Matt's Homepage

AMD has just unveiled Frame Latency Meter (FLM) – which allows you to determine keyboard to display latency. Normally, this was done with a high-speed camera, a mouse, and an FPS game with a visible muzzle flash. The camera would capture the moment the mouse was clicked, and you would count the frames until the muzzle flash or other on-screen reaction appeared.

This utility does not require any special equipment and works with any AMD, Nvidia, or Intel GPU that supports DirectX 11 or newer. For capturing data, AMD GPUs use the Advanced Media Framework or AMF codec, while other GPUs use the DirectX Graphics Infrastructure or DXGI codec. FLM can generate detailed latency and effective frame-rate statistics, which can be exported to CSV files for further data analysis.

The way it works is clever: FLM measures latency by continuously capturing frames and comparing each one to the previous frame within a selected region. It then generates a mouse movement event using standard Windows functionality and waits for the frame contents to change. The time between the mouse movement and the detected frame change is recorded as the latency.

FLM is available as a free download for Windows 10 and 11 users via GPU Open or the official GitHub repository

Links:

• https://www.digitaltrends.com/computing/amd-frame-latency-meter/
• https://gpuopen.com/flm/
• https://github.com/GPUOpen-Tools/frame_latency_meter

A Microsoft engineer became suspicious of performance problems while optimizing his code. After digging in, he discovered that a simple data compression library called XZ Utils was creating a secret backdoor. What made this discovery noteworthy is that the innocuous looking compression library is used in tons of open-source projects and Linux distributions.

The analysis of how the code got into XZ utils uncovered a fiendishly sophisticated operation. The XZ utility was understaffed with only one primary maintainer. He was increasingly catching flack for falling behind – an increasing problem with open source projects. An eager developer named Jia Tan had been a contributor to the XZ project since at least late 2021 and built trust with the community of developers working on it. Eventually Tan ascended to being co-maintainer of the project which allowed him to add code without needing the contributions to be approved.

Tan did this by what now appears to be a coordinated set of accounts and discussions that were aimed at installing him as a co-owner. Various accounts appeared and started complaining about the speed of updates, features, and questions. They coordinated questions and complaints as well as contributions by Tan appear to create pressure for the owner to elevate Tan as a co-owner. Whether this was done by one person or several, this mechanism is known as ‘persona management’ – something that’s been proposed as far back as 2010.

“I think the multiple green accounts seeming to coordinate on specific goals at key times fits the pattern of using networks of sock accounts for social engineering that we’ve seen all over social media,” said Molly, the EFF system administrator. “It’s very possible that the rogue dev, hacking group, or state sponsor employed this tactic as part of their plan to introduce the back door. Of course, it’s also possible these are just coincidences.”

The code introduced was sophisticated enough that analysis of its precise functionality and capability is still ongoing.

The National Counterintelligence and Security Center has defined this kind of attack as a ‘supply chain attack’; and open-source projects are particularly susceptible to it.

It’s definitely worth reading the article because these kinds of sophisticated social attacks are obviously now reality.

Articles:

• https://theintercept.com/2024/04/03/linux-hack-xz-utils-backdoor/
• Ars Technica and Wired
• https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27