Hackers are targeting open-source

A Microsoft engineer became suspicious of performance problems while optimizing his code. After digging in, he discovered that a simple data compression library called XZ Utils contained a secret backdoor. What made this discovery noteworthy is that the innocuous-looking compression library is used in tons of open-source projects and Linux distributions.

The analysis of how the code got into XZ Utils uncovered a fiendishly sophisticated operation. The XZ project was understaffed, with only one primary maintainer. He was increasingly catching flak for falling behind – a growing problem with open-source projects. An eager developer named Jia Tan had been a contributor to the XZ project since at least late 2021 and built trust with the community of developers working on it. Eventually Tan ascended to co-maintainer of the project, which allowed him to add code without needing his contributions to be approved.

Tan got there through what now appears to be a coordinated set of accounts and discussions aimed at installing him as a co-owner. Various accounts appeared and started complaining about the speed of updates, missing features, and unanswered questions. The coordinated questions and complaints, together with Tan’s steady contributions, appear to have created pressure on the owner to elevate Tan to co-owner. Whether this was done by one person or several, the mechanism is known as ‘persona management’ – something that’s been proposed as far back as 2010.

“I think the multiple green accounts seeming to coordinate on specific goals at key times fits the pattern of using networks of sock accounts for social engineering that we’ve seen all over social media,” said Molly, the EFF system administrator. “It’s very possible that the rogue dev, hacking group, or state sponsor employed this tactic as part of their plan to introduce the back door. Of course, it’s also possible these are just coincidences.”

The code introduced was sophisticated enough that analysis of its precise functionality and capability is still ongoing.

The National Counterintelligence and Security Center has defined this kind of attack as a ‘supply chain attack’, and open-source projects are particularly susceptible to it.

It’s definitely worth reading the article because these kinds of sophisticated social attacks are obviously now reality.

Did it get creepy? It got creepy

Realbotix got a decent amount of press in the ‘in other things we saw at CES 2025’ category. They’re a company which aims to make robots that are more humanoid in both appearance and conversation – though it appears they aren’t making robots that look like just anyone. Maybe to attract a certain demographic (or demographics) that might shell out the $125k for one?

It was kind of fun to watch the press tastefully stumble around how to describe them.

Leaving it all to live in a ghost town

Mark Manson (the author of ‘The Subtle Art of Not Giving a F*ck’) traveled to the California desert to visit Brent Underwood at Cerro Gordo. Brent bought a deserted mining town in 2019, originally just for kicks and the occasional visit. He wound up escaping there when the pandemic struck. Now he lives there full time – mostly by himself.

So, how has living alone for years gone? What follows in the video is a little bit of a philosophical exploration of leaving it all behind and discovering the ancient Greeks were probably right – and modern society is wrong about what freedom really is.

Interesting quotes:

Loneliness is intoxicating.

I’m sad to report that my dopamine fueled monkey brain did not find peace and solace among the rocks or dirt. I mostly just found boredom.

It’s escapism. That’s the big appeal of the idea of lone man in the wilderness. All my problems are left behind wherever I leave them and I’ll go to the woods. But the same anxieties, the same stress, the same issues still exist. Running to a mountaintop is not going to solve any of your problems.

What he is referring to (leaving Austin behind and committing to his ghost town) is the freedom of commitment. Freedom is not the ability to do what you want – it’s the freedom to not be distracted by the things you don’t want.

OpenAI connected to a rifle

OpenAI has cut off a developer who built a device that could respond to ChatGPT queries to aim and fire an automated rifle. The device went viral after a video on Reddit showed its developer reading firing commands aloud, after which a rifle beside him quickly began aiming and firing at nearby walls.

This kind of robotic automation has been possible for some time – and its components are easily available to hobbyists around the world. The only novel thing is using voice control, which isn’t even that novel by ChatGPT standards. The reality is – as we are seeing in Ukraine – that drones are being used for active warfare, and it’s only a small stretch further to imagine soldiers building something like this to defend their positions.

This obviously brings up a lot of ethical and philosophical questions. Are these weapons – or defenses like barbed wire and electric fences? Are they illegal? What makes them illegal? What makes them a war crime? These sorts of devices even have their own classification: lethal autonomous weapons – and many of them are not actually illegal in war.

In civil law, there is the famous Katko v. Briney case of a booby trapped shotgun. It isn’t the automated, unattended, or indiscriminate nature of such a device that makes it illegal. It’s the fact that deadly force can only be used to defend a human life imminently in peril. A robot, or even a homeowner, cannot use deadly force to defend property – even if the person is on the property illegally or performing other illegal acts (theft). But what if the autonomous system could determine when someone was about to kill? What if it’s a mob with weapons approaching you?

We’re entering a brave new world – one in which our ethics and laws are going to have a lot of catching up to do.

I like Movies

“I can’t believe my job is to make you feel good about yourself”

-Lawrence’s boss Alana

I Like Movies is a film about a naive, overly optimistic kid named Lawrence who is absorbed in the world of movies and his own ‘creative’ viewpoints. Unfortunately, he’s socially abrasive, clueless as to how the world and life work, and goes on about creative visions when he hasn’t even held a simple job or made anything anyone wants to see. He shares too much, to the point of embarrassing himself and his friends.

I think the movie hits a couple of important themes that are relevant today. First, that when we’re young we often embarrassingly think our thoughts and ideas are unique and amazing – only later to realize how cringe we really were.

Secondly, I think the quote from the boss nails what being a manager is like today – especially for those that grew up in the isolation of COVID. Maybe that’s one of the reasons they’re struggling at a much higher rate than other generations – even when rated by their own peers. So the question is, how does one help those that are struggling like Lawrence along?

Epic Photography often is boring looking

I used a lot of interesting tricks when I was doing landscape photography. You could use a dirty mud puddle to make amazing shots that looked like you were on the beach or overlooking a lake. It works for shooting people too. Epic shots are often all about lighting and catching a split-second shot. A good reminder in the Instagram era where everyone is posting ‘perfect’ pictures.

Doughnut shop in Indiana is still using Commodore 64s as their cash registers

The Hilligoss Bakery in Brownsburg, IN is a respectable local donut shop. What sets it apart, however, is the fact they are still using Commodore 64s for their cash registers.

A recent series of photos on X attracted a lot of attention this week, as it showed staff at the Hilligoss Bakery apparently processing orders on a Commodore 64-based register system. Commenters pointed out that the last publicly posted picture of the register was taken in 2021, so Tom’s Hardware decided to give them a call—and staff duly verified that the systems were still in use.
