
I only remember the joke version of “PCMCIA” was short for

I attended the swap meet held by the Neon Temple, Tampa Bay’s security guild, where attendees were selling, swapping, or simply giving away old tech gear and books they no longer needed.

That’s where I found and took a photo of the relic above: a PCMCIA card (a name that got shortened to “PC Card”), which used to be a way of adding peripherals to laptops. The card above was for a 56K modem, which means that it was likely used to download Backstreet Boys songs using Napster.

“What did they call those things before they shortened the name to ‘PC Card’?” someone behind me asked.

“PCMCIA,” someone else replied. “Can’t remember what that was short for.”

I have a great memory for trivia, and even I couldn’t remember. I confessed: “I only remember the joke that it was short for ‘People Can’t Memorize Computer Industry Acronyms’.”


Video of my Bsides Tampa 2024 presentation, “xz made EZ”

Here it is — the video of my presentation, xz made EZ, which I gave at BSides Tampa 2024 on April 6th. It covers the security incident involving xz Utils, a compression utility found on Unix-y systems:

If you’d like them, here are the Google slides from the presentation.

Questions and answers

How did I land this presentation?

The details of the xz vulnerability were made public mere days before the BSides Tampa 2024 cybersecurity conference, and on a whim, I emailed the organizers and asked if I could do a lightning talk on the topic.

They quickly got back to me and let me know that they’d had a last-minute speaker cancellation and gave me a full slot in which to do my presentation.

The moral of the story? It never hurts to ask, and it can lead to opportunities!

What’s this xz thing, anyway?

Let me answer with this slide from my presentation:

xz is short for xz Utils, a compression utility that you’ll find in Unix-y operating systems, including:

  • Linux distributions
  • macOS

It’s mostly used by Unix greybeards, who generally use it in combination with tar.

What happened with xz?

xz was one of those open source projects that had a vulnerability best illustrated by this xkcd comic:

xz was like the project pointed out in the comic, except that the “random person” doing the maintaining was Lasse Collin, a developer based in Finland, who was experiencing burnout. As a result, xz was languishing.

In what appeared to be a stroke of good fortune, a developer who went by the handle of “Jia Tan” on GitHub came to the rescue and started submitting patches to xz.

At about the same time, there were a number of complaints about xz’s lack of apparent maintenance. In hindsight, it looks like a clever two-pronged campaign:

  1. A group of people loudly clamoring for someone else to take the reins of the xz project, and
  2. A friendly developer who swoops in at the right time, making patches to the xz project…

…all while a burned-out Lasse Collin was facing a lot of stress.

On November 30, 2022, Lasse changed the email address for xz bug reports to an alias that redirected to both his email address as well as Jia Tan’s. At that point, Jia Tan, the apparently helpful developer who appeared at just the right time, was now an official co-maintainer.

Not long after, Lasse released his last version of xz, and soon afterward Jia Tan, now the sole maintainer of the project, released their own version.

With full control of the project, Jia Tan started making changes — all the while carefully disguising them — that created a “back door” within the xz application.

On any system with Jia Tan’s tainted version of xz installed, an unauthorized user with the right private key could SSH into that system with root-level access. By becoming the maintainer of a trusted application used by many Linux distributions, Jia Tan managed to set up what could have been one of the most devastating supply-chain attacks ever.
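As an added example from the defender’s side (this is my own code, not anything from the talk or from the xz project), here is a small Python script that does the checks an administrator would want to run after hearing this story: read the installed xz version, compare it against the versions named in your distribution’s advisory (the page doesn’t list them, so the list below is a placeholder for you to fill in), and see whether the running sshd loads liblzma, the xz library through which the tainted code reached the SSH login path on affected distributions. The sample `xz --version` and `ldd` output used in the comments is constructed.

```python
"""Added example, not from the talk or the xz project: a defender-side check
for the xz supply-chain backdoor on a single host."""
import re
import shutil
import subprocess
from typing import List, Optional

# PLACEHOLDER: copy the affected version numbers from your distribution's
# security advisory; the page this accompanies does not list them.
KNOWN_BAD_VERSIONS: List[str] = ["<bad-version-from-advisory>"]

# First line of `xz --version` looks like "xz (XZ Utils) 5.4.6" (constructed sample).
VERSION_RE = re.compile(r"xz \(XZ Utils\) (\d+\.\d+\.\d+)")


def parse_xz_version(output: str) -> Optional[str]:
    """Pull the version string out of `xz --version` output, or None if absent."""
    match = VERSION_RE.search(output)
    return match.group(1) if match else None


def is_listed_version(version: Optional[str], bad_versions: List[str]) -> bool:
    """True when the installed version is one your advisory names as tainted."""
    return version is not None and version in bad_versions


def sshd_links_liblzma(ldd_output: str) -> bool:
    """True if `ldd <sshd>` lists liblzma among the shared objects sshd loads.
    A constructed ldd line looks like:
        liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x...)
    Linking alone is not proof of compromise (some distributions pull liblzma
    in through libsystemd), but it is the precondition for the backdoor to
    reach the SSH login path, so it is worth knowing."""
    return any(line.strip().startswith("liblzma.so") for line in ldd_output.splitlines())


def run_command(argv: List[str]) -> str:
    """Run a command and return its stdout, or '' if it is missing or fails."""
    if shutil.which(argv[0]) is None:
        return ""
    try:
        return subprocess.run(argv, capture_output=True, text=True, timeout=10).stdout
    except (OSError, subprocess.SubprocessError):
        return ""


def check_host(bad_versions: List[str] = KNOWN_BAD_VERSIONS) -> dict:
    """Gather the three facts an admin wants: version, listed?, sshd linkage."""
    version = parse_xz_version(run_command(["xz", "--version"]))
    sshd_path = shutil.which("sshd") or "/usr/sbin/sshd"  # sbin is often not on PATH
    linked = sshd_links_liblzma(run_command(["ldd", sshd_path]))
    return {
        "xz_version": version,
        "version_listed_in_advisory": is_listed_version(version, bad_versions),
        "sshd_links_liblzma": linked,
    }


if __name__ == "__main__":
    for key, value in check_host().items():
        print(f"{key}: {value}")
```

Run it as root or any user that can read the sshd binary; a version that appears in your advisory list is the signal to act, and the liblzma line tells you whether the SSH service on that box was even in a position to be affected.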


The top articles for date and time programming in Swift are still mine!

I originally posted a series of articles on date/time programming in Swift here on Global Nerdy, updated it, and published it on the Auth0 Developer Blog when I worked there.

I just checked to see how it ranked, and at least for me — remember, everyone sees different Google results — the series is still the number one result for swift dates times and similar search terms.


My graphics from Unified.to’s “What is a unified API?” article

What is a unified API?

A unified API is an API that brings together multiple APIs and presents them as a single API service. With a unified API, developers can integrate their applications with multiple SaaS applications using a single, consistent interface.

Last week, I revised one of Unified.to’s earliest articles, An Overview of Unified APIs, rewriting it as What is a Unified API?

In addition to updating the text of the article, I also created some explainer graphics to liven it up and save the reader from being hit with just a wall of text. Those graphics are what you see in this article — enjoy!

Endpoints in a unified API

A unified API should have unified or common endpoints for specific categories of integrations. Most API solutions don’t actually offer this.

Data models in a unified API

A unified API should unify data models from different APIs that represent the same thing into a single data model with enough properties to satisfy most use cases.

Authorization in a unified API

A unified API should have a method for authorizing access to customer data that is easy to use. Ideally, it should provide an authorization component that can be embedded in applications.

Webhooks in a unified API

A unified API should abstract all of the complexities of handling those vendors that don’t support webhooks and provide a unified webhook experience.

Unified API breadth and depth

Breadth refers to the number of APIs supported by a unified API. Depth refers to the number of fields supported by a unified API’s data model.
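To make the “data models” and “webhooks” points above concrete, here is an added Python example of my own (it is not Unified.to’s code, and the two vendors, their field names and their payloads are constructed for illustration). It maps two different vendor contact formats onto one unified model, translates one vendor’s native webhook into a unified event, and, for the vendor that has no webhooks at all, polls its list endpoint and diffs snapshots to synthesise the same events.

```python
"""Added example, not Unified.to's code: one data model for two (constructed)
vendor contact formats, and one webhook experience for both vendors even
though only vendor A sends webhooks natively."""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, Iterator, List, Optional


@dataclass(frozen=True)
class UnifiedContact:
    """Single data model with the properties most callers need."""
    id: str
    name: str
    email: Optional[str] = None
    phone: Optional[str] = None


@dataclass(frozen=True)
class UnifiedEvent:
    """One webhook shape; kind is contact.created, contact.updated or contact.deleted."""
    kind: str
    contact_id: str
    contact: Optional[UnifiedContact]  # None for deletions


def from_vendor_a(rec: dict) -> UnifiedContact:
    """Vendor A (constructed) uses flat fields and a split first/last name."""
    name = f'{rec.get("firstName", "")} {rec.get("lastName", "")}'.strip()
    return UnifiedContact(str(rec["contactId"]), name,
                          rec.get("emailAddress"), rec.get("phoneNumber"))


def from_vendor_b(rec: dict) -> UnifiedContact:
    """Vendor B (constructed) nests fields under "properties" and has two phone fields."""
    props = rec.get("properties", {})
    return UnifiedContact(str(rec["id"]), props.get("fullname", ""),
                          props.get("email"),
                          props.get("mobile") or props.get("work_phone"))


VENDOR_A_EVENTS = {"CONTACT_CREATED": "contact.created",
                   "CONTACT_CHANGED": "contact.updated",
                   "CONTACT_REMOVED": "contact.deleted"}


def normalize_vendor_a_webhook(payload: dict) -> UnifiedEvent:
    """Vendor A sends webhooks: translate its event names and record shape."""
    kind = VENDOR_A_EVENTS[payload["event"]]
    data = payload["data"]
    contact = None if kind == "contact.deleted" else from_vendor_a(data)
    return UnifiedEvent(kind, str(data["contactId"]), contact)


class PollingWebhookAdapter:
    """Vendor B has no webhooks: poll its list endpoint, diff against the last
    snapshot, and emit the same UnifiedEvents a native webhook would deliver."""

    def __init__(self, fetch_all: Callable[[], Iterable[dict]]) -> None:
        self._fetch_all = fetch_all
        self._snapshot: Dict[str, UnifiedContact] = {}

    def poll(self) -> List[UnifiedEvent]:
        current = {c.id: c for c in map(from_vendor_b, self._fetch_all())}
        events: List[UnifiedEvent] = []
        for cid, contact in current.items():
            previous = self._snapshot.get(cid)
            if previous is None:
                events.append(UnifiedEvent("contact.created", cid, contact))
            elif previous != contact:
                events.append(UnifiedEvent("contact.updated", cid, contact))
        for cid in sorted(self._snapshot.keys() - current.keys()):
            events.append(UnifiedEvent("contact.deleted", cid, None))
        self._snapshot = current
        return events


def demo_polling() -> List[List[str]]:
    """Three successive (constructed) responses from vendor B's list endpoint;
    returns the event kinds each poll produced."""
    responses: Iterator[List[dict]] = iter([
        [{"id": 7, "properties": {"fullname": "Ada Lovelace", "email": "ada@example.com"}}],
        [{"id": 7, "properties": {"fullname": "Ada Lovelace", "email": "ada@example.org"}},
         {"id": 8, "properties": {"fullname": "Alan Turing", "mobile": "+44 20 0000 0000"}}],
        [{"id": 8, "properties": {"fullname": "Alan Turing", "mobile": "+44 20 0000 0000"}}],
    ])
    adapter = PollingWebhookAdapter(lambda: next(responses))
    return [[event.kind for event in adapter.poll()] for _ in range(3)]


if __name__ == "__main__":
    print(demo_polling())
    print(normalize_vendor_a_webhook({"event": "CONTACT_CHANGED", "data": {
        "contactId": 3, "firstName": "Grace", "lastName": "Hopper",
        "emailAddress": "grace@example.com"}}))
```

The polling adapter is where the “abstract the complexities” promise is paid for: the snapshot has to live somewhere durable in a real service, and the poll interval bounds how stale a synthesised event can be compared with a native webhook.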

I need to draw comics again

The first few panels of the 1988 Frosh Primer, which was sent to the incoming Applied Science class of ’92, written and illustrated by Yours Truly.


If you were to time travel and visit Crazy Go Nuts University during my student days, you’d find that the thing I was known for wasn’t programming or playing the accordion, but drawing comics.

The web came around at the very end of my long and colorful academic career, so my comics mostly appeared in student newspapers — primarily Golden Words, a satire newspaper in the same vein as the original print version of The Onion, as well as the main student newspaper, The Queen’s Journal.

I make the occasional comic every now and again these days, and when Dan Arias, a former coworker at Auth0, found out about it, he asked me to draw some comics as a way to “storyboard” some screens for an app for the 2023 Oktane conference.

The comics were supposed to showcase some features of Auth0’s customer identity management system, and if possible, do so in a humorous way. They also had to use some animal mascots that had been created for the project: a platypus, a rabbit, a capybara, and a boar.

I recently found the sketchbook with the comics I made for the app. They never went into the app — they were just storyboards for the app’s artist, Sofía Prósper Díaz-Mor, to use as guides, and the final versions that appeared in the app looked fantastic.

Still, there’s a rough charm to my doodles, so I thought I’d post them here. Perhaps it’s time for me to make more posts as comics…

Fine-grained authorization and the big red button

The app had a space theme, so all the comics featured our animal characters — once again, a platypus, a rabbit, a capybara, and a boar — as characters having science fiction adventures that also featured some aspect of digital identity.

This comic was about fine-grained authorization, which is a fancy way of saying “very specific control over who’s allowed to do what in a system”…


Authentication needs anomaly detection

This comic was the storyboard for a story about anomaly detection, which attempts to detect logins that have a suspicious quality to them. I did this by having an alien disguise themself as the ship’s commanding officer, Captain Platypus, and board the ship…


Single sign-on and the planet of a thousand apps

“The planet of a thousand apps” was the setting for this comic about single sign-on. The idea was every activity on the planet was controlled by its own app, which meant that you either had to log into a different app to do anything, or you could use single sign-on…


The power of the passkey

To illustrate the security advantages of passkeys, I came up with this comic. It shows that with a passkey, you don’t have to memorize a password, and even if a hacker manages to break into the server, all it has is the passkey’s public key, which (as its name implies) is known to everyone.


Decentralized identity: A new hope

“Make Star Wars without getting us into legal trouble,” they said, and this is the resulting comic. It features our rabbit character as “Bun Solo” and our capybara as “Capybacca.” In this rough sketch comic, they destroy the centralized identity database, the Data Star, freeing the citizens of the galaxy to use decentralized identities. In the second page, I show the uses for them…


More to come…

Watch this space — I think it’s time to do more comic-style blog posts here on Global Nerdy!


Easier ways to learn how neural networks work

If you’ve tried to go past the APIs like the ones OpenAI offers and learn how they work “under the hood” by trying to build your own neural network, you might find yourself hitting a wall when the material opens with equations like this:

How can you learn how neural networks — or more accurately, artificial neural networks — do what they do without a degree in math, computer science, or engineering?

There are a couple of ways:

  1. Follow this blog. Over the next few months, I’ll cover this topic, complete with getting you up to speed on the required math. Of course, if you’re feeling impatient…
  2. Read Tariq Rashid’s book, Make Your Own Neural Network. Written for people who aren’t math, computer science, or engineering experts, it first shows you the principles behind neural networks and then leaps from the theoretical to the practical by taking those principles and turning them into working Python code.

Along the way, both I (in this blog) and Tariq (in his book) will trick you into learning a little science, a little math, and a little Python programming. In the end, you’ll understand the diagram above!

One more thing: if you prefer your learning via video…

  1. The Global Nerdy YouTube channel will be kicking it into high gear soon. If you’d like, you can follow it now!
  2. Watch 3Blue1Brown’s video on how neural networks work:

Experiment #3 for 2024: “Million Dollar Weekend”

Cover of the book “Million Dollar Weekend” by Noah Kagan with Tahl Raz.

My third experiment for 2024 involves trying out the ideas from Noah Kagan’s new book, Million Dollar Weekend.

ℹ️ In case you’re wondering: my first experiment of 2024 was to turn my layoff experience into a series of articles; the second was to take a chance working with a pre-seed startup.

Why conduct such an experiment? For now, let’s just say that current circumstances make it necessary, and hey, if anyone can pull off this kind of thing, it would be me.

The general idea of Million Dollar Weekend is that you can start a lucrative business by doing the following:

  • Identify a problem that you can solve
  • Solve that problem in a way that is hard to resist and profitable
  • Test your solution at low (or no) cost by preselling it before you build it.

The prerequisite for the Million Dollar Weekend process is a certain amount of unmitigated gall. Time and again in the book, Kagan states that two things hold people back from starting businesses:

  • Fear of starting
  • Fear of asking

Kagan’s methodology is to start by trying out an idea, seeing if someone will pay for that idea, and then either refining that idea or coming up with a new one and repeating the cycle.

The methodology anticipates rejection, and in fact, it says that in selling your idea, you should aim for plenty of rejections. The idea is that if you’re getting rejected often, you’re asking often, and that’s what eventually leads to success.

I’ll write more as I continue with this experiment, but for now, if you’re curious, here are some resources I can point you to:

You might also find these interviews with Kagan interesting:

ℹ️ Also in case you were wondering: This is NOT a paid promo for the book — neither Noah Kagan nor his businesses have any idea who I am or how to deposit money into my bank account. I wish they did!