@philbetts@mastodon.social cover
@philbetts@mastodon.social avatar

philbetts

@philbetts@mastodon.social

Art, code, society, foliage. PhD'd. Probably the world's most pre-eminent Fox Searchlight Pictures scholar, 1994–2009 (...it's ...a Little Miss Sunshine joke). Bisexual icon. Highly suggestible.

This profile is from a federated server and may be incomplete. For a complete list of posts, browse on the original instance.

philbetts , to random
@philbetts@mastodon.social avatar

It is WILD to me still that if there's a video on Mastodon you can just... Save the video file. Can't think of anywhere else that has allowed that for over a decade.

seraph , to random
@seraph@wetdry.world avatar

this shit is so funny

Are you serious, X Corp? Ahoy there, welcome to roblotwitter! I assure you, there's nothing fishy going on here, so feel free to read on. Yeah, it's a "honeypot". Sorry about that. I'm not trying to apologize and get away with it, though. But when you clicked on this link, you probably thought you were looking at something like "roblox.com". Simple URL substitution can cause this kind of thing to happen, so I made this site. So let's shout it out. "Are you serious, X Corp?"

This domain has been acquired to prevent its use for malicious purposes As of April 8, 2024, the iOS Twitter (now X) client automatically replaces the text "twitter.com" in posts with "x.com" as part of its functionality. Therefore, for example, a URL that appears to be "netflix.com" will actually redirect to "netflitwitter.com" when clicked. Please be aware that there is a potential for this feature to be exploited in the future, by acquiring domains containing "twitter.com" to lead users to malicious pages. This domain, "netflitwitter.com," has been acquired for protective purposes to prevent its use for such malicious activities. If there are any concerns, please contact the X account @yuyu0127_ .
ALT
  • Reply
  • Expand (4)
  • Collapse (4)
    • + pluralistic, nickwedig, saddestrobots
    philbetts ,
    @philbetts@mastodon.social avatar

    @weekend_editor @dpnash @seraph @pluralistic @cstross at least @mattround fixed the Scunthorpe problem with the Scunthorpe Sans font: https://vole.wtf/scunthorpe-sans/

    dillyd , to random
    @dillyd@allies.social avatar

    [Thread, post or comment was deleted by the author]

    •
    philbetts ,
    @philbetts@mastodon.social avatar

    @dillyd @SunnJax fortunately my mind immediately went to "pancreas" then, but there's no way I'm thinking of anything non-penile in the pressure of the moment. 😅

    philbetts ,
    @philbetts@mastodon.social avatar

    @dillyd @SunnJax I suppose Phil Phalanges is sitting (standing?) right there. Sounds like some sort of Greek detective.

    tinker , to random
    @tinker@infosec.exchange avatar

    I think a LOT of people are missing the fact that we got LUCKY with this malicious backdoor.

    The backdoor was created by an Insider Threat - by a developer / maintainer of various linux packages. The backdoor was apparently pushed back on March 8th (I believe) and MADE IT PAST all QA checks.

    Let me state that again. Any quality assurance, security checks, etc., failed to catch this.

    This was so far upstream, it had already gotten into the major Linux distributions. It made it into Debian pre-release, Fedora rolling, OpenSUSE rolling, Kali rolling, etc.

    This is an example of Supply Chain Security that CISOs love to talk and freak out about. This is an example of an Insider Threat that is the boogey man of corporate infosec.

    A couple more weeks, and it would have been in many major distributions without any of us knowing about it.

    The ONLY reason we know about it is because @AndresFreundTec got curious about login issues and some benchmarking checks that had nothing to do with security and ran the issue down and stumbled upon a nasty mess that was trying to remain hidden.

    It was luck.

    That's it. We got lucky this time.

    So this begs the question. Did the malicious insider backdoor anything else? Are they working with anyone else who might have access to other upstream packages? If the QA checks failed to find this specific backdoor by this specific malicious actor, what other intentional backdoors have they missed?

    And before anyone goes and blames Linux (as a platform or as a concept), if this had happened (if it HAS happened!!!) in Windows, Apple, iOS, etc.... we would not (or will not) know about it. It was only because all these systems are open source that Andres was able to go back and look through the code himself.

    Massive props and kudos and all the thank yours to Andres, those who helped him, to all the Linux teams jumping on this to fix it, and to all the folks on high alert just before this Easter weekend.

    I imagine (hope) that once this gets cleaned up, there will be many fruitful discussions around why this passed all checks and what can be changed to prevent it from happening again.

    (I also hope they run down any and all packages this person had the signing key for....)

    philbetts ,
    @philbetts@mastodon.social avatar

    @dymaxion @whitequark @raito @rst @tinker @AndresFreundTec this was rad to read, thanks all involved. Not that it matters but on balance I think I'm still team @whitequark on this one - FOSS developers don't owe capitalism anything (but I also can see that leads to a crappy outcome - just slightly less crappy than alternatives.)

  • All
  • Subscribed
  • Moderated
  • Favorites
  • random
  • test
  • worldmews
  • mews
  • All magazines
    •