Hacker News: buffet_overflow's comments

Sounds like he got the double instead of the nothing. The last line of the article mentions he now owes close to 200k, when he had originally owed 100k at the start of the scheme.

I wonder how much he banked from the sold access in the middle.


Had the same reaction. I’m willing to support development for a tool like this, but would prefer to do it more… directly.


I ended up with a preorder for the new screen instead of getting a laptop now and the upgraded screen later. Before making that call, I explored a bit around up-cycling the original monitor into a portable display. There are apparently some boards that allow this, if that helps with your math.


Like into a portable monitor?


I moved my primary phone from Android to iOS and this is hands down the thing I miss the most. I ended up silencing a lot of apps wholesale, mostly rideshares, as a result.


Currently waiting on my FW13 preorder, so if you don’t mind writing it out one more time, what issue are you having?


The laptop is bricked, won't boot, won't charge, so pretty frustrating. I really liked it when it was working, and I still have hope that they will warranty the issue.


Wow, that’s… catastrophic. Sorry that happened to you.


Just to follow up, they are trying to deny my warranty claim, beware!


I’d love to see two types of upvotes on the site. One for “thanks for answering/engaging” and another for “this answer is correct and high quality”. Not sure how you’d restrict or verify the votes, but I think the issue you’re pointing out is a result of only having one metric of engagement.


Slashdot solved it more than twenty years ago.


Slashdot also had the concept of meta-moderation, where the site's users could vote on whether a particular mod's actions were appropriate/fair or not. Presumably mods that were voted as problematic stopped getting the ability to mod.

Slashdot was in many ways way ahead of their time. I think Reddit (and even HN) could benefit from this kind of check/balance.


> Facebook engineer and therefore have vetted

Haven’t nation-state actors openly infiltrated high-level companies? This would provide a false sense of security, imo. If anything, we need better testing and behavior heuristics for incoming code.


One thing missing here.

I develop cool thing X. Now, 100 minor things depend upon it.

Suddenly, Facebook (or anyone of that size!) starts using it, and decides to vet the maintainer/author.

Who says anyone has to cooperate? It's his software. He wrote it. Don't like it?

Well tough!

Now obviously Facebook could author a replacement. It could fork and maintain.

But the very nerve that Facebook(or anyone!) would insist upon a security audit of the anonymous author would be very, very strange.

Next up, I lend a neighbour my lawn mower, after he comes begging to borrow it. Oh, but wait! My neighbour now wants me to sign a liability form, and also undergo a security check, all so he can borrow my lawn mower!

The hell?!?!

Hoping this illustrates my point. The project author owes nothing to anyone.

And it gets more wacky, if there are 100 companies demanding audits. What? Demand?!

This is where distros are the strong point. They aren't perfect, but they catch a lot of stuff on their own. And maintainers of different distros often backchannel, support each other in this.

In terms of some government org "vetting" people? Way to take the last vestiges of free software, and hacking, and turn it into a gatekeeping, bureaucratic nightmare. I guess one will need credentials, government ID, a 10-year security check, to be fingerprinted, and so on? Security clearances work like that, and that's how you vet someone.


This exact thing happened to me. I maintain a fairly popular free software project. A few years ago, I received an email from a nasa.gov domain claiming that they want to use the project internally and are auditing all their suppliers. They wanted documentation on me and on how I audit my supply chain for the project. Not cool. I don't have time for these shenanigans in my personal time.


I'm sure you had the choice not to provide that documentation, right?


Well, yes. And I chose to exercise that right.

The point of the anecdote is to supplement the parent poster by stating that their hypothetical scenarios are already happening.

We should have better testing and more eyes on incoming code for projects we depend on. But my point I guess is that vetting maintainers is not an option.


Agreed that the vetting of private people would be invasive and not a good use of resources. It would also not work for recently compromised accounts.

I’m also personally torn on how much we want giant private companies controlling more and more of the core compute infrastructure and software.

In an ideal world, the code and software itself would be automatically analyzed for malicious use cases in release and deployment pipelines, but that’s a magic, hand-wavy kind of ask of a huge magnitude and complexity.


And in this case Facebook did author a replacement: zstd. It just didn't get popular enough. And even when it does get popular, it won't replace all usages of xz, only some of them.


If OP takes this approach, please please please make this usage data easily accessible, ideally both as a (free?) API endpoint and as a timechart/table in the web UI if applicable.


The analogy I used back when I managed a team was that our workload was like a funnel. You need some amount of overhead to balance the pressure and keep things flowing. If you put too much in the funnel, things back up and spill. It's faster to leave that little gap than it is to try to use the absolute maximum volume.


> As long as the government can keep a private key secure only they could make use of it.

Well, keep in mind they would have to keep it secure in perpetuity. Any leak over the lifetime of any of that hardware would be devastating to the owners. Blue Team/defensive security is often described as needing to be lucky every time, whereas Red Team/attackers just have to get lucky once.

This attack vector is in addition to just exploiting the implementation in some way, which I don't think can be handwaved away.

