Notices by Irenes (many) (irenes@mastodon.social), page 2

  1. Irenes (many) (irenes@mastodon.social)'s status on Monday, 01-Apr-2024 07:18:24 JST

    as we wrote at length in our thread yesterday, a lasting fix would address the SOCIAL weakness by aiming to disseminate emotional awareness skills and vocabulary, heal the fracture lines in society, and not leave individuals isolated

  2. Irenes (many) (irenes@mastodon.social)'s status on Monday, 01-Apr-2024 07:18:20 JST

    you know, it occurs to us also that the social dynamic where somebody with abusive intent shows up and suddenly starts acting like a project owner's new best friend, is in no way unique to software

    we doubt we could find it again, but we once read about a confidence scam perpetrated on a restaurant owner which worked the same way

  3. Irenes (many) (irenes@mastodon.social)'s status on Saturday, 30-Mar-2024 07:42:04 JST

    RedHat is reporting that the official upstream of xz, a common library on Unix systems that you've probably used via the tar command, contains malware. The full report is at https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users and it's CVE-2024-3094.

    Attachment (link preview): Urgent security alert for Fedora 41 and Fedora Rawhide users
      Red Hat Information Risk and Security and Red Hat Product Security learned that the latest versions of the “xz” tools and libraries contain malicious code that appears to be intended to allow unauthorized access.
  4. Irenes (many) (irenes@mastodon.social)'s status on Saturday, 30-Mar-2024 07:42:03 JST

    It's absolutely true in principle that if you think someone is malicious, you shouldn't use anything they give you, source or binary. However, important things happen on the margins of how you find out there's malice. Information security is one of those mirage games where attacker and defender are each trying to guess how much effort it's worth to the other party and then be gratuitous and extra about their own stuff so the other's efforts will be wasted.

  5. Irenes (many) (irenes@mastodon.social)'s status on Saturday, 30-Mar-2024 07:42:03 JST

    We need to keep this one in mind, because for quite some time we've been advocating to not download binaries from software authors because there's no way to validate them. People usually seem to react as if that's a purely theoretical concern (surely, we're told, if the author is malicious or their credentials get stolen, the git repo would be corrupt too?), and we're left having to argue that it would be a sensible way for them to be stealthy about the attack...

  6. Irenes (many) (irenes@mastodon.social)'s status on Saturday, 30-Mar-2024 07:42:03 JST

    We haven't yet dug into this ourselves, but if we're understanding the report correctly, the bug is present in the tarball of the source code, and possibly in the binary, but only part of it is in the git repository itself.

  7. Irenes (many) (irenes@mastodon.social)'s status on Saturday, 30-Mar-2024 07:42:02 JST

    Also, not all attackers who have control of a github account or the artifacts published on it are the original author of the software. If the threat actor is hoping to hide their own identity, that may limit their willingness to do things that produce audit logs...

  8. Irenes (many) (irenes@mastodon.social)'s status on Saturday, 30-Mar-2024 07:42:01 JST

    Though, that said, apparently a portion of the attack vector here was in fact checked into the repo. Like it had (we've read, but not yet looked for ourselves) two components, a tarball that was part of the project's test suite, and an m4 macro that causes data from the tarball to be included in the build. The tarball was checked into git, the macro was not.

  9. Irenes (many) (irenes@mastodon.social)'s status on Saturday, 30-Mar-2024 07:42:00 JST

    We still think our point about things happening on the margins, of how things get discovered, holds up here. Like, RedHat had to advise people:

    > PLEASE IMMEDIATELY STOP USAGE OF ANY FEDORA RAWHIDE INSTANCES for work or personal activity.

    (they go on to say they're fixing it ASAP and it'll be safe soon, and that Rawhide is their unstable version)

    Meanwhile, distros that didn't use the tarball are unaffected.

  10. Irenes (many) (irenes@mastodon.social)'s status on Saturday, 30-Mar-2024 07:41:59 JST

    Privacy and security are topics that exist in this really weird state where experts can be certain that some element of their mental model is real and needs serious attention, based on nothing more than their own knowledge that a certain class of attack WOULD make a ton of sense and work really well, IF anyone else has thought of it.

  11. Irenes (many) (irenes@mastodon.social)'s status on Saturday, 30-Mar-2024 07:41:59 JST

    We stand by our original argument, that it was a reasonable precaution because it COULD help in principle. Because that's how threat modeling works, there's always a ton of guesswork, but you just have to keep trying anyway.

    We would still be arguing that even if we didn't now have an example where it DID help.

  12. Irenes (many) (irenes@mastodon.social)'s status on Saturday, 30-Mar-2024 07:41:58 JST

    We don't blame anyone for not finding our point about binaries to be persuasive here. (And now we have to amend that to say tarballs, apparently...)

    We don't blame you, even now with this concrete example to look at. That's just how it goes. Like we said: Everything in this field is mirages and phantasms. The hard part is staying grounded - don't jump at shadows, don't ignore real threats. Follow your own sense of reality, but still calibrate by talking to your peers.

  13. Irenes (many) (irenes@mastodon.social)'s status on Saturday, 30-Mar-2024 07:41:58 JST

    You'll have these arguments - we've had too many to count - trying to convince stakeholders to prepare the precautions you think are warranted. Stakeholders will say no, that's purely theoretical, it costs too much. You win some of those arguments, you lose most of them.

    Five years after you have the conversation, it turns out an attacker did think of it about a year after your boss decided not to implement the precaution, and it's been stealing your data for four years.

  14. Irenes (many) (irenes@mastodon.social)'s status on Saturday, 30-Mar-2024 07:41:57 JST

    Just to make this more explicit because it came up a few times in replies and really it should be on the main thread: In our past discussion of this, we've talked about BINARIES. Today's discovery pertains to both binaries and tarballs, and even a component that was checked into the repo. In those respects, our prediction was slightly off, there were details we missed and those details are important.

  15. Irenes (many) (irenes@mastodon.social)'s status on Saturday, 30-Mar-2024 07:41:57 JST

    Even so, we're happy to have this concrete example to point to, in the future, because it will help us convince people to be careful in SOME of those discussions. That has real impact. We will never know the full scope of harm this kind of work prevents, but people have real stuff on the line, often more than they themselves realize.

    It's not about us being right or wrong - we try hard to detach from our ego and not indulge our feelings about being "right". It's about keeping people safe.

  16. Irenes (many) (irenes@mastodon.social)'s status on Saturday, 30-Mar-2024 07:41:56 JST

    It's important that we not pretend to actually know the future, that we always acknowledge that what we're doing is guesswork.

  17. Irenes (many) (irenes@mastodon.social)'s status on Saturday, 30-Mar-2024 07:41:55 JST

    We reiterate though that RedHat's users - at least on the experimental channel - have real impact, people's shit got compromised today. Security teams will be doing fire drills (the tongue-in-cheek term for getting everyone together to mitigate something urgent) to figure out what they've lost and if they have business impact. Users whose distros build from git aren't having to do that today, which is very nice for them.

  18. Irenes (many) (irenes@mastodon.social)'s status on Saturday, 30-Mar-2024 07:41:55 JST

    We still think our fundamental point stands. Again, there are distros that build out of the git repo and those distros are unaffected today. RedHat's decision to use the tarball was defensible, for the same reason that we don't blame anyone who's unconvinced by this thread, as we went into above.

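The thread's recurring point (post 8: the build-injecting m4 macro existed only in the tarball; post 18: distros building from the git repo were unaffected) suggests one concrete defender check: diff a release tarball against what git tracks at the release tag and flag anything the repository does not contain. The following Python is an added example, not code from the thread or from the xz project; the file names, the release name and the placeholder m4 file are constructed, and the hard-coded tracked-file list stands in for what `git ls-files` at the tag would return.

```python
# Added example, not from the thread or the xz project: flag files in a release
# tarball that git does not track at the release tag (the gap that spared distros
# building from git, since the backdoor's build-injecting m4 macro was tarball-only).
import io
import tarfile
import tempfile
from pathlib import Path

def tarball_members(path):
    """Regular files in a tarball, with the top-level directory stripped off."""
    members = set()
    with tarfile.open(path) as tar:
        for m in tar.getmembers():
            if m.isfile():
                parts = Path(m.name).parts
                members.add("/".join(parts[1:]) if len(parts) > 1 else m.name)
    return members

def unexpected_files(tarball_path, tracked, allowed_generated=()):
    """Tarball files git does not track. Autotools releases legitimately add
    generated files such as 'configure', so an allow-list handles those;
    anything left over needs a human look before the tarball is built."""
    extra = tarball_members(tarball_path) - set(tracked)
    return sorted(p for p in extra if p not in set(allowed_generated))

def build_sample_tarball(dest_dir):
    """Constructed sample release: tracked files, a generated 'configure', and
    an m4 file never committed to git (placeholder name, not the real xz file)."""
    path = Path(dest_dir) / "example-1.0.tar.gz"
    files = {
        "example-1.0/configure.ac": b"AC_INIT([example], [1.0])\n",
        "example-1.0/src/main.c": b"int main(void) { return 0; }\n",
        "example-1.0/tests/files/good.bin": b"\x00\x01",
        "example-1.0/configure": b"#!/bin/sh\n",
        "example-1.0/m4/extra-unreviewed.m4": b"dnl build logic absent from git\n",
    }
    with tarfile.open(path, "w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return path

# In real use this list comes from `git ls-files` with the release tag checked out.
TRACKED = ["configure.ac", "src/main.c", "tests/files/good.bin"]

def demo():  # returns ['m4/extra-unreviewed.m4']
    with tempfile.TemporaryDirectory() as d:
        return unexpected_files(build_sample_tarball(d), TRACKED, ["configure"])
```

This only catches content the tarball adds on top of git; the malicious test-suite tarball in the xz case was committed to the repository, so tracked files still need their own review.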
  19. Irenes (many) (irenes@mastodon.social)'s status on Saturday, 30-Mar-2024 07:41:54 JST

    In a field where half the job is trying to perceive the actual terrain you're standing on through all the illusions, the difference between a theoretical concern and a practical concern is less than you think - so it makes sense to err on the safe side. That's all we're trying to say. <3

  20. Irenes (many) (irenes@mastodon.social)'s status on Saturday, 30-Mar-2024 05:03:39 JST, in reply to Daniel Feldman

    @dfeldman nice tabletop exercise

    additionally: going forward, now that everyone knows this one worked (briefly), how common should we expect attacks of this nature to be? what portion of them should we expect to detect, and at what stage in their lifecycles?
