["Followup-To:" header set to alt.os.linux.]
Larry Wolff <larrywolff@larrywolff.net> wrote at 09:05 this Monday (GMT):
> On 3/31/2024 2:11 PM, Lew Pitcher wrote:
[snip]
> Vegard Nossum wrote a script to detect if it's likely that the ssh binary
> on a
> system is vulnerable, attached here. Thanks!
>
>
> Greetings,
>
> Andres Freund
>
> View attachment "injected.txt" of type "text/plain" (8236 bytes)
>
> Download attachment "liblzma_la-crc64-fast.o.gz" of type "application/gzip"
> (36487 bytes)
>
> Download attachment "detect.sh" of type "application/x-sh" (426 bytes)
> Powered by blists - more mailing lists
>
> Please check out the Open Source Software Security Wiki, which is
> counterpart to this mailing list.
>
> Confused about mailing lists and their use? Read about mailing lists on
> Wikipedia and check out these guidelines on proper formatting of your

Hi, the server I am using strips binaries. Would it be possible to
provide a link?
--
user <candycane> is generated from /dev/urandom

Chris <ithinkiam@gmail.com> wrote:
> On 31/03/2024 19:17, Newyana2 wrote:
[...]

[About Apple:]

> > quickly dropping
> > support for older products.
>
> Which from a security standpoint works very well. Apple long ago stopped
> selling OS updates - which Microsoft still kinda does - as it made sense
> to have as many users as possible on the latest and most up-to-date OS
> version.

Maybe you can still buy some Microsoft Windows upgrades for some niche
corner cases, but effectively all Windows upgrades have been free, ever
since Windows 7 (2009!), till today (Windows 11).

Of course you can still buy full licenses, for systems which come
without one, but those are not upgrades.

> Charging for updates means users won't update in a timely manner and
> that leaves MS with the headache of having to support multiple versions
> concurrently which is expensive and inefficient.

Aside from Microsoft not charging for upgrades or updates, Wikipedia
tells me that Apple also still supports three versions of macOS (12, 13
and 14), with - I'm sure - their subversions, while Microsoft supports
two Windows versions (10 and 11), with - to some extent - their
subversions. So I don't think Apple and Microsoft are all that
different in this respect. (Only the number of years spanning those
versions is much shorter for Apple than for Microsoft (less than 3
versus nearly 9).)

<https://en.wikipedia.org/wiki/MacOS_version_history#Releases>

[...]

candycanearter07 <candycanearter07@candycanearter07.nomail.afraid> wrote:
> ["Followup-To:" header set to alt.os.linux.]

Ignored, because this is about Windows. (Not to mention that
'Followup-To:' is nearly always inappropriate.)

> Frank Slootweg <this@ddress.is.invalid> wrote at 18:57 this Sunday (GMT):
> > Newyana2 <Newyana2@invalid.nospam> wrote:
> > [...]
> >
> >> But Microsoft and
> >> Linux are now both guilty of seat-of-the-pants updating. If it
> >> isn't stopped, Windows will show a message at boot every few
> >> days: "Please wait. Installing updates."
> >
> > With "every few days" actually being *a month* and you only get a
> > "Please wait." message if you're stupid enough not to set your 'Active
> > hours'.
> >
> > And "at boot every few days"!? My system is up from one monthly update
> > cycle to the next, no silly business with booting in between.
> >
> > [...]
>
> I think I've heard of Windows ignoring that sometimes.

I think you've heard wrong. Never happened to me (for two systems,
Windows 10 and 11) and I can't think of a scenario where it (your set
'Active hours') could be ignored.

You also can set Windows Update to pause for 1, 2, 3, 4 or 5 weeks and
you can reset that pause before it runs out, so you can pause
indefinitely.

Frank Slootweg <this@ddress.is.invalid> wrote at 15:48 this Monday (GMT):
> candycanearter07 <candycanearter07@candycanearter07.nomail.afraid> wrote:
>> ["Followup-To:" header set to alt.os.linux.]
>
> Ignored, because this is about Windows. (Not to mention that
> 'Followup-To:' is nearly always inappropriate.)

I've been told the opposite..

