Exploit The Stressed-out Package Maintainer, Exploit The Software Package

A recent security vulnerability — a potential ssh backdoor via the liblzma library in the xz package — is having a lot of analysis done on how the vulnerability was introduced, and [Rob Mensching] felt that it was important to highlight what he saw as step number zero of the whole process: exploit the fact that a stressed package maintainer has burned out. Apply pressure from multiple sources while the attacker is the only one stepping forward to help, then inherit the trust built up by the original maintainer. Sadly, [Rob] sees in these interactions a microcosm of what happens far too frequently in open source.

Maintaining open source projects can be a high stress activity. The pressure and expectations to continually provide timely interaction, support, and updates can easily end up being unhealthy. As [Rob] points out (and other developers have observed in different ways), this kind of behavior just seems more or less normal for some projects.

The xz/liblzma vulnerability itself is a developing story; read about it and find links to the relevant analyses in our earlier coverage here.


Hackaday Links: August 23, 2020

Apple, the world’s first trillion-dollar company — give or take a trillion — has built a bit of libertarian cachet by famously refusing to build backdoors into their phones, despite the entreaties of the federal government. So it came as a bit of a surprise when we read that the company may have worked with federal agents to build an “enhanced” iPod. David Shayer says that he was one of three people in Apple who knew about the 2005 program, which was at the behest of the US Department of Energy. Shayer says that engineers from defense contractor Bechtel seemed to want to add sensors to the first-generation iPod; he was never clued in fully but suspects they were adding radiation sensors. It would make sense, given the climate in the early 2000s; walking down the street with a traditional Geiger counter would have been a bit obvious. And mind you, we’re not knocking Apple for allegedly working with the government on this — building a few modified iPods is a whole lot different than turning masses of phones into data gathering terminals. Umm, wait…

A couple of weeks back, we included a story about a gearhead who mounted a GoPro camera inside of a car tire. The result was some interesting footage as he drove around; it’s not a common sight to watch a tire deform and move around from the inside like that. As an encore, the gearhead in question, Warped Perception, did the same trick, but with a more destructive bent: he captured a full burnout from the inside. The footage is pretty sick, with the telltale bubbles appearing on the inside before the inevitable blowout and seeing daylight through the shredded remains of the tire. But for our money, the best part is the slo-mo footage from the outside, with the billowing smoke and shredded steel belts a-flinging. We appreciate the effort, but we’re sure glad this guy isn’t our neighbor.

Speaking of graphic footage, things are not going well for some remote radio sites in California. Some towers that host the repeaters used by public service agencies and ham radio operators alike have managed to record their last few minutes of life as wildfires sweep across the mountains they’re perched upon. The scenes are horrific, like something from Dante’s Inferno, and the burnover shown in the video below is terrifying; watch it and you’ll see a full-grown tree consumed in less than 30 seconds. As bad as the loss of equipment is, it pales in comparison to what the firefighters face as they battle these blazes, but keep in mind that losing these repeaters can place them in terrible jeopardy too.
