Diseased Open Source Software Community - it's about ethics in Code of Conducts

Just
@teriyakiburns I agree the aim of the cloud provider is to cover their ass from insane copyright claims for actually providing the service they are selling.

But to give the devil his due, the way it is written is far in excess of what is necessary to just host the content the user uploads, to cache it, and to upload content to people who request it.

With a user agreement like that, a company could go rogue with the content uploaded to it and cut the person who uploaded it out of any profits and right to remove content.

Thankfully no company that I know of has done that. But all it takes is a single vulture capitalist to buy out a company like this that is going bankrupt and start to monetize all of the data uploaded to it.
Just like YouTube. Nothing to see here. People just don't read ToS
 
Well John Walker Flynt isn't enjoying prison and he falsely claims to be a "software engineer" all the time.
You won't go to prison for falsely claiming to be a civil engineer but you may be fined or not have your civil engineering license renewed. That's what happened to car-hater Charles "Chuck" Marohn of Strong Towns infamy. And then he decided to sue the licensing board (AELSLAGID), so LMAO.
 
And if anyone claims they can proficiently code like other coders but with zero Internet access and their name isn't "Terry A. Davis" (and frankly even he had the Internet) I need to see solid evidence of that.
I can. I use well-documented languages, like Ada and Common Lisp, so if I forget how something works I can either pick up a book to check or enquire the system itself. I have every IETF RFC on my system. I also avoid getting myself elbow-deep in the diseased entrails of shitty systems in the first place.
(Not all but) Most true hackers are basically con men who use social engineering to gain access or script kiddies who look for default usernames and passwords
https://stallman.org/articles/on-hacking.html
Richard Stallman said:
It is hard to write a simple definition of something as varied as hacking, but I think what these activities have in common is playfulness, cleverness, and exploration. Thus, hacking means exploring the limits of what is possible, in a spirit of playful cleverness. Activities that display playful cleverness have "hack value".
 
I can. I use well-documented languages, like Ada and Common Lisp, so if I forget how something works I can either pick up a book to check or enquire the system itself.
Even under those circumstances, you're going to have to do things like go beyond the massive 1,000+-page doorstop that is the Common Lisp standard. People still develop Common Lisp programs but I find it very hard to believe they are doing so just from documentation that was written down from maybe the mid-80s into the 90s and perhaps a bit of the early 00s.
 
No one who can't program without access to the Internet is a true hacker.
lol, but then proceeds to show an article that basically says hacking is problem solving and one of the examples is stallman thinking it would be funny to use all 6 chopsticks in front of him to eat food (the problem), so he found a way to do it (the solving)

pick up a book to check or enquire the system itself
then my ninja fucking says he will search not on the internet, but in a book, which is just a different repository of knowledge which is harder to search through because you cannot use ctrl+f or google. He's not even digitizing the fucking book

You cannot make this shit up. You have never written a line of code in your life
 
According to Red Hat, Fedora 40 and Fedora Rawhide are compromised (a), at least until Red Hat reverts xz to 5.4.x. Then they are, according to Red Hat, safe to use again.

According to Fedora Project developers posting on the Linux subreddit, Fedora 39 and earlier do not appear to be compromised (a) as they do not have a version of xz newer than 5.4.x. According to the same thread, it seems like only the most bleeding edge of distros are affected. Fedora chuds are mostly safe.
:neckbeard:

The vulnerability has been filed as CVE-2024-3094 in NVD's database.
 
Here's a page with more information on what Jia Tan did. (a) In short, he was a ruse going on since at least 2021 and besides backdooring xz also made several suspicious changes to other projects like libarchive. He also made several sock accounts to advocate for his changes.

Amusingly, GitHub's policy of shooting first and asking questions later is a detriment:
A few hours after all this came out, GitHub suspended JiaT75’s account. Thanks? They also banned the repository, meaning people can no longer audit the changes made to it without resorting to mirrors. Immensely helpful, GitHub. They also suspended Lasse Collin’s account, which is completely disgraceful.
Lasse Collin was the original legitimate maintainer of xz so it's retarded to suspend his account.
 
There are first details on the payload. The actual details are on Bluesky because Valsorda is a retarded nigger, so here is the text:
I'm watching some folks reverse engineer the xz backdoor, sharing some *preliminary* analysis with permission. The hooked RSA_public_decrypt verifies a signature on the server's host key by a fixed Ed448 key, and then passes a payload to system(). It's RCE, not auth bypass, and gated/unreplayable.

The payload is extracted from the N value (the public key) passed to RSA_public_decrypt, checked against a simple fingerprint, and decrypted with a fixed ChaCha20 key before the Ed448 signature verification.

RSA_public_decrypt is a (weirdly named) signature verification function. https://www.openssl.org/docs/manmaster/man3/RSA_public_decrypt.html (Why "decrypt"? RSA sig verification is the same op as RSA encryption. 🤷‍♂️)

The RSA_public_decrypt public key can be attacker-controlled pre-auth by using OpenSSH certificates. OpenSSH certs are weird in that they include the signer's public key. OpenSSH checks the signature on parsing. https://github.com/openssh/openssh-...bab7aa670b1f8b6b2/PROTOCOL.certkeys#L207-L219

Here's a script by Keegan Ryan for sending a custom public key in a certificate, which on a backdoored system will reach the hooked function. https://gist.github.com/keeganryan/a6c22e1045e67c17e88a606dfdf95ae4

Apparently the backdoor reverts back to regular operation if the payload is malformed or the signature from the attacker's key doesn't verify. Unfortunately, this means that unless a bug is found, we can't write a reliable/reusable over-the-network scanner.
Personally, I'm starting to doubt that this is China. Backdoors that only work if you're "one of us" are a notorious NSA obsession and if it was the chinks, they'd have no reason to make their fall guy persona Chinese.
 
Huh, I ran xz --version and am apparently using the 5.2.4 release. I guess I misread the apt output, which told me the version of an available version "upgradable from" my current version. I hate this shit.

Eventually, some of us will follow in Chuck Moore's footsteps.
 
Huh, I ran xz --version and am apparently using the 5.2.4 release. I guess I misread the apt output, which told me the version of an available version "upgradable from" my current version. I hate this shit.

Eventually, some of us will follow in Chuck Moore's footsteps.
dpkg tells you what is.
apt tells you what could be.
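The dpkg-versus-apt point above in script form. This is an added example, not code from anyone in the thread: it reads the version that is actually installed (from dpkg on Debian-family systems, otherwise from xz itself) rather than the candidate version apt would upgrade to, and classifies it against the 5.4.x line the thread treats as the safe cutoff. The package name xz-utils and the function names are this example's assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): report the installed xz version and say
# whether it is past the 5.4 series.  "dpkg tells you what is, apt tells you
# what could be": apt's "upgradable from" line names the candidate, not the
# installed package.

# Print "ok" for anything up to the 5.4.x series, "newer" for anything past
# it, "unknown" for a string that is not a version.  Exit code mirrors that.
# Accepts Debian-style strings such as "1:5.4.1-0.2" as well as plain "5.2.4".
# Usage: classify_xz_version 5.2.4
classify_xz_version() {
    ver=$1
    ver=${ver#*:}        # drop an epoch  ("1:5.4.1-0.2" -> "5.4.1-0.2")
    ver=${ver%%-*}       # drop the Debian revision ("5.4.1-0.2" -> "5.4.1")
    case "$ver" in
        *.*) ;;
        *) echo "unknown"; return 2 ;;
    esac
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    case "$major$minor" in
        ''|*[!0-9]*) echo "unknown"; return 2 ;;
    esac
    if [ "$major" -gt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -gt 4 ]; }; then
        echo "newer"
        return 1
    fi
    echo "ok"
    return 0
}

# The installed version as the package manager records it (Debian family,
# package assumed to be named xz-utils), falling back to asking xz itself.
installed_xz_version() {
    if command -v dpkg-query >/dev/null 2>&1; then
        v=$(dpkg-query -W -f='${Version}' xz-utils 2>/dev/null) && [ -n "$v" ] && {
            echo "$v"
            return 0
        }
    fi
    if command -v xz >/dev/null 2>&1; then
        # First line of `xz --version` looks like: "xz (XZ Utils) 5.2.4";
        # the second line names the liblzma version, which is what sshd would load.
        xz --version 2>/dev/null | sed -n '1s/.* //p'
        return 0
    fi
    return 1
}

# Stand-alone use: report and classify whatever this host has installed.
if v=$(installed_xz_version); then
    printf 'installed xz: %s -> %s\n' "$v" "$(classify_xz_version "$v")"
fi
```

Run it on the host in question; an "ok" result only means the installed version is not past 5.4.x by the thread's own criterion, so check the second line of `xz --version` too, since the library version is the one that matters for sshd.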
 
So, there was a backdoor introduced to XZ, which through the magic of lazy loading hijacked ssh via systemd to allow for remote code execution without the need to login. This specifically targeted building on Debian and RedHat compatible distributions.

A Microsoft employee discovered the issue when ssh sessions were taking a lot of cpu and cycles.
Paul Revere rides into the thread just to find the whole last page was everyone talking about the Redcoat invasion.
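A check for the sshd-to-systemd-to-liblzma chain the post above describes, as an added example that is not code from the thread. It reports whether the sshd binary on a host resolves liblzma through ldd, and whether any running sshd process actually has liblzma mapped; upstream sshd does not use liblzma, so on a build without the systemd patch both views come back empty. The function names and the constructed maps lines in the comments are this example's assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): does sshd on this host pull in liblzma?
# On Debian/Red Hat style builds sshd links libsystemd, which depends on
# liblzma; that is the path through which a tampered liblzma ends up inside
# the ssh daemon.  Two views: static (ldd on the binary) and live (/proc maps).

# Print the unique liblzma paths mapped into a process, given a /proc/<pid>/maps
# file.  Takes a path so it also works on a copy saved during incident response.
liblzma_from_maps_file() {
    awk 'NF >= 6 && $6 ~ /liblzma/ { print $6 }' "$1" | sort -u
}

# Print the liblzma entries ldd resolves for a binary (name and path), or nothing.
liblzma_from_ldd() {
    ldd "$1" 2>/dev/null | awk '/liblzma/ { print $1, $3 }'
}

# Report for the sshd on this host.  Always returns 0; the printed lines are the result.
check_sshd_liblzma() {
    bin=$(command -v sshd 2>/dev/null || ls /usr/sbin/sshd 2>/dev/null) || {
        echo "sshd not found on this host"
        return 0
    }
    static=$(liblzma_from_ldd "$bin")
    if [ -n "$static" ]; then
        echo "ldd: $bin -> $static"
    else
        echo "ldd: $bin does not link liblzma"
    fi
    for pid in $(pgrep -x sshd 2>/dev/null); do
        [ -r "/proc/$pid/maps" ] || continue
        live=$(liblzma_from_maps_file "/proc/$pid/maps")
        [ -n "$live" ] && echo "pid $pid has loaded: $live"
    done
    return 0
}

# Stand-alone use.
check_sshd_liblzma
```

The live view matters more than the static one: lazy loading means a library that ldd lists may only be mapped once something in the daemon touches it, and a library that is mapped is the one whose version you need to trust.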
 