Items tagged with: FOSS


Put yourself in Jia Tan's shoes, the malicious contributor to the xz backdoor...

It's been, what, two... three?... years since you started this campaign. You've had the entire support of your team and of your chain of command.

Your coders created a complex and sublime backdoor. A secure! backdoor that only you and your team could connect to. Heck it can even be deleted remotely. This is clean code. A responsible hack that doesn't open up the backdoor for others to hijack.

You spend years on your long con - your social engineering skills are at the top of the game. You've ingratiated yourself painstakingly into multiple teams. Finally it all pays off and you're ready to go!

You succeed multiple times in getting your backdoor inserted in all the major Linux distributions!!! Now it's just a matter of weeks before it makes it to production and stable releases!

This is the culmination of years of labor and planning and of a massive team and budget.

You did good.

This will get you promoted. Esteemed by your colleagues and leadership alike. Your spouse and kids will understand why you haven't been at home lately and why you've spent all those late nights at the office.

It's finally going to pay off.

But what's this?! Some rando poking around in their box running a pre-release unstable version of linux has found everything?!?! It's all being ripped down?! And on a Friday before a western holiday weekend?!?!

Fuck. Fuck. FUCK!!!

Three years for nothing!!! My wife is going to leave me! I missed my kid's recital for this!!! They'll hate me because I told them it was worth it. Daddy will be able to play with you again once Daddy finishes this last bit of work. But it was all for nothing!!!

Leadership took a big risk on me and my team but I kept assuring them it would pay off!

It would be one thing if another nation state found it and stopped it. But one random dude poking his nose where it shouldn't belong?! Ohhh fuck, I'm going to be fired. We're going to lose our budget. My team is going to be fired. I've let down everyone that ever believed in me and supported me and relied on me!

Oh fuck!!!

#xz #backdoor #xzBackDoor #cve #cve20243094 #infosec #hacking #FOSS


I think a LOT of people are missing the fact that we got LUCKY with this malicious backdoor.

The backdoor was created by an Insider Threat - by a developer / maintainer of various linux packages. The backdoor was apparently pushed back on March 8th (I believe) and MADE IT PAST all QA checks.

Let me state that again. Any quality assurance, security checks, etc., failed to catch this.

This was so far upstream, it had already gotten into the major Linux distributions. It made it into Debian pre-release, Fedora rolling, OpenSUSE rolling, Kali rolling, etc.

This is an example of Supply Chain Security that CISOs love to talk and freak out about. This is an example of an Insider Threat that is the boogey man of corporate infosec.

A couple more weeks, and it would have been in many major distributions without any of us knowing about it.

The ONLY reason we know about it is because @AndresFreundTec got curious about login issues and some benchmarking checks that had nothing to do with security and ran the issue down and stumbled upon a nasty mess that was trying to remain hidden.

It was luck.

That's it. We got lucky this time.

So this begs the question. Did the malicious insider backdoor anything else? Are they working with anyone else who might have access to other upstream packages? If the QA checks failed to find this specific backdoor by this specific malicious actor, what other intentional backdoors have they missed?

And before anyone goes and blames Linux (as a platform or as a concept), if this had happened (if it HAS happened!!!) in Windows, Apple, iOS, etc.... we would not (or will not) know about it. It was only because all these systems are open source that Andres was able to go back and look through the code himself.

Massive props and kudos and all the thank yous to Andres, those who helped him, to all the Linux teams jumping on this to fix it, and to all the folks on high alert just before this Easter weekend.

I imagine (hope) that once this gets cleaned up, there will be many fruitful discussions around why this passed all checks and what can be changed to prevent it from happening again.

(I also hope they run down any and all packages this person had the signing key for....)

