Episode Transcript
0:00
I think there's a silver lining to this
0:02
whole XZ vulnerability. It shows us
0:04
that there's a universal constant. All
0:06
software does indeed suck. That remains
0:08
in effect. And sometimes we even
0:10
benefit from it. Okay, but how does that help
0:12
us? That seems not correct. Well,
0:15
I mean, think about it. Think about it. If
0:17
this backdoor hadn't been buggy and crappy, it never
0:20
would have been found. Hello,
0:34
friends, and welcome back to your weekly Linux
0:37
talk show. My name is Chris. My name
0:39
is Wes. And my name is Brent. Hello,
0:42
gentlemen. Well, yes, coming up on the show
0:44
today, we are diving deep into the XZ
0:46
backdoor, how it worked at a
0:48
technical level, how it was found, and
0:50
how the attackers abused the open source trust model.
0:52
And then a little detail we
0:54
discovered this morning that suggests the attackers had
0:56
a limited window of opportunity. We'll
0:59
get into the details around that. Then we'll round
1:01
it out with some great boosts, some picks, and
1:03
a lot more. So let me say time-appropriate
1:06
greetings to our virtual LUG.
1:08
Hello, Mumble Room. Hello,
1:10
Chris. Hey, Wes. Howdy, Brent. Hello. Hello.
1:12
Thank you for joining us in there.
1:15
Mumble is always going along with us. They get
1:17
a low latency stream. We got the details on
1:20
our website at jupiterbroadcasting.com. Also,
1:22
check out tailscale.com/linuxunplugged. That's where you
1:24
go to get 100 devices. Try
1:27
Tailscale for up to 100 devices. Not
1:29
a limited time trial. You can do
1:32
100 devices for free when you
1:34
go to tailscale.com/linuxunplugged. Tailscale
1:36
is the easiest way to connect your
1:38
devices, services, applications directly to each other
1:41
wherever they are, whatever they are on, secure
1:43
remote access to your production systems, to your
1:45
mobile devices, your VPS, your VMwares. I don't
1:47
know what it is. Yeah, maybe for some
1:50
reason you're feeling like you don't want to
1:52
have a public SSH server running. I don't
1:54
know why. Yeah, for some reason you just
1:56
don't want your box exposed to the Internet.
1:58
Have a nice private flat mesh network
2:01
with zero config. Works great
2:03
in the enterprise too. tailscale.com
2:05
slash linuxunplugged. We
2:08
are gonna get into this. I wanted to ask a
2:11
question before we get started because we
2:13
may be double recording next weekend and so we
2:15
wanted to get this out there early. We're
2:17
asking what are the first five things
2:20
you set up after you install a
2:22
Linux desktop? So please
2:24
boost in your top five apps or things that you set
2:26
up on a new install. We'll be recording next week so
2:28
we'd like them to come in as quick as possible. But
2:31
it's something we've been kicking around internally and we
2:33
thought, all right, let's make an episode about this
2:35
potentially. If we get some good ones, I think
2:37
we'll make an episode. As usual, I'm sure the
2:39
audience has way neater things than we do. Probably,
2:41
probably more interesting. On Friday,
2:44
March 29th, 2024, we discovered
2:46
that the XZ project had been backdoored,
2:49
that the actual upstream project itself had
2:51
been compromised. Yeah, it's a
2:53
little complicated. We'll have links to more
2:55
details but there's several stages. There's
2:58
a malicious build-to-host.m4 file
3:01
that was only contained in the specific release
3:03
tarballs that you would download. It wasn't in
3:05
the repo itself so you couldn't really easily
3:07
see that. You'd have to go looking for
3:09
it in this prepackaged release tarball. Which
3:12
actually makes it kind of tricky for just a
3:14
researcher to drive by and discover. Yeah, it's
3:16
not just there in the GUI repo viewer.
3:18
You had to go take a look and
3:21
see and then be familiar enough with what
3:24
to expect in that file. Plus, there's
3:27
often differences in the release files for C
3:29
projects so that the people building it don't
3:31
have to do all the automake and configure
3:33
stuff. So that might not even
3:35
be necessarily super suspicious on its own. But
3:38
okay, so you get this modified build-to-host.m4
3:40
file only
3:43
in specific tarballs. That gets
3:45
executed and then malicious code gets
3:47
injected into the configure script which
3:50
then manipulates linker and
3:52
compiler flags within the Makefile.
3:55
And then the Makefile finally runs as part
3:57
of the build process and that causes a symbol
3:59
called RSA_public_decrypt
4:01
to point
4:04
to malicious code. Then
4:06
later on in the process, SSH
4:09
ends up pulling in XZ through
4:11
a process we'll get into and
4:14
then has an overridden symbol. So it
4:16
tries to call its normal RSA public
4:18
decrypt function. And instead, it
4:21
gets this modified malicious one coming
4:23
from liblzma. And I guess in
4:25
there they could include code which
4:27
could execute something as whatever user
4:29
is running SSH. So
4:31
it's not just that they get onto
4:34
your box, but it's also it's a remote
4:36
code execution vulnerability. Yeah. It's
4:38
kind of the nightmare scenario for folks
4:40
with OpenSSH servers. Yeah. All
4:43
right. So this is just
4:45
kind of coming out this weekend.
4:47
We've been digging through it all weekend long. It
4:50
does seem like only a few systems were
4:52
impacted. There is, of course,
4:56
always with these types of things, you just want
4:58
to be as careful as possible and just update
5:00
your system regardless, even if your OS wasn't one
5:02
of the impacted ones. It does
5:04
seem though, because the way this is packaged though, Wes, it
5:07
wouldn't be like if you got it from the repo. It would
5:09
be more likely if it was being distributed as a deb or
5:11
an RPM where some of these scripts would actually get triggered. Yeah,
5:14
or if you're just going to like if you go on GitHub
5:16
and you click on releases, there are
5:18
auto-generated links that say source code. And
5:20
those like GitHub automatically, it takes the
5:22
tag corresponding to that release and packages
5:24
it up into an archive for you.
5:26
But then there's the other tar files,
5:28
which are specifically built, you know, as
5:30
part of some reposted section or by
5:32
hand by the maintainer. And so as
5:34
part of the release process, these custom
5:36
crafted tar balls are then stuck up.
5:39
So that's how you probably get it. Yeah. What's
5:42
interesting is that this thing also goes through
5:44
a series of system checks. So it makes
5:46
sure that it's on a glibc box. It
5:48
makes sure that it's an x86 system before
5:50
it will run. It
5:52
checks for several pre-existing conditions. It
5:55
even makes sure that you're not in certain types of
5:57
debug modes where you might actually discover this thing. And
5:59
it checks for those before it'll actually execute the script.
6:02
So the author or authors of this thing
6:06
went to a lot of trouble to make it
6:08
look like regular old files that should be included.
6:10
And then it has to go through a series
6:12
of events before it actually does get injected. And
6:14
even at that point, it then does
6:16
a sanity check of its environment. Yeah,
6:18
right, I think some of this stuff was contained
6:20
in what looked like just binary test files. You
6:22
know, it's supposed to be files that the test
6:24
suite would run with the XZ utility. And
6:27
of course, when you got binary files, well, that's a great place
6:29
to hide things. And this test suite
6:31
was one of the big new developments that they were so proud of that
6:34
the attacker had been working on. But
6:36
let's get down to brass tacks for listeners.
6:40
Likely their distro isn't impacted, but we do
6:42
know a few distros that have been impacted.
6:45
Yeah, one sort of nice thing about this
6:47
is it was caught relatively early on in
6:49
the process. These new releases, 5.6.0 and 5.6.1,
6:55
they just happened in the last month or so. So
6:58
for your distro to pull it in, it's gotta be
7:00
a fairly up to date, maybe rolling a release or
7:02
development version. So we've seen things like the
7:04
development versions of Fedora being impacted.
7:08
Obviously, you know, the latest Debian,
7:12
Ubuntu did, it's been pulled, but Ubuntu had some
7:14
in the upcoming code for the upcoming release. Kali
7:16
Linux as well. Kali Linux?
7:19
Yeah, Arch technically,
7:21
but technically not. I guess Arch
7:23
doesn't patch OpenSSH to support the
7:26
systemd notification stuff. So
7:30
there's a few different levels to actually be
7:32
vulnerable in this case because of all of
7:34
the checks and some specifics about how SSH
7:36
needs to be configured on your system. So
7:38
there's one level of did the distro pull
7:40
in the code that had these malicious modifications,
7:42
and then there's the secondary level of did
7:45
that code change actually end up
7:48
doing anything? Yeah, so the actual
7:50
vulnerability is SSH
7:53
relying on systemd to
7:55
pull in this compression library,
7:57
which is doing the actual
7:59
lifting, and where the vulnerability exists. Right.
8:01
So yeah, in all the malicious stuff,
8:03
they end up modifying this symbol. So
8:05
when you have the XZ library code
8:07
loaded in memory, there's this RSA decrypt
8:10
function that's sitting there. But on its
8:12
own, SSH doesn't need XZ. It
8:14
doesn't use XZ. It's not pulling that in. So
8:16
how does this work? Well, some
8:19
distributions patch SSH with
8:21
the patch that enables it to work with
8:23
the sd_notify protocol so that you can easily
8:25
have stuff say like, hey, systemd, I
8:27
want you to start these things or restart
8:29
these things or do something after OpenSSH
8:31
has finished loading. And you have a little
8:33
tiny patch that shims into SSH. And once
8:35
it's all done getting set up and it's
8:37
in ready mode, it
8:39
can go sort of just sets up a socket,
8:41
talks to systemd and says, hey, I'm done.
8:45
Now, you don't have to do it this way.