>> Frank Slootweg <this@ddress.is.invalid> wrote at 18:57 this Sunday (GMT):
>> > Newyana2 <Newyana2@invalid.nospam> wrote:
>> > [...]
>> >
>> >> But Microsoft and
>> >> Linux are now both guilty of seat-of-the-pants updating. If it
>> >> isn't stopped, Windows will show a message at boot every few
>> >> days: "Please wait. Installing updates."
>> >
>> > With "every few days" actually being *a month* and you only get a
>> > "Please wait." message if you're stupid enough not to set your 'Active
>> > hours'.
>> >
>> > And "at boot every few days"!? My system is up from one monthly update
>> > cycle to the next, no silly business with booting in between.
>> >
>> > [...]
>>
>> I think I've heard of Windows ignoring that sometimes.
>
> I think you've heard wrong. Never happened to me (for two systems,
> Windows 10 and 11) and I can't think of a scenario where it (your set
> 'Active hours') could be ignored.
>
> You also can set Windows Update to pause for 1, 2, 3, 4 or 5 weeks and
> you can reset that pause before it runs out, so you can pause
> indefinitely.

Oh.
--
user <candycane> is generated from /dev/urandom

On Mon, 1 Apr 2024 15:20:35 +0200, Carlos E.R. wrote:

>>> Bad actor probably paid by some country or mafia with money and resources.
>>>
>>> https://lcamtuf.substack.com/p/technologist-vs-spy-the-xz-backdoor
>>
>> Very sophisticated. Their grand scheme was:
>>
>> 1) sneakily backdoor the release tarballs, but not the source code
>
> Wrong. The source code of xz was compromised.

Read that reference again, and read the other references.
https://lcamtuf.substack.com/p/technologist-vs-spy-the-xz-backdoor

It was sneaky. Very sneaky.
It wasn't in the source code.

It was in the packaging/testing code.
https://doublepulsar.com/inside-the-failed-attempt-to-backdoor-ssh-globally-that-got-caught-by-chance-bbfe628fafdd
"The upstream xz repository and the xz tarballs have been backdoored."

On 01/04/2024 16:19, Frank Slootweg wrote:
> Chris <ithinkiam@gmail.com> wrote:
>> On 31/03/2024 19:17, Newyana2 wrote:
> [...]
>
> [About Apple:]
>
>>> quickly dropping
>>> support for older products.
>>
>> Which from a security standpoint works very well. Apple long ago stopped
>> selling OS updates - which Microsoft still kinda does - as it made sense
>> to have as many users as possible on the latest and most up-to-date OS
>> version.
>
> Maybe you can still buy some Microsoft Windows upgrades for some niche
> corner cases, but effectively all Windows upgrades have been free, ever
> since Windows 7 (2009!), till today (Windows 11).

I thought the upgrade to 10 from 7/8 was only free for a while? It also
certainly wasn't "transparent" upgrade.

> Of course you can still buy full licenses, for systems which come
> without one, but those are not upgrades.

Although, anyone can use Win10 for free as long as they ignore the
subtle 'nag' from MS. No idea why they still charge so much for Windows.
Maybe it's so they can justify the costs to OEMs?

>> Charging for updates means users won't update in a timely manner and
>> that leaves MS with the headache of having to support multiple versions
>> concurrently which is expensive and inefficient.
>
> Aside from Microsoft not charging for upgrades or updates, Wikipedia
> tells me that Apple also still supports three versions of macOS (12, 13
> and 14),

12 & 13 are only supported with security updates.

> with - I'm sure - their subversions,

There is only ever one fully supported version of macOS: the most recent
feature version.

There's no equivalent to the Win10/11 21Hn or 22Hn or whatever they
are/were called.

> while Microsoft supports
> two Windows versions (10 and 11), with - to some extent - their
> subversions. So I don't think Apple and Microsoft are all that
> different in this respect. (Only the number of years spanning those
> versions is much shorter for Apple than for Microsoft (less than 3
> versus nearly 9).)

The macOS versions are much more similar to each other than Windows
10/11 and like I said above the level of support for 12 & 13 is low.