#infosec #hacking #cve #cve20243094 #linux #FOSS


#LibreOffice’s #localization community translates the software’s user interface, along with its documentation and websites. We ran a survey to find out what tools the community uses, and how we can improve them: https://blog.documentfoundation.org/blog/2024/03/29/results-from-our-survey-of-libreoffice-localisation-tooling-and-workflows/ #foss #opensource


#Google and #Facebook didn't kill #Jabber / #XMPP. They hammered the final nails of its coffin. Big difference. The lesson of the XMPP story is that the community shouldn't get complacent just because a big corp is now backing them, support their own smaller #FOSS developers through any means they can (whether financial or code), put out a unique thing every now and then, and make sure the UX is not horrible for new users. I think #Misskey, #Sharkey, and #Catodon got those lessons right (especially the very latter, UX was really horrible in XMPP back then and I think that's what "killed" it if you can even call it that). Not sure about #Mastodon though. Maybe that's why almost all of the worry I'm hearing about #Threads comes predominantly from Mastodon and Mastodon-compatible (in the sense they try to be as compatible with Masto as possible in terms of API) instances. :seija_coffee: #fediversemeta


Today we're releasing #LibreOffice 24.2.2, the second update to our new 24.2 branch (with "year.month" version scheme). We've also updated the previous and older LibreOffice 7.6 branch too: https://blog.documentfoundation.org/blog/2024/03/28/libreoffice-24-2-2-and-7-6-6-community/ #foss #opensource #news


There is a good discount on the #FOSS conference in #Zagreb in May - why don't you combine your thirst for knowledge with a nice trip?

https://www.dorscluc.org/2024/03/hop-into-dors-cluc-2024-with-our-exclusive-easter-discount/

I most probably will be there speaking about #heavymetal #thunderbird and maybe #osm.


💡 The last Wednesday of March can only mean one thing...

#DocumentFreedomDay ✍️

Today we celebrate open standards: The ability for everyone to work and communicate using free software.

If you're using paid software that confines you, see if any of the alternatives on my list of #opensource software can make life easier for you:

https://ethicalrevolution.co.uk/opt-open-source/

Includes (but not limited to) @cryptpad @thegoodcloud @piefedadmin @libreoffice @thunderbird @Tutanota @protonprivacy @plausible @GIMP @inkscape @session @signalapp @delta @efoundation @MattermostFR @element

Any I've missed, let me know!

@dff

#FOSS #DFF #DFD #decentralize


#LibreOffice isn't just a piece of software – it's a worldwide community, working on #UX, #QA, marketing, documentation and translations. And thanks to that community, we now have a Czech version of the LibreOffice Writer Guide 24.2 🥰 https://blog.documentfoundation.org/blog/2024/03/25/czech-translation-of-libreoffice-writer-guide-24-2/ #foss #opensource


I'm so sorry that you are subjected to this level of venom regularly.
In an attempt to be a less silent majority, I would like more of us to speak up and appreciate the hard work that goes into #foss maintenance. Thanks for a wonderful tool that a BILLION people use, that's remarkable!
#foss


a periodic reminder that open source and free software licences enabled the unpaid mass transfer of skills and labour to corporations and societal elites to an extent unparalleled since the abolition of serfdom and slavery.

they effectively seized the means of production, then packaged them all up and delivered them to the worst people imaginable, wrapped with a bow and a little card that said “exploit me!”

and people are still out here cheerleading for them.

#foss #opensource


How it started: "This change has zero effect on the Redis core license, which is and will always be licensed under the 3-Clause-BSD."

How it's going: "Beginning today, all future versions of Redis will be released with source-available licenses. Starting with Redis 7.4, Redis will be dual-licensed under the Redis Source Available License (RSALv2) and Server Side Public License (SSPLv1)."

#FreeSoftware #OpenSource #OSS #FOSS #Redis


🗺️ 𝘖𝘱𝘦𝘯𝘚𝘵𝘳𝘦𝘦𝘵𝘔𝘢𝘱 3𝘋 🧊

https://demo.f4map.com

Zoom in to street level to see the 3D features.

#map #maps #OpenStreetMap #3D #topography #world #WorldMap #cities #landscape #environment #data #tools #OpenSource #FOSS


Can you #help me?

