cultural reviewer and dabbler in stylistic premonitions

Cake day: Jan 17, 2022


xzbot from Anthony Weems enables patching the corrupted liblzma to change the private key used to compare it to the signed ssh certificate, so adding this to your instructions might enable me to demonstrate sshing into the VM :)

Fun :)

Btw, instead of installing individual vulnerable debs as those kali instructions I linked to earlier suggest, you could also point debootstrap at the snapshot service so that you get a complete system with everything as it would’ve been in late March and then run that in a VM… or in a container. You can find various instructions for creating containers and VMs using debootstrap (e.g., this one which tells you how to run a container with systemd-nspawn; but you could also do it with podman or docker or lxc). When the instructions tell you to run debootstrap, you just want to specify a snapshot URL like https://snapshot.debian.org/archive/debian/20240325T212344Z/ in place of the usual Debian repository URL (typically https://deb.debian.org/debian/).


A daily ISO of Debian testing or Ubuntu 24.04 (noble) beta from prior to the first week of April would be easiest, but those aren’t archived anywhere that I know of. It didn’t make it into any stable releases of any Debian-based distros.

But even when you have a vulnerable system running sshd in a vulnerable configuration, you can’t fully demo the backdoor because it requires the attacker to authenticate with their private key (which has not been revealed).

But, if you just want to run it and observe the sshd slowness that caused the backdoor to be discovered, here are instructions for installing the vulnerable liblzma deb from snapshot.debian.org.


Who is we???

Perhaps OP is a member of the US congress, trying to figure out what to vote for? 🤪

There is a nice sample of Michael Parenti talking about this kind of use of the word “we” at the beginning of this song. (lyrics here)



Ok, you and @d3Xt3r@lemmy.nz are both mods of /c/linux@lemmy.ml now. Thanks!


Ok, I just stickied this post here, but I am not going to manage making a new one each week :)

I am an admin at lemmy.ml and was actually only added as a mod to this community so that my deletions would federate (because there was a bug where non-mod admin deletions weren’t federating a while ago). The other mods here are mostly inactive and most of the mod activity is by me and other admins.

Skimming your history here, you seem alright; would you like to be a mod of /c/linux@lemmy.ml ?


As of today, NixOS (like most distros) has reverted to a version slightly prior to the release with the Debian-or-Redhat-specific sshd backdoor which was inserted into xz just two months ago. However, the saboteur had hundreds of commits prior to the insertion of that backdoor, and it is very likely that some of those contain subtle intentional vulnerabilities (aka “bugdoors”) which have not yet been discovered.

As (retired) Debian developer Joey Hess explains here, the safest course is probably to switch to something based on the last version (5.3.1) released prior to Jia Tan getting push access.

Unfortunately, as explained in this debian issue, that is not entirely trivial because dependents of many recent pre-backdoor potentially-sabotaged versions require symbol(s) which are not present in older versions and also because those older versions contain at least two known vulnerabilities which were fixed during the multi-year period where the saboteur was contributing.

After reading Xz format inadequate for long-term archiving (first published eight years ago…) I’m convinced that migrating the many projects which use XZ today (including DPKG, RPM, and Linux itself) to an entirely different compression format is probably the best long-term plan. (Though we’ll always still need tools to read XZ archives for historical purposes…)





I think it’s pretty great that Zuckerberg went all-in on the thankfully-wrong bet that his Second Life knockoff would somehow be popular and that people would actually want to strap a computer on their face to use it. 🤡

Which is to say, VR isn’t particularly high on the list of things I’m concerned about giant tech companies’ control of.

I recommend reading The Verge’s review of the Apple Vision Pro which concludes:

Apple may have inadvertently revealed that some of these core ideas are actually dead ends — that they can’t ever be executed well enough to become mainstream. This is the best video passthrough headset ever made, and that might mean camera-based mixed reality passthrough could just be a road to nowhere. This is the best hand- and eye-tracking ever, and it feels like the mouse, keyboard, and touchscreen are going to remain undefeated for years to come.

As someone who doesn’t want to live in a world where head-mounted cameras in public spaces become ubiquitous or even socially acceptable, I found that review to be good news.


+1 to ctrl-alt-fsomething (start at f1 and go up to move through the different virtual terminals). once in a while there are graphics problems which this will fix.

If you’re using GNOME Shell on X you can reload the shell (and all of its extensions) with alt-f2 and then in the “Run a command” dialog that appears type r and hit enter. Unfortunately this doesn’t work in GNOME on Wayland.



I highly recommend Phillip Rogaway’s The Moral Character of Cryptographic Work even if you aren’t interested in cryptography specifically, but especially if you are.


So it will be only Systemd

what? no. did you read the linked post? Some desktop environments will have more functionality and work better if you do use it, but (for now, at least) you can still run even GNOME under OpenRC if you want.