8:47
And it looks like these days, the project advises
8:49
folks, it's like a simple protocol. You don't need
8:51
to pull in the systemd library to use
8:54
it. You can just roll it yourself with very
8:56
little code. But that wasn't always
8:58
necessarily the advice you'd find just looking
9:00
at it. Some projects need to pull
9:02
in libsystemd, like the systemd
9:04
libraries. So a lot
9:07
of these patches that were implementing this behavior
9:09
just pulled in systemd via the library.
9:11
And that pulls in XZ.
9:13
Yeah. It's funny because
9:16
it, so it's not exactly a systemd
9:18
problem. It's not exactly an SSH problem, but
9:20
because the combo together are pulling in the
9:22
XZ library, it's everybody's problem. And then when
9:25
SSH goes to actually try to call this
9:27
internal function to itself to decrypt RSA, it
9:30
gets the version that the malicious XZ
9:32
supplied by way of the systemd
9:34
library. Yeah. And so this
9:36
happens. It seems the attacker got this
9:39
into the XZ library about early March.
9:42
So some systems like a small point
9:44
range release of Alpine was also impacted.
9:47
NixOS unstable did pull in the vulnerable
9:49
version of the library, but it doesn't
9:51
build it in a way that actually
9:53
triggered that script, right? Yeah.
9:56
So as you were kind of alluding to, parts of
9:59
the checks. actually check to see if
10:01
it's in a deb or RPM build system.
10:03
Yeah. And of course,
10:05
the NixOS build system. Not deb or
10:07
RPM. No, definitely not. So not only
10:09
did NixOS not apply these
10:12
sd_notify patches in the first place, so
10:14
there's no linkage there, but
10:16
yeah, then also the build system's different enough not
10:18
to trigger that kind of code. So let's talk
10:20
about the lad who discovered this, Brent, because it's
10:22
a pretty interesting story. Yeah, Andres
10:24
Freund seems to have singly discovered
10:27
this, which seems pretty amazing
10:29
to me. And he says, though, I'm
10:31
not a security researcher nor a
10:33
reverse engineer. Now, you
10:35
might believe that until he starts describing how
10:37
he went about finding this. I
10:39
know, he says he's not a security researcher. Andres,
10:42
I got news for you. You are now,
10:44
buddy. Yeah, a pretty famous one at that.
10:46
Yeah. He says, I
10:49
was doing some micro-benchmarking at the
10:51
time and needed to quiesce the
10:53
system to reduce noise. So
10:55
SSHD processes were using a surprising
10:57
amount of CPU despite immediately failing
11:00
because of wrong usernames and such.
11:03
So I profiled SSHD, showing
11:05
lots of CPU time in
11:07
liblzma, and with
11:09
perf, was unable to attribute it to
11:12
a symbol. I got immediately
11:14
suspicious. I recalled that
11:16
I had seen an odd Valgrind
11:18
complaint in automated testing of Postgres
11:20
previously, about a few weeks
11:23
earlier, after some package updates. And
11:25
he adds, here's one more aspect that
11:27
I think emphasizes the number of coincidences
11:29
that had to come together for
11:32
me to find this. I
11:34
ran a number of build farm
11:36
instances for automatic testing of Postgres,
11:38
and among them was Valgrind. For
11:40
some other test instances, I had
11:42
used -fno-omit-frame-pointer
11:44
for some reason I don't even
11:46
remember anymore. A year
11:49
or so ago, I moved all the
11:51
test instances to a common base configuration
11:53
instead of duplicate configurations. And
11:55
I chose to make all of them use
11:58
-fno-omit-frame-pointer. Far
12:00
as I can tell, Valgrind would not have
12:02
complained about the payload without
12:04
-fno-omit-frame-pointer. It was because get_cpuid
12:06
expected the stack frame to look
12:09
a certain way. Additionally,
12:11
I chose to use Debian Unstable
12:14
to find possible portability problems early
12:16
on. Without that, Valgrind
12:18
would have had nothing to complain about.
12:21
Without having seen the odd complaints in Valgrind, I
12:23
don't think I would have looked deep enough when
12:26
seeing the high CPU in SSHD
12:28
below get_cpuid. He just happened to
12:30
be running tests, trying to get
12:33
Postgres working right or whatever it
12:35
was. He just happened to have
12:37
his environment set up just right, and he just
12:39
happened to be using Debian Unstable. Although I
12:41
will say, you know, major props to
12:43
Ben. Even after all those things happened,
12:46
not everyone would continue to dig so
12:48
much and do such a nice write-up
12:50
and really try to handle this well.
12:52
And cooperate with everybody and do responsible
12:54
disclosure. I don't think Andres
12:57
is giving himself enough credit for how
13:00
clutch, as my kids would say, he came in here. And
13:02
then the information he shared, he's even answered
13:05
questions to help clarify stuff. As
13:07
if I needed one more reason to use Postgres. I mean,
13:09
it's incredible devs like these that are making it. kolide.com/unplugged.
13:15
You've probably heard me talk about Kolide
13:17
before because I think it's such a
13:19
great tool. It prevents things connecting
13:21
and authenticating to your network before they've passed
13:23
your checks. But have
13:25
you heard that Kolide was just recently acquired by 1Password? Now
13:29
that's big news. These two companies have
13:31
really been focused at creating security solutions
13:33
that put end users first. That's
13:36
fantastic because it reduces friction between end
13:38
users and IT. And for over a
13:40
year, Kolide Device Trust has helped companies
13:42
with Okta ensure that only
13:44
known secure devices can access their data.
13:47
They're still doing that, but now they're doing it as 1Password. You
13:50
can imagine when events like today happen,
13:53
the XZ vulnerability, it's really
13:56
nice to know that you have Kolide because
13:58
Kolide can work on devices that even
14:00
don't have MDMs, like your Linux fleet, contractor
14:03
devices, and every BYOD phone
14:05
or laptop that ends up in your company.
14:08
And Kolide comes with a library of pre-built device
14:10
posture checks, but you can also write your own
14:12
custom checks for just about anything you can think
14:14
of when you need it. That's
14:16
pretty great. Now that Kolide is part of 1Password,
14:18
things are only getting better. So go
14:20
check it out and support the show. Go
14:23
to kolide.com/unplugged. That's
14:26
K-O-L-I-D-E dot com slash unplugged. To
14:28
learn more, you can watch their demo. It's
14:31
a great way to support the show too. Better
14:33
than ever. Check it
14:35
out at kolide.com/unplugged. All
14:41
right, well that's the high level of sort of the
14:43
technical side of this vulnerability. But
14:46
unfortunately, there's also the human side.
14:48
I mean, okay, we've said
14:50
XZ was backdoored, but how?
14:52
How did that happen? It
14:55
sort of was a tale that happened over more than
14:57
the last two years. This
15:00
is maybe the most
15:02
troubling part of this story, more
15:05
so than a remote code execution
15:07
flaw, is the way this
15:10
attacker, apparently with others, or
15:12
this attacker working under multiple
15:14
accounts, leveraged
15:17
the burnout that the XZ developer
15:19
was experiencing to sort of push them
15:21
out. One individual submitted
15:24
a pretty complicated patch, and
15:26
then another individual came along and gave the developer
15:28
a hard time for not getting it, I
15:31
don't know, I guess accepted. I mean, it's
15:33
quite intense. It's, you know, shame on you. You're
15:36
making this repository wither. You should find
15:38
a replacement. Your users deserve better. And
15:41
then Jia Tan just seems to be in the
15:43
right place at the right time. Hey, I'm building
15:46
this cool testing infrastructure. Look how great this is.
15:48
I have the time. I could take this on.
15:50
Yeah, right, suddenly here's this helpful new contributor that
15:52
maybe you start thinking, okay, they
15:54
could handle some more things. And they've been around
15:57
for a little while. They've been working, you know, in fact,
16:00
core maintainer at the time almost
16:02
referred to them as a co-maintainer
16:04
already before it was official. It
16:06
is scary. It is really scary because
16:08
it suggests
16:11
a persistent prolonged plan
16:14
where they identified a piece low in the
16:16
stack that they could go after in
16:18
a sophisticated manner. Then they
16:21
identified the core contributor to that piece
16:23
in the stack and then
16:25
they bullied that person to essentially convince
16:27
them they were burned out then
16:30
got access to the project and
16:32
then after that reached
16:34
out to other projects like Fedora and
16:38
tried to get them to incorporate
16:40
it as fast as possible. There's
16:42
a great very honest comment on
16:44
Hacker News by a Fedora contributor
16:46
who says, it's very annoying the apparent author
16:48
of the back door was communicating with me
16:50
for several weeks. They were urging me
16:53
to get this in as fast as possible because
16:55
it had quote great new features and
16:57
they write I even worked to help them fix
16:59
this Valgrind issue, which turns out was caused by
17:02
the backdoor they'd added. The
17:05
open source community is trying to be helpful. Well
17:08
and generally I mean you know we often do
17:10
want updates. Many times there's
17:12
security fixes and updates and you know we
17:15
try to keep things up to date. I
17:17
feel like this attacks this very trust model
17:20
in open source. I mean it's the idea
17:23
that I mean the quiet part that I'm
17:25
about to say out loud now is it seems
17:27
very possible this is a state actor. If
17:30
as a state actor that implies it's an
17:32
intelligence agency how the hell
17:34
do we defend against that and
17:37
we know how significant of a
17:39
problem developer burnout is and
17:41
if state actors or even
17:44
just average everyday
17:46
attackers have realized
17:48
that developer burnout is
17:50
a soft target this
17:53
feels like a pretty significant
17:55
problem and it feels like a problem that
17:57
could be more persistent than we realize. I
18:00
mean there's a lot of FOSS
18:02
software we rely on at
18:05
home in production. And this time
18:07
it wasn't a lack
18:09
of maintenance of OpenSSL or SSH. It
18:11
was a much more nefarious and
18:14
clever little attack, and that's even harder to
18:16
guard against. They were patient.