#Metal music has anger, love, DEI, truth-telling, and more. So why don't we use it to solve everyday problems, such as having fun at work, lacking identity, or standing for our rights? Metal artists put a lot of effort into crafting their art, and we can find the best use of it just by listening.

I want to interview key players in the metal world and do a #Foss #cc documentary to encourage even more people to help themselves!

Please DM me if you know some metal gods!


I had the pleasure to talk at #installfest in #prague today. That was a great experience. I hope my talk about #Thunderbird convinced at least one person to contribute to #Foss. I even met Mitch Altman, who, it turns out, has been using the email client for a long time.


Apache Pekko has left the incubator phase and is now a top-level project.

https://lists.apache.org/thread/grl5h0l79oywnjtmfv0mdg3w108vsh6o

That's great news! Pekko was created as a Fork of Akka 2.6, right after Lightbend chose to pull a bait-and-switch by relicensing Akka to a non-FOSS license.

I already switched to Pekko a few months ago, it went very smoothly, and I am grateful to everybody involved in making this happen.

#opensource #pekko #akka #scala #java #licensing #apache #foss


We’re seeking input from #FOSS maintainers as we design a fellowship program pilot. We want to test a support mechanism that addresses structural issues in the FOSS ecosystem, and support maintainers who work on open digital infrastructure in the public interest.

If you maintain open source projects, we would be very grateful if you could take ten minutes to respond to the survey:
https://survey.sovereigntechfund.de/968766

Please also repost and share with FOSS maintainers you know. Thanks!

#foss


Looking for a career change – maybe in technical writing? Join the #LibreOffice documentation community, and improve our help content and guidebooks! You can pick up valuable experience along the way. Dione Maddern explains more: https://blog.documentfoundation.org/blog/2024/03/18/community-member-monday-dione-maddern-libreoffice-docs-team/ #foss #opensource


Are you a #ScreenReader and/or #Braille user on #Matrix?

Should we be adding messages as captions until #AltText is supported?

#A11Y #Accessibility #BRLTTY #FOSS #OpenSource #Element #GNOME #KDE #elementaryOS #XFCE

  • Yes, always. (66%, 4 votes)
  • A quick summary is fine, I'll ask if I need more (16%, 1 vote)
  • As long as you do it if I ask. (16%, 1 vote)
6 voters. Poll end: 1 month ago


Whoa! TIL just how widespread Matrix is at universities in Germany.

This, on top of adoption by their national healthcare system and other corners of their public sector.

Source: https://doc.matrix.tu-dresden.de/why/

#Matrix #OpenSource #OpenStandards #DigitalSovereignty #FOSS


New guidebooks, for our shiny new #LibreOffice 24.2 release! Get the most out of Writer and Calc: https://blog.documentfoundation.org/blog/2024/03/12/libreoffice-24-4-shines-again-writer-24-2-and-calc-24-2-guides-published/ #foss #opensource


NV Access are pleased to share the release of NVDA 2024.1 Beta 13.

Changes introduced in Beta 13:
- Bug fix for interacting with some NVDA controls such as the synth selection dialog and selectable checklist items
- Updates to translations

Read the full information and download at: https://www.nvaccess.org/post/nvda-2024-1beta13/

#NVDA #NVDAsr #Release #Software #FOSS #Beta


So @gnome is removing the x11 session, leaving just the Wayland one.

If this goes out before Orca, the GNOME screen reader, is fixed to work on Wayland, it will mean that people who rely on screen readers will have no way to use one on GNOME. And thus on the major Linux distributions.

So I’m hoping the plan is that this change will not land until GNOME has a working screen reader.

#accessibility #a11y #gnome #linux #openSource #foss #wayland #x11 #orca https://peoplemaking.games/@ailepet/112077559713299711


If you see the AGPL licenses on my free and open source work and you think “damn you, I can’t use this to enrich myself or my corporation without sharing back what I’ve built on top of what you’ve freely shared and thus contribute to cultivating a healthy commons where others might enjoy the same benefits from my work that I want to obtain from yours” (a) you really have long-winded thoughts and (b) well, you already see the flaw in your reasoning.

