Even though the video is somewhat sensationalized at some points, it is well worth a watch for people who are interested in computers but don't have a background in it. There is a nice mixture of everything from history (e.g. the founding of the FSF) to a clear explanation of a compression algorithm (clear enough that one should be able to implement it). It also makes claims that should make some people stop and think about the industry as a whole (such as Linux being the most important contemporary operating system).
I'm not sure if it is HN-crowd type material since it is easy enough information for most of us to dig up, assuming we didn't already know it. Yet it does not simplify things to the point of, "technology is magic."
This is IMO one of the coolest tech stories to ever happen, seriously amazing spycraft & hacking skills, but I haven't been keeping up with new developments from this story since it broke. Last I heard, the best guess at what happened was some state-sponsored actor worked very hard to get this merged, and it was caught luckily at the last minute. But no one had any smoking gun as to who did it or why or who they were targeting. Any new developments since then? Are we still just totally in the dark about what was going on here?
> A lot of the aliases, like Jia Tan, they sound like Asian names, and the published changes are all timestamped in UTC+8, Beijing time. So the signs point to China. And that's why it's probably not China. I mean, why would they make it that obvious? Every other part of the operation has been so meticulous, so cautious.
> And they also worked on Chinese New Year, but not on Christmas. And over the years, there were nine changes that fall outside of the Beijing time into UTC+2, which is a time zone that includes Israel and parts of Western Russia. That's why some experts have speculated that this could be the work of APT29, a Russian-state-backed hacker group also known as Cozy Bear. But again, do we know? No, of course we don't know who it is, and we likely will never know.
That was also what I took away when watching the video. Russians don't celebrate Christmas on the 25th (they Celebrate on January 7th), but even more than that: Russians don't celebrate Christmas the same way we do in the west.
Their "Christmas" family celebrations are on New Years Eve.
So if you're drawing conclusions from them not working on the 25th (which is a literal normal day in eastern europe) then signs point elsewhere unfortunately.
Those anecdotes don’t mean anything. If I were China and wanted plausible deniability I would work on CNY and take off on foreign holidays. Of course that leaves Beijing time as a weird oversight though it’s always Beijing time anywhere in China.
I actually watched this last night, and while I totally understand that criticism is easy, and making things is hard (and the production quality here is great); I got a weird vibe from the video when it comes to who it is for.
The technical explanations are way too complex (even though they're "dumbed down" somewhat with the colour mixing scenario), that anyone who understands those will also know about how dependencies work and how Linux came to be.
It feels almost like it's made for people like my mum, but it will lose them almost immediately at the first mention of complex polynomials.
The actual weight of the situation kinda lands though, and that's important. It's really difficult to overstate how incredibly lucky we were to catch it, and how sophisticated the attack actually was.
I'm really sad that we will genuinely never know who was behind it, and anxious that such things are already in our systems.
My partner who is an accountant, so intelligent but not technical, watched some Veritasium documentaries the other day.
Her comment was that she was really impressed that it didnt dumb anything down like normal documentaries do. She was able to follow along more technical stuff than she anticipated, and that made her enjoy it even more.
I think we need to give people more credit when it comes to complex or techincal explanations. If people are enjoying the context but dont understand the techincal, they can just gloss over that if they prefer. But I felt this was quite telling at how and why Veritasium is such a popular channel.
Even though the video is somewhat sensationalized at some points, it is well worth a watch for people who are interested in computers but don't have a background in it. There is a nice mixture of everything from history (e.g. the founding of the FSF) to a clear explanation of a compression algorithm (clear enough that one should be able to implement it). It also makes claims that should make some people stop and think about the industry as a whole (such as Linux being the most important contemporary operating system).
I'm not sure if it is HN-crowd type material since it is easy enough information for most of us to dig up, assuming we didn't already know it. Yet it does not simplify things to the point of, "technology is magic."
Ireland recently created a Basic Income scheme for artists.