I'd also argue that Windows has five versions - although two have
recently gone EOL - Win10 21H2, 22H2, Win11 21H2, 22H2, 23H2. Then there
are the enterprise versions.

I think the biggest difference is that macOS users quickly transition to
the latest version as it's released:
https://www.statista.com/statistics/944559/worldwide-macos-version-market-share/[1]

Whereas windows users like to stick with what they know and Win10 is
still the dominant version with >60% with a mishmash of subversions.

[1] this has highlighted a funny quirk that so many websites can't parse
a macOS user agent version that starts with anything other than 10.x
that ever since the relase of macOS 11 all Macs are reporting the same
UA which is frozen at 10.15.
https://bugzilla.mozilla.org/show_bug.cgi?id=1679929

candycanearter07 <candycanearter07@candycanearter07.nomail.afraid> wrote:
> Frank Slootweg <this@ddress.is.invalid> wrote at 15:48 this Monday (GMT):
> > candycanearter07 <candycanearter07@candycanearter07.nomail.afraid> wrote:
> >> ["Followup-To:" header set to alt.os.linux.]
> >
> > Ignored, because this is about Windows. (Not to mention that
> > 'Followup-To:' is nearly always inappropriate.)
>
> I've been told the opposite..

That's another wrong thing you've been told! :-)

I won't go in all the situations where it's wrong, but will just take
this example.

If I had honoured your 'Followup-To:', I would not see any responses,
i.e. also not any responses to *my own* response (which is, as I said,
about Windows, *not* Linux), because I'm not subscribed to alt.os.linux.

So you were effectively forcing me - *and* any other user who is not
subscribed to alt.os.linux - to subscribe, just because you think it's
the good thing to do.

I hope you realize how inconsiderate and rude that is.

Also a 'Followup-To: alt.comp.os.windows-10' would have been
inappropriate, because you cut off any subscribers of alt.os.linux, who
might be interested in further responses.

Bottom line: Do *not* use 'Followup-To:'.

[...]

Chris <ithinkiam@gmail.com> wrote:
> On 01/04/2024 16:19, Frank Slootweg wrote:
> > Chris <ithinkiam@gmail.com> wrote:
> >> On 31/03/2024 19:17, Newyana2 wrote:
> > [...]
> >
> > [About Apple:]
> >
> >>> quickly dropping
> >>> support for older products.
> >>
> >> Which from a security standpoint works very well. Apple long ago stopped
> >> selling OS updates - which Microsoft still kinda does - as it made sense
> >> to have as many users as possible on the latest and most up-to-date OS
> >> version.
> >
> > Maybe you can still buy some Microsoft Windows upgrades for some niche
> > corner cases, but effectively all Windows upgrades have been free, ever
> > since Windows 7 (2009!), till today (Windows 11).
>
> I thought the upgrade to 10 from 7/8 was only free for a while? It also
> certainly wasn't "transparent" upgrade.

Yes, Microsoft has been sending mixed messages about this and there
may have been gaps when the previous free period was over and the next
free period was not yet there. After all, one can't use Microsoft and
consistent in one sentence, can one!? :-) Anyway, my wife's 8.1 to 10
upgrade was done in March 2023, nearly 8 years after release of 10, and
was free.

> > Of course you can still buy full licenses, for systems which come
> > without one, but those are not upgrades.
>
> Although, anyone can use Win10 for free as long as they ignore the
> subtle 'nag' from MS. No idea why they still charge so much for Windows.
> Maybe it's so they can justify the costs to OEMs?

I only bought Windows 1.0 (the 386 version), never since.

[Details on difference between macOS and Windows update/support cycles.
Thanks!!]

