PLAY PODCASTS
407: Bad Apple
Season 4 · Episode 407


Overtired

April 8, 2024 · 1h 9m


Show Notes

Jeff is on Spring Break, so Christina and Brett keep the show going with a heavily tech-oriented episode. From security back doors to complaining about Apple software, it’s all the tech talk you could want.

Join the Conversation

Thanks!

You’re downloading today’s show from CacheFly’s network

BackBeat Media Podcast Network

Check out more episodes at overtiredpod.com and subscribe on Apple Podcasts, Spotify, or your favorite podcast app. Find Brett as @ttscoff, Christina as @film_girl, Jeff as @jsguntzel, and follow Overtired at @ovrtrd on Twitter.

Transcript

Bad Apple

[00:00:00]

[00:00:04] Brett: Welcome back to Overtired, which has become once again, a, um, kind of sporadic, uh, release schedule, but that’s just, it’s spring break. We’ll be back into the swing of things, uh, shortly. In the meantime, um, we’ll, we’ll just keep putting out kind of random episodes. I kind of wanted to put one out. Oh, hi, by the way, I’m, I’m Brett Terpstra.

[00:00:26] Brett: I’m here with Christina Warren. Um, I kind of wanted to release an episode last week that had an intro and then was just a rickroll, um, and like play the entire song and then, and then just like play the outro music. Um, but I didn’t, because that was probably, there were probably copyright issues with that.

[00:00:47] Christina: Eh,

[00:00:49] Brett: I could probably get away with a 30 second snippet though.

[00:00:52] April Fools Day Fun

[00:00:52] Christina: yeah, probably. I saw one good... Okay, so April Fool’s Day was, what day was that? Was that like, Monday?

[00:00:59] Brett: It [00:01:00] was on April 1st.

[00:01:01] Christina: Well, no, it was last Friday. No, I know, but I was trying to think where we are like, like, like day wise, like I was trying to think of what day was it this week? And it was Monday. So we’re recording this on Saturday.

[00:01:12] Christina: So it was Monday. So I was trying to figure out when it was. Um, and April Fool’s Day as, as you know, the internet has ruined it. I think we’ve talked about that before. I feel very complicit about my own role. Um, in ruining the day because of, of my time as a blogger, um, especially at Mashable during like the height of brands being extremely online and terrible.

[00:01:36] Christina: But there was one good, well, there were a couple of, of good ones that I saw. Um, I think, uh, I don’t remember what the, the second one was, maybe it’ll come to me, but the one that actually got me to laugh was, um, somebody, um, Uh, and I knew exactly what it was before I saw it and I saw Mr. Macintosh, uh, tweet it and it was somebody who was like, hey, I got a way [00:02:00] of getting, you know, full, you know, modern, um, macOS, um, running on old PowerPC Macs, you know, click here for more.

[00:02:08] Christina: And I knew it was like, Oh, and then you click on the thing. It was like, Oh, you know, click, click, click on this link, you know, to get more information or whatever. And I was like, Oh, I know exactly what this is. Before I even saw the YouTube tool tip, before I even saw that, I like, I knew exactly what I was setting myself up for and I still sent it to someone.

[00:02:23] Christina: Um, and, um, and it was one of those things where I was just like, yep. Okay. This, I was like, you get one, you get one rickroll of an April Fool’s Day. And this is, this is a good one. Cause like, that’s, that’s it.

[00:02:34] Brett: I saw a meme that said, Happy April Fool’s Day, the one day of the year when people critically assess information on the internet before accepting it as true.

[00:02:45] Christina: is very true. And it’s also like very awful that it’s like, we acknowledge, it’s like everybody’s a fucking expert on April Fool’s Day. Um. And, and then, yeah.

[00:02:57] Brett: What was your favorite April Fool’s [00:03:00] prank as a kid?

[00:03:05] Christina: I don’t even, I don’t even know. I, I used to buy like, um, stuff from, from, from Spencer’s. Um, there would be like, joke stuff. And I’m trying to think like, what I had. I think I might have had like, fake vomit or something.

[00:03:18] Brett: Do you remember back when sinks, kitchen sinks used to have like a spray nozzle that you could pull out on like a hose to like spray your dishes down back before, like everything was just part of the faucet. I used to, my favorite prank was to rubber band the lever on that. So when you turn on the sink, it sprays you right in the chest.

[00:03:41] Brett: Um, that was my go to April Fool’s prank that does not work anymore because nobody has faucets like that anymore.

