And did you also think that #xz lib is now much better secured and has much more contributes looking out for the project? I'm afraid not ... https://github.com/tukaani-project/xz/graphs/contributors

Do you remember the xz supply chain attack (or backdoor) that happened one year ago and nearly compromised half the world? (I think you do)

I claim that we could have automatically detected this backdoor in NixOS thanks to reproducible-builds!

-> Go read about it in my blog post: https://luj.fr/blog/how-nixos-could-have-detected-xz.html

Boosts would be much appreciated!

BZip3

在 Hacker News 上看到 BZip3 的連結：「Bzip3: A spiritual successor to BZip2 (github.com/kspalaiologos)」。

雖然名字看起來與 bzip2 有關，但看起來是不同的人弄出來的東西，不過有些經典的演算法有留下來用，像是 Burrows-Wheeler transform。

另外值得一提的是，bzip2 是 1996 年出的 (不過 1.0 大約是 2000 年時出的)，BZip3 的第一個 release 在 2022 年，這段時間也累積了不少有趣的演算法可以用。

無損壓縮中如果期望有比較的壓縮率，目前比較常用的應該是 LZMA 類的演算法 (差不多是 2001 年出現的)，用的工具通常會是 X

https://blog.gslin.org/archives/2025/02/02/12240/bzip3/

Dear People attending #FOSDEM

The maintainer of #XZ is still in need of true support after they were abused by someone who tried to viciously introduce a backdoor to potentially millions of servers and computers.

They opened a Liberapay account here: https://liberapay.com/Larhzu.
They only receive 13,55€/week for now…

You know XZ is crucial for lots of critical systems. Please tip them generously.and boost this message!

(Discovery borrowed from @Sylvhem)

NOTE : due to the local laws, as a Finnish, Larhzu cannot accept money from Finnish people.

Lasse Collin (the developer of xz-utils) has found out how to accept donations without breaking the Finnish money collection law:
https://github.com/tukaani-project/xz/issues/105#issuecomment-2599004098

He has created an account on #LiberaPay with a restriction to not accept donations from Finns or people living in Finland:
https://liberapay.com/Larhzu/

Lightning Talk: The XZ Backdoor and a 40 Year Old Prediction – Christopher Harpum – ACCU 2024

https://www.youtube.com/watch?v=AzfKTpkml_I

I love playing around with #compression

In this case, it's all text-based data in csv and xml formats.

Size:

32,696,320 202411.tar
 4,384,020 202411.tar.bz2
 4,015,912 202411.tar.zst
 3,878,583 202411.tar.bz3
 3,730,416 202411.tar.xz

zstd was invoked using zstd --ultra -22
xz was invoked using xz -9e
bzip2 was invoked using bzip2 -9
bzip3 has no compression level options

Speed:

zstd    54.31user 0.25system 0:54.60elapsed 99%CPU
xz      53.80user 0.06system 0:53.93elapsed 99%CPU
bzip2    5.33user 0.01system 0:05.35elapsed 99%CPU
bzip3    3.98user 0.02system 0:04.01elapsed 99%CPU

Maximum memory usage (RSS):

zstd    706,312
xz      300,480
bzip3    75,996
bzip2     7,680

*RSS sampled up to ten times per second during execution of the commands in question

#bzip3 is freaking amazing, yo.

#DataCompression #bzip #bz3 #zstd #zst #zstandard #xz #lzma
#CouldaBeenABlost ;)

Lightning Talk: The XZ Backdoor and a 40 Year Old Prediction – Christopher Harpum – ACCU 2024

https://www.youtube.com/watch?v=AzfKTpkml_I

Lightning Talk: The XZ Backdoor and a 40 Year Old Prediction – Christopher Harpum – ACCU 2024

https://www.youtube.com/watch?v=AzfKTpkml_I

How to make #opensource #software more secure
The #xz attack, which followed other well-known cybersecurity incidents involving open source software like #Heartbleed, #Shellshock, and #Log4j, was another stark reminder that open source software, given how widespread it is, can pose significant #security risks.  
https://techcrunch.com/2024/11/01/how-to-make-open-source-software-more-secure/ #itsec

Been a while since I did this commute… but totally worth it for @leigh’s keynote on Protecting Canadian Democracy at 9am!!!

I’m heading to SecTor today and tomorrow, I look forward to seeing the Toronto cybersecurity community. I hope to see you at my keynote tomorrow on the xz-utils backdoor.

We’re at the Metro Toronto Convention Center, a few tickets are still available - register here:
https://www.blackhat.com/sector/2024/registration.html

#cybersecurity #opensource #toronto #xz-utils #sector

If you’ll be at SecTor 2024, come check out @leigh keynote on October 23, and my keynote on October 24!

I’ve known Leigh for years, and I’m thrilled to have an opportunity to present at the same conference as her,

Here’s what to expect at SecTor :

https://www.businesswire.com/news/home/20241010549404/en/SecTor-Announces-Leigh-Honeywell-and-Omkhar-Arasaratnam-as-Keynote-Speakers-for-SecTor-2024

If you’re not registered yet, grab your tickets here: https://www.blackhat.com/sector/2024/registration.html

We look forward to seeing you in a couple of weeks!

#sector2024 #cybersecurity #xz-utils #opensourcesoftware

Finally also available in english.

#fern #ssh #xz #backdoor #jiatan #security

https://www.youtube.com/watch?v=F7iLfuci75Y

This documentary on #xz is awesome. They really point out the #opensource problem that people often feel alone and sometimes pressured. They also make the issue clear to people from outside of OpenSource or software. Realy recommend this to everyone. Especially if you want to show this issue to someone that is unfamiliar with the issues.
https://youtu.be/F7iLfuci75Y?si=NcGPXbluLbcz6xmy

Updated #XZ Code Lands In #Linux 6.12

https://www.phoronix.com/news/Linux-6.12-Updated-Embedded