> I think the biggest difference is that macOS users quickly transition to
> the latest version as it's released:
> https://www.statista.com/statistics/944559/worldwide-macos-version-market-share/[1]
>
> Whereas windows users like to stick with what they know and Win10 is
> still the dominant version with >60% with a mishmash of subversions.
>
> [1] this has highlighted a funny quirk that so many websites can't parse
> a macOS user agent version that starts with anything other than 10.x
> that ever since the relase of macOS 11 all Macs are reporting the same
> UA which is frozen at 10.15.
> https://bugzilla.mozilla.org/show_bug.cgi?id=1679929

Well, you'll see that my 'User-Agent:' header also says "NT-10.0-WOW",
while I'm running Windows 11. That's because the kernel is mostly
unchanged and reports "10.0....". I don't know what webbrowsers (can)
see.

badsector writes:
> when did Gates first call Linux a 'cancer'

That was Ballmer. He was evidently terrified of Linux.
--
John Hasler
john@sugarbit.com
Dancing Horse Hill
Elmwood, WI USA

"Carlos E.R." <robin_listas@es.invalid> writes:

> Software is never done.

It is, when the support ends.

--
Jukka Lahtinen

"J.O. Aho" <user@example.net> wrote

| There is less risk of using the compromised xz tarball than using your
| current ms-windows

You're getting more glib and adversarial with each post.
The risks with Windows depend on a lot of things. As does
the risk with anything. Computers are not hacked by pixies.
They're hacked by people exploiting network communication
methods that are inherently unsafe.

If you don't want to deal with that directly then the best
you can do is to allow the dripfeed updates, run anti-virus,
minimize valuable data that you allow on your computer,
like credit card numbers, and hope that some update doesn't
break your system. If you're actually going to deal with
security it's more complicated.

On 4/1/24 14:47, John Hasler wrote:
> badsector writes:
>> when did Gates first call Linux a 'cancer'
>
> That was Ballmer. He was evidently terrified of Linux.

I stand corrected, would not want to accuse Billy falsely but I think I
will hold his nomination for sainthood :-)

Frank Slootweg <this@ddress.is.invalid> wrote:
> Chris <ithinkiam@gmail.com> wrote:
>> On 01/04/2024 16:19, Frank Slootweg wrote:
>>> Chris <ithinkiam@gmail.com> wrote:
>>>> On 31/03/2024 19:17, Newyana2 wrote:
>>> [...]
>>>
>>> [About Apple:]
>>>
>>>>> quickly dropping
>>>>> support for older products.
>>>>
>>>> Which from a security standpoint works very well. Apple long ago stopped
>>>> selling OS updates - which Microsoft still kinda does - as it made sense
>>>> to have as many users as possible on the latest and most up-to-date OS
>>>> version.
>>>
>>> Maybe you can still buy some Microsoft Windows upgrades for some niche
>>> corner cases, but effectively all Windows upgrades have been free, ever
>>> since Windows 7 (2009!), till today (Windows 11).
>>
>> I thought the upgrade to 10 from 7/8 was only free for a while? It also
>> certainly wasn't "transparent" upgrade.
>
> Yes, Microsoft has been sending mixed messages about this and there
> may have been gaps when the previous free period was over and the next
> free period was not yet there. After all, one can't use Microsoft and
> consistent in one sentence, can one!? :-) Anyway, my wife's 8.1 to 10
> upgrade was done in March 2023, nearly 8 years after release of 10, and
> was free.

Interesting. That's not the message I've seen over recent years.

>>> Of course you can still buy full licenses, for systems which come
>>> without one, but those are not upgrades.
>>
>> Although, anyone can use Win10 for free as long as they ignore the
>> subtle 'nag' from MS. No idea why they still charge so much for Windows.
>> Maybe it's so they can justify the costs to OEMs?
>
> I only bought Windows 1.0 (the 386 version), never since.

I've used Windows off and on since 3.1 which came with my first PC, but
only ever bought Win10. I used a pirate version of win98 for a long time
and then linux until I made a gaming rig.

I think my next home computer will be a mac. I'll consider this when win10
goes out of support next year.