[00:03:50] Christina: Um, okay, I did

[00:03:51] Brett: Also, I’m an adult now and I wouldn’t do that.

[00:03:54] Christina: right. Okay, and I actually did, I did find like, the one like, really good April Fool’s thing that I saw. This was funny. Okay, [00:04:00] so. And this one, um, this one almost got me. Not that I thought that it was ever real, um, but I thought that it might have actually been by the company it’s purporting to be because I didn’t, I didn’t clock the URL at first because it’s very good.

[00:04:13] Christina: So I’m going to send you, um, uh, I’ll let you read it.

[00:04:17] Christina: I’ll put it in our chat. I’ll put it in our chat link. Um, okay. So. Um, and I’ve already, like, told you this is, like, fake or whatever, but for, for, for listeners who, uh, might, uh, not be old enough to remember, uh, and even some of those who are, uh, Gmail famously launched on April 1st, 2004.

[00:04:36] Christina: Um, let that sink in. And, and we all assumed it was kind of an April Fool’s Day thing because, like, it was a gig of, of, uh, storage and, you know, for free email for life and, and everybody was like, And at the time, you have to understand, I think Hotmail gave you like two megabytes, and I think like Yahoo Mail was something similar.

[00:04:53] Christina: And if you didn’t log into your account, like religiously, like they would fucking nuke all of your messages. And [00:05:00] so a gig was like, Unreal. And now, of course, they give you, I think, like 15 gigs. But, um, Google has, you know, over the years, uh, made a lot of questionable decisions. And one of the most recent ones was with their domain registry.

[00:05:15] Christina: They launched .zip and .mov, um, domain extensions. And, and the security people were very mad, especially for .zip. They were like, this is going to help with the spread of malware, this is going to be bad. So, go to this, this, this website, and it looks like the, it’s done to look exactly like the official Google blog.

[00:05:32] Christina: And it says, Google Registry. Execute your best ideas with Google. Google Registry’s .exe top-level domain. And then it has, you know, it says, you know, following the success of .zip and .mov, we’re adding brand new extensions to the internet for everyone. Um, you know, whether you’re learning to code or deploying a helpful tool or starting a new community, .exe has you covered.

[00:05:50] Christina: Here’s some examples from our developer community. Mydoom.exe, your gateway to digital innovation. Iloveyou.exe, transforming online interactions with love. [00:06:00] Melissa.exe, empowering women through digital community, and those are, of course, three very famous viruses. And what got me laughing at this was that I didn’t look at the, I didn’t clock the URL at first and I was like, clearly this is fake.

[00:06:15] Christina: I was like, but maybe the registry team just has a really good sense of humor. I was like, damn, they’re like really self aware at Google. And then I clocked that the, that the URL is, is G O G G E L and

[00:06:27] Brett: Oh, I, I was looking at it. I’m like the, how is that not okay. That’s funny. That’s funny.

[00:06:34] Christina: So it worked twice, but what was also really funny about it is that the share, like the share button, they, um, they changed the share URL so that it actually went to the official Google blog.

[00:06:44] Brett: Oh, that’s funny

[00:06:45] Christina: So yeah, this was like a good one and, and this was like, this, this, this, this, this, this was like a really good one.

[00:06:50] Christina: I was like, okay, I’m, I’m down with this cause this is, I genuinely at first thought I was like, You know, for like, you know, 15 seconds I was like, [00:07:00] Oh, Google is actually self aware. I’m, I’m a little surprised. And, and instead it was like, no. Um,

[00:07:07] Brett: be, to be fair. .app is a TLD, um, on the Mac side, but it doesn’t have the same implication ’cause an app is a bundle and it wouldn’t have the same implications as an executable

[00:07:20] Christina: well, right. And I think the other thing too is just like more malware is like, if we had as much Mac, um, not like malware, like if Mac was, if Mac mattered, right. Like, well, I mean, just being honest, right? Like, in terms of an attack service, if it mattered the same way, I do think that would be problematic.

[00:07:36] Christina: Um, but also, and I wonder your thought on this, the fact that we don’t see file extensions on macOS, do you think that that

[00:07:45] Brett: I turn on file extensions.

[00:07:48] Christina: Sure, but like, for, you know, like, even if your applications?.

[00:07:53] Brett: Yeah, I do. I’m looking at my screen right now. I got dayone.app, debughelper.app. [00:08:00] Um,

[00:08:00] Christina: I have, like, I have

[00:08:01] Brett: don’t function well without extensions.