Europe should have an equivalent scheme for programmers of important Open Source projects such as this one.
Just German, not European, but still a start: https://en.wikipedia.org/wiki/Sovereign_Tech_Agency
The problem was more than remuneration. It was burnout and mental health issues. They may have been moderated by income but we don’t know.
Also today as I understand it much of OSS is done in-house by major companies (red hat, Ubuntu, ibm, Google, etc)
https://boehs.org/node/everything-i-know-about-the-xz-backdo...
This is the scariest part to me:
> A pull request (https://github.com/jamespfennell/xz/pull/2) to a go library by a 1Password employee is opened asking to upgrade the library to the vulnerable version
This is IMO one of the coolest tech stories to ever happen, seriously amazing spycraft & hacking skills, but I haven't been keeping up with new developments from this story since it broke. Last I heard, the best guess at what happened was some state-sponsored actor worked very hard to get this merged, and it was caught luckily at the last minute. But no one had any smoking gun as to who did it or why or who they were targeting. Any new developments since then? Are we still just totally in the dark about what was going on here?
Still no smoking gun, but possibly Russia. From the video https://youtu.be/aoag03mSuXQ?t=2883:
> A lot of the aliases, like Jia Tan, they sound like Asian names, and the published changes are all timestamped in UTC+8, Beijing time. So the signs point to China. And that's why it's probably not China. I mean, why would they make it that obvious? Every other part of the operation has been so meticulous, so cautious.
> And they also worked on Chinese New Year, but not on Christmas. And over the years, there were nine changes that fall outside of the Beijing time into UTC+2, which is a time zone that includes Israel and parts of Western Russia. That's why some experts have speculated that this could be the work of APT29, a Russian-state-backed hacker group also known as Cozy Bear. But again, do we know? No, of course we don't know who it is, and we likely will never know.
>And that's why it's probably not China. I mean, why would they make it that obvious?
That's just what they want you to think!
Russians don't celebrate Christmas on the 25th.
That was also what I took away when watching the video. Russians don't celebrate Christmas on the 25th (they Celebrate on January 7th), but even more than that: Russians don't celebrate Christmas the same way we do in the west.
Their "Christmas" family celebrations are on New Years Eve.
So if you're drawing conclusions from them not working on the 25th (which is a literal normal day in eastern europe) then signs point elsewhere unfortunately.
Those anecdotes don’t mean anything. If I were China and wanted plausible deniability I would work on CNY and take off on foreign holidays. Of course that leaves Beijing time as a weird oversight though it’s always Beijing time anywhere in China.
I actually watched this last night, and while I totally understand that criticism is easy, and making things is hard (and the production quality here is great); I got a weird vibe from the video when it comes to who it is for.
The technical explanations are way too complex (even though they're "dumbed down" somewhat with the colour mixing scenario), that anyone who understands those will also know about how dependencies work and how Linux came to be.
It feels almost like it's made for people like my mum, but it will lose them almost immediately at the first mention of complex polynomials.
The actual weight of the situation kinda lands though, and that's important. It's really difficult to overstate how incredibly lucky we were to catch it, and how sophisticated the attack actually was.
I'm really sad that we will genuinely never know who was behind it, and anxious that such things are already in our systems.
My partner who is an accountant, so intelligent but not technical, watched some Veritasium documentaries the other day.
Her comment was that she was really impressed that it didnt dumb anything down like normal documentaries do. She was able to follow along more technical stuff than she anticipated, and that made her enjoy it even more.
I think we need to give people more credit when it comes to complex or techincal explanations. If people are enjoying the context but dont understand the techincal, they can just gloss over that if they prefer. But I felt this was quite telling at how and why Veritasium is such a popular channel.
I'm still floored that Andres both found this and didn't ignore it. It's such a testament to an incredible engineer.
(But also, my conspiratorially-inclined mind is quite entertained by the thought of some sort of parallel construction or tip from a TLA.)