S2E11: "The Blame Game"

Log
Recorded (UTC): 2017-07-06 02:29:37
Aired (UTC): 2017-07-16 04:31:52
Editor: "Edita"

Verification
Format  SHA256
MP3     e059ad291aa19eac09557ec9412b388a41c1862fb5f35cafae038e28e40a420b
OGG     a592c9b47ba5fa89816ed9e5e210f0bc9d396fb2271e4defb43a538180f5b8fc

We talk about an interesting new(-ish) approach to password management and whether upstream is responsible for downstream SNAFUs.

News

  • An attack against libgcrypt has been found.
  • Amazon and eBay images were held “ransom” by Photobucket.
  • There is a PC build that self-destructs if tampered with.
    • We talked about QubesOS in S1E6 and S2E4.
  • Canonical pushing “advertisements” in the MOTD.
  • Apparently wind turbines are easily compromised.
  • NotPetya is making the rounds.
    • And you can find the “live blog” that Paden mentions here.
    • But see Errata.
  • Windows 10 S has been compromised (despite Microsoft’s claim that it is invulnerable).
  • Some Windows 10 development builds and source code have been leaked.

Notes

Starts at 14m0s.

I was drinking a mango smoothie. Paden was drinking Pabst Blue Ribbon. Jthan was drinking water because he is unwell.

  • Who’s responsible for downstream’s fuck-ups? (19m37s)
    • Where does liability lie if downstream patches break intended functionality?
    • Examples:
      • Debian’s 2008 openssl/openssh key-generation fiasco was created downstream, by a Debian-specific patch to OpenSSL’s PRNG seeding.
      • The recent “systemd” “vulnerability” (units whose User= name starts with a digit) was actually caused by various packagers on distros patching out the hard username restrictions in shadow-utils/libuser (known guilty parties so far: Red Hat/CentOS and Debian).
        • But all you systemd haters would know that if you actually read the bug report instead of being sensationalist and irrational.
    • We then discuss:
      • Why patching downstream (either to “fix” nonexistent issues or to introduce new features, and with them new bugs) is bad.
      • Why upstream should not be held responsible for developing “around” downstream.
      • Why/how this happens: usually downstream wants to add functionality without understanding the entire system ecosystem, but failed communication within large downstream projects also plays a part.
      • How this can be avoided.
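As an added illustration of the mismatch discussed above (example code written for these notes, not from the episode, systemd or shadow-utils), the block below encodes the upstream username rule documented in useradd(8) beside a hypothetical relaxed rule standing in for a distro patch, then shows which names one side creates and the other refuses. The relaxed regex, the sample passwd table and the consumer model are assumptions for illustration.

```python
import re

# Upstream rule as documented in useradd(8) from shadow-utils: a name starts
# with a lower-case letter or underscore, continues with lower-case letters,
# digits, underscores or dashes, may end with '$', and is at most 32 bytes.
STRICT_NAME = re.compile(r"^[a-z_][a-z0-9_-]*\$?$")

# Hypothetical relaxed rule standing in for a downstream patch that drops the
# leading-character restriction so names like "0day" or "9lives" are accepted.
# This is an assumption for illustration, not any distro's actual patch.
RELAXED_NAME = re.compile(r"^[a-z0-9_][a-z0-9_-]*\$?$")

MAX_NAME_LEN = 32


def valid_strict(name: str) -> bool:
    """Upstream (shadow-utils) validity check."""
    return len(name) <= MAX_NAME_LEN and STRICT_NAME.match(name) is not None


def valid_relaxed(name: str) -> bool:
    """Downstream-patched validity check (hypothetical)."""
    return len(name) <= MAX_NAME_LEN and RELAXED_NAME.match(name) is not None


def divergent_names(names):
    """Names the relaxed rule lets you create but the strict rule refuses:
    accounts that exist on disk yet an upstream consumer will reject."""
    return [n for n in names if valid_relaxed(n) and not valid_strict(n)]


def resolve_user(name, passwd_db, validator):
    """Model of a consumer (a service manager, say) resolving a configured
    user name. Returns the uid, or None when the name is rejected or unknown.
    Failing closed is the point: a None must abort the operation and never
    be replaced by a default identity such as uid 0."""
    if not validator(name):
        return None
    return passwd_db.get(name)


# Constructed sample of /etc/passwd contents (name -> uid); not real data.
SAMPLE_PASSWD = {"root": 0, "nobody": 65534, "_svc": 999, "0day": 1001}


if __name__ == "__main__":
    candidates = ["root", "0day", "9lives", "_svc", "machine$", "Bad"]
    print("created downstream but rejected upstream:",
          divergent_names(candidates))
    for validator in (valid_strict, valid_relaxed):
        print(validator.__name__, "0day ->",
              resolve_user("0day", SAMPLE_PASSWD, validator))
```

The consumer-side check in the last function is the one that matters for safety: when the two rules disagree, the name must be refused outright rather than silently replaced by a default.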

Sysbadministration Award

In this segment, we highlight system administration mistakes. Think of them as the IT equivalent of the Darwin Awards. (40m30s)

Errata

  • In the News segment, Paden refers to “Petya”; he actually means NotPetya, so named because it masquerades as a variant of Petya but is a wholly different thing. See the Baddie for more information.
  • Debian 7 (“Wheezy”) supported switching to systemd, but Debian 8 (“Jessie”) makes it the default.

Music

Music Credits
Intro: “C L I M A X” by Soft and Furious (CC0 1.0)
Outro: “net neutrality” by Noiseonport (CC-BY 4.0)
(All music is royalty-free, properly licensed for use, used under fair use, or public domain.)