[00:08:04] Christina: I have extensions on, not for app, but I, and I, um, I, whatever the default is, which is, you know, mp4, png, whatever. But there’s some things that like, but by and large, like you can even have like a world in like macOS where like you don’t have. You know, you just give something a filename and it’ll show up, you know, as like a document file and you don’t know what it is.

[00:08:24] Christina: That’s not a thing in Windows. Um, so I, I wonder if that has any kind of role in it too. Um, that like, even if you, like, even if people used, like, targeted Mac the same way, if the fact that like, most people don’t realize that app is the bundle name, you know, that So I don’t, I don’t know if that would, if that would matter.

[00:08:43] Christina: Cause I think, I think a lot of people would be like, what do you mean, what do you mean by dot app file? Like if I said that, I think to even like experienced Mac users, they’d be like, I have no idea what you’re talking about. What the fuck is the dot app file?

[00:08:54] Brett: I don’t, I don’t have no data to say that’s true or is not true. Could be, could be [00:09:00] entirely true. I don’t, I don’t hang out with experienced Mac users, I guess.

[00:09:05] Let the Apple Bitching Commence

[00:09:05] Brett: Um, so anyway, um, while we’re talking about Mac, um, before we get into any kind of mental health corner, I wanted to say Messages logged me out on my Mac, and it will not log me back in with any of my Apple IDs or, um, or a phone number.

[00:09:29] Brett: Like, I go through the process, I get the password correct, guaranteed, cause I use a, uh, I have a secret system. I have key bindings that insert my different passwords.

[00:09:42] Christina: bindings? Seriously? Um, you?

[00:09:46] Brett: It’s a sequence. It’s a very secret sequence, but to be fair, most of my system passwords are stored in the key bindings dict file, um, as plain text. So it’s super insecure, [00:10:00] but I just don’t. My Mac, the one that that’s set up on, nobody else touches. Um, and it’s very well protected network wise, so I don’t worry about it.

[00:10:11] Brett: So anyway, I know the password is correct and it’ll spin for about two minutes and then it’ll say an unknown error occurred. And it will timeout. And I cannot get messages working on my Mac, uh, for the last three days. Now I’ve talked to other people, including yourself, who are not having issues. Um, this isn’t a system wide problem.

[00:10:34] Brett: Uh, but I have had people contact me previously with the exact same issue. Um, and I don’t know how or when it clears up. I I’ve rebooted, I’ve restarted. And it’s, I’m missing, I’m missing a lot of messages because when I’m working at my Mac, I don’t know, my phone doesn’t

[00:10:56] Christina: It doesn’t. No, totally. Well, and yeah, oftentimes that is a thing, like, it’ll be [00:11:00] like, oh, if, if we’ve sent a message to one thing, we won’t others, and it’s other, it’s just a context switching thing, right? Like I, like, I find I’ll miss things because I often have like do not disturb turned on on my Mac, but my phone still won’t send me messages or I won’t get them the same way.

[00:11:13] Christina: And I’m like, all right, fine. Whatever.

[00:11:15] Brett: It’s a little opaque how that works, but yeah.

[00:11:18] Christina: very opaque how that works because Apple wants to make everything a fucking black box. So while we’re bitching, let’s bitch about that too. No, I’ve had that issue before. Um, it’s been years, but I have had that issue before where like my, my max of just hasn’t worked. And then it’s usually cleared itself up.

[00:11:33] Christina: But that’s the, this is the frustrating thing is that it’s like, there’s no way to get any insight into this. All you can do is like file feedback. I’ve got to file feedback about a fricking notes app issue. Um, And, um, where the note that I see, a collaborative note that I see, um, on my phone and my iPad is different than what it is on my [00:12:00] Mac.

[00:12:00] Brett: What?

[00:12:01] Christina: Yeah. Where, like, the one on my phone, I see actual, um, oh shit, it is also fucked on my other Mac where I’ve never looked at this before. And so I’m, like, literally got this thing where I made a bunch of edits And it looks one way on one of my Macs and it looks a different way on every other device. And so I don’t know, and it’s a shared note, so I don’t know what the actual point of truth is.

[00:12:27] Christina: And like, yeah, um, I talked to somebody about this and they were like, file a radar

[00:12:33] Brett: What app is this in? In

[00:12:34] Christina: notes, notes. So it’s an iCloud sync thing, clearly, um, where it got a version wrong. And because The system is the way that it is instead of being like a, you know, in my opinion, sane system that would treat people like adults and, and be able to also, um, explain context and in a way that you could do it in a very user friendly way and say, Hey, we see two [00:13:00] versions of this.

