1 posted on
02/26/2026 6:38:44 AM PST by
ShadowAce
To: rdb3; JosephW; martin_fierro; Still Thinking; zeugma; ironman; Egon; raybbr; AFreeBird; ...
2 posted on
02/26/2026 6:38:57 AM PST by
ShadowAce
(Linux - The Ultimate Windows Service Pack)
To: ShadowAce
3 posted on
02/26/2026 6:42:28 AM PST by
Magnum44
(...against all enemies, foreign and domestic... )
To: sauropod
4 posted on
02/26/2026 6:49:22 AM PST by
sauropod
To: ShadowAce
To: ShadowAce
Would have been a beautiful thing.
Imagine, no freaks to know about nor talk to each other. The freak harmonic....evaporated.
To: ShadowAce
Bring it on. I would welcome the demise of the internet.
It’s gonna happen eventually. I’d rather see it sooner rather than later.
To: ShadowAce
“The Internet Was Weeks Away From Disaster and No One Knew”. I wonder if algore knew...he invented it.
12 posted on
02/26/2026 7:34:03 AM PST by
kawhill
(Dywedwch Wrthym + Add translation Welsh-English dictionary 'Tell Us')
To: ShadowAce
53 minute video.....
Know anything about the content creator -- "includes paid promotion" and such?
One comment said amusingly: "Only Veritasium can rickroll 1,2 million people within 7 hours after uploading a video."
Veritasium Description> An element of truth - videos about science, education, and anything else we find interesting.
And selling their "Elements of Truth - The Game" [ a tabletop trivia game ] via Kickstarter. 13,262 backers pledged $1,397,368 to help bring this project to life. Only $43, for a game of 200 questions....
And selling their "magnetic molecular modeling kit" -- starting at only $87.98. Experience science with Snatoms by Veritasium
The channel is all about money. Looking through the many video titles, one may conclude we've been wrong about everything. And Veritasium -- not an element on the periodic table, but a guy in Los Angeles making videos and asking for money via Patreon -- will set us straight. Like the recent title -- if you are a paid member -- "How One Rock (Almost) Poisoned The Entire Planet - our latest video, ad-free!" Almost. The entire planet.
About that money thing, here is a link to an estimate of his AdSense haul from Created On July 21, 2010
Circa $700 a day, as an estimate. Promote YouTube channels! Yeah, that's the ticket. Buy the board game. Snap up those Snatoms. Money makes the world go 'round.
And, " and No One Knew."
To: FrogMom; dayglored; Conan the Librarian; McGruff; TornadoAlley3; Eagles6; Cedar; dforest; ...
Ping Me When the Internet Goes Down ping

If anyone wants on or off the Ping Me When the Internet Goes Down pinglist, kindly FReepmail me. Thanks!
16 posted on
02/26/2026 7:57:09 AM PST by
BenLurkin
(The above is not a statement of fact. It is opinion or satire. Or both.)
To: ShadowAce
18 posted on
02/26/2026 8:00:38 AM PST by
Fresh Wind
(I voted for Trump the Fighter, not a wussified wimp!)
To: ShadowAce
Oh- I knew. I didn’t know I knew, but I knew alright. I know a lot of things I know nothing about! LOL
20 posted on
02/26/2026 8:45:50 AM PST by
Bob434
(NYWAYS)
To: ShadowAce
Thankfully we had the likes of Al Gore to insure its proficiency.
To: ShadowAce
23 posted on
02/26/2026 8:48:18 AM PST by
Libloather
(Why do climate change hoax deniers live in mansions on the beach?)
To: ShadowAce
Video Transcript Summary
The transcript is a detailed narrative (likely from a Veritasium video) recounting the XZ Utils backdoor incident (CVE-2024-3094), one of the most sophisticated supply-chain attacks in open-source history.
Origins and Context
The story traces back to Richard Stallman's frustrations in the 1980s with proprietary software (e.g., Xerox printer source code refusal and NDAs), leading him to champion free software. This ethos birthed projects like Linux, created by Linus Torvalds as an open alternative to Unix. Linux now dominates servers, supercomputers, Android (billions of devices), embedded systems, defense, banking, and more. Its security relies on "Linus's Law" (many eyes make bugs shallow) and the open review of code.
However, the ecosystem depends on thousands of small, often volunteer-maintained libraries. Critical components can rest on one person's unpaid work, creating single points of failure.
The Attack: XZ Utils Backdoor
- Target: XZ Utils (liblzma), a high-performance lossless compression library used in nearly all major Linux distributions for packaging and updates.
- Maintainer burnout: Original maintainer Lasse Collin (Finland) maintained it unpaid since ~2005, facing mental health struggles and community pressure for faster updates.
- Infiltration (2021–2024): A persona "Jia Tan" (JiaT75 on GitHub, likely pseudonymous) appeared in 2021, contributing helpfully for ~2 years. Sockpuppet accounts pressured Lasse to step back. In 2023–2024, Jia Tan was handed maintainership.
- The backdoor (introduced in versions 5.6.0 and 5.6.1, Feb–Mar 2024):
  - Hidden via obfuscated "test" binary blobs (never human-reviewed) and clever build-process tricks (M4 macros, ifunc resolvers, dynamic audit hooks).
  - Targeted OpenSSH's RSA authentication via liblzma (a dependency chain).
  - Used a "Goldilocks" timing window to overwrite the Global Offset Table (GOT) entry for RSA decryption.
  - Allowed anyone with a specific Ed448 private key to bypass authentication and execute arbitrary code (RCE) remotely via SSH—essentially a master key to affected servers.
  - Extremely stealthy: custom encryption, anti-detection (garbled strings), logging suppression, safety checks to avoid crashes.
- Goal: Compromise SSH (the internet's remote access backbone) on millions of Linux servers (Fedora pre-releases, Debian/Ubuntu testing, potentially RHEL 10).
Impact could have enabled spying, ransomware, data theft, or nation-state-level disruption (e.g., taking down infrastructure).
Discovery and Near-Miss
In March 2024, Microsoft engineer Andres Freund noticed ~400–500 ms SSH login slowdowns (plus Valgrind memory errors) while testing Postgres on Debian unstable. He traced it to XZ updates, dug deeper, and uncovered the backdoor. He reported it privately then publicly on oss-security mailing list (March 29, 2024).
Distributions quickly reverted/removed the versions. It never reached stable production releases widely—averting catastrophe.
Aftermath and Lessons
- Who was behind it? Highly patient (~2.5–3 years), resource-intensive operation points to nation-state (possible APT29/Cozy Bear/Russia per some experts, though clues like UTC+8 timestamps are inconsistent and likely misdirection). Attacker vanished post-discovery.
- Why muted mainstream coverage? Limited real-world exploitation (caught early), but experts called it potentially catastrophic.
- Broader implications:
  - Highlights risks of volunteer-maintained critical projects (burnout, underfunding).
  - Open source's transparency helped detection (contrast with closed-source, where backdoors could hide via court orders or internal secrecy).
  - Underscores supply-chain fragility: one compromised dependency can cascade.
  - Community response: audits of similar projects, calls for better maintainer support/funding.
The narrative contrasts this near-miss with a demo (hacking a cloned Veritasium site via the backdoor) to show real-world danger, while praising Andres Freund as a hero and critiquing lack of support for volunteers like Lasse Collin. It's a cautionary tale about open source's strengths and vulnerabilities in an era of advanced threats.
24 posted on
02/26/2026 9:52:34 AM PST by
E. Pluribus Unum
(Democracy dies with Democrats.)
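Added example, not part of the post above or of any project's own tooling: a small inventory check that flags the two xz/liblzma releases the summary names as backdoored (5.6.0 and 5.6.1). The host names and package strings are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): flag xz/liblzma package versions that
# correspond to the releases the summary names as backdoored: 5.6.0 and 5.6.1.

# Reduce a distro package string or an `xz --version` line to the upstream
# version. Debian-style "X+reallyY" packages ship upstream Y, so a revert
# package such as 5.6.1+really5.4.5-1 must be read as 5.4.5.
xz_upstream_version() {
    v=$1
    case $v in
        *+really*) v=${v##*+really} ;;
    esac
    printf '%s\n' "$v" | grep -oE '[0-9]+\.[0-9]+\.[0-9]+' | head -n 1
}

# Classify one version string.
xz_status() {
    up=$(xz_upstream_version "$1")
    case $up in
        5.6.0|5.6.1) echo AFFECTED ;;
        '')          echo UNKNOWN ;;
        *)           echo NOT_LISTED ;;
    esac
}

# Print the hosts from a "<host> <version>" inventory that need attention.
affected_hosts() {
    printf '%s\n' "$1" | while read -r host ver; do
        if [ "$(xz_status "$ver")" = AFFECTED ]; then
            echo "$host"
        fi
    done
}

# Constructed sample inventory (hypothetical host names and package strings).
SAMPLE_INVENTORY='build01 5.4.5-0.3
edge-test 5.6.1-1
rawhide-vm 5.6.0-1.fc40
deb-unstable 5.6.1+really5.4.5-1
legacy (none)'

affected_hosts "$SAMPLE_INVENTORY"
```

On a live host, pass the first line of `xz --version` or the package manager's version field to `xz_status`; an UNKNOWN result means the string could not be parsed and should be checked by hand.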
To: ShadowAce
The world was saved by a rando at Microsoft.
28 posted on
02/26/2026 12:37:12 PM PST by
Excellence
(ANGRY, DAMNED-OLD, GUN-TOTIN' WOMAN FOR TRUMP)