
djm

@djm@cybervillains.com

debugging, v: the process of inserting printf statements into code until one's errors reveal themselves


futurebird, to random

Breathing silica dust is bad. I'm so glad that there are government agencies with the autonomy to make rules about this kind of thing -- oh... oh oh no.

(This particular rule is under attack from multiple sides. I wonder how much money it's worth to the mine owners? How much do they get for each year of hacking and suffering in old age from their workforce? We should count it up. Write it on a cake. Make them a cake. Give them the cake.)

https://www.wdtn.com/news/health-news/ap-health/ap-us-miners-union-head-calls-house-republican-effort-to-block-silica-dust-rule-an-attack-on-workers/

djm,

@futurebird Australia has just banned engineered stone entirely for this reason https://www.safeworkaustralia.gov.au/esban

djm, to random

OpenSSH 9.8 has just been released. This release includes a fix for a critical race condition in sshd that could be exploited for remote code execution so you should definitely patch or upgrade. It also contains a fix for a minor issue in ssh that saw the recently-added ObscureKeystrokeTiming feature work the opposite way as intended.

There are some new features too. Please see the release notes at https://openssh.com/releasenotes.html for more details.

gsuberland, to random

I wish more people knew that light curtain sensors are cheaply available and easy to integrate into an e-stop for automated machinery. you can protect a 3.0m by 0.5m region against ingress for under 70€.

if you're building hobbyist CNC stuff (milling, XY tables, robot arms, etc.) without a full-coverage interlocked enclosure they're a very affordable way to save you from serious injury.

djm,

@gsuberland links?

djm, to random

Here's my 2c on the xz incident.

This is the nearest of near-misses. Anyone who suggests this was any kind of success is a fool. No system caught this, it was luck and individual heroics. That's not acceptable when unauthorised access to ~every server on the internet is on the table. We need to find a way to do better.

1/n

djm OP,

One factor in this incident was deep, unexpected dependency chains. I wish distributions would start taking a more minimalist approach to the options they enable in the default packages they ship.

What fraction of the sshd userbase actually needs Kerberos or SELinux (which also depends on liblzma) enabled? Put that stuff in an alternate package and reduce the exposure for the rest of your users. Fewer dependencies means less attack surface and less supply-chain risk.

2/n
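A quick way for an operator to see whether the point above applies to their own system is to audit what the installed sshd actually links against. The script below is an added example, not code from djm or the OpenSSH project: it reads ldd(1)-style output and flags libraries from a watchlist that a minimal sshd would not be expected to pull in. The watchlist names and the sample ldd output are constructed assumptions for illustration.

```shell
#!/bin/sh
# Added example: flag unexpected shared-library dependencies of a binary such as sshd.
# Assumes a GNU/Linux system with ldd(1) when check_binary is used on a real file.

# Illustrative watchlist of libraries a minimal sshd should not need (assumption).
WATCHLIST="liblzma libsystemd libgssapi libselinux"

# flag_deps: read ldd-style output on stdin, print each watchlisted library found.
# ldd prints the library name as the first whitespace-separated field of each line.
flag_deps() {
    awk -v list="$WATCHLIST" '
        BEGIN { n = split(list, w, " ") }
        {
            for (i = 1; i <= n; i++) {
                if (index($1, w[i]) == 1) { print $1; break }
            }
        }' | sort -u
}

# check_binary: run ldd on a real binary (e.g. /usr/sbin/sshd) and flag its dependencies.
check_binary() {
    ldd "$1" 2>/dev/null | flag_deps
}

# Constructed sample resembling ldd output for an sshd linked against libsystemd,
# which in turn drags in liblzma. Addresses are placeholders, not from a real host.
SAMPLE_LDD='
	linux-vdso.so.1 (0x00007ffd00000000)
	libcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 (0x00007f0000000000)
	libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f0000100000)
	liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f0000200000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0000300000)
'

# Demonstrate on the constructed sample; pass a path as $1 to check a real binary.
printf '%s\n' "$SAMPLE_LDD" | flag_deps
if [ -n "$1" ]; then
    check_binary "$1"
fi
```

Run it as `sh audit-deps.sh /usr/sbin/sshd` (assumed path) to see which watchlisted libraries the local build links in; an empty result means none of the listed names appear in the binary's direct or transitive link set as reported by ldd.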

djm OP,

Few of the mooted software-supply chain defences would have prevented this, as the attacker was a (relatively) long-term maintainer, was not averse to using sockpuppet accounts and was careful to hide their exploit from automated tools.

Worse, many of the solutions being offered increase the workload on maintainers. But maintainer burnout was a key factor in this incident. We need to find a way to support maintainers while being proscriptive or paternalistic.

3/n

djm OP,

This won't be the last sophisticated and methodical OSS supply-chain attack. The actor(s) behind xz are probably already learning their lessons ahead of their next attempt. Indeed, xz might not be the only attack they had in progress.

The next one is going to be more carefully operated and harder to spot. How are we going to stop it?

4/4