[00:13:02] Christina: You know, which one do you want? It just is a failure where it appears one way on

[00:13:10] Brett: guessing. It’s just showing you, it’s showing you random versions. Sure.

[00:13:14] Christina: Right, and it’s like, okay, well, like, that’s exactly what I want out of my fucking notes app. Are, like, are you kidding me? No, you have one job, literally, you have one job, which is to be the same everywhere.

[00:13:26] Christina: And you can’t do that. And we accept this sort of shit from Apple, and I don’t know why we do, because every other company that fails even the slightest amount, we rightfully, like, Bitch about them and they get terrible reputations. Like, like, like, you know, like, like, like Office, I think unfairly because I think the offline or not offline, but like, you know, like the, the standalone apps are actually very good, but like people shit on Microsoft Office a lot.

[00:13:50] Christina: And I’m not going to lie to you and say that the real time collaboration stuff is as good as it is on Google Docs. It’s not as fast or whatever, but it is better [00:14:00] and certainly sync on, um, every other platform. Every other platform is superior to what Apple does, and yet, like, if, if, if, if, if, if Dropbox, if Google Drive, if OneDrive, like, if any of them had any of the sync issues that iDrive, or not iCloud, still has.

[00:14:19] Christina: Fucking almost 15 years into its existence. Genuinely. Like, it would be the talk of, it would be like a constant joke. Like, nobody would accept it. I don’t understand how Apple gets away with having such piss poor, like, just genuinely, like, amateur tier, just like, bad, like, full blown unacceptable sync performance.

[00:14:42] Christina: I don’t understand it.

[00:14:44] Brett: Bush League. Yeah, no, I, I don’t.

[00:14:47] Christina: and they charge so much for it, right? I pay $38 a month or whatever it is for Apple One Premier, my family plan, and it’s like, and that’s fine. It is what it is. And like all the services, none of them are best in class. Not a [00:15:00] single one. Not a single one.

[00:15:01] Christina: Apple Music is not better than Spotify. Apple TV is not better than Netflix. iCloud is not better than Dropbox. Um,

[00:15:09] Brett: wait, wait, wait, wait. You can’t, Apple TV versus Netflix is, do you mean like versus like, um, like Roku or?

[00:15:18] Christina: I mean like Apple TV

[00:15:20] Brett: Oh, oh yeah, okay. Okay, I thought you meant like the Apple TV

[00:15:25] Christina: no, no, no, no, no, no, no, because I’m talking about the services that you get in Apple, uh, One Premier.

[00:15:30] Brett: yeah, okay.

[00:15:31] Christina: So like Apple TV is not better than Netflix, uh, Apple Music is not better than Spotify, um, Apple News is dog shit, um, uh, Apple Arcade is not better than, um, I guess the next closest thing to that would be Game Pass, and that’s a real, like that’s not a, uh, competition that Apple wants to get into because, They will lose on every fucking level, um, as they should.

[00:15:53] Christina: Um, uh, you know, um, again, like, uh, iCloud is not better than Dropbox or Google [00:16:00] Drive. Um, it just happens to be more convenient because they can, you know, build certain API. Right. Well, because, because they can now give them self entitlements that they won’t give anybody else. Um, you know, like, like health, who fucking cares?

[00:16:14] Christina: Like, or fitness plus or whatever, who fucking cares? Like, it’s one of those things, like genuinely.

[00:16:18] Brett: It’s just there to make you feel bad. You’re paying for this as part of your,

[00:16:22] Christina: Right, right. Yeah, this is like a

[00:16:24] Brett: you’re not using it because you’re

[00:16:26] Christina: using it. Right. Well, you also it’s like people, well, but Peloton, there, there are other alternatives, right? Like, so it’s just, none of these things are best in class at all. And, um, yeah, they, they charge what they charge and everybody’s like, Oh, Apple’s the best.

[00:16:39] Christina: I’m like, no, they’re really not. Like I, I am in the ecosystem because I, I’m going to be a Mac user and I would never even consider another phone other than an iPhone. Yeah.

[00:16:48] Brett: why, why, uh, do you think it’s just marketing? Like they’ve positioned themselves as like untouchable yet forgivable? Like [00:17:00] everything you’re saying is true. Like, I don’t disagree with anything. I just don’t understand because there are a lot of critics in the Apple world. Why is the general population so willing to forgive these shortcomings?

