I imagine if this attacker wasn’t in a rush to get the backdoor into the upcoming Debian and Fedora stable releases he would have been able to notice and correct the increased CPU usage tell and remain undetected.

I think ideas about prevention should be more concerned with the social engineering aspect of this attack. The code itself is certainly cleverly hidden, but any bad actor who gains the kind of access as Jia did could likely pull off something similar without duplicating their specific method or technique.

as long as you’re up to date on everything here: https://boehs.org/node/everything-i-know-about-the-xz-backdoor

the only additional thing i’ve seen noted is a possibilty that they were using Arch based on investigation of the tarball that they provided to distro maintainers

I don’t foresee anyone with the kind of data needed to do more investigation releasing it to the public, so I doubt we’re going to be getting any satisfying answers to this. Microsoft may have an internal team combing through github logs, but if they find anything they’re unlikely to be sharing it with anyone but law enforcement agencies.

we know about the singapore VPN because they connected to IRC on libera chat with it. the only reason I can think people would believe they’re from hong kong is because of the pseudonym they used, but it’s not like that proves anything.

see link posted in another user’s reply: https://boehs.org/node/everything-i-know-about-the-xz-backdoor#irc

he was using a singapore VPN and had access to multiple sockpuppets. we know literally nothing else about them and anything you’ve heard to the contrary is baseless rumor.

leading theory is that it was a state-sponsored actor, but frankly even that much is speculation and which state is still way up in the air.

Another dev who forgot to .AddGameplay()

i also remember having the cube around the same time in OSX somehow but I forget the method

What do you consider difficult to do with CSS that wouldn’t also be difficult without it?

Not sure about your particular situation but there’s also the possibility that the bad CSS was good CSS when it was written and over time that got superseded by advancements in both technology and practice.

The line between problem and solution for C should be 30 miles long.

deleted by creator

if it did, they wouldn’t be nerds anymore.

Yes that is what they are good at. But not as good as a deterministic algorithm that can do the same thing. You use machine learning when the problem is too complex to solve deterministically, and an approximate result is acceptable.

the comic is about using a machine learning algorithm instead of a hand-coded algorithm. not about using chatGPT to write a trivial program that no doubt exists a thousand times in the data it was trained on.

deleted by creator

It’s an open source project. It has no investors driving it toward user hostile profit seeking which is the primary force behind enshittification. A large user base doesn’t cause it, merely triggers it where the cause is already present.

It means they can’t make porn images of celebs or anime waifus, usually.

Look into your shell’s tab completion abilities, the find command, and fzf. There’s also stuff like midnight commander but I find that to be a little overkill for my tastes.

Once again, their adherence to the letter of the GPL is certainly up for debate, I said as much at the start.

Their violation of its intent, however, is not. They are putting up roadblocks, however trivial or insignificant you seem to believe they are, to limit your freedom in redistributing they code they are providing. Period. This controversy would not exist if they weren’t.