First from the article itself:
>"At this point Lasse seems to have started working even more closely with Jia Tan. Evan Boehs observes that Jigar Kumar and Dennis Ens both had nameNNN@mailhost email addresses that never appeared elsewhere on the internet, nor again in xz-devel."
That is an important observation!
Takeaway: Most non-agenda-driven actual people on the Internet leave a trail -- an actual trail of social media and other posts (and connected friends) that could be independently verified by system/social media/website administrators via voice or video calls (as opposed to CAPTCHA or other computer-based "Is it a human?" tests, which can be gamed) for stronger confidence in the identity / trustworthiness of the remote individual at the other end of a given account...
Next takeaway from the linked article (https://boehs.org/node/everything-i-know-about-the-xz-backdo...):
>"AndresFreundTec @AndresFreundTec@mastodon.social writes:
>Saw sshd processes were using a surprising amount of CPU, despite immediately failing because of wrong usernames etc. Profiled sshd,
>showing lots of cpu time in liblzma, with perf unable to attribute it to a symbol.
>Got suspicious. Recalled that I had seen an odd valgrind complaint in automated testing of postgres, a few weeks earlier, after package updates."
Takeaway: We could always use more observability of where exactly CPU time is spent in given programs...
Binaries without symbol tables (which is the majority of programs on computers today) make this task challenging, if not downright impossible, or at least very impractical -- too complex for the average user...
Future OS designers should consider including symbol tables for all binaries they ship -- as this could open up the capability for flame graphs / detailed CPU usage profiling (and the subsequent ability to set system policies/logging around these) -- for mere mortal average users...
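
An added example, not part of the comment above: a check for whether an ELF binary still carries the full symbol table (`.symtab`) that a profiler needs to name local functions, as opposed to only the dynamic table (`.dynsym`) that `strip` leaves behind. The function names are hypothetical and the sample images are constructed in the code; it handles little-endian ELF64 only.

```python
import struct

SHT_SYMTAB, SHT_DYNSYM = 2, 11          # ELF section types
SHDR = "<IIQQQQIIQQ"                    # Elf64_Shdr, little-endian, 64 bytes

def symbol_counts(elf: bytes) -> dict:
    """Count entries in the full (.symtab) and dynamic (.dynsym) symbol tables."""
    if len(elf) < 64 or elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    if elf[4] != 2 or elf[5] != 1:
        raise ValueError("this example handles little-endian ELF64 only")
    (e_shoff,) = struct.unpack_from("<Q", elf, 0x28)
    e_shentsize, e_shnum = struct.unpack_from("<HH", elf, 0x3A)
    counts = {"symtab": 0, "dynsym": 0}
    for i in range(e_shnum if e_shoff else 0):
        off = e_shoff + i * e_shentsize
        if off + struct.calcsize(SHDR) > len(elf):
            raise ValueError("section header table is truncated")
        fields = struct.unpack_from(SHDR, elf, off)
        sh_type, sh_size, sh_entsize = fields[1], fields[5], fields[9]
        if sh_entsize and sh_type in (SHT_SYMTAB, SHT_DYNSYM):
            key = "symtab" if sh_type == SHT_SYMTAB else "dynsym"
            counts[key] += sh_size // sh_entsize
    return counts

def is_stripped(elf: bytes) -> bool:
    """True when there is no .symtab, so local/static functions cannot be named."""
    return symbol_counts(elf)["symtab"] == 0

def build_sample(section_types) -> bytes:
    """Constructed input: an ELF64 header plus section headers, no real code."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)
    header = ident + struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, 0, 64, 0,
                                 64, 0, 0, 64, len(section_types) + 1, 0)
    table = struct.pack(SHDR, *([0] * 10))          # mandatory null section
    for sh_type in section_types:                   # 3 symbols of 24 bytes each
        table += struct.pack(SHDR, 0, sh_type, 0, 0, 0, 72, 0, 0, 8, 24)
    return header + table

if __name__ == "__main__":
    for name, types in [("unstripped", [SHT_DYNSYM, SHT_SYMTAB]),
                        ("stripped", [SHT_DYNSYM])]:
        image = build_sample(types)
        print(name, symbol_counts(image), "stripped:", is_stripped(image))
```

To check a real file, pass `open(path, "rb").read()` to `is_stripped`; files using extended section numbering (`e_shnum` of 0 with a section table present) are reported as having no symbol sections by this example.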