[00:17:14] Christina: I think, if I’m being completely honest, it’s because the original, um, products were so good for so long that there has been two things. I think that one, there’s like a reputational, um, halo that has, that is no longer accurate, to be honest, but has persisted. And I think that it’s also a thing where people don’t realize how much worse it’s gotten and what the capabilities of other things are.

[00:17:43] Brett: I think, I think because it is an ecosystem, because once you have an iPhone and a Mac and an iPad, you are by default using Apple services. And I think a lot of people don’t have a point of comparison.

[00:17:57] Christina: what I’m saying. That’s what I’m saying. They don’t know. They don’t. That’s exactly what I’m [00:18:00] saying. Like, they don’t actually know, like, what the options are for other places.

[00:18:03] Brett: Yeah, that makes sense. I don’t, I don’t generally, like, I don’t use iCloud for much. Um, I use it if I’m sharing a Pages document, which is rare because I don’t use Pages much. Um,

[00:18:17] Christina: would you?

[00:18:18] Brett: right. So, because again, it’s not best in class. Um, I do, I do like Pages. Numbers is a joke. But, um, Anyway, like, I don’t typically use iCloud for much.

[00:18:32] Brett: I use Dropbox and Google Drive, um, and I don’t, I haven’t dealt with the kind of issues you’re talking about with your iCloud sync, um, because I, not because I don’t think

[00:18:44] Christina: No, totally.

[00:18:45] Brett: because I don’t

[00:18:46] Christina: Well, and well, the thing is, and it’s like, I haven’t had like massive issues in a long time, but they do happen from time to time. And when they do, it’s like a black hole because you can’t force things to sink and you can’t

[00:18:56] Brett: with no It sucks with Notes because honestly, [00:19:00] the new version of Notes in Sonoma is very good. It’s a great app. It, it, it Sherlocked a bunch of ideas. Um, and, and, you know, fine. That’s, that is what it is. That’s Apple’s MO. Um, but. Yeah, it’s a, it’s a good app, but if it’s not reliable, uh, between platforms, which is kind of the whole idea, right?

[00:19:26] Brett: Like,

[00:19:27] Christina: whole idea. Yeah.

[00:19:28] Brett: that sucks. That sucks.

[00:19:30] Mental Health Corner

[00:19:30] Brett: Anyway, do you want to, do you want to do a quick mental health corner before we continue bitching about Apple?

[00:19:35] Christina: Yes. Let’s, let’s do that.

[00:19:38] Brett: I will kick it off. So I, I had that three months of insomnia, right? And, and I was, I was losing my mind and I tried multiple drugs. And then, um, my doctor finally gave up on the FDA approved, um, sleep meds, cause none of them had any effect on me and we switched to large doses of [00:20:00] gabapentin.

[00:20:01] Brett: I’m taking like 1,200 milligrams of gabapentin a night, and I’m finally getting some sleep. Um, I talk a lot, apparently. Um, and, and at first, anything over 600 milligrams was causing sleep paralysis. Have you ever had that? Where like, you’re, you’re awake, but your body won’t move because your body’s still asleep and your brain is like, just desperately trying to like get your body back in motion.

[00:20:29] Brett: Uh, you’re trying to like snap your fingers or kick your leg.

[00:20:33] Christina: think I’ve had it like once.

[00:20:35] Brett: Yeah. I

[00:20:37] Christina: but, but it’s not a common thing.

[00:20:38] Brett: it used to happen to me on occasion, especially if I fell asleep, like on the couch in the afternoon, uh, it was, it was more likely to happen. But first time I took 900 milligrams of gabapentin, it happened, um, within an hour. Uh, and then for three nights following, that happened every night.

[00:20:57] Brett: So I went back down to 600, [00:21:00] um, and, and that was working okay. Uh, but then it kind of stabled out and now I’m up to 1200 and no longer getting sleep paralysis. So I am sleeping. I got into, uh, like the sleep medicine department of Gundersen Clinic. Um. But they can’t get me in until July 30th, um, to do like a sleep study.

[00:21:24] Brett: So it’s just me and gabapentin until then. And yeah, I should, the other thing I wanted to say was, so I’ve been doing IFS therapy, which is all about like, um, finding all the different parts that exist within like, that you are a kind of legion. Um, and, uh, my My couple’s counselor suggested that Elle and I go on like a parts date where we talk to each other’s parts instead of like to each other.