On 4/1/2024 10:40 AM, candycanearter07 wrote:
> ["Followup-To:" header set to alt.os.linux.]
> Larry Wolff <larrywolff@larrywolff.net> wrote at 09:05 this Monday (GMT):
>> On 3/31/2024 2:11 PM, Lew Pitcher wrote:
> [snip]
>> Vegard Nossum wrote a script to detect if it's likely that the ssh binary
>> on a
>> system is vulnerable, attached here. Thanks!
>>
>>
>> Greetings,
>>
>> Andres Freund
>>
>> View attachment "injected.txt" of type "text/plain" (8236 bytes)
>>
>> Download attachment "liblzma_la-crc64-fast.o.gz" of type "application/gzip"
>> (36487 bytes)
>>
>> Download attachment "detect.sh" of type "application/x-sh" (426 bytes)
>> Powered by blists - more mailing lists
>>
>> Please check out the Open Source Software Security Wiki, which is
>> counterpart to this mailing list.
>>
>> Confused about mailing lists and their use? Read about mailing lists on
>> Wikipedia and check out these guidelines on proper formatting of your
>
>
> Hi, the server I am using strips binaries. Would it be possible to
> provide a link?
>

Maybe the confusing stuff you were reading, was referring
to attachments on a page like this ?

https://seclists.org/oss-sec/2024/q1/301

For example, check out the attachments at the bottom of this message.

https://seclists.org/oss-sec/2024/q1/268

Paul

On 01/04/2024 22.39, Newyana2 wrote:
> "J.O. Aho" <user@example.net> wrote
>
> | There is less risk of using the compromised xz tarball than using your
> | current ms-windows
>
> You're getting more glib and adversarial with each post.
> The risks with Windows depend on a lot of things. As does
> the risk with anything. Computers are not hacked by pixies.

Then I guess you missed the windows metafile image code execution
(MICE), so you could say you get hacked by a pixel, no matter if it's
your mail client, your browser of a image you got from a friend on an
usb stick that you take a look in windows picture.

> They're hacked by people exploiting network communication
> methods that are inherently unsafe.

You know your browser and your mail client are your weakest points, no
matter if the communication is encrypted or not.

> If you don't want to deal with that directly then the best
> you can do is to allow the dripfeed updates, run anti-virus,
> minimize valuable data that you allow on your computer,
> like credit card numbers, and hope that some update doesn't
> break your system.

I understand that you are reluctant to update for you are afraid that
things will break, that caused by the bad QA checking done by a specific
company, but instead of using something better you keep on hanging
around with a old install that hasn't been updated as it's EOL, harming
the rest of us with your vulnerabilities. Have you fixed CVE-2008-5424
and CVE-2010-3147 yet?

> If you're actually going to deal with
> security it's more complicated.

Yes, it is complicated and you need to be able to analyze the source
code of all programs you run, even the BIOS and OS, if you running a
somewhat modern CPU you would need the access to the source code of the
minix that is running on the CPU. Don't forget the same thing applies to
your other devices like firewall. Don't forget that you should compile
everything from the source you have analyzed and deemed as safe, each
time there is a security patch you should analyze it and decide if
applying it to your code and then recompile the application and all that
depends on it in a static manner.

It's a quite a lot of work and not all have the skill to do so and then
there is the problem that you don't have access to all the source code,
so you have to trust on others judgment and as they also are humans,
they too can make mistakes and that's why all code has bugs.

--
//Aho

On 2024-04-01 20:36, Frank Slootweg wrote:
>> Although, anyone can use Win10 for free as long as they ignore the
>> subtle 'nag' from MS. No idea why they still charge so much for Windows.
>> Maybe it's so they can justify the costs to OEMs?
> I only bought Windows 1.0 (the 386 version), never since.

I have bought Windows 10 and 11.

When I buy laptops for me or for other people, there is an item in the
invoice that says "Windows". You can refuse, and that money is discounted.

--
Cheers, Carlos.

On 2024-04-01 20:06, Frank Slootweg wrote:
> candycanearter07 <candycanearter07@candycanearter07.nomail.afraid> wrote:
>> Frank Slootweg <this@ddress.is.invalid> wrote at 15:48 this Monday (GMT):
>>> candycanearter07 <candycanearter07@candycanearter07.nomail.afraid> wrote:
>>>> ["Followup-To:" header set to alt.os.linux.]
>>>
>>> Ignored, because this is about Windows. (Not to mention that
>>> 'Followup-To:' is nearly always inappropriate.)
>>
>> I've been told the opposite..
>
> That's another wrong thing you've been told! :-)
>
> I won't go in all the situations where it's wrong, but will just take
> this example.
>
> If I had honoured your 'Followup-To:', I would not see any responses,
> i.e. also not any responses to *my own* response (which is, as I said,
> about Windows, *not* Linux), because I'm not subscribed to alt.os.linux.
>
> So you were effectively forcing me - *and* any other user who is not
> subscribed to alt.os.linux - to subscribe, just because you think it's
> the good thing to do.
>
> I hope you realize how inconsiderate and rude that is.
>
> Also a 'Followup-To: alt.comp.os.windows-10' would have been
> inappropriate, because you cut off any subscribers of alt.os.linux, who
> might be interested in further responses.
>
> Bottom line: Do *not* use 'Followup-To:'.
>
> [...]