18:19
They introduced apparently themselves around March
18:21
2022. So
18:23
this is March 2024 where we're actually seeing the
18:25
fruits of that labor. In
18:28
January of 2023, they start announcing
18:30
the XZ releases. In March 2023,
18:32
they take over signing the release
18:34
tarballs. Yeah, kind of switch some
18:36
of the domains over instead of being on
18:38
the self-hosted stuff running from the original developer.
18:40
No, they're over on GitHub where Jia
18:43
has full control. Yeah,
18:46
and that's all combined with this campaign to
18:48
burn the main developer out, so they transition
18:50
out. So they're no longer involved on their
18:52
own accord. They
18:54
hand it over to Jia on their own accord, which
18:56
is really just so diabolical
18:59
about this. The question really
19:01
has to be, was the maintainer
19:03
of XZ a target of an intelligence
19:06
campaign? I really don't
19:08
know, but I'd like to know if that's what
19:10
we're dealing with here. I'm sure there
19:12
will be criminal investigations into this, and maybe we'll get answers.
19:16
But we don't know as we're recording Sunday because this came
19:18
out on Friday. It's amazing
19:20
the amount of detail we do have at this
19:22
point. It's an incredible amount of citizen journalism that's
19:24
been going on. Yeah, I mean most of this
19:26
drop in on a Friday and folks over the
19:28
weekend voluntarily investigating, writing
19:30
things up, and sharing widely.
19:33
I'd love to know people listening to
19:35
this, how they think this impacts open
19:37
source and just their thoughts on this because this to
19:40
me is the scariest part of this story. And
19:42
then we have the most frustrating part,
19:45
and that's the dunking that you start seeing in
19:48
our own community as if we're not
19:50
all affected by this. So
19:52
you'll always see the anti-rolling folks come out of
19:54
the woodwork to dunk on rolling when this kind
19:56
of thing happens, as if this wouldn't have eventually
19:58
hit them. And then
20:00
they would have had it for years before they realized
20:02
it as if. So it's
20:04
again, instead of being thankful that there are
20:07
users out there testing the bleeding edge and
20:09
finding the stuff, they dunk on them, which
20:12
I find to be classic Luddite behavior.
20:15
So congratulations everybody. So
20:20
just given what most servers run, it was
20:22
kind of targeting really more the long-term LTS
20:24
distro with the Deb and RPM business. That
20:26
was obviously the goal. The goal was not
20:29
to pwn a couple of boxes that are
20:31
running Debian Sid, right? That wasn't the
20:33
goal. Really it kind of sucks to be
20:35
openSUSE Tumbleweed right now just because
20:37
the combo of rolling release and RPM, just
20:39
bad luck. Yeah, right in the crosshairs. And
20:42
then of course you get the systemd
20:45
haters coming out. The Devuan folks
20:47
tweeted because you've got to be classy. Let
20:49
everybody know that Devuan is not affected by the
20:51
latest vulnerabilities. The malicious backdoor
20:54
in the XZ liblzma is a vector for
20:56
remote exploitation of the SSH daemon due
20:58
to dependency on systemd for notifications
21:01
and due to systemd's blah blah blah the way it
21:03
pulls it in. And then they go on to dunk. They
21:06
go on to dunk. And of course, first they
21:08
put a really silly GIF about how they're not
21:10
affected. And they say this
21:12
is another proof that systemd is an
21:14
anti-pattern for security. With its
21:16
crawling ever-extending web of dependencies, it
21:19
extends the surface of vulnerability to
21:21
orders of magnitude. And
21:23
once embraced, not even a large distro
21:25
community can defend you from that as
21:28
they clutch their pearls. Now
21:30
we've explained how this works with
21:32
systemd and how systemd doesn't
21:34
actually recommend you pull all of this in but
21:36
doesn't stop developers from doing it. But
21:39
the other wrinkle that I find
21:41
fascinating about this is it
21:43
appears about a month ago a PR was
21:45
created to change this behavior at a systemd
21:48
level to essentially load
21:50
these compression libraries in a better
21:52
way that would have made this
21:54
vulnerability likely not work. Yeah, it
21:56
seems like there's interest here in especially
21:59
libraries that aren't necessarily always there is
22:01
used, like a particular compression library, to
22:03
have systemd be able to load these in a more
22:05
dynamic way that I think maybe then would mean if
22:08
you were kind of pointed in via linking trying
22:10
to do the sd_notify stuff, it wouldn't
22:12
automatically pull in XZ. Which
22:14
would have broken this vulnerability. So
22:17
in a sense, it's very possible
22:19
that the attacker or attackers was
22:22
aware of this and felt
22:24
that they had a window of time and perhaps that's why they
22:26
were pushing as hard as they were to get it included in
22:28
the places. Yeah, and
22:30
maybe that's even why it ended up shipping
22:33
with some bugs in it that ended up
22:35
getting it detected. And if they'd had
22:37
a little more time, perhaps they would
22:39
have been able to clean that up because
22:41
all their other behavior shows a pattern of
22:43
very, very accurate, very, very
22:46
calculated behavior. And we see this one
22:48
slip up. One wonders if
22:50
they weren't under a particular time
22:52
crunch because the systemd pull request looks
22:54
like it's in the process of being approved. It looks
22:57
like that change is going to be happening. It's
22:59
just a wild little wrinkle to the story that this
23:02
little window would have been closed. So
23:04
the systemd folks I think don't, they
23:06
don't really have a lot of blame
23:08
in this. It's like you said,
23:11
it's depending on how you implement this, how it's been
23:13
implemented. They also have a fix they've been
23:15
working on already to kind of shore this up. I
23:17
also have got to imagine to some extent there's, there
23:20
are other situations like this in
23:22
other relationships between pieces of software.
23:25
Oh yeah. The systemd, the systemd
23:27
is successful and a lot of systems have this
23:30
patch so it sort of makes a natural target
23:32
if you're trying to go after maximum
23:34
spread. There is, I guess
23:36
I will concede to the Devuan
23:38
folks that when you take software
23:40
and you commonize it across multiple
23:42
systems, you do I
23:45
guess make it easier for malware to
23:48
work across multiple environments. That
23:51
seems sort of obvious. But
23:53
we've been doing that, look at the GNU utils, look
23:55
at SSH, OpenSSH. I mean we've been, that is
23:57
a line that has been, a trend
24:00
line going in one direction for a very long time. Can
24:03
it also be argued that systemd
24:05
has solved a lot of vulnerability issues?
24:09
Just because it's a more modern way of, you
24:12
know, handling the problems it handles? Yeah,
24:14
perhaps. I mean, it does expose. It depends on
24:16
the level you're talking about. But yeah, I mean,
24:18
there are a lot of security
24:20
related options that exposes for you out of the box that you
24:23
don't have to roll yourself, at least if you choose to hop
24:25
into them. It does. It does
24:27
raise some uncomfortable questions though, Brent. Yeah,
24:30
well, I wrote down a bunch here, but the main
24:32
one for me is like, okay, this was ...
24:35
seems like it was pushed out maybe a little
24:37
sooner than this attacker or
24:39
attackers were hoping for because, you know,
24:41
systemd might have been changing things
24:44
on them. So
24:46
therefore, it was discovered, thankfully. But
24:49
that raises the question for me of, well,
24:51
how many of these style of attacks
24:55
and vulnerabilities haven't been discovered because they
24:57
didn't have this pressure cooker where they
24:59
had to ship something sooner? And
25:02
so doesn't that make you wonder, like, look
25:04
at every single piece of software and wonder
25:07
what's that complex set of situations
25:10
that got through and
25:12
just nobody's discovered yet? We
25:15
were in a weird window of time, Carl, right? There's
25:17
several distros that are on the verge of freezing
25:20
their other bits. And
25:22
I suppose this attacker wanted to get this
25:24
in as fast as possible. You
25:27
know, Carl's in the chat room saying, look, it was probably
25:29
they're probably hoping to get into Ubuntu, probably hoping to
25:32
get it in the next version of CentOS. Now was
25:34
your time. It's a good point.
25:36
It's not just that systemd was closing this
25:38
and that inevitably would have eventually trickled down
25:40
to downstream distros. Ironically, by the way, it
25:43
would have shipped on rolling distros first, just
25:45
pointing that out. So it
25:47
was more than just that though. It was also getting it
25:49
included in these other distributions. So that way, once it's deployed
25:51
at scale, you could probably just scan the Internet and start
25:54
attacking away. Yeah, give it a couple
25:56
of years. Those become the widely deployed
25:58
versions. So yeah, how many other... how
26:00
many other things like this has ever been done? We'll never know. You
26:03
know, Icculus, Ryan Gordon, he tweeted a
26:05
picture that is pretty alarming in this
26:07
category. And it's, he got an email
26:10
from somebody named 3764-828-2799. My
26:14
favorite person. Yeah, and the
26:16
subject is Project Collaboration Opportunity, brief
26:19
GitHub login request. And
26:21
here is the body of the email. Hi,
26:24
I'm participating in a project and I need
26:26
to use an active GitHub account to log
26:29
in briefly. I only need to log in
26:31
to the website without making any authorizations or
26:33
changes. I noticed that your account
26:35
meets the criteria. Now get ready for
26:37
this. They write, could I
26:39
borrow it for a few minutes? If the
26:42
website verification is successful, I'm willing to offer
26:44
you a reward of $300. If
26:47
it doesn't work, I'll still give you a
26:50
thank you payment of $30. Seems
26:52
totally legit, why not? I
26:54
can't imagine that Icculus is the only one getting
26:56
that kind of email. There's probably people doing scans
26:58
of GitHub and looking at what
27:00
your account history is and what you contribute to. What
27:04
I like about this one is just a blatant
27:06
phishing attack and they're not even trying to hide
27:08
that. Yeah, well, you know, spray and pray, I
27:10
suppose. And there's
27:12
gotta be a few people out there that are gonna say, okay, I'll take
27:14
300 bucks. I'm not even
27:16
using my GitHub account anymore. I've burned out. You just
27:19
got laid off at work. You haven't had time.
