Gemini Links 30/03/2024: People on Holiday, Posts on the xz Backdoor
-
Gemini* and Gopher
-
Personal/Opinions
-
🔤SpellBinding: FYMNRTI Wordo: SKIPS
-
Mixtape 2024
I had a great conversation with my friend Alissa recently about music, what we like, and what we think the real reasons are for multi-genre touring music festivals failing across Australia. The two of us have very different taste in music, though I did think a lot about her observation that I “use music as a stim”. My feeling is that this is true for basically everyone, even if they don’t realise it. There’s a whole industry for trying to control or at least influence people’s emotions via music (especially in films and at events of all kinds).
-
ninth
hmmm i wonder why my head hurts... (has not eaten at all today) oh well! im too tired to eat.. im gonna FEAST tomorrow anyway. bday dinner is about to be soooo yum x9
-
Religions
Other note: I'm trying my best not to be the "sky-daddy" kind of guy here, but sometimes it's hard.
-
Cautious optimism about the Sailor Tuzu
Conceptually, I like it. It's supposed to be a casual, no-frills daily driver pen that appeals to people who wouldn't normally use a fountain pen. To that end, its distinguishing feature is a nib that rotates around the barrel to accommodate different grip positions. Most fountain pens have a fairly narrow tolerance range for angles they'll write in, so this is a great accessibility feature.
Whether this product is actually 1. good and 2. successful depends on pricing and execution. If this pen is going to be competitive in the entry-level market, it can't be more than $30. I think even more than $20 is pushing it because there are a lot of good pens in the sub-$20 category (Platinum Preppy/Prefounte/Plaisir, Pilot Kakuno, TWSBI Go, etc).
-
Recently listening 2/...
-
Academiology VII: Silvics
If you follow these steps perfectly, you can expect to spend at most 30 minutes studying every day and to get in the range of an A+ on every test without fail. If you struggle to do step 5, every once in a while you'll find yourself with a considerable backlog and you'll need to spend a lot more time to catch up.
The reason this system works is threefold: it implements all of recall learning, interleaved learning and spaced repetition.
-
Sunrise Season — Almost (publ. 2024-03-30)
We have sunrises fairly often here in Fairbanks, but there is a narrow range of dates in the spring and fall when it is convenient for me to view them and to photograph them, which is when the sun is rising about 30 minutes to an hour before the start of my work shift. We are not quite there yet, but I was able to catch this nice glow at about 7am or so on this Saturday morning, looking down the street where our apartment is located.
-
-
Technology and Free Software
-
Mandatory Post on the xz Backdoor
I don't have deep thoughts on this except "managing a FOSS project is hard and there's a highly profitable corporate ecosystem depending on stressed FOSS programmers that make nothing off their work." Informally-run projects by burnt-out people are ripe for exploitation by social engineering. It seems right now like somebody took advantage of that. The original maintainer, Lasse Collin, does not seem to have had any involvement except trusting the wrong person to try to keep his project maintained.
-
Lessons learned with XZ vulnerability
Yesterday Red Hat announced that the xz library was badly compromised, and could be used as a remote code execution vector. It's still not clear exactly what's going on, but you can learn about this on the following GitHub discussion that also links to the original posts: Discussion about xz being compromised
[...]
this only happens in the case of:
* the system is running systemd
* openssh is compiled with a patch to add a feature related to systemd
* the system is using glibc (this is mandatory for systemd systems afaik anyway)
* the xz package was built using release tarballs published on GitHub and not auto-generated tarballs; the malicious code is missing from the git repository
-
OpenBSD, FreeBSD, NixOS and Qubes OS (dom0 + official templates) are unaffected. I didn't check for others, but Alpine and Guix shouldn't be vulnerable either.
[...]
I actually have two systems that were running the vulnerable libs on openSUSE MicroOS, which updates very aggressively (daily update + daily reboot). There is no magic balance between "update as soon as possible" and "wait for some people to take the risks first".
-
xz and liblzma: Exhausted by the Destruction of Trust
Like a lot of technical people, I spent a bunch of time scrolling yesterday, reading about CVE-2024-3094. The short story: someone by the name or alias of Jia Tan started committing code to the xz project (specifically the liblzma library) a couple years ago, and recently it was discovered that some of this was to do with disabling security to allow for remote access bypassing ssh. Pretty sophisticated stuff. The first thing I saw was a Mastodon toot, which took me to a few more, then the requisite Hacker News thread(s). And I despaired, because xz is used a lot (basically, everywhere), and even if the affected version was only being used by bleeding-edge distros (Fedora 40 and 41, Debian Sid, and a few others), the end-game was clearly to try to evade detection long enough to have a backdoor into a massive swath of Linux machines across the internet.
-
Programming
-
Four Random Questions
For the past few months now I have been creating a few flags for various things, essentially building a collection of objects, individuals and similar such that I like or otherwise find value in. One of the things that I like to do, aside from designing and describing the flags, is to give a little background on both the thing and the flag that depicts the thing. For the latter, this is a simple case of highlighting proportions and collinear points on the flag of note, which is known as a description.
-
Yet More Bad Code
The programmer presenting this code claims that $destroy_system can never be true, therefore the code does not need to be fixed, because that branch can never be reached. Another opinion is to remove the bad code. For example, what happens when an intern (or an older and more senile version of you) comes along and manages through ignorance or accident to make "$destroy_system" true?
-
-
-
* Gemini (Primer) links can be opened using Gemini software. It's like the World Wide Web but a lot lighter.