Absolutely.

--
Cheers, Carlos.

Paul <nospam@needed.invalid> wrote at 07:56 this Tuesday (GMT):
> On 4/1/2024 10:40 AM, candycanearter07 wrote:
>> ["Followup-To:" header set to alt.os.linux.]
>> Larry Wolff <larrywolff@larrywolff.net> wrote at 09:05 this Monday (GMT):
>>> On 3/31/2024 2:11 PM, Lew Pitcher wrote:
>> [snip]
>>> Vegard Nossum wrote a script to detect if it's likely that the ssh binary
>>> on a
>>> system is vulnerable, attached here. Thanks!
>>>
>>>
>>> Greetings,
>>>
>>> Andres Freund
>>>
>>> View attachment "injected.txt" of type "text/plain" (8236 bytes)
>>>
>>> Download attachment "liblzma_la-crc64-fast.o.gz" of type "application/gzip"
>>> (36487 bytes)
>>>
>>> Download attachment "detect.sh" of type "application/x-sh" (426 bytes)
>>> Powered by blists - more mailing lists
>>>
>>> Please check out the Open Source Software Security Wiki, which is
>>> counterpart to this mailing list.
>>>
>>> Confused about mailing lists and their use? Read about mailing lists on
>>> Wikipedia and check out these guidelines on proper formatting of your
>>
>>
>> Hi, the server I am using strips binaries. Would it be possible to
>> provide a link?
>>
>
> Maybe the confusing stuff you were reading, was referring
> to attachments on a page like this ?
>
> https://seclists.org/oss-sec/2024/q1/301
>
> For example, check out the attachments at the bottom of this message.
>
> https://seclists.org/oss-sec/2024/q1/268
>
> Paul

Hi, I'm reading this from an NNTP server. Thanks for the link, though!
--
user <candycane> is generated from /dev/urandom

On 4/2/2024 2:57 AM, Chris wrote:

> I've used Windows off and on since 3.1 which came with my first PC, but
> only ever bought Win10. I used a pirate version of win98 for a long time
> and then linux until I made a gaming rig.
>
> I think my next home computer will be a mac. I'll consider this when win10
> goes out of support next year.

How horrible :-) Sorry for your loss.

I have three Macs in the computer room.
But, I got off the treadmill, I went cold and sober.

And here I am today :-)

I can't go into an Apple Bar, for fear of falling off the wagon.

The Apple computers are important. Other computers
are piled on top of them, and they make "great bases"
for computer stacks :-)

Now, what I want, is a computer with a single 40Gbit/sec connector,
when I'm trying to connect... a keyboard. That's my idea of convenience.

Paul

On 4/1/2024 4:39 PM, Newyana2 wrote:
> "J.O. Aho" <user@example.net> wrote
>
> | There is less risk of using the compromised xz tarball than using your
> | current ms-windows
>
> You're getting more glib and adversarial with each post.
> The risks with Windows depend on a lot of things. As does
> the risk with anything. Computers are not hacked by pixies.
> They're hacked by people exploiting network communication
> methods that are inherently unsafe.
>
> If you don't want to deal with that directly then the best
> you can do is to allow the dripfeed updates, run anti-virus,
> minimize valuable data that you allow on your computer,
> like credit card numbers, and hope that some update doesn't
> break your system. If you're actually going to deal with
> security it's more complicated.
>
>

Both ecosystems have had supply chain attacks. There
was also an attack carried out by a local university, for
which Linus assigned a "permaban" on their kernel submissions.
That was an attack on kernel.org . Whereas the XZ one is
a more general Linux one, a test of how well the system
responds to shenanigans.

