Skip to main content

2024-03-30

Critical Backdoor Discovered in xz/liblzma Threatening SSH Servers

  • The Openwall project provides free and open-source products for server security, such as a Linux OS, password cracker, and password hashing tools.
  • A backdoor was discovered in the xz/liblzma package, impacting SSH servers on glibc-based x86-64 Linux systems, creating a risk of unauthorized access or remote code execution.
  • Exploit code is targeting specific libraries, prompting distributions like Debian and Red Hat to address the issue; vulnerable systems need urgent upgrades.

Reactions

  • A backdoor in upstream xz/liblzma led to compromises of SSH servers, resulting in account suspensions and the removal of the author's key from repositories, sparking discussions on code complexity and potential state actor involvement in open-source projects.
  • Concerns raised about XZ file format security in enterprise Linux distributions lacking immediate updates, emphasizing the importance of multi-factor authentication with methods like YubiKeys and storing TOTP recovery passwords for emergencies.
  • Debates on the effectiveness of two-factor authentication, limitations of MFA, risks of storing passwords and tokens on the same device, discussions on Passkeys implementation, hardware keys for authentication, and transparency in coding practices, along with the community's call for vigilance and prompt security vulnerability addressing.

Philanthropist creates 'European Yellowstone' in Romania

  • Hansjörg Wyss' philanthropist group is acquiring extensive land in Romania to establish a 'European Yellowstone' in the Carpathian Mountains, aiming to conserve nature, boost ecotourism, and enhance the region's economy.
  • The foundation has purchased 27,027 hectares and targets a 200,000-hectare protected area, encountering opposition from residents, hunting groups, and struggles in setting up a national park.
  • Efforts include reforestation, wildlife preservation, and community involvement to tackle obstacles and establish a viable conservation framework.

Reactions

  • Talks focus on establishing a European Yellowstone National Park in Romania to reintroduce bison, highlighting wildlife behavior, human presence in natural habitats, tourism, conservation, economic struggles in Romania, and capitalism's effects on natural resources.
  • Emphasizes the essence of coexisting with wildlife, acting responsibly, and conserving nature as central themes in the discourse.

Top performers may resign if new hires are paid more

  • Pay transparency is rising across different industries, causing existing employees to notice salary gaps with new hires.
  • Research indicates that without adjusting salaries for current staff post new hiring, top performers may resign.
  • Employers are advised to perform consistent pay equity assessments and promptly modify wages to prevent potential talent loss.

Reactions

  • The discussion highlights challenges of salary disparities, especially when new hires earn more than experienced workers, leading to top performers leaving and existing employees feeling undervalued.
  • Importance of transparency in salaries, negotiating higher pay, and the influence of market conditions on compensation are emphasized.
  • The debate also covers retention strategies, career development, shifting workforce demographics, family planning, knowledge transfer, economic struggles of parents in the US, and the impact of generational gaps in the workplace.

Preserving Santa Barbara's Digital History Amid Bankruptcy Threat

  • The Santa Barbara News-Press, a historic newspaper, has declared bankruptcy, putting its digital archive in jeopardy of being sold to a foreign company with a history of transforming reputable websites into "backlink farms" for SEO.
  • This unethical SEO practice includes adding paid content to manipulate search engine rankings, potentially compromising the historical accuracy of the community's records.
  • Citizens are urged to participate in bidding on the archive to safeguard its content and thwart its involvement in exploitative online activities.

Reactions

  • Deadspin was sold to investors in the online gaming affiliate industry, leading to risks for community history.
  • Workers created a co-op called Defector due to challenges with union representation and local news sites in Santa Barbara.
  • The article covers separating assets from liabilities in businesses, insider trading, price fixing, and the significance of preserving cultural heritage through archives.

Apache Guacamole: Access Desktops Anywhere with Clientless Gateway

  • Apache Guacamole is a clientless remote desktop gateway supporting protocols like VNC, RDP, and SSH, accessible via a web browser for remote desktop access.
  • The software is open source under the Apache License, continuously enhanced by a developer community, with a documented API for seamless integration with various applications.
  • Both community and commercial support options are offered for Apache Guacamole.