I’ve never once in my life heard an American use clock in a personal manner like that

this comment is in poe’s law territory but just in case, fyi: https://en.wiktionary.org/wiki/clock#Verb


The only thing I want that I don’t have right now is horizontal monitor splits for vertical monitors.

You can do that with this shell extension (which is the upstream of Ubuntu’s “gnome-shell-extension-tiling-assistant” package, which on Ubuntu is installed by default and called “Ubuntu Tiling Assistant” in the GNOME Extension manager).



Can containers boot on their own? Then they are hosts, if not they are guests.

It depends what you mean by “boot”. Linux containers are by definition not running their own kernel, so Linux is never booting. They typically (though not always) have their own namespace for process IDs (among other things) and in some cases process ID 1 inside the container is actually another systemd (or another init system).

However, more often PID 1 is actually just the application being run in the container. In either case, people do sometimes refer to starting a container as “booting” it; I think this makes the most sense when PID 1 in the container is systemd as the word “boot” has more relevance in that scenario. However, even in that case, nobody (or at least almost nobody I’ve ever seen) calls containers “guests”.

As to calling containers “hosts”, I’d say it depends on if the container is in its own network namespace. For example, if you run podman run --rm -it --network host debian:bookworm bash you will have a container that is in the same network namespace as your host system, and it will thus have the same hostname. But if you omit --network host from that command then it will be in its own network namespace, with a different IP address, behind NAT, and it will have a randomly generated hostname. I think it makes sense to refer to the latter kind of container as a separate host in some contexts.


Your main OS is called the host and the container is called the guest

The word “guest” is generally used for virtual machines, not containers.


I considered putting logos of some of the many more user-friendly pre-ubuntu distros in the meme but was lazy.

Debian was intended to be for regular desktop users back then too, though.


What Linux distribution came before Ubuntu that was specifically designed to be user friendly for a non-technical user?

There were a bunch of distros advertising ease of use; several were even sold in physical boxes (which was the style at the time) and marketed to consumers at retail stores like BestBuy years before Ubuntu started.

Here are four pictures of the physical packaging for three of those pre-ubuntu desktop distros designed to be user friendly and marketed to the general public:

[Photos: the cardboard packaging for Caldera OpenLinux; another Caldera box; packaging of SuSE 8.1; Mandrake 7.2 packaging]

Ubuntu was better than what came before it in many ways, and it deserves credit for advancing desktop Linux adoption both then and now, but it was not “one of the first” by any stretch.



there were dozens of others in the 11 years between the first and ubuntu





The PineTab 2 looks nice, but I haven’t seen one in person yet.


I don’t know about the other two mods here but I heard @AgreeableLandscape@lemmy.ml plans to return from hiatus eventually.

I’ve done most of the mod actions here in the last year, first as an admin but eventually I was added as a mod in this community too because there was a bug (fixed in 0.19) which prevented admins’ mod actions from federating (and there were some egregious posts which kept getting remote reports).

Thanks for the offer of help @beta_tester@lemmy.ml but I think the other admins and I (who are all longtime Linux users) are doing OK moderating this community. Also I see that yesterday you re-posted something immediately after it was deleted, with a title referencing its deletion 😦

If you see something that should be deleted, please do flag it, and if you’re unhappy with mod actions you can always message a mod or ask about it in /c/meta@lemmy.ml


It means that lemmy.world is using https://static.cloudflareinsights.com/beacon.min.js to track their users’ behavior and activities 😞

I am deleting this post per community rule 3 (asklemmy is not for questions about lemmy); there are other communities where it would be appropriate to have a thread to discuss this.


I just went looking for this document and found it for sale here; meanwhile over here there is a helpful PDF with a watermarked line drawing of the CD-ROM they’ll sell it to you on.

Fuck ISO so much.



it also was deleted. continuing to write comments with LLMs will get you banned, fyi.


back when Cobol was still used

try searching for COBOL on any big job site, it’s still in use today :)


Fuck both of these companies, but, how can it make sense to sue Citrix for this? The article says they released an advisory and patch for the problem six days prior to when Xfinity says the breach happened, so, it sounds like Xfinity neglected to install their software updates.


I think most chromebooks allow you to disable their boot security? some even allow you to re-enable it with different keys so that you can have a different trust anchor instead of google.



it’s weird how this gist was updated 3 hours ago but still contains lots of claims that haven’t been accurate for years





Infinite Mac: browser-based 68k and PowerPC emulators running System 1.0 through 7.5.5 and Mac OS 7.6 through 9.0.4
* https://system6.app
* https://system7.app
* https://kanjitalk7.app
* https://macos8.app
* https://macos9.app

edit: i just realized there are even more than the above five domains; https://infinitemac.org has multiple point releases of every major release of the Mac System Software from 1.0 onwards 🤯

source code is here: https://github.com/mihaip/infinite-mac

[@mihaip@hachyderm.io](https://hachyderm.io/users/mihaip) - in case you see this - thank you so much for building this!