Windows 11 shows an "Extract from" if I highlight an XZ file.
It would appear the Insider development, is already in
the Release stream. All my instances of XZ are .tar.xz .

https://www.makeuseof.com/enable-archive-support-windows-11/

TXZ <=== hmmm
RAR
7Z <=== likely single-threaded extract, when 7z.exe does multi-core extract
TAR
TAR.GZ
TAR.BZ2
TAR.ZS <=== ZSTD support ? ( .zst )
TAR.XZ <=== hmmm
TGZ
TBZ2
TZST

In the past there was ZIPfldr.dll and CABExtract.dll and
you could unregsrv them to prevent them from operating.

I open most archive formats with 7ZIP, so Extract is not
something I would normally do.

Due to the JPG and TIF library issues long ago, both
Microsoft and Apple are supposed to carry out source code
reviews on "foreign" libraries. And they would have an
opportunity to raise an alarm, as the developer in the
news did. That's if they were actually reading the
above example source.

On Win11, the file might be "archiveint.dll" that supports the new archives.
Properties Text string "Windows internal libarchive library". 1.35MB
Date 1/9/2024.

Paul

Paul <nospam@needed.invalid> wrote:
> On 4/2/2024 2:57 AM, Chris wrote:
>
>> I've used Windows off and on since 3.1 which came with my first PC, but
>> only ever bought Win10. I used a pirate version of win98 for a long time
>> and then linux until I made a gaming rig.
>>
>> I think my next home computer will be a mac. I'll consider this when win10
>> goes out of support next year.
>
> How horrible :-) Sorry for your loss.

I use a mac for work and have done for over a decade. I just don't find
windows to be a pleasant experience.

> I have three Macs in the computer room.
> But, I got off the treadmill, I went cold and sober.
>
> And here I am today :-)
>
> I can't go into an Apple Bar, for fear of falling off the wagon.
>
> The Apple computers are important. Other computers
> are piled on top of them, and they make "great bases"
> for computer stacks :-)
>
> Now, what I want, is a computer with a single 40Gbit/sec connector,
> when I'm trying to connect... a keyboard. That's my idea of convenience.
>
> Paul
>

"Paul" <nospam@needed.invalid> wrote

| Both ecosystems have had supply chain attacks. There
| was also an attack carried out by a local university, for
| which Linus assigned a "permaban" on their kernel submissions.
| That was an attack on kernel.org . Whereas the XZ one is
| a more general Linux one, a test of how well the system
| responds to shenanigans.
| | Windows 11 shows an "Extract from" if I highlight an XZ file.
| It would appear the Insider development, is already in
| the Release stream. All my instances of XZ are .tar.xz .
|

You have XZ files on Windows?

...To my mind this is all a classic
case of placing the blame in the wrong place. Clearly it's a
problem is someone comes up with a hack of remote access
software. But the real problem is that software itself. Something
like SSH shouldn't be in use. Remote Desktop shouldn't be
in use. People just can't even imagine using a computer safely.
We want all the convenience and none of the risk. That's not
going to happen. So instead of opting for sensible security people
throw caution to the wind and then they're shocked to learn
that a hack has happened. Hacks are happening almost daily.
They're professional and borderline-military now. Yet people
shop and bank online, call home to check their security camera,
let Amazon store their credit card number... all while having
remote access enabled and not restricting javascript.

Some years ago my starving artist brother called me. He was
in a panic, explaining the "Microsoft" had called him to warn that
there could be repercussions because my brother had not paid his
Windows bill for several years. He didn't know that he was
supposed to. Had the bill been lost in the mail? Was Microsoft going
to sue him? The caller walked him through enabling remote access
and had him download a file. Then he took over the Desktop to
show my brother what they could do if he didn't pay. He was
horrified. They'd got him to download a remote desktop program,
but he didn't understand that. Luckily they were only using it
to scare him. My brother got through it unscathed for one reason
alone: He was flat broke and had never had a credit card, so he
couldn't pay. :)

On 03/04/2024 14.41, Newyana2 wrote:
> "Paul" <nospam@needed.invalid> wrote
>
> | Both ecosystems have had supply chain attacks. There | was also an
> attack carried out by a local university, for | which Linus assigned
> a "permaban" on their kernel submissions. | That was an attack on
> kernel.org . Whereas the XZ one is | a more general Linux one, a test
> of how well the system | responds to shenanigans. | | Windows 11
> shows an "Extract from" if I highlight an XZ file. | It would appear
> the Insider development, is already in | the Release stream. All my
> instances of XZ are .tar.xz . |
>
> You have XZ files on Windows?

