riQQ's recent activity

  1. Comment on Backdoor in upstream libxz targeting sshd in ~comp

  2. Comment on Backdoor in upstream libxz targeting sshd in ~comp

  3. Comment on Backdoor in upstream libxz targeting sshd in ~comp

    riQQ
    Another write-up by Kevin Beaumont:
    https://doublepulsar.com/inside-the-failed-attempt-to-backdoor-ssh-globally-that-got-caught-by-chance-bbfe628fafdd

    Nobody else had raised concerns, and I don’t believe any existing security tooling or processes would have caught this (I realise there will be a torrent of vendors claiming they detect this… but they will detect this now that somebody told them).

    How advanced was the threat actor? The backdoor attempt was a very serious one, with a very high bar of knowledge, research, development and tradecraft to reach this far into the Linux ecosystem. Additionally, changes made by the threat actor on Github span multiple years, and include things like introducing functions incompatible with OSS Fuzzer due to outstanding small issues since 2015, then getting OSS Fuzzer to exclude XZ Utils from scanning last year. The backdoor itself is super well put together, and even includes the ability to remotely deactivate and remove the backdoor via a kill command. Several days in, despite global focus, I haven’t seen anybody who has finished reverse engineering it.

    Also, Andres had a unique testing environment and a set of coincidental setup issues which allowed him to discover the issue. I don’t know of anybody else who has this setup.

    When I installed a vulnerable Linux box, I had to double check it was actually vulnerable as I wouldn’t even see a speed issue. For me, it was a completely transparent backdoor — where sshd was running from disk as usual, with the usual file hash and no extra network activity.

    15 votes
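The quoted write-up's point that sshd "was running from disk as usual, with the usual file hash" is why file-integrity checks on the sshd binary miss this: the malicious code lives in liblzma, which sshd maps at startup (through libsystemd on distributions that patch sshd for systemd notification), not in sshd itself. The check below is an added example, not code from riQQ's comment, from Kevin Beaumont's article, or from the xz project. It resolves the liblzma that the sshd binary actually links and compares its version against the backdoored upstream releases; that those releases are xz 5.6.0 and 5.6.1 (CVE-2024-3094) is public advisory information rather than something stated on this page, and the version-from-filename step is a heuristic, as noted in the comments.

```shell
#!/bin/sh
# Added example (not from the page, the linked write-up, or the xz project).
# Idea: hashing /usr/sbin/sshd cannot reveal a backdoor that lives in a shared
# library sshd maps at load time, so inspect the liblzma sshd resolves instead.
# Assumption taken from the public advisory, not from this page: the backdoored
# upstream releases are xz 5.6.0 and 5.6.1 (CVE-2024-3094).

# Return 0 if the given liblzma/xz version string is a backdoored upstream release.
is_affected_xz_version() {
  case "$1" in
    5.6.0|5.6.1) return 0 ;;
    *)           return 1 ;;
  esac
}

# Pull "major.minor.patch" out of a resolved liblzma path such as
# /usr/lib/x86_64-linux-gnu/liblzma.so.5.6.1. Prints nothing if no version is found.
# This is a filename heuristic: a distribution rebuild may keep or change the name.
xz_version_from_path() {
  printf '%s\n' "$1" | sed -n 's/.*liblzma\.so\.\([0-9][0-9.]*\)$/\1/p'
}

# Print the symlink-resolved liblzma path that the given ELF binary links, or
# nothing if it links no liblzma. ldd shows the SONAME link (liblzma.so.5), so
# readlink -f is needed to see the versioned file behind it.
liblzma_linked_by() {
  bin="$1"
  [ -x "$bin" ] || return 1
  ldd "$bin" 2>/dev/null \
    | awk '/liblzma\.so/ && $3 ~ /^\// { print $3; exit }' \
    | while IFS= read -r p; do readlink -f "$p" 2>/dev/null || printf '%s\n' "$p"; done
}

# Locate sshd without assuming /usr/sbin is on PATH.
find_sshd() {
  for p in "$(command -v sshd 2>/dev/null)" /usr/sbin/sshd /usr/local/sbin/sshd; do
    [ -n "$p" ] && [ -x "$p" ] && { printf '%s\n' "$p"; return 0; }
  done
  return 1
}

# Returns 1 when sshd resolves a liblzma whose version is a backdoored release,
# 0 otherwise. "Cannot determine" is reported but not treated as a finding.
check_sshd_liblzma() {
  sshd=$(find_sshd) || { echo "sshd not found; nothing to check"; return 0; }
  lib=$(liblzma_linked_by "$sshd")
  if [ -z "$lib" ]; then
    echo "$sshd does not link liblzma; inspect the running process maps instead"
    return 0
  fi
  ver=$(xz_version_from_path "$lib")
  echo "$sshd -> $lib (liblzma version by filename: ${ver:-unknown})"
  if [ -n "$ver" ] && is_affected_xz_version "$ver"; then
    echo "AFFECTED upstream release present; confirm the installed package with the package manager"
    return 1
  fi
  echo "filename version is not an affected release; confirm with the package manager if in doubt"
  return 0
}

check_sshd_liblzma
```

Because the write-up stresses that the on-disk binary looks normal, the more faithful runtime variant of the same check is to read /proc/PID/maps of the running sshd (as root) and apply `xz_version_from_path` to the liblzma entry found there, which catches a library that was swapped after sshd started.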
  4. Comment on Visa, Mastercard settle long-running antitrust suit over swipe fees with merchants in ~finance

    riQQ

    Visa and Mastercard announced a major settlement with U.S. merchants on Tuesday, potentially ending nearly two decades of litigation over the fees charged every time a credit or debit card is used in a store or restaurant.

    The deal would lower and cap the fees charged by Visa and Mastercard and allow small businesses to collectively bargain for rates with the payment processors in a similar way that the large merchants do on their own now.

    According to the settlement announced Tuesday, Visa and Mastercard will cap the credit interchange fees until 2030, and the companies must negotiate the fees with merchant-buying groups.

    The law firm that announced the settlement put the value of the savings in swipe fees at close to $30 billion.

    9 votes
  5. Comment on Tests show high-temperature superconducting magnets are ready for fusion in ~science

    riQQ

    Detailed study of magnets built by MIT and Commonwealth Fusion Systems confirms they meet requirements for an economic, compact fusion power plant.

    Before the Sept. 5 demonstration, the best-available superconducting magnets were powerful enough to potentially achieve fusion energy — but only at sizes and costs that could never be practical or economically viable. Then, when the tests showed the practicality of such a strong magnet at a greatly reduced size, “overnight, it basically changed the cost per watt of a fusion reactor by a factor of almost 40 in one day,” Whyte says.

    1 vote
  6. Comment on What Boeing’s door-plug debacle says about the future of aviation safety in ~transport

    riQQ
    This section is the gist of the article in my opinion:

    So how does this understanding of aviation reliability help us make sense of Boeing’s recent missteps with its 737? Seen through this lens, the door-plug drama looks highly unusual in that it appears to have been an avoidable error. This is stranger than it seems. On the rare occasions when jetliner failures are attributable to the airplane’s manufacturer, they are almost always “rational accidents,” with root causes that had hidden in the uncertainties of experts’ tests and models. If the insecure plug was due to missing bolts, then this was something else. Securing bolts properly is about the lowest-hanging fruit of high-reliability engineering. It is the kind of thing that manufacturers ought to be catching with their elaborate rules and oversight, before they even begin their “march of nines.”

    8 votes
  7. Comment on Boeing is withholding key details about door plug on Alaska 737 Max 9 jet, NTSB says in ~transport

    riQQ

    More than two months after a door plug panel blew off a Boeing 737 Max 9 jet in midair, the top federal safety investigator says Boeing still has not provided key information that could shed light on what went wrong.

    9 votes
  8. Comment on <deleted topic> in ~health

  9. Comment on Weekly Israel-Hamas war megathread - week of February 26 in ~news

  10. Comment on What are your favorite series that are not from the US or UK and also not popular anime? in ~tv

    riQQ
    I recommend watching 4 Blocks. It's a German show about an Arab family clan and the drug business in Berlin. It's featuring among others two German rappers as actors who also contributed to the show's great and atmospheric music. One of them plays a lead role with a really good performance especially considering it was one of his first roles as an actor.

    2 votes
  11. Comment on New report from US Federal Aviation Administration: Boeing lacks key elements of safety culture in ~transport

  12. Comment on JavaScript bloat in 2024 in ~comp

  13. Comment on [SOLVED] Bug report: Firefox login in ~tildes

    riQQ
    Have you tried it with a fresh Firefox profile? For me it works without problems with Firefox.

    6 votes
  14. Comment on Minimal Linux bootloader debugging story in ~comp

    riQQ
    Interesting read about debugging a Linux bootloader failure.

    I maintain two builds of the Linux kernel, a linux/arm64 build for gokrazy, my Go appliance platform, which started out on the Raspberry Pi, and then a linux/amd64 one for router7, which runs on PCs.

    The update process for both of these builds is entirely automated, meaning new Linux kernel releases are automatically tested and merged, but recently the continuous integration testing failed to automatically merge Linux 6.7 — this article is about tracking down the root cause of that failure.

    5 votes
  15. Comment on Google Pixel phones unusable after January 2024 system update in ~tech

    riQQ
    (edited)
    Looks like it:

    First things first, Google has seemingly stopped the rollout of the January 2024 Play System Update as it tries to ascertain the cause, according to an unnamed source quoted by Android expert and AP contributor Mishaal Rahman.

    https://www.androidpolice.com/google-pixel-january-2024-play-system-update-paused/

    Edit:
    I also checked on my Pixel 6a and I have the September 2023 Google Play system update and it says I'm on the latest version.

    4 votes
  16. Comment on Google Pixel phones unusable after January 2024 system update in ~tech

    riQQ
    There's a somewhat complicated manual fix available:
    https://www.bleepingcomputer.com/news/mobile/google-shares-fix-for-pixel-phones-hit-by-bad-system-update/

    Although Google hasn't shared any details regarding the root cause of the issue, it stated it's more prevalent on Pixel devices with multiple user accounts.

    The company says they are working on fixing the root cause of the system update issue and will provide further updates when they learn more.

    While Google is working on a fix that will be pushed out to all Pixel phones via an update, it has released a fairly complicated temporary solution that requires installation of the Android Platform Tools developer toolkit.

    4 votes