Reactions

  • Apache Guacamole is a clientless remote desktop gateway for accessing remote desktops via a web browser, receiving praise for its functionality and customization.
  • Users have reported issues like input lag and sound quality while using Guacamole but have shared positive experiences in education and workplace settings.
  • Alternative projects like BrowserBox, xpra, and KasmWeb have been discussed, with some users seeking Java-independent solutions, showcasing Guacamole's value for remote desktop access.

Iowa fertilizer spill devastates fish in 60-mile river stretch

  • A fertilizer spill in Iowa led to the deaths of almost 800,000 fish in Iowa and Missouri rivers due to liquid nitrogen fertilizer leak from an open valve.
  • This incident, one of Iowa's biggest fish kills, may take years for the ecosystem to restore fully, underscoring persistent water contamination concerns.
  • The spill emphasizes the difficulties in enforcing stricter regulations in agricultural states, shedding light on ongoing water pollution challenges.

Reactions

  • A fertilizer spill in Iowa wiped out most fish along a 60-mile river stretch, with ammonia being the key harmful component affecting the aquatic life.
  • The incident underscores the environmental harm linked to agricultural practices and has sparked debates on enforcing harsher penalties for those causing such disasters.
  • Some discussions shift to drawing parallels between environmental damage and software security concerns, highlighting differing urgencies in addressing these issues.

Uncovering the XZ Backdoor: Risks of Individual Contributors

  • A backdoor in the Xz software was discovered, with Jia Tan, a suspicious contributor, playing a central role in making harmful code changes and pushing compromised versions into repositories.
  • The post highlights the risks of depending heavily on individual contributors like Jia Tan without adequate support, raising industry-wide security concerns.
  • Suspicious LinkedIn profiles and potential identity theft issues connected to Jia Tan are also addressed in the blog post.

Reactions

  • A potential backdoor in the xz compression software raises concerns about an intelligence agency targeting OpenSSH.
  • Suspicions suggest a coordinated effort to compromise the software, possibly by a nation-state agency, emphasizing the need for robust security measures.
  • The post underscores the significance of having multiple maintainers for critical open-source projects to mitigate security risks effectively.

Weathering a DDoS Storm with Simple Design and High-Performance Frameworks

  • The blog addresses a DDoS attack on the company's server, highlighting their choice not to intervene due to their system's capability to withstand the assault.
  • Their resilience during the attack is credited to their uncomplicated, monolithic service structure and utilization of efficient frameworks such as Golang and Rust.
  • Emphasizing the significance of sound deployment strategies, they advocate for employing binaries over containers and enhancing performance by circumventing intermediary layers.

Reactions

  • Tableplus.com discusses DDoS attacks, website vulnerabilities, traffic spikes, application deployment in containers, and security measures like "Under Attack" mode.
  • Topics include building monolith services with Golang, managing high request volumes, and the monolithic vs. microservices architecture debate.
  • Opinions are shared on enhancing security, simplifying deployment, and addressing organizational challenges when selecting architectural strategies.

Maximizing Raspberry Pi's Lifespan: Running with Read-Only Root Filesystem

  • Running a Raspberry Pi with a read-only root filesystem can extend the lifespan of the SD card by reducing write operations.
  • The guide offers detailed instructions on various steps, including removing unnecessary software, configuring read-only filesystem, managing programs installed via snap, utilizing tmpfs for RAM data storage, and limiting space used by journald.
  • It also covers handling errors from processes that might not work correctly on a read-only filesystem, providing a comprehensive approach to optimizing Raspberry Pi performance and efficiency.

Reactions

  • The article explores running a Raspberry Pi with a read-only root filesystem, suggesting SquashFS and EROFS for filesystems.
  • Users share their experiences with various OS and setups for read-only Pi operation, recommending tools like Alpine Linux.
  • Recommendations include industrial SD cards, reliable power supplies, and strategies for SD card longevity to avoid data corruption, along with using overlay filesystems like overlayfs with tmpfs for image production.