27:21
Yeah, you don't even contribute anymore. So we don't even
27:23
know if these accounts, where these
27:25
attackers' accounts, the interesting thing is that
27:27
these accounts that were involved don't
27:30
seem to have much other history outside of this
27:32
with a few couple of things here and there. So
27:36
after this event, I don't think it's a great look
27:38
for the open source community. I mean, I don't think
27:40
any of us have our faith shaken, but
27:43
when I think back to like me trying
27:45
to pitch solutions that were free software and
27:47
open source inside corporate environments, these
27:49
type of events would bring doubt about the safety
27:52
of open source software. And here's
27:54
the headline that Techmeme ran with. Microsoft
27:57
engineer accidentally found the malicious
28:00
code in the versions of the
28:02
XZ utils compression tool, likely preventing
28:04
thousands of infections. Accidentally.
28:07
See, accidentally found it. That
28:11
is going to strike fear into the CTO's
28:13
heart. But I don't know, do
28:15
you guys think it was luck? I mean,
28:17
it was luck for Andres as
28:19
an individual, but at
28:21
scale, when you consider the
28:23
scope of the open source community, the diverse
28:26
users and the diverse amount of
28:28
itches they're all scratching, was it
28:30
luck? I mean, probably a lot of these things
28:33
it's hard to say for the particular, but yeah,
28:36
at scale, it seems like at least
28:39
we can look and you can poke around and
28:41
you can look at the commit history. And
28:44
you know, if it was some proprietary compression
28:46
library, what would you have to compare except
28:48
the binary bits? I think this is
28:50
too why user adoption of open source is
28:52
still a very critical component, because
28:55
it does mean more eyes and shallower
28:57
bugs. The
28:59
reality is, if we
29:01
have a robust, diverse user base, then
29:03
you will have somebody who has this
29:06
really esoteric setup that is testing on
29:08
Debian SID in just the
29:10
right environment and happens to find things like
29:12
this. And I
29:14
mean, would it have taken us longer? Perhaps,
29:16
you know, it just... but the fact that we actually
29:18
have that scale and capability is
29:20
an inherent asset to open source that you can't
29:22
even put on a pro and cons list with
29:24
commercial software. You know, you'd
29:27
have to consider with commercial software, we'd never know about this kind
29:29
of thing. It may never even be discovered.
29:31
But then on top of that, you
29:34
have all of the information that's now available, like
29:36
all of the reconstructing of the timelines and all
29:38
the commit history, even though GitHub pulled it, like
29:40
we can still put it together. And
29:43
now as a community, this gets announced
29:45
on Friday and by Sunday, we
29:48
have our hands around it and we have a pretty good
29:50
idea of who's impacted, what's going on, how it works. Before
29:53
people even return to work, we've got it figured out. I
29:55
think maybe it also shows, you know, like there is the
29:58
community that is really there and it's not a scramble of
30:00
disparate businesses who all happen to use the
30:02
same proprietary thing and then have to find a way
30:05
to communicate. I mean, we already have issues and forums
30:07
and mailing lists set up. So when
30:09
folks were ready to help troubleshoot and compare notes
30:11
and debate who's impacted and how do we fix
30:13
this, there were already mature systems
30:16
in place for that. I wonder what would your
30:18
answer be, Brent? I mean, I'd like the audience
30:20
to maybe send in their thoughts too, but
30:23
what is your answer going to be if somebody does say, hey,
30:25
isn't there some sort of backdoor that's in all of these Linux
30:27
systems? Like how these things can filter down?
30:29
Like how do you even respond to that? I am
30:31
sometimes shocked. I'll get these questions. I'll be like,
30:33
what? How did you hear that? And
30:36
what would your answer be, Brent? I think
30:38
my answer would be, how do you know
30:40
there aren't backdoors in other commercial software? Like
30:43
it's sometimes built in on purpose by
30:46
design. And so at least
30:49
maybe there are some that we haven't discovered yet.
30:51
We just don't know. And but that's true of
30:53
every piece of software it seems, if
30:55
you're looking at these kinds of situations. But at
30:58
least we can say that most
31:00
of it doesn't. And we've had
31:02
thousands and thousands of people now working
31:04
on this stuff, having a look and
31:07
know that this software is legitimate. So
31:09
I think you can't say
31:11
that no software has none because
31:14
it seems like this is a
31:16
super sophisticated set
31:18
of compromises here that we're seeing. But
31:21
you can say that actually we've tried really, really
31:23
hard to not have those
31:25
be put in on
31:27
purpose and get through on purpose. I
31:30
think it's like the dichotomy of
31:33
open source development really
31:35
well captured. We'll have a link in the show
31:37
notes that really shows you how this developer was
31:39
socially engineered to burn out when they're already
31:41
on the cusp. And that is an
31:43
inherent vulnerability in free software is we have so
31:45
many burned out maintainers and developers
31:48
that are just waiting for somebody to come take this
31:50
burden off their shoulders. And that's
31:52
an attack factor. But then at the same time,
31:54
we have the many eyes shallow bugs situation. That
31:56
means we catch it on the other end. Luckily.
32:00
Well, in a very real sense, all software
32:02
is garbage. Yeah. Yeah.
32:05
It's all terrible. I don't know what people
32:07
expect that. It
32:09
really is. Yeah, and here we just get to see
32:11
it. Jan on
32:13
Mastodon writes, again, the FOSS
32:15
world has proven to be vigilant and proactive
32:17
in finding bugs and backdoors. The level
32:19
of transparency is stellar, especially compared
32:22
to proprietary software companies. But what the
32:24
FOSS world has accomplished in 24 hours after
32:26
detection of the backdoor code deserves a moment
32:28
of humbleness. Yeah. I
32:32
agree, Jan also says we could tame down the flame wars
32:34
and armchair experts shouting at each other right now. And
32:37
like we said, dunking on things like systemd or
32:39
rolling distros. We could do a little bit less of that.
32:42
But we should also take a moment and recognize
32:44
it. It is also a
32:47
big accomplishment how quickly. And to see the different
32:49
distros work super hard and burn the midnight oil
32:51
to get the package ready. Because they get a
32:53
little bit extra heads up, but not much. Usually
32:55
not much. They sometimes know
32:57
maybe 24 hours in advance before
33:00
the general public or something like that. So
33:02
they really have to move quick. Thankfully, in this case, it
33:04
was mostly about rolling things back.
33:06
You can tell, too. This is a tricky
33:08
one. I know for NixOS, XZ is pretty
33:10
low down in the stack and part of
33:12
the bootstrapping thing. So you have to rebuild
33:14
everything to include a new version or a
33:16
patched version. I think they were saying 220,000
33:18
packages need
33:20
to be rebuilt because of this. And then you've
33:23
seen other packages and other distros where they've had to
33:25
say, they'd have to make it look like an updated
33:27
package. And then it has a dash. Really,
33:29
this is version 5.4, though. Right.
33:31
To sort of trick the package manager into like, oh,
33:33
no, this is actually an update, even though we're not
33:35
trying to put it all in back. That part is
33:38
really wild to me. But you can
33:40
tell, we're moving fast and just
33:42
trying to figure out whatever we can do to get things
33:45
fixed right now. And then hopefully clean it all up as
33:47
we learn more. Yeah, we will. This
33:49
is going to be one of those stories I think we'll be
33:51
hearing more about. We'll be probably
33:53
seeing some sort of legal investigation. And I've
33:55
wondered, so when GitHub pulls
33:57
this, like they did, they pulled the repository for it.
34:01
Well, technically now Microsoft is the only
34:03
company that has access to that entire
34:05
history and everything. And I would
34:08
presume they're probably doing their own very serious investigation,
34:10
maybe trying to identify if this user worked
34:13
in other repositories under another identity. But
34:16
by having this project on GitHub,
34:18
when this incident occurs, now this
34:21
is proprietary Microsoft information. We've
34:23
been lucky that the public has been able to salute
34:25
it altogether and find mirrors and things like that. I
34:29
just had this kind of chilling moment where I
34:31
realized this is all
34:33
Microsoft's code now and they're going
34:35
to initiate some sort of research.
34:37
They have a very big quote-unquote
34:39
cybersecurity arm and this kind
34:41
of stuff is going to funnel right into that.
34:43
They're essentially just going to get free work from
34:45
GitHub for years and they're probably going
34:47
to follow this process. Instead of marking it read-only
34:49
or anything which would have helped other researchers, they completely
34:52
pulled it down. They have it internally
34:54
and they're no doubt scrambling this weekend to go
34:56
through it all. For good and for
34:58
bad, but just a reminder, taking
35:00
advantage of the decentralized nature of getting out
35:02
there, so yeah. Speaking
35:04
of decentralized, I just want to take a
35:06
moment and mention that this coming Friday, as
35:09
you're listening to this, the week that this
35:11
releases April 5th, we have
35:13
a Nostr workshop. Yes, a live
35:16
workshop. Notes and other stuff transmitted by relays.
35:18
So if you've been Nostr curious, I've been
35:20
on and off myself, the protocol
35:22
seems to be very promising and we're
35:24
finding new use cases for it beyond just like
35:26
Twitter replacements. It's based on
35:28
really simple flexible event objects which are just
35:30
passed around as plain JSON and every
35:33
user is identified by a public key and
35:35
every post is signed and every client validates these
35:38
signatures. That's the Nostr network in a nutshell. That's
35:40
what you need to know about it. Oh, and
35:42
of course it's open source. So
35:44
one of the more compelling use cases
35:47
that Fountain FM has been testing is
35:49
decentralized real-time chat, not to replace
35:51
like your favorite messenger app or
35:54
your blue bubbles or whatever crap you want, but for
35:56
like live events on the Internet, in the app
35:58
or in the web. And because everything's just
36:00
being passed around as plain JSON, it means that
36:02
we have the ability to create cross-platform tools and
36:05
apps and services if we want around this. And
36:07
you as a user can create one identity
36:09
that's verified by a public key that
36:12
you can use across different apps and
36:14
websites or Nostr services. And
36:17
it's just as simple as bringing your key and you can use these
36:19
different clients and these different apps, which I've been playing around with.