[00:21:56] Brett: Um, and that went pretty horribly at [00:22:00] first. Uh, but there was one point where like, I was feeling, uh, like my ADHD was making it impossible for me to research something fully. And then when Elle with her autism did research it, um, they were giving me all kinds of facts and I was getting frustrated that I didn’t know this to begin with.

[00:22:20] Brett: And I felt really shitty about myself and that made me defensive. Um, and they were like, Can you figure out what part of you is angry right now? And so I did a quick scan. I, I talked to this part that came forward and realized that like, my anger around my ADHD is not necessarily part of the ADHD itself.

[00:22:44] Brett: Like ADHD gives me some disabilities, but my frustration level around that is a part that I can like deal with that. I can like talk to you and step in, like, there’s this like instant, like relief. [00:23:00] Um, and I suddenly wasn’t mad and our evening wasn’t ruined and it was, it was pretty cool. So props to IFS.

[00:23:07] Brett: And that’s my mental health corner.

[00:23:10] Christina: That’s great. I think that’s, I’m really, I’m really happy for you for that. Um, Grant takes gabapentin, um, uh, to help his restless leg, but he still has massive restless leg stuff, and so he has massive sleep issues. But, um, I don’t think he’s on I have no idea actually what he’s on. I just know he takes it.

[00:23:30] Christina: Um, I don’t have much of a mental health update. Things are going pretty well. Um, I, um, you

[00:23:37] Brett: Your last, your last couple have been, um, pretty, uh, I want to say concerning. Like you’ve had some serious, so I’m glad to hear things have stabled out.

[00:23:48] Christina: yeah, yeah. I

[00:23:48] Brett: how long has it been since we talked? Like three weeks?

[00:23:51] Christina: yeah, but I think even last time we talked I was fine. Like, I don’t know. Um, it, it, you know, it’s been a few months since I’ve had any, I don’t know. I’m [00:24:00] fine for, you know, nothing really, nothing really to add of note. Um, but yeah, you know, just kind of same old, same old.

[00:24:08] Brett: I like your beanie. Um, in, uh, Riverside here, it’s showing up backwards. So it looks like the prism is turning into a single beam of light. Um, for, for those listening, it’s, uh, it’s the Octocat from GitHub in the middle with a beam of light going into it and a prism coming out the other side. Uh, but if, if you read the mirrored version left to right, it looks like a reverse prism, which confused me at first.

[00:24:35] Brett: And then I realized, Oh, I’m seeing it backwards.

[00:24:38] Christina: Right, right. That’s funny.

[00:24:41] Dimspirations Again

[00:24:41] Brett: Yeah, so, uh, let’s see, what topic do I want to direct a source next? Um, I just want a quick plug. Um, I made this thing called the Dimspirations Cube. Um, if you go to dimspire.me, um, you can click [00:25:00] on the Dimspirations Cube in the menu and It is a 3D spinning cube that every time it goes around, it has different inspirations on every side.

[00:25:11] Brett: And I finally got the, um, uh, set delay or setTimeout with JavaScript to actually, um, stagger so that the image on each side changes while it’s in the back of the spin. So you never see the transition and it just constantly updates. It will kill your browser if you let it run for about 10 minutes. Um, it’ll eventually, you’ll get the note that says, this page is slowing down your browser.

[00:25:42] Brett: Would you like to kill it? Um, in, in any browser, um, which I want to add, uh, Uh, kind of, uh, caveat to the text on the page that says, Much like, much like life. If you, [00:26:00] if you exist too long, it will die. Or something dim. I want to do something dim. Um, I’m working on that still. But, uh, also the Dimspirations store.

[00:26:10] Brett: Has a bunch of new merch, so if you need depressing t shirts or coffee mugs that will upset your co workers, uh, check that out. That’s my plug. I would love to hear, I would love to hear about XZ though, so I’m going to turn it over to you.

[00:26:25] The XZ Back Door

[00:26:25] Christina: Okay, so there was a massive, um, backdoor, there’s a, a, a potentially cataclysmic, um, security event in the last, um, uh, a week or so. Um, it wound up not being, um, cataclysmic because, um, frankly of a, a confluence of just like luck. Um. Um. But xz is the, is a compression algorithm. And, um, XZ Utils is, is, you know, kind, kind of like what, what, uh, manages that.

[00:26:52] Christina: And, and it’s, it’s, it’s used in, um, uh, like a, it’s, it’s a compression utility that’s basically used all over, uh, [00:27:00] like Linux systems. And it’s actually like a, um, a dependency in a lot of projects, including. And, um, it’s a, it’s an important project, but maybe not like a very sexy one. And it’s had like one core, you know, maintainer, the guy who kind of created the, the, the format and has maintained like kind of the, the utility or whatever for a long time.