Yes, and you have sshd too, that you need of course enable yourself if
you intend to use it. So you have all the tools needed for this hack,
except you lack the systemd part as do all Unix variants and a number of
Linux distributions.

Things evolve, with the amount of work they are putting on WSL you
shouldn't be surprised that next version of microsoft windows may
actually run on a Linux kernel with an api wrapper to allow you to run
old windows applications. There was a talk about this already during
Balmer's time, you can guess who wasn't happy about the idea.

> ...To my mind this is all a classic case of placing the blame in the
> wrong place. Clearly it's a problem is someone comes up with a hack
> of remote access software. But the real problem is that software
> itself. Something like SSH shouldn't be in use. Remote Desktop shouldn't be > in use. People just can't even imagine using a computer safely.

The major danger for desktop users ain't ssh nor rdp, but the web
browser and mail client for those who don't use a web based mail
service, so yet again hinting about CVE-2008-5424, CVE-2010-3147, and
MICE issues on your computer.

On corporate systems you need to be able to remote access them as it
would take hours just to upgrade a few computers if you need to get down
to the data center and then login to each machine locally and do the
update. Sure you shouldn't let the endpoints be accessible directly on
the internet.

> Some years ago my starving artist brother called me. He was in a
> panic, explaining the "Microsoft" had called him to warn that there
> could be repercussions because my brother had not paid his Windows
> bill for several years.

This kind of scams been around for a long time, "Hi, this is Microsoft
calling..." even I have had those calls, quite fun you can have with the
Indian guy on the other side.
It's amazing people still get caught in them... but that is how things
goes when people don't care to learn about the things they use.

On 2024-04-01, Bugsy <bugsy@zimage.comBUGSY> wrote:
> "Carlos E.R." <robin_listas@es.invalid> wrote:
>
>> Bad actor probably paid by some country or mafia with money and resources.
>>
>> https://lcamtuf.substack.com/p/technologist-vs-spy-the-xz-backdoor
>
> Very sophisticated. Their grand scheme was:
>
> 1) sneakily backdoor the release tarballs, but not the source code

Almost 40 years ago ACM published Ken Thompson's article "Reflections on
Trusting Trust" this explit seems similar to his compiler exploit.
(trees died for this to be published, here is a scan:
https://dl.acm.org/doi/pdf/10.1145/358198.358210 )

--
Jasen.
🇺🇦 Слава Україні

On 2024-04-01 18:02, Gelato wrote:
> On Mon, 1 Apr 2024 15:20:35 +0200, Carlos E.R. wrote:
>
>>>> Bad actor probably paid by some country or mafia with money and resources.
>>>>
>>>> https://lcamtuf.substack.com/p/technologist-vs-spy-the-xz-backdoor
>>>
>>> Very sophisticated. Their grand scheme was:
>>>
>>> 1) sneakily backdoor the release tarballs, but not the source code
>>
>> Wrong. The source code of xz was compromised.
>
> Read that reference again, and read the other references.
> https://lcamtuf.substack.com/p/technologist-vs-spy-the-xz-backdoor
>
> It was sneaky. Very sneaky.
> It wasn't in the source code.
>
> It was in the packaging/testing code.
> https://doublepulsar.com/inside-the-failed-attempt-to-backdoor-ssh-globally-that-got-caught-by-chance-bbfe628fafdd
> "The upstream xz repository and the xz tarballs have been backdoored."

Ok, but it was not a binary, the distributions do not accept binaries.
The tarballs contain the released source code that distributions
download to build their own binaries.

I recogn I get a headache trying to understand it all.

--
Cheers, Carlos.