Exploring Werons WebRTC Overlay Networks

  • Weron is a WebRTC-based overlay network enabling access to nodes behind NAT, secure home networks, and circumventing censorship, offering a straightforward API for peer-to-peer protocols.
  • Users can install Weron via containerized OCI images or static binaries, detailing the signaling server usage to connect peers, manage communities, and conducting latency and throughput measurements on the network.
  • The text covers creating Layer 3 and Layer 2 overlay networks with Werons VPN, establishing a Layer 2 Ethernet overlay network, and crafting custom protocols with wrtcconn, along with guidance on using weron, including command line arguments, environment variables, and licensing details.

Reactions

  • Discussion focuses on WebRTC for peer-to-peer internet communication, mentioning technologies like SimplePeer, GCM, MLS, and WebTorrent, along with challenges in server and browser support.
  • Speculation arises about Apple's aversion to backing web technologies such as WebTransport and WebRTC, possibly to promote its app store, prompting debates on simplifying peer negotiation and enhancing security through open-source WebRTC video conferencing solutions.
  • Developers weigh the efficiency of STUN and WebRTC in NAT traversal, raising worries about security and usability in the process.

Demis Hassabis: Leading Google's AI Push

  • Demis Hassabis, DeepMind's founder, is spearheading Google's AI research to maintain competitiveness in the field.
  • DeepMind's breakthroughs like AlphaGo and AlphaFold have established their AI expertise, but a communication gap with OpenAI posed challenges in generative models.
  • Hassabis is working on Gemini, a language model to compete with OpenAI's GPT models, alongside developing autonomous agent systems, indicating his commitment to research over potentially becoming Google's CEO.

Reactions

  • The article discusses challenges in implementing tree search algorithms in large language models at Google and emphasizes the significance of training for novelty.
  • It explores Google's leadership, the pursuit of Artificial General Intelligence (AGI), and worries about corporate influence, along with the potential AI impact on different industries.
  • The text also highlights the limitations and feasibility of AI technology, perceived failures of Google's CEO, and the role of DeepMind within the company.

Uncovering the xz-utils Backdoor: Urgent Security Advisory

  • A backdoor was found in xz-utils on March 29th, 2024, impacting systems with versions 5.6.0 or 5.6.1 of xz or liblzma, triggered by remote unprivileged systems connecting to public SSH ports.
  • The exploit uses glibc, systemd, and specific configurations to target OpenSSH's authentication procedures, potentially allowing bypassing of authentication processes.
  • Maintainers of xz-utils are actively working on patches, emphasizing the urgency for users with publicly accessible SSH to update their systems promptly.

Reactions

  • A backdoor, xz-utils, was found in the xz/liblzma library, risking the compromise of SSH servers when the process name matches /usr/bin/sshd.
  • The attacker planted the exploit into the compression library's test folder, sparking debates on software security practices in open and closed source settings.
  • Ongoing talks focus on the implications of past commits and stress the continuous need for vigilant software development and distribution methods to prevent such compromises.

Combatting Banner Blindness: Understanding User Behavior and Ad Effectiveness

  • Banner blindness, first termed in 1998, is when visitors ignore banner-like information on websites due to factors like clutter aversion and user familiarity with the site.
  • User interaction with banner ads is heavily influenced by website familiarity, impacting views and clicks.
  • Factors such as congruency, calls to action, animation, and personalization affect online ad effectiveness, with personalized ads garnering more attention but irrelevant ads causing frustration.

Reactions

  • The forum discusses Banner Blindness, where people ignore warning signs, especially in emergencies, due to autopilot behavior or intentional rule-breaking.
  • Suggestions include making signs more visually noticeable by using physical barriers or tweaking door designs to grab attention.
  • Users also touch upon gender variations, reprimands for safety breaches, the influence of ads on online content, and the use of ad blockers for self-protection.