Notices by Damien Miller (djm@cybervillains.com)

Few of the mooted software-supply chain defences would have prevented this, as the attacker was a (relatively) long-term maintainer, was not averse to using sockpuppet accounts and was careful to hide their exploit from automated tools.

Worse, many of the solutions being offered increase the workload on maintainers. But maintainer burnout was a key factor in this incident. We need to find a way to support maintainers while being proscriptive or parentalistic.

3/n

One factor in this incident was deep, unexpected dependency chains. I wish distributions would start taking a more minimalist approach to the options they enable in the default packages they ship.

What fraction of the sshd userbase actually needs Kerberos or SELinux (which also depends on liblzma) enabled? Put that stuff in an alternate package and reduce the exposure for the rest of your users. Fewer dependencies means less attack surface and less supply-chain risk

2/n

Here's my 2c on the xz incident.

This is the nearest of near-misses. Anyone who suggests this was any kind of success is a fool. No system caught this, it was luck and individual heroics. That's not acceptable when unauthorised access to ~every server on the internet is on the table. We need to find a way to do better.

1/n

@dalias we've received a few that haven't been terrible

@robpike the year is 34157 (reformed epoch calendar). The final living human reaches out, with their last remaining energy, to add another debugging printf

The "robustness principle" is the most destructive concept in protocol design and implementation of all time. We should be embracing its inverse: strict, explicit state-machines with model-checked proofs

@annika First, this is amazing.

At the risk of being the one guy who doesn't understand the joke: why is the third Buffalo capitalised and not the fourth?

If the Buffalo buffalo are buffaloing the Buffalo buffalo, then shouldn't the sentence be "Buffalo buffalo buffalo Buffalo buffalo"?

We quietly released the code a little while ago but this is the official announcement of Capslock, our contribution to the supply-chain security conversation.

https://security.googleblog.com/2023/09/capslock-what-is-your-code-really.html

Capslock is a tool for understanding at high level what a given piece of (Golang) code is capable of and for detecting when an update to a library changes this capability set, to give users a chance to catch supply-chain attacks in progress.

1/2

I'm happy to announce that #OpenSSH 9.4 has been released.

This release fixes a few bugs and adds a few small features. Full release notes at https://www.openssh.com/releasenotes.html#9.4p1

@bascule here I am perpetually terrified that I'm going to make some subtle crypto fuckup and along comes these clowns

We've just made an OpenSSH release to fix a remotely exploitable RCE vulnerability in ssh-agent's PKCS#11 support (CVE-2023-38408). Details at https://openssh.com/releasenotes.html#9.3p2

Thanks to the Qualys Security Advisory Team for finding and reporting this bug.

did hell freeze over too? https://sourceware.org/git/?p=glibc.git;a=commit;h=454a20c8756c9c1d55419153255fc7692b3d2199

Trying to run a short-arc xenon globe from a TIG welder. It didn't work.

Apart from the wiring mistake (negative/TIG electrode should go to the pointy electrode in the globe), the HF start on my unit wasn't enough to strike the arc.

I wasn't optimistic going in - the HF start spark on my welder is only about as long as the electrode spacing, but AFAIK these lamps run at several ATM pressure so more voltage is needed to get started.

Looks like I'll have to make my own power supply...