36:21
It's pretty nice. And so we're putting
36:23
this to the test. The Fountain FM dev team is
36:25
building a new live experience for the podcasting 2.0 world.
36:28
And we're helping them by testing it every Sunday. They've
36:31
created an embeddable web chat that's gonna also be available
36:33
in the apps or other apps that want it, just
36:36
powered by Nostr. You don't really need to
36:38
use Nostr to use it other than to have a public key that works.
36:41
So we're gonna help people get started. We're gonna
36:43
have a live workshop next Friday. Again, it
36:45
is April 5th, 2024 at 2 p.m. Pacific,
36:49
5 p.m. Eastern. And we'll help
36:51
you get your Nostr identity going. We'll answer
36:54
questions. We're gonna have some fun. We'll give
36:56
some sats away, help you get started
36:58
over there too if you wanna do some boosting, and help
37:01
us test this thing. It's a
37:03
new use case, really, for notes and other stuff transmitted
37:05
by relays. Don't know where it's going, but
37:07
I think it's an opportunity for us to help develop a
37:09
new open standard and test it at least and see if
37:11
it's worth pursuing. Again, Friday, April 5th,
37:13
2 p.m. Pacific, 5 p.m. Eastern. Date,
37:16
time, your local area,
37:18
jupiterbroadcasting.com/calendar. Should be good. We'll be
37:20
in the LUP stream. We'll be just doing a
37:23
LUP live stream. So come over and join us at jblive.tv. And
37:26
also, thank you to our members. Unplugged Core members
37:28
have been keeping this show going for a couple
37:30
of years now, really. And as
37:32
we are down one sponsor this week, they're
37:34
stepping up and they're helping us. So thank you to
37:36
our Unplugged Core members as well. Oh,
37:40
we are just days away from Texas Linux Fest, April
37:43
12th through the 13th at
37:45
the Palmer Events Center in Austin, Texas.
37:48
I'm excited. Yeah, I
37:50
think we have our place
37:53
booked. We gotta get all our travel booked,
37:55
Wes. We
37:57
do have a Texas Linux Festival Matrix chat room
38:00
in the show notes. You'll find us down there at Texas
38:02
Linux Fest. We're going to be there at
38:04
the Sinaire booth who's helping us get there and do
38:06
some live streaming. Say hi to people. Sinaire
38:08
is also helping Texas Linux Fest get going
38:10
too. It's really great. Looking
38:13
forward to meeting them. And then Linux
38:15
Fest Northwest April 26 through the 28th, just days
38:17
after the one in Austin, we're going to be
38:19
up in Bellingham, Washington at the Bellingham Technical College.
38:21
And we also have a matrix chat room for
38:23
that if you can make it. That
38:25
should be a banger. We'll have a live Linux unplugged. There's
38:27
going to be food. Linux Fest is a hell of a
38:29
party and we'd love it if you could make it to
38:31
that. A lot going on so
38:33
soon. So quick. So quick. So
38:35
great. And then just shortly after that, we'll get you dates soon, but
38:37
Wes and I are going to be in Denver for
38:40
a Red Hat event. So,
38:42
just a lot coming up. And
38:45
I don't have any meetups for these, but I
38:47
think at Texas, we'll
38:49
just get together with folks. It's a small venue
38:51
and we'll head out for lunch or something. I
38:53
don't think we need to do a meetup because we'll all come
38:55
find us. Yeah, we'll bump into each other or you can find
38:58
us at the signer booth. It's pretty easy. And
39:00
then also, I wanted to mention something going
39:02
on that just I am
39:04
so grateful when things like this happen. So when
39:08
these types of days come out where
39:10
we have a horrible vulnerability, something
39:13
like the XZ back door that is
39:15
just you need the information, the technical details, some
39:17
of the background. You don't need all the hype.
39:20
I think it's really nice to know that shows
39:22
like Linux Unplugged, our primary goal
39:24
for this is just get you the best information we
39:26
can as fast as we can do it in the
39:29
time we have and as accurately as we can. And
39:32
if this show
39:34
was following a different
39:36
path, a different model, I think you'd find these types
39:38
of things get amped up. You're going to find this
39:40
will happen now on a lot of YouTube videos. Not
39:42
all of them, but a lot of them are going
39:44
to start really ramping up like the
39:46
SSH vulnerability app, SSH compromise. You're going to start seeing
39:48
this kind of stuff and really kind of amp it
39:51
up for click baiting. And an article came
39:53
out that I'll link in the show notes. Wondery,
39:55
which is an advertising biz, and iHeart, and
39:57
Lemonada Media and others, I don't know. They've
40:00
all been using this service, this private service from
40:02
this group called Mowpod, M-O-W-P-O-D.
40:07
And Mowpod, they invite you
40:09
to participate in this program, but once they invite
40:11
you, they place ads in
40:13
games like on iOS. And
40:16
these ads, according to Bloomberg, direct
40:19
users to go into Apple Podcasts
40:22
and download the podcast that they've
40:24
been told, and then come
40:26
back to the game and they're awarded like
40:28
an in-game weapon or in-game currency. So I'm
40:30
just playing a game that says, oh hey,
40:32
go download Linux or not Linux unplugged. But
40:35
in this scenario, yeah. We could give it
40:37
a like. If we were
40:39
contacted by Mowpod and we wanted to pay them
40:41
tens of thousands of dollars or whatever it is,
40:43
yeah. Wow. Yeah.
40:45
So these in-game ads prompt the user
40:48
to go download a particular podcast, like
40:50
a particular episode even, or direct them to a specific episode. Once
40:53
that's done, they get rewarded. And here's
40:56
the crazy thing. Bloomberg did the research. At
40:59
least nine of the
41:01
current top 50 shows in the Apple Podcast
41:03
directory have been promoted this way. I guess
41:05
it works. Wow.
41:08
And we would never... like a Linux podcast
41:10
that's talking about an XZ vulnerability would
41:12
never, ever make it to the top of those charts. How
41:15
could we compete against that? That signal
41:17
would never get out there. But now, now
41:19
that there are charts like on Fountain that are
41:21
based on the value that's contributed back from
41:23
our audience, we're always in
41:25
the top 10, if not in the top
41:27
three of that chart. And I think that
41:30
shows you the difference of the path
41:32
we're trying to take with the show
41:34
versus the direction the traditional mainstream advertising
41:36
industry has gone. And it's not
41:38
good for content. And we don't need this type of
41:40
content to be playing these games. We do not need
41:43
it. So thank you, everybody who is
41:45
a member, and thank you, everybody who boosts into the show.
41:47
We really appreciate it. And
41:50
now it is time for the boost. Oh,
41:53
and speaking of that, Oppie 1984, he's our baller this
41:55
week. I
42:00
have no problem paying attention to the
42:02
studio shows at my work. I
42:07
find live content distracting and I usually end up skipping it since I
42:09
need to focus and, you know, earn those fiat fun coupons for my
42:11
boosting habit. And
42:14
my dog's milk bone addiction. Yeah,
42:17
I know that one. My
42:19
dog has recently been addicted to like... there's a lot of things
42:21
that I'm not going to do. Yeah,
42:26
I know that one. My dog has recently been addicted
42:28
to like... they're shaped like bones, but they're pumpkin.
42:32
Oh, he loves them. They go pretty quick though. They do
42:34
go pretty quick, so he's going to watch out. Now it's a zip
42:36
code boost, Mr. Wes. Thanks. 4, 4, 7, 1, 8. Okay,
42:42
Stark County, Ohio. Maybe
42:45
a city like Canton or Monterey
42:47
Heights? Well, hello, Stark County,
42:49
Ohio. Thank you for boosting in,
42:51
Oppie. We always really appreciate hearing from you.
42:54
And you nailed our baller booster spot. It's
42:57
not easy. Indeed. Yeah. Mr. Payne, our
43:00
next boost, please. Hybrid
43:03
sarcasm is boosting in today with 42,001
43:05
Satoshi. I
43:09
hoard that with your kind colors. I
43:12
got my 13-inch 13-gen Intel
43:14
framework, decided to christen it with
43:17
none other than NixOS. There's
43:19
something about test-driving hardware that you just can't
43:21
do with a VM. This
43:24
has actually replaced my MacBook
43:26
in every way except
43:29
home.app. Home
43:31
Assistant just hasn't bridged that gap for me yet.
43:34
What? This is crazy talk, Hybrid. This
43:36
is crazy talk. I
43:38
think we need to know more. Definitely. I
43:41
mean, I've had the exact opposite experience. I
43:43
was shocked at how easy it was to
43:45
integrate HomeKit accessories into Home Assistant and just
43:48
stop using any of that stuff. I'd
43:51
love to know where you got hung up. Maybe we could figure
43:53
it out. Some sort of challenge. You try
43:55
Home.app for a week. I don't think so. Sarcasm and
43:58
Home Assistant more seriously. I don't know about that. I
44:00
don't know. I would love to know what he ran
44:02
into. I'd also like to know if people use Home
44:04
Assistant in the audience, because you know, it's a big
44:07
topic of conversation that's self-hosted, but we don't talk about it much
44:09
here. So I don't have a good read
44:11
on what the Home Assistant usage is in the audience.
44:14
Hybrid continues on just to say that, I
44:16
feel at home with configuration.nix. I
44:19
think I'll give flakes a try when I need
44:21
something that the .nix files just can't do. Yeah.