#foss #licenses #freedom #copyleft #gpl


Keep the momentum going for free open source projects in this week's Follow Friday by giving your support with contributions, boosts and follows.

https://www.adamsdesk.com/posts/discover-fediverse-keep-momentum/

- LÖVR @lovr
A framework for rapidly building immersive 3D experiences.
- NV Access @NVAccess
A screen reader.
- BiznisBox @biznisbox
A web app for managing invoices, clients, & payments.
- BookStack @bookstack
Documentation system.

#FollowFriday #fediverse #FreeSoftware #OpenSource #ff #oss #foss #floss


The #GUADEC2024 call for abstracts for those looking to be *sponsored* has passed (due to visa reqs & travel lead time), BUT the call for both in-person (if you don’t need sponsorship) and remote talks IS STILL OPEN!

https://events.gnome.org/event/209/abstracts/

If you’ve been working on something interesting in GNOME or GNOME-adjacent spaces and can present remotely or get yourself to Denver in July, you still have just over two weeks to propose a talk!

#GNOME #GUADEC #OpenSource #Linux #FOSS #FLOSS


Our Nepali Community celebrated the #LibreOffice 24.2 Release Party with CS50x Nepal students 🥳 https://blog.documentfoundation.org/blog/2024/03/08/nepali-community-celebrates-libreoffice-24-2-release-party-with-cs50x-nepal-students/ #foss #opensource


#LibreOffice 24.2 is our latest big update, with many new features, including password strength indication when saving encrypted files. Find out more: https://blog.documentfoundation.org/blog/2024/01/31/libreoffice-24-2/ #foss #opensource


#LibreOffice 24.2 is our latest big update, with many new features. For instance, the special characters dropdown now shows description text. Find out more: https://blog.documentfoundation.org/blog/2024/01/31/libreoffice-24-2/ #foss #opensource


Spectral Compressor. It's incredible that FOSS audio production tools are at a level where top EDM producers make videos about them. Props to au5 for acknowledging that it's not just free, but also open-source.

https://youtu.be/jo_ayanaKo4?si=evvqcOYMVwfcMzAp

#MusicProduction #FOSS #SoundDesign #EDM #music


Get started writing that #app in your favourite programming language!

https://developer.gnome.org/documentation/introduction/languages.html

Then start working on those features, with tutorials for #Blueprint, #JavaScript, #Python, #Rust and #Vala 🚀

https://apps.gnome.org/Workbench/

#GNOME #Workbench #Opensource #FOSS


#LibreOffice 24.2 is our latest big update, with many new features. For instance, in Math, you can now change the font used in formulas. Find out more: https://blog.documentfoundation.org/blog/2024/01/31/libreoffice-24-2/ #foss #opensource


If you're a fan of the free open source e-mail software Thunderbird, you might want to follow their official PeerTube account:

➡️ @thunderbird@tilvids.com

(You can also follow their Mastodon account at @thunderbird@mastodon.online)

If you just want to browse their PeerTube videos without following them, you can watch them all at https://tilvids.com/a/thunderbird/videos

#Thunderbird #Mozilla #MozillaThunderbird #FOSS #EMail #Libre #PeerTube


#LibreOffice 24.2 is our latest big update, with many new features, including tooltip help for expert configuration options. Find out more: https://blog.documentfoundation.org/blog/2024/01/31/libreoffice-24-2/ #foss #opensource


February was #ILoveFreeSoftwareDay ❤️

| ̄ ̄ ̄ ̄ ̄ ̄ ̄ ̄ ̄ ̄ ̄ ̄|
| We Love Free Software |
|____________|
\ (•◡•) /
\ /
——
| |
|_ |_

#FreeSoftware #FOSS