@rene_mobile@infosec.exchange2024-03-30 21:58:50
My current take on the #xz situation, not having read the actual source backdoor commits yet (thanks a lot #Github for hiding the evidence at this point...) besides reading what others have written about it (cf. #rustlang for such central library dependencies would maybe (really big maybe) have made it a bit harder to push a backdoor like this because - if and only if the safety features are used idiomatically in an open source project - reasonably looking code is (a bit?) more limited in the sneaky behavior it could include. We should still very much use those languages over C/C for infrastructure code because the much larger class of unintentional bugs is significantly mitigated, but I believe (without data to back it up) that even such "bugdoor" type changes will be harder to execute. However, given the sophistication in this case, it may not have helped at all. The attacker(s) have shown to be clever enough.
6. Sandboxing library code may have helped - as the attacker(s) explicitly disabled e.g. landlock, that might already have had some impact. We should create better tooling to make it much easier to link to infrastructure libraries in a sandboxed way (although that will have performance implications in many cases).
7. Automatic reproducible builds verification would have mitigated this particular vector of backdoor distribution, and the Debian team seems to be using the reproducibility advances of the last decade to verify/rebuild the build servers. We should build library and infrastructure code in a fully reproducible manner *and* automatically verify it, e.g. with added transparency logs for both source and binary artefacts. In general, it does however not prevent this kind of supply chain attack that directly targets source code at the "leaf" projects in Git commits.
8. Verifying the real-life identity of contributors to open source projects is hard and a difficult trade-off. Something similar to the #Debian #OpenPGP #web-of-trust would potentially have mitigated this style of attack somewhat, but with a different trade-off. We might have to think much harder about trust in individual accounts, and for some projects requiring a link to a real-world country-issued ID document may be the right balance (for others it wouldn't work). That is neither an easy nor a quick path, though. Also note that sophisticated nation state attackers will probably not have a problem procuring "good" fake IDs. It might still raise the bar, though.
9. What happened here seems clearly criminal - at least under my IANAL naive understanding of EU criminal law. There was clear intent to cause harm, and that makes the specific method less important. The legal system should also be able to help in mitigating supply chain attacks; not in preventing them, but in making them more costly if attackers can be tracked down (this is difficult in itself, see point 8) and face risk of punishment after the fact.
H/T @… @… @… @… @…
@zolq@mastodon.world2024-03-22 20:44:23
"The tidal mudflat zone on this section of the river Lea is a rare and threatened habitat type in the UK" #livestream
@danyork@mastodon.social2024-03-12 18:54:53
This was an easy blog post for me to write! There is so much wrong with the State of Nevada’s request for an injunction to prevent Meta from rolling out end-to-end encryption in Facebook Messenger. For starters, WhatsApp has had E2EE since 2016, Apple iMessage since 2011 … and more.
Hopefully the district court in Nevada will agree and NOT allow the injunction! We’ll see.
#E2EE
@arXiv_csCL_bot@mastoxiv.page2024-02-29 06:50:49
Retrieval-based Full-length Wikipedia Generation for Emergent Events
Jiebin Zhang, Eugene J. Yu, Qinyu Chen, Chenhao Xiong, Dawei Zhu, Han Qian, Mingbo Song, Xiaoguang Li, Qun Liu, Sujian Li
https://arxiv.org/abs/2402.18264
@rene_mobile@infosec.exchange2024-03-30 21:58:50
My current take on the #xz situation, not having read the actual source backdoor commits yet (thanks a lot #Github for hiding the evidence at this point...) besides reading what others have written about it (cf. #rustlang for such central library dependencies would maybe (really big maybe) have made it a bit harder to push a backdoor like this because - if and only if the safety features are used idiomatically in an open source project - reasonably looking code is (a bit?) more limited in the sneaky behavior it could include. We should still very much use those languages over C/C for infrastructure code because the much larger class of unintentional bugs is significantly mitigated, but I believe (without data to back it up) that even such "bugdoor" type changes will be harder to execute. However, given the sophistication in this case, it may not have helped at all. The attacker(s) have shown to be clever enough.
6. Sandboxing library code may have helped - as the attacker(s) explicitly disabled e.g. landlock, that might already have had some impact. We should create better tooling to make it much easier to link to infrastructure libraries in a sandboxed way (although that will have performance implications in many cases).
7. Automatic reproducible builds verification would have mitigated this particular vector of backdoor distribution, and the Debian team seems to be using the reproducibility advances of the last decade to verify/rebuild the build servers. We should build library and infrastructure code in a fully reproducible manner *and* automatically verify it, e.g. with added transparency logs for both source and binary artefacts. In general, it does however not prevent this kind of supply chain attack that directly targets source code at the "leaf" projects in Git commits.
8. Verifying the real-life identity of contributors to open source projects is hard and a difficult trade-off. Something similar to the #Debian #OpenPGP #web-of-trust would potentially have mitigated this style of attack somewhat, but with a different trade-off. We might have to think much harder about trust in individual accounts, and for some projects requiring a link to a real-world country-issued ID document may be the right balance (for others it wouldn't work). That is neither an easy nor a quick path, though. Also note that sophisticated nation state attackers will probably not have a problem procuring "good" fake IDs. It might still raise the bar, though.
9. What happened here seems clearly criminal - at least under my IANAL naive understanding of EU criminal law. There was clear intent to cause harm, and that makes the specific method less important. The legal system should also be able to help in mitigating supply chain attacks; not in preventing them, but in making them more costly if attackers can be tracked down (this is difficult in itself, see point 8) and face risk of punishment after the fact.
H/T @… @… @… @… @…
@kennysmith@mstdn.social2024-04-10 17:03:00
A German second division club is also doing this.
You could do it philanthropically; the business model has changed.
“The club began what amounts to a live-action experiment examining some of the most profound issues affecting sports in the digital age: the relationship between cost and value; the connection between fans and their local teams; and, most important, what it is to attend an event at a time when sports are just another arm of the entertainment industry.”
@arXiv_csSE_bot@mastoxiv.page2024-03-19 07:18:55
EmpowerAbility: A portal for employment & scholarships for differently-abled
Himanshu Raj, Shubham Kumar, Dr. J Kalaivani
https://arxiv.org/abs/2403.11769
@arXiv_mathHO_bot@mastoxiv.page2024-02-16 06:56:50
A Field Guide to Ethics in Mathematics
Maurice Chiodo, Dennis M\"uller
https://arxiv.org/abs/2402.10048 https://arxiv.org/pdf/24…
@arXiv_csCL_bot@mastoxiv.page2024-03-20 08:27:27
This https://arxiv.org/abs/2401.01989 has been replaced.
initial toot: https://mastoxiv.page/@arXiv_csCL_…