[00:27:20] Christina: Um, and he’s, um, but, but he’s the only guy and he doesn’t do it for And, um, it doesn’t really, you know, have a lot of time to add features with it. Um, and then there’s this other person who, uh, the, the name that they were using, uh, to contribute was, was Jia Tan, and they’ve been contributing, you know, for about two years.

[00:27:39] Christina: And, you know, making some patches, doing, I guess, some other work off list is, is what the original developer said. And, um, This person was actually eventually made a maintainer. Now, a little bit of background about why this person was potentially made a maintainer. On the xz mailing list about two years ago, there were some kind of [00:28:00] fly by night, um, posters who now, it appears suspicious, but it’s, I don’t think we have enough information to read whether they were socks or not.

[00:28:11] Christina: Um, basically we’re, we’re badgering the maintainer to do more. We’re basically like, if you don’t have enough time and resources for this, then you need to just give this project to someone else. And, you know, you’re, you’re not doing enough. And he was like, well, you know, I’m not paid for this. And, you know, I’ve had mental health struggles and I have been working with this other, you know, person off list.

[00:28:29] Christina: And so, you know, they might even be taking a stronger role in the project, you know, stay tuned. And they’re like, well, I’m sorry for your mental health struggles, but. You know, basically, if you can’t, if you can’t do this stuff, then you need to just like, you know, pass it on because this is not acceptable, blah, blah, blah.

[00:28:43] Christina: And, you know, just kind of shitty, typical entitlement that a lot of open source people have. Um, and, and not just open source people, to be clear, like just a lot of people have. But it, but it is kind of a common, Um, you know, it’s not like when I, when I read through that interaction on the mailing list, [00:29:00] um, and, and there’s like some good rundowns that have this entire kind of timeline of things.

[00:29:04] Christina: Um, nothing about that particularly stands out to me. Here’s, here’s what we do know though. So this, this person who’s brought in as a code maintainer and who, uh, in January took over, um, the, like the webpage, which was put on GitHub and actually made the first kind of releases directly under themselves.

[00:29:23] Christina: They inserted a backdoor into XZ Utils that would, would allow people to basically be able to SSH into other machines without any sort of authentication. And so it was like a, uh, as root. And so, This was, this was a bad, bad thing. And the way that they inserted the backdoor was obfuscated. So if you just looked at the patch, you wouldn’t really be able to tell what was happening.

[00:29:48] Christina: And they’d made some other changes to some other code, like they inserted in a typo into one of the, the original maintainer’s, like the creator’s, commits that wound up, um, I guess like, uh, like blocking a certain [00:30:00] security check or something. There were a lot of things that they were doing that would have made this very, very hard for anyone to pick up on.

[00:30:06] Christina: Then what they did, they released like one version and then they released like a point release. They went and they talked upstream to all the big Linux distros, you know, um, uh, uh, Fedora and Red Hat, uh, uh, SUSE, um, uh, Debian. Um, they, they were in talks with Ubuntu, um, about going ahead and upstreaming

[00:30:25] Christina: that latest release into their distros. None of the mainstream, like the main release distros, long term support or official releases, adopted it. But like OpenSUSE, Tumbleweed, which is their rolling release, Fedora 40, which is at this point like Fedora is a bleeding edge thing, and Debian Unstable all did adopt it.

[00:30:47] Christina: And so, um, but it was only there for maybe a month. Um, OpenSUSE basically says to people, if you were running Tumbleweed, At this point, we think you need to do a complete system restore, um, just to protect against [00:31:00] everything. And then what happened is the code was there for about a month. It was never, um, acted on to anyone’s knowledge.

[00:31:05] Christina: Um, but, um, a Postgres developer, he works at Microsoft as his day job, but in his no night job, like, he’s just like an all around nerd, noticed that, um, That SSH on his machine, which was running Debian Unstable, was slower than it should have been by like a fraction of a second. He was like, what’s going on?

[00:31:24] Christina: And so as he was looking into the performance reasons for that, he realized something had changed within XZ, which as I mentioned before, is a dependency on OpenSSH. And he went further into the code and further into the code and realized what was happening. So, uh, But the thing is, is that this person up until inserting this backdoor had been an innocuous and, and fairly good committer.