44:24
Yeah, I agree. Yeah, I think we're going
44:26
to have to do more on that soon. Our
44:28
third baller booster, Vaymax, boosted in two boosts
44:30
for a total of $24,690. So
44:34
the combination is one,
44:36
two, three, four, five. That's
44:40
the stupidest combination I ever heard in my
44:42
life. That's right. Two spaceballs boosts
44:44
in a row. Number one,
44:47
plus one for having shows in a live
44:49
shows in a separate feed. I have no
44:51
problem with the quality of live shows being
44:54
mixed with planned shows. I do
44:56
appreciate the work that goes into the planned
44:58
shows. I think it sets JB apart from
45:00
other tech shows. Aww. But
45:02
Fountain live notifications refused to notify me, and
45:04
having one show feed I can check
45:07
on a periodic basis would be a
45:09
blessing. I was thinking of you
45:11
folks and good old Plain Podman
45:13
last weekend as I spent it
45:15
fixing my cluster networking. Good
45:18
old Plain Podman, huh? You know, just the
45:21
other day I had occasion to try out
45:23
Skopeo for the first time, which is part
45:25
of the Podman and Buildah sort of
45:27
toolkit. Really nice. Yeah,
45:29
I know. I know Podman is one of the
45:32
unsung pieces of software out there that really
45:35
doesn't get enough attention. But, you
45:37
know, I'm kind of over containers. I don't know if you've heard. I'm past
45:40
containers now. It was great
45:42
though because it built right on my Mac. I didn't have
45:44
to go use like the Linux box just to do the
45:46
Docker interaction because I wanted to fetch an image and take
45:49
a look at some of the innards. Yeah. And,
45:51
you know, package to Nix showed right up.
45:53
I suppose if you're still on a Mac,
45:55
you might need Docker containers and Podman. I
45:57
don't know. I'm beyond containers though. Now
46:00
VMAX did continue with another Spaceballs Boost.
46:02
One, two, three, four, five. One, two,
46:04
three, four, five. Yes. That's
46:07
amazing. I've got the same combination on
46:09
my luggage. PS, I don't know if
46:11
you folks have ever done episodes or
46:13
picks focused on networking or have suggestions
46:15
on podcasts or YouTube channels that focus
46:17
on exactly that. But
46:19
when my cluster's MetalLB ARP
46:19
setup decided to start stubbornly
46:21
insisting it had no idea who
46:26
or what my router was. When
46:28
I was trying to figure out BGP speakers,
46:31
I realized how badly I needed to develop
46:33
my networking knowledge. Okay. Now, I
46:35
mean, I am absolutely down for doing some
46:37
episodes on networking. That's like saying do an
46:39
episode on computers, though. It is a
46:41
big, I mean, it's as big of a topic as Linux. So
46:45
what exactly? One thing
46:47
that we've always kind of floated internally
46:49
is a dedicated episode on building a
46:51
Linux firewall from scratch. You
46:53
know, not that there's anything wrong with dedicated hardware firewalls,
46:55
but it might just be fun to have
46:58
a, you know, see how it was
47:00
simple but effective Linux machine that would be straightforward
47:02
to configure and tweak when you need to. Maybe
47:04
you don't need a full UI. Maybe it could
47:06
be an MVP. I think
47:08
our audience probably has a lot of ideas. I
47:10
know I've seen some chatter in the Nix nerd
47:12
room about NixOS routers. Okay. All
47:15
right. Yeah. Well,
47:17
then perhaps. Also, you know, Famax, it sounds like a great
47:19
little home web you set up there. I hope you figured
47:21
it out and update us because I'm sure you're running into
47:23
some interesting problems. That's a
47:25
great point. VT52 comes
47:27
in with 20,202 sat. Coming
47:30
in hot with the boost. As an i3 user,
47:32
I really want to play around with Hyprland. But
47:35
Wayland doesn't work for me. I have two
47:37
displays at my disposal and both are multi
47:40
panel widescreens. They present as
47:42
two panels per monitor. Whoa. Yeah.
47:45
Most Xorg things handle it fine, but Wayland
47:48
based stuff sees it as two separate displays,
47:50
meaning I can't maximize or full screen
47:53
something over the entire display. Does
47:55
anyone know of a workaround? Oh, gee.
47:57
Okay. I can see how that might be prohibitive.
48:00
I can't imagine how that could ever
48:02
be solved unless the desktop environment baked
48:04
in support for that in its display
48:06
management tools directly. I
48:08
could see Wayland technically supporting it,
48:10
but Wayland won't natively just do
48:12
it unless something using the
48:14
protocol tells it to. I
48:16
mean, this could be insert enlightenment joke, but yeah,
48:19
that's, I've never even
48:21
heard of a multi-panel
48:23
widescreen that presents as two panels per monitor.
48:25
I've never even heard of that. That seems
48:27
like quite the niche. Here's hoping
48:29
someone out there knows. Yes, please. That's
48:32
a good one. Okay, and here
48:34
we've got three quick little boosts, one from
48:36
Zenzilla last week with 5,000 sats.
48:39
Just to say, listening live, you guys are crushing
48:42
it. Boop, boop, boop. Then of
48:44
course our panel listener Jeff came in with
48:46
5,000 sats just to say thanks. Hello. And
48:48
an anonymous booster came in with 3,000 sats, also
48:52
to say thanks. Boost. Thank you very much. I
48:54
love the live boost. Now following up, Mooter Night
48:56
sent in 5,000 sats to say, can
48:59
a NixOS config fit on a floppy
49:01
disk? Maybe you should make
49:03
a config and send it out to subscribers
49:06
once a year as a
49:08
particular thank you. B-O-O-S-T. Is
49:11
such a neat idea. Are you checking your Nix
49:13
config right now? Okay, Wes is gonna check to
49:15
see how big his Nix config is right now.
49:17
That's a really fun idea. I've honestly been trying
49:19
to think of ways, I don't know why, to
49:22
incorporate floppy disks as swag. All
49:24
right, 6K maybe? Oh yeah, we can do
49:26
that. The config and the flake and the
49:28
hardware config, you know, we could probably make
49:30
it smaller. This was just a random example.
49:32
Well, we got 1.4 megabytes to work with. Well, really 1.2.
49:36
Right, yeah. Got a format thing. I
49:38
don't know. I
49:40
love that idea, Mooter Night. I'm gonna
49:42
put that in the old back pocket, and if anybody
49:44
can expand on that, please do. I mean,
49:47
wouldn't the first swag item have to be
49:50
USB floppy disk? Like you'd have to send those
49:52
out first. I just don't know. Yeah, right, what?
49:55
Well, I saw a little tidbit come across
49:58
the newsfeeds that like, ext2, this week
50:00
was being deprecated. And so given
50:03
we want to do this, A, you
50:05
need to procure the hardware, both
50:08
the floppies and also the means of
50:10
reading and writing such things, but which
50:13
format would you throw on this? It
50:15
seems like a multifaceted challenge and problem
50:17
to overcome here. What file system?
50:19
I don't think we'd want to use extended fat just because it's
50:21
a Linux show, right? Technically,
50:24
extended two will be around because it'll be
50:26
supported by the extended four, but the
50:28
extended two driver in the kernel is being
50:30
deprecated. Come on, because you guys got it.
50:32
Yes. Oh, because should be so much fun.
50:35
Maybe. Maybe. All
50:45
right. User 42 boosts in with a row of ducks.
50:49
And they write, I think the best
50:51
and most efficient way to launch and manage
50:53
Minecraft on Linux is a combination of portablemc
50:55
and Ferium. They
50:58
both are command line programs and portablemc
51:00
installs and starts Minecraft, letting you
51:02
choose a specific version as well as
51:04
automatically installing Fabric, Forge, and other mod
51:06
loaders. Oh, okay. That part
51:08
is really nice. Ferium manages mods and
51:11
supports having multiple profiles too. You can
51:13
even upgrade all mods with one simple
51:15
command and it supports mods from
51:17
either Modrinth or CurseForge.
51:19
Yes. These are all the things you have to learn as a
51:21
dad that has. I
51:23
know. I'm glad one of us understands. Okay,
51:26
so those are all really great suggestions. Maybe we
51:28
can try to link some of
51:30
those. I will also give a
51:32
shout out to Prism Launcher, a custom
51:35
launcher for Minecraft allows you to easily manage multiple
51:37
installs and that kind of stuff. And I mentioned
51:39
it before on the show, but I'll
51:41
say it again this week, ATLauncher,
51:44
which is what my kids are using right now to manage
51:46
their mods on Linux. And this was
51:48
really those apps are really useful because they're
51:51
watching Windows YouTube creators who are doing all these different
51:53
mods and they want to do it on their Linux
51:55
box. And that makes it possible. Ryan
51:57
aka Lotsy comes in with 15,000. That's
52:00
fun. We'll now commence. So
52:03
you got me convinced to try
52:05
NixOS. Hey, I had an HP ProBook
52:07
that I wanted to dual boot
52:09
with the existing Windows installation. So I
52:11
loaded up the NixOS live image,
52:14
configured some disks, loaded up the Nix
52:16
config, and installed. Easy. Reboot,
52:19
and nothing, just
52:21
put it into the existing Windows install
52:23
with no option to select Nix.
52:27
Bugger, looks like more work to do.
52:31
Hopefully there's some, you know, I don't know, BIOS settings you
52:33
can tweak there and get stuff to show up. Might it be
52:35
doing, is it doing that fast
52:37
boot thing where you don't have time to interrupt it.
52:40
I don't know. Hey, I like that. You
52:42
got some theories though. You're helping them out, get them in the right direction. Good
52:45
luck, Quatsy. Good luck. No
52:47
wartime boosted in with a row of... well,
52:50
it's 33,333 sats from
52:52
Fountain. I feel like that's, that's a lucky
52:54
boost. You're doing a good job. First time
52:56
listener here. I love the shows and please
52:58
keep them coming. Well, thank
53:01
you for boosting. I always really appreciate that
53:03
first time boost. Absolutely. I
53:06
recognize that because it is a new system. There's
53:08
a lot of ways you can go about it
53:10
and there's weird little edge cases where things won't
53:12
work. That first boost is
53:14
always the hardest and it is
53:16
much simpler after that. Appreciate you taking that hike,
53:18
wartime. Welcome in to the club. 40 Ducks
53:20
comes in with 8,484...
