rattlesnake in my bed, near my head! I’m just gonna lay here for a while and doomscroll. Maybe it will leave. I think it crawled away. OMG why don’t I keep the house cleaner. This is where we fold our laundry and it’s just in a big pile next to me…

Daniel boosted

I think a LOT of people are missing the fact that we got LUCKY with this malicious backdoor.

The backdoor was created by an Insider Threat - by a developer / maintainer of various linux packages. The backdoor was apparently pushed back on March 8th (I believe) and MADE IT PAST all QA checks.

Let me state that again. Any quality assurance, security checks, etc., failed to catch this.

This was so far upstream, it had already gotten into the major Linux distributions. It made it into Debian pre-release, Fedora rolling, OpenSUSE rolling, Kali rolling, etc.

This is an example of Supply Chain Security that CISOs love to talk and freak out about. This is an example of an Insider Threat that is the boogey man of corporate infosec.

A couple more weeks, and it would have been in many major distributions without any of us knowing about it.

The ONLY reason we know about it is because @AndresFreundTec got curious about login issues and some benchmarking checks that had nothing to do with security and ran the issue down and stumbled upon a nasty mess that was trying to remain hidden.

It was luck.

That's it. We got lucky this time.

So this begs the question. Did the malicious insider backdoor anything else? Are they working with anyone else who might have access to other upstream packages? If the QA checks failed to find this specific backdoor by this specific malicious actor, what other intentional backdoors have they missed?

And before anyone goes and blames Linux (as a platform or as a concept), if this had happened (if it HAS happened!!!) in Windows, Apple, iOS, etc.... we would not (or will not) know about it. It was only because all these systems are open source that Andres was able to go back and look through the code himself.

Massive props and kudos and all the thank yours to Andres, those who helped him, to all the Linux teams jumping on this to fix it, and to all the folks on high alert just before this Easter weekend.

I imagine (hope) that once this gets cleaned up, there will be many fruitful discussions around why this passed all checks and what can be changed to prevent it from happening again.

(I also hope they run down any and all packages this person had the signing key for....)

#infosec #hacking #cve #cve20243094 #linux #FOSS

Daniel boosted

Just started the Bobiverse books today, so far I’m interested.

Daniel boosted

so this is a bit wild

i've got an oldie iPad 2 running iOS 9.3.5. this has some expired root certificates which results in several apps not working properly. Plex will load, but it won't be able to negotiate with your plex server, for instance.

since apple doesn't offer new iOS updates for it (with refreshed certificates).. it seemed like i was kinda stuck.

as it turns out, and is documented nowhere aside from a post on reddit, you can manually download your own root certificate - and iOS lets you install it without complaint.

if you're on an ancient iOS device, just point its Safari browser to this url: letsencrypt.org/certs/isrgroot

tap Install when prompted - and you've got working certificates again!

this just breathed new life into a 10+ year old iPad, which will become a bedtime plex viewer.

#apple #vintageApple #iOS

@mary and I made an inflatable snow den tonight and we’re expecting a couple feet of snow by tomorrow. Hopefully Edward will be in in one piece when we wake up! Heidi has no idea.

@Linux_in_a_Bit I posted some ramblings on The Outpost (NomadNet), related to email, that you might be interested in.

Daniel boosted
Daniel boosted

The formerly abandoned Bell Labs building in Holmdel, NJ. At one point slated for demolition, the historic site has since been turned into Bell Works, a multi-use complex that was the filming location for the series Severance.

See the rest: abandonedamerica.us/bell-labs

Daniel boosted

If you have any rose-tinted memories of 1994, just remember that 2024 will be somebody’s 1994. Be present and make the world seem a little better than it might actually be to those around you.

Show more
Camp Duffel

We Do Camps!