[00:31:48] Christina: Like this, there was not, there was no flags that, that would have let this go on. They’ve been working on the project for two years. So, so it had to be state sponsored. Like in, in my opinion, there’s no way that this was [00:32:00] not a state sponsored thing. There’s no way. Um, the, the person’s name, they apparently had very good OPSEC.

[00:32:06] Christina: They, they did log, um, their names maybe a little bit differently a couple of times for their Git commits, but there’s no like reference to this person anywhere else on the internet other than, you know, the, the few, you know, like, um, uh, other kinds of related, um, uh, open source things that they made, um, uh, um, commits to.

[00:32:26] Christina: So this person did OPSEC really, really well. Um, there’s, there’s, you know, I’m sure there, there can be forensics and, and people can get involved, try to like, learn more about like where this person was, like. I think that most people assume because of the name that the person was, um, uh, Malaysian or, or Chinese, um, but the, the time zones they worked in makes it seem like they possibly could have been based in Eastern Europe.

[00:32:50] Christina: It’s unclear. Like, the whole thing is though, like it’s a, it’s a cipher, but it probably, it almost certainly was state sponsored and it’s opened up a lot of questions. In the open [00:33:00] source world, I think a few things, like one, it’s like, how many of these are out there, right? Like we caught this one, but how many of these projects are out there?

[00:33:08] Christina: Because if you were doing a state sponsored thing like this, you probably wouldn’t target one. You’d probably target like a bunch of different projects. So how many of these things are out there? And, and I think that’s like a good question to have. And like a scary thing to consider because there just isn’t enough, like open source, a lot of it runs on trust.

[00:33:23] Christina: And, and it’s easy, it’s easy for people to be like, oh, well, you should demand, you know, a W-2 and like a Social Security card and like a photo ID from every person who commits to your code base. That’s not how this works. And that’s never been the culture. People use, you know, um, acronym, you know, like aliases all the time to contribute.

[00:33:41] Christina: You know, people never meet each other face to face. You have people who, that’s just not how it works. And pseudonym,

[00:33:46] Brett: sure. And if someone is contributing valid code, you know, over two years, if someone is like, that’s how you build trust in open source is you, you make, you make solid patches, you make solid commits, [00:34:00] and

[00:34:00] Christina: you take over

[00:34:00] Brett: people are like, this guy knows what he’s doing. Yeah.

[00:34:03] Christina: you take over for a maintainer who has already been put upon and hasn’t been supported. Like, there’s like a lot of, um, you know, yeah. Like this was a really long con. So, you know,

[00:34:15] Brett: pretty

[00:34:15] Christina: of this. It’s really insidious and it’s really scary to think about, but I think the bigger thing, like other than just like how many more of these instances are out there, because there are many of them.

[00:34:25] Christina: And, um, just like with Heartbleed, which was almost exactly 10 years ago, you do have the usual sources who are trying to be like, yeah, well, this is why I don’t

[00:34:31] Brett: years.

[00:34:32] Christina: 10 years. Literally, it’s 10 years tomorrow. Um, that Heartbleed, you know, the, the, the big, the first real famous, you know, um, uh, vulnerability.

[00:34:42] Brett: vulnerability.

[00:34:44] Christina: Um, oh, that was SSL, but yeah,

[00:34:46] Brett: Oh yeah, yeah,

[00:34:47] Christina: but like, but you know, which I think the only reason that was mitigated so well was because they made it, you know, they gave it a brand, gave it a website and, um, But, you know, I’ve seen some people make, you [00:35:00] know, comments, well, this is why I don’t trust open source software.

[00:35:02] Christina: I’m like, well, okay, first of all, your proprietary shit is not any better. Don’t get it twisted. Also, you can’t escape it. Like everybody, like, you know, something like, like 60 something percent or 70 something percent of code, like from when they do audits, like all software is like made up of open source libraries.

[00:35:20] The Future of Open Source

[00:35:20] Christina: Um, it’s just a fact. But like, for me, the bigger thing is, Okay, so you have this important dependency, this project that all these people rely on, and it’s just like with, with Heartbleed, with OpenSSL, where in that case you had this incredibly important project that was made, that had one full time employee.

[00:35:38] Christina: In this case, you have one person who’s been the maintainer, who’s not paid for it, who’s not supported by anything, and it is yet this crucial project. And, and it’s just kind of Okay, well, like, what are we doing? Like, it’s great that the code is all out there and that people are willing to volunteer and do stuff, but companies make, like, real money off of these things, and, and what are we