53:23
Deuce? What? 40 Deuce comes in with 8,484 sats. I'm
53:25
going with it. It's
53:30
a hot boost. You
53:32
asked for it. You got it. Here's a link to my
53:34
daily driver Nix flake. Oh, we're gonna put this in the
53:36
show notes. Oh, this is so
53:38
great. It's built for Hyprland. Amazing.
53:41
Perfect. It also has Plasma
53:43
6. Wow, and
53:45
I recently added configs for River, Sway, and
53:47
Wayfire. I
53:49
aim to keep all these configs fairly simple
53:51
and close to vanilla and with
53:53
some basic QL, batteries included, quality
53:56
of life. Batteries included. He
53:58
links us to his GitHub. We've got the 40
54:00
Deuce file on there.
54:02
He says, I'm using this flake to manage
54:04
three hosts, so definitely read my notes
54:07
before you dive in. That's good to know.
54:09
That is good to know. He continues on.
54:13
Thanks for all your content and Nix coverage.
54:17
I bounced off Nix last February and I
54:19
came back to it around October. While I
54:21
have a ton to learn, since digging in,
54:23
I'm loving the journey. In my
54:25
day job, I'm a nurse, so I don't have a
54:27
ton of time for focused nerd projects. I've
54:29
often had to leave projects for weeks
54:32
or months when work is busy, which
54:34
makes progress tough. With Nix, I
54:36
finally feel like I'm able to build
54:39
forward since I always have the blueprints
54:41
and the building blocks. Game changer. I
54:45
completely agree. We've
54:49
said it before, it's self-documenting. You come back, you're like, oh,
54:51
that's right. That's how I solve that. It's
54:53
so great. I'm totally nodding as well. I
54:55
can really relate to this and what an
54:57
advantage. I
54:59
just like that we all have our own "how
55:02
I bounced off Nix" story. Yeah, we
55:04
do. How did I not see that
55:06
story? Ours is embarrassing because the audience
55:08
told us about it over and over.
55:10
We got it. We finally got the
55:12
message. Our buddy Gene Bean boosts
55:14
in with 5,294 sats across
55:18
four boosts. I think
55:20
these might be stream of listening boosts.
55:23
Here's an idea. Use the extras feed
55:25
for the live shows at conferences and
55:27
stuff like that. I think officially that
55:29
is a deciding boost. We are going to do that. If
55:31
we have live content from
55:35
Texas Linux Fest or Linux Fest Northwest, we will
55:37
record it locally and we will publish it in
55:39
the extras feed and then probably link it in
55:41
the show notes for the show. Here's
55:44
a row of ducks to say that
55:46
regarding NixCon at somewhere assigned SCaLE,
55:48
a few of us were trying to get them
55:50
to also come out to SELF. I've
55:53
never been to SELF. It would be a good excuse to
55:55
make it down there though. Gene also says
55:57
plus one more desktop preset flakes.
56:00
Keep that trend coming. Check the show notes. We got one in
56:02
there this week. A good one, which we should really check out.
56:05
And Gene's being real sweet saying, I totally
56:07
agree. Y'all are the Linux magazines of today.
56:09
No. Absolutely get from y'all
56:11
what I got from Linux Journal in ye old
56:13
golden printed
56:15
days. Ye old printed days. The days
56:17
of print. Yep. Thank
56:19
you, Gene. That's really sweet. Appreciate
56:22
that support. Galactic Starfish comes in with a
56:24
couple of Rosa ducks. Things
56:26
are looking up for old Mac Duck. And
56:29
they write, join the dark side, Brent. Use
56:31
auto-tilers. They also give a plus
56:34
one, another row of ducks for
56:36
a plus one to Prism Launcher,
56:39
which is a really solid launcher. Now True
56:41
Grits came in with a Spaceballs boost. One,
56:43
two, three, four, five. So
56:46
the combination is one, two,
56:48
three, four, five. That's the
56:50
stupidest combination I ever heard in my life.
56:52
I definitely would love to see those live
56:54
streams from SCaLE published. And the place I'd
56:56
like to see them is in
56:59
the extras feed. Also with
57:01
a Linux magazine comparison and sending out
57:03
discs or USBs, maybe we could see
57:05
the return of Jupiter OS maybe based
57:07
on Nix. There
57:09
could be several curated config options
57:11
such as gaming, coding, and podcasting
57:14
workstation. Any updates on getting
57:16
boosts working for the members feed, by the way?
57:18
I wonder how many people listening know
57:21
the story of Jupiter OS. I
57:23
actually ... Can you tell it, please? I
57:25
don't know. I'll tell
57:27
it next week if somebody can boost it and tell their
57:29
recollection of it, and then I'll tell my version of it.
57:32
I want to see before I give it if
57:34
anybody can remember Jupiter OS and its
57:37
history in relation to Jupiter broadcasting. I was
57:39
going to say, I think we're
57:41
probably unlikely to do it, but we could certainly
57:43
host a repo somewhere or if folks want to
57:46
make some of these. Maybe if there was
57:48
something out there that was really nice, we would
57:50
want to package it and ship it somehow.
57:52
Or what about a Flake desktop
57:55
repository? That's
57:57
Jupiter OS now. It's like you grab a Flake and you ...
58:00
A certain experience. I don't know what we should talk
58:02
more about it. I, as far as boosting on the
58:04
members feed, I have, I raised the issue with him.
58:07
As a quiver genocide. The problem is
58:10
that it's an unpublished feed and they're looking
58:12
up the value information, split information, from the
58:14
podcast index API and because it's
58:16
an unpublished private member feed, the
58:18
API returns nothing. And
58:21
So wow, really get that worked up. Into
58:23
some sorry for working on of butter. We.
58:26
Priest Patrick also sent in a
56:28
row of ducks boosting from Podcast Guru
58:30
on Android. Another great up a
58:32
great episode and dices that series.
58:34
Laptop looks pretty tempting. Sense.
58:37
Once comes in with. Ten thousand Sats,
58:40
That's supposed to say. Bloop.
58:43
Bloop. To use Am Squats. Thank you for
58:45
the support. Thank you for also being
58:47
a nice contributor in our Telegram group. Our
58:49
very own Otter Brain with ten thousand sats
58:51
boosted from some of our nine. Sure
58:55
is enjoying the SCaLE coverage quite
58:57
a bit. I'm currently giving my NixOS
58:59
install on a System76
59:01
laptop a good workout through writing
59:03
up a grant proposal with multiple
59:06
web apps open, LibreOffice, GIMP, and Inkscape
59:08
all going at the same time. Thank
59:10
you for that boost. And we got, I
59:12
just about, a live boost coming in. So I'll
59:14
wrap this up here. Otter
59:17
Brain, appreciate your support and thank you for
59:19
the kind words on the SCaLE coverage. And
59:21
good luck on the grant. Goose
59:23
Guy, you came in with a row of ducks. That
59:25
excites me. Cholla, Texas Linux Fest, no meetup
59:27
plans yet? Not yet, which is, can intuit live
59:29
as they say, and then. Ah,
59:31
Goose Guy, you also said I spent
59:34
the morning figuring out how to boost.
59:36
Congratulations. By the way, not, uh, not
59:38
necessarily the easiest is. ended
59:42
up getting fracking a movies and previous atlanta has
59:44
and point based a crack and wow and then
59:46
moving them over to Lightning to Fountain, ah, Hundred
59:49
Miles, having issues with Cash App on Graphene.
59:51
I'm not alone. Yeah. Oh, yeah, right. So other
59:53
people, right? And yet I use it regularly on
59:55
Graphene. What's the deal, what's the deal with that? Uh,
59:58
does anybody know? That's a weird... And we both
1:00:00
checked our settings like you've got the memory exploit
1:00:02
protection. I think you probably mess with that. Uh-huh
1:00:04
Yeah, we also got
1:00:07
flake latem came in with
1:00:09
3000 sats boosting in live from Wellington, New
1:00:11
Zealand. Scary story. Have a
1:00:13
great Sunday, team. Hello to New Zealand out
1:00:15
there. Thank you for boosting in, really
1:00:17
appreciate that. I know, New Zealand meetup. That's what
1:00:20
we got. We got to do it at some
1:00:22
point. We also got a, quote, overly complicated flake
1:00:24
that deploys to my Ubuntu machine and my personal
1:00:26
profile and my NixOS machine from Jc
1:00:30
Dickerson will include that in
1:00:32
the show notes as well. Thank you everybody who boosted in live. I
1:00:34
would just like to express the value to
1:00:37
the world of long weekends. It seems like,
1:00:39
you know, the research that went into this
1:00:41
vulnerability this weekend, but also just everything
1:00:44
we heard about people tinkering on projects they've been wanting to get
1:00:46
to. It's like this is a gift to the world. I
1:00:48
guess so. I mean usually we work
1:00:51
Easter Sunday. That's usually, always, I mean always has
1:00:53
been for us. But it definitely felt like a
1:00:55
lot of the rest of the tech industry was
1:00:57
working this weekend with us. We
1:01:00
were actually commenting on it before we started the show, before
1:01:02
we even got sat down. It's like it really feels like
1:01:04
everybody else was working this Sunday, too. Thank
1:01:07
you everybody who boosted in we had more than 23
1:01:09
boosters because we had those live boosters and we stacked
1:01:11
just a little bit more than two hundred and twenty
1:01:14
six thousand three hundred and 57
1:01:17
sats. Thank you everybody. It's
1:01:19
a fantastic amount. Can I just express
1:01:21
the... we got a very small boost that I
1:01:23
wanted to bring out. From
1:01:25
this guy named Noble Pain, hundred sats, says
1:01:27
be zip for life. Very
1:01:31
true, very good. Thank you everybody who boosts
1:01:33
into this production. It
1:01:35
really is something special we're doing here. I
1:01:37
feel like we have the combination
1:01:39
of the world's greatest community combined with some
1:01:41
of, hopefully, the greatest content yet to come
1:01:44
when we go to Linux Fest Northwest and
1:01:46
Texas Linux Fest. I feel like this year
1:01:48
is just going to be fantastic, and
1:01:50
the fact that we were able to cover SCaLE
1:01:52
completely supported by our members and that these productions,
1:01:54
even when we're down a sponsor, we
1:01:57
continue to get the support via boosts and membership. It means a
1:01:59
lot to us. And I, you
1:02:01
know, it also means that we're here reporting for
1:02:03
you. You are our biggest customer, and
1:02:05
that means we're always just here to make you as happy as
1:02:07
possible. Thank you, everybody. Special
1:02:10
pick this week, Brentley, special pick. I don't
1:02:13
know if it is a pick, but it's
1:02:15
a PSA, perhaps, today, as we record, just
1:02:17
so happens to be World
1:02:19
Backup Day. So a little reminder
1:02:21
that maybe this weekend is a
1:02:24
good time to, I
1:02:26
don't know, do some backups. So I wrote down
1:02:28
some ideas here since I
1:02:31
think we're tech literates, and we have
1:02:33
maybe basic backups figured out. But a few
1:02:35
stats listed on World Backup Day's website, which
1:02:37
you can check out, 21% of people have
1:02:41
never, ever, not even once made a backup.
