Hacker infiltrated XZ Utils open source group for years to implant backdoor

XZ Utils is in practically every distribution of Linux and provides support for the xz compression format. Andres Freund, a developer at Microsoft, noticed that SSH was taking a fraction of a second longer to do its thing and discovered it was a result of changes made to XZ Utils and "took to the Open Source Security List to disclose the updates were the result of someone intentionally planting a backdoor in the compression software". That someone appears to be JiaT75, presumably a state sponsored actor who has been contributing to the XZ Utils project for many years, gained the trust of other contributors and made various changes to cover their tracks before adding a backdoor in February, which eventually made their way into various Linux distributions. The backdoor "allows someone with the right private key to hijack sshd, the executable file responsible for making SSH connections, and from there to execute malicious command". If it went undetected it would have been a disaster. It also raises questions about how the industry supports open source projects that turn into vital pieces of infrastructure and if any other projects are also in the midst of a long con social engineering attack.

Solar Sunshot is a $1b program to make solar panels in Australia

Australia is blessed with amazing solar resources, we've got one of the highest rooftop solar panel install rates anywhere in the world per capita, most of the minerals required are in our dirt and we are one of the leading R&D centres for solar panel technology. The only thing missing is making the damn panels ourselves. That might change with the federal government's $1b investment in the Solar Sunshot program. ARENA will investigate "the entire supply chain from ingots and wafers to cells, module assembly, and related components, including solar glass, inverters, advanced deployment technology and solar innovation", with the aim of manufacturing solar panels locally - plus a little pork barrelling for the Hunter Region, "where the Prime Minister made the announcement at the site of the former coal-fired Liddell Power Station". Good to see a serious effort put in to do more manufacturing in Australia. We can't sell each other houses or rocks to China forever.

IEEE bans Lenna test image, SBF to spend 25 years in jail, all US fed govt agencies need a chief AI officer

• The famous Lenna standard test image, used by computer graphics nerds for decades to test their image formats and other image related things, is now banned from use by the IEEE in manuscript submissions. Not only is the image off-putting to women in the field, the original model never gave consent for the image to be used this way.
• Sam Bankman-Fried received a 25 year jail sentence. 25 years in jail for taking billions of dollars of people's money via a cryptocurrency exchange called FTX and spending it risky investments via Alameda Research. When people couldn't get their money out of FTX because the Alameda investments went to shit, SBF's antics were exposed.
• The White House has mandated that all US federal agencies must have a "chief AI officer" and have to implement "minimum practices" when it comes to AI. They also "need to publicly disclose a list of AI tools they use, identify any risks associated with those technologies, and disclose how they are working to manage the risks".

UK stamps must have a Datamatrix barcode on them to stop fakes

I saw a story on Hacker News about people getting fined 5 quid in the UK for receiving (yes, receiving!) mail with counterfeit stamps, which is causing concern as these people got their stamps from Royal Mail as part of a program to swap your old stamps for new stamps that have QR codes on them. It's unknown if fake stamps got in the legit supply chain or Royal Mail's scanners are claiming legit stamps as fake. I didn't know the UK had stamps with QR codes on them, so I wondered what the code is for and discovered it's not a QR code, but a Datamatrix and it contains all sorts of info, including a supply chain ID (to combat rampant counterfeiting) and even a URL that if you scan it, can show videos - like Shaun the Sheep. Some bullshit about trying to get stamps to appeal to a younger generation?? That then lead me to this Guardian story from 2022 about people upset with the Datamatrix code stamps, who claim the whole point of their letter writing "was to give us a break from having to be engaged with digital content". That rabbit hole sucked up almost an hour of my life and I want to finish writing today's issue ASAP so I can get back into it.