1:02:43
Wes, is that you? No.
1:02:47
Apparently 113 phones are lost and
1:02:49
stolen every minute. Whoa, every minute?
1:02:51
Could be yours. 29%
1:02:54
of data loss is caused by accidents.
1:02:57
I was going to push those changes when I
1:02:59
got home, but the delete button was just right
1:03:01
there. Mm-hmm, mm-hmm. I thought that
1:03:04
was a different drive. I thought I was
1:03:06
formatting my test drive. It's
1:03:08
a feature of dd. Also, I think it's
1:03:10
worth pointing out, too, a lot of us store data in the
1:03:13
cloud now. Just because it's in
1:03:15
the cloud, that doesn't mean it's a backup. That's your one copy. So
1:03:17
I tried to come up with some
1:03:19
ideas on how those of us who maybe have
1:03:21
backups can already do
1:03:23
something a little different on a day like today that might
1:03:27
help the world or yourself. So, number
1:03:29
one, help someone else. Like,
1:03:31
help that 21% who doesn't even know what
1:03:33
backups are. Maybe that's a family
1:03:35
member, a friend, or something like that. But
1:03:38
also, and I've run into this, if you set
1:03:40
up a backup system for someone previously, go
1:03:43
check up on it. Maybe it's broken. Maybe
1:03:45
it's not doing what you intended to. My father,
1:03:48
he came to visit last month, and I was
1:03:51
like, oh, yeah, how are your backups going? He's
1:03:53
like, I don't know. It's been having this error message for
1:03:55
the last three months. So
1:03:57
I think it's okay. I was like, jeez. So
1:04:00
some of these things break and you know it's good
1:04:02
to check up on them from time to time. I
1:04:05
think another good idea is verify. You know
1:04:08
you can't just do backups. You should verify
1:04:10
them. Depends you know how you want to do that
1:04:12
but at least go check a file or something like that. Also
1:04:15
maybe you've stood up some recent services that you
1:04:17
didn't include in your backup solution because you were
1:04:19
just playing around. It's going to be temporary. Chris,
1:04:21
you got any of those? I bet you probably...
1:04:24
It's funny you say that. I just,
1:04:27
Thursday realized, oh
1:04:30
I'm not backing up any of my
1:04:32
audiobooks. Remember when we did audiobook sales?
1:04:34
I didn't actually start backing up
1:04:36
that directory. No, I didn't lose anything but it
1:04:38
was a preemptive move but you're right, Brandon. It's
1:04:40
like, I was playing around for the show. It
1:04:43
stuck. I never thought to go
1:04:45
back and incorporate it. So it's a
1:04:47
good reminder. Well and if you're a small number
1:04:49
of those keeners who already did everything on our
1:04:51
list so far, I think you could even think
1:04:54
about just upgrading your backup strategy. Maybe you get
1:04:56
off of Google Photos if that's important to you
1:04:58
or upgrade some of your local
1:05:00
storage for instance. And like
1:05:02
Chris said, just backup some of that
1:05:04
stuff that you keep not on your computer.
1:05:07
And that might even just be like, maybe you
1:05:09
ran an S3 bucket and you threw some very temporary
1:05:11
project files in there and you kind of forgot about
1:05:13
it. Or maybe your website?
1:05:16
I don't know. Maybe that's worth backing up. So
1:05:18
just anything you take for granted on an everyday
1:05:20
basis, today's a good day to think about that.
1:05:23
Good reminder. We have done some backup episodes
1:05:25
but it's, I think, something we should just touch
1:05:27
on from time to time. I
1:05:29
know I need to do more backup of some of our
1:05:31
studio stuff. Like I
1:05:33
don't think I have anything like of the studio
1:05:35
configs really backed up anymore because it's all sort
1:05:37
of changed semi-recently. There's
1:05:40
a fun episode we did semi-recently. Linux unplugged
1:05:42
494 which has one of my
1:05:44
favorite titles, updating your fiddly
1:05:46
bits. And there's a little session
1:05:49
about doing backups and backup upgrades right at the
1:05:51
start of the episode. Bits
1:05:53
are getting fiddly again. Yep. Yeah, it's very true.
1:05:57
Well, okay. It's
1:05:59
really feasting. We're just at the very
1:06:01
beginning of this entire xz, I don't want
1:06:03
to call it drama, but story. We'll
1:06:06
keep an eye on it. I don't really know what more
1:06:08
is going to develop between now and next week, but
1:06:10
I have a sense we'll learn more. Yeah, I know there's
1:06:13
what we've seen that the same developer had made contributions
1:06:15
to libarchive. Maybe there's other things in the works
1:06:17
out there. Yeah, I...
1:06:19
Or parallel operators. And will
1:06:21
Microsoft, you know, on Tuesday or Wednesday maybe start sharing
1:06:23
a little bit more information? We can
1:06:25
learn more then. I'm going to be really curious
1:06:27
to see like some postmortems
1:06:29
from this situation, but from a variety
1:06:31
of perspectives, because this touches on...
1:06:35
well, it touches a lot of people from
1:06:37
project maintainers everywhere to like distribution. So it'll
1:06:39
be interesting to see some
1:06:42
lessons learned communicated from this that
1:06:44
we can apply in the future. Yeah. Will we see
1:06:46
any companies actually step
1:06:48
up and provide some sort
1:06:50
of support to these developers? We often
1:06:53
see that conversation flare up and
1:06:55
some noise is made for a little bit and then
1:06:57
it just dies. Even the US government gets
1:07:00
involved sometimes. It feels like SUSE
1:07:02
and Red Hat, I'd love to
1:07:04
hear something from them on kind of what they, how they
1:07:06
feel like a way to address this is because
1:07:09
they could have been massively impacted by
1:07:11
this. They got really lucky. And
1:07:14
you'd hate to see it take something
1:07:16
like this vulnerability gets widely deployed on
1:07:18
AWS before anybody gives a crap. But
1:07:21
that just might be what it takes unless we
1:07:23
just address it now. We're
1:07:25
going to have to start patching the rolling releases
1:07:27
without telling the LTS? That doesn't feel right. What
1:07:30
if we hadn't discovered this? Like it's being called
1:07:32
a back door. What
1:07:36
could have happened I guess is maybe the scary
1:07:38
place to go to, but important to think about.
1:07:40
That is a good question. What if
1:07:42
we hadn't discovered it? What
1:07:45
if Andres hadn't
1:07:47
decided, oh, I'm going to track down and figure
1:07:49
out why SSH is using a little bit more memory than
1:07:51
it should? What if we hadn't
1:07:54
been so lucky? That's a great question. Maybe
1:07:57
one that we'll chew on for the
1:07:59
week. Thank you everybody for tuning in.
1:08:01
Hope you enjoyed the episode. Hope it
1:08:03
was informational. We'll have lots of links
1:08:05
and resources over at linuxunplugged.com/556. Lots
1:08:08
of stuff to go read over there for you. Curious
1:08:10
including diagrams of how the vulnerability works
1:08:13
and everything like that. Now we may be
1:08:15
doing a double next week. We don't really have anything nailed
1:08:18
down, but the live stream. It's going to be kind of
1:08:20
well. A change in
1:08:22
when we go on on on our trip to Texas
1:08:24
Linux fest so. I guess that's
1:08:26
my way of saying we've got one more on the books
1:08:28
for sure and we really like to have you join us
1:08:30
next Sunday at 12 PM
1:08:32
Pacific and 3 PM Eastern.
1:08:35
See you next week. Same bad
1:08:37
time same bad station. And
1:08:39
don't forget we'd love to know the
1:08:42
first 5 things you set
1:08:44
up on a new Linux install and also
1:08:47
send in how you do
1:08:49
a totally hidden Linux OS. What
1:08:52
software? How would you compose it? How would
1:08:54
you hide it? A totally hidden Linux OS
1:08:57
and the first 5 things you set up
1:08:59
on a new Linux install? Linking to a
1:09:01
Nix repository can count as an answer. Let
1:09:05
us know and then go get those notes.
1:09:08
Check back in next week. Thank
1:09:10
you so much for tuning this week's episode
1:09:13
of the Linux Unplugged program and
1:09:15
we'll see you right back here next Tuesday as
1:09:17
in.