[HN Gopher] The xz backdoor thing reminds me of a story
___________________________________________________________________
The xz backdoor thing reminds me of a story
Author : luu
Score : 76 points
Date : 2024-03-31 21:05 UTC (1 hours ago)
(HTM) web link (rigor-mortis.nmrc.org)
(TXT) w3m dump (rigor-mortis.nmrc.org)
| smitty1e wrote:
| No idea one way or the other on the veracity of the anecdote, but
| Scott Adams shares a bit of wisdom on his podcast: "Beware of
| stories that are a little too 'on the nose'."
| leoh wrote:
| Ok
| astrange wrote:
| Was that before or after he told you people were hypnotizing
| you through the TV and tried to sell you nutritionally complete
| frozen burritos?
| DonHopkins wrote:
| Or before or after he told you Black people are a hate group
| and White people should stay the hell away from Black people,
| and how to treat women:
|
| The Death of Dilbert and False Claims of White Victimhood:
|
| https://time.com/6259311/dilbert-racism-scott-adams/
|
| >"If nearly half of all Blacks are not OK with white people,
| according to this poll, not according to me, according to
| this poll," Adams says calmly in the clip. "That's a hate
| group. That's a hate group and I don't want anything to do
| with it. And I would say based on the current way things are
| going, the best advice I would give to white people is get
| the hell away from Black people. Just get the f-ck away.
| Wherever you have to go, just get away."
|
| 'Dilbert' Creator Scott Adams Compares Women Asking for Equal
| Pay to Children Demanding Candy:
|
| https://comicsalliance.com/scott-adam-sexist-mens-rights/
|
| "The reality is that women are treated differently by society
| for exactly the same reason that children and the mentally
| handicapped are treated differently. It's just easier this
| way for everyone. You don't argue with a four-year old about
| why he shouldn't eat candy for dinner. You don't punch a
| mentally handicapped guy even if he punches you first. And
| you don't argue when a woman tells you she's only making 80
| cents to your dollar. It's the path of least resistance. You
| save your energy for more important battles." -Scott Adams
| smitty1e wrote:
| Tell HN: if the comment was somehow offensive, feedback on the
| specifics of the transgression would help to improve matters.
| strken wrote:
| It's a vague aphorism from a guy who went nuts with no added
| context to explain why it's relevant here. It's not offensive
| so much as low-quality and unrelated to the link.
| renewiltord wrote:
| I don't doubt that this happened, but if you use E-Verify and
| fill in Form I-9 how does this happen? I'm in the middle of
| hiring an F-1 student on OPT and I need to look at his EAD and
| verify it's not fake according to my lawyer. So I do. Nice and
| easy.
| furyofantares wrote:
| It says it was a couple decades ago
| astrange wrote:
| Can't be that many (3?) if they made cell phones.
| furyofantares wrote:
| I suppose I'm doubting that E-Verify was ubiquitous 20
| years ago, or nearly as likely to catch things.
| dboreham wrote:
| Attacker's opsec presumably takes this into account.
| greyface- wrote:
| Intelligence agencies can presumably mint valid SSNs along with
| other identity documents to use in situations like this.
| Aaargh20318 wrote:
| They can't forge a chipped passport unless they somehow got
| hold of the private key for the country's CSCA certificate.
| greyface- wrote:
| Doing such a thing is entirely within the purview and
| capability set of an intelligence agency.
| freeone3000 wrote:
| Why would you need to? Passports are not required to hire a
| person; most Americans don't even have one.
| GauntletWizard wrote:
| They can forge a real one by providing enough forged
| identity documents and paying the right bribes. They don't
| need to suborn the private keys - Just the people who have
| "use" access to them.
| renewiltord wrote:
| > _No record for him nor his social security number seemed to
| check out_
|
| This is the part that doesn't make sense. But the other
| sibling comment is probably right. It might have been before
| E-Verify was widely in use. Besides, you just run through
| Checkr and friends unless you know the guy, so this "no
| record of him" thing would pop up these days.
|
| I suppose I'm not too concerned about this attack vector now
| that we have this stuff.
| kortilla wrote:
| E-Verify was definitely not ubiquitous two decades ago. Even
| during Covid one of my friends didn't have his new employer
| actually verify I-9 docs until a year into employment...
| jddj wrote:
| I remember a few months ago there was a discussion[1] here about
| how fossil, the VCS for sqlite, should bring in a dependency on
| mermaid charts already.
|
| Nothing against mermaid, but I guess supply chain attacks are
| hard to conceptualise until they happen. When we're shortsighted
| we risk our mitigations against vague but serious threat models
| losing out against convenience.
|
| [1] https://news.ycombinator.com/item?id=38886344
| curiousgal wrote:
| > _None of his paychecks were ever cashed_
|
| I don't understand this. People were paid by cheque in the early
| 2000s?
| astrange wrote:
| You don't have to give your employer a bank account number, but
| they still have to pay you.
|
| Quite unusual for a tech contractor though.
| magicalhippo wrote:
| > You don't have to give your employer a bank account number
|
| As a Norwegian that sounds so alien. They couldn't do
| anything but deposit money, so why wouldn't you?
| forrestthewoods wrote:
| Because you're trying to plant backdoors you don't want any
| paper trail?
|
| Almost everyone does direct deposit. But it's not a legal
| requirement for an employee to be paid that way.
| kortilla wrote:
| Apart from the paper trail side of it, some people just
| really hate banks and don't have an account.
| xorcist wrote:
| I really hate banks, but I hate not being paid even more.
| zanderwohl wrote:
| Sorry, what does being Norwegian have to do with it? Going
| to the physical bank with a physical check seems like too
| many steps no matter what country you're from.
| leoh wrote:
| Yes and many still are
| donatj wrote:
| Developer in the Midwest. I was paid by paper check brought to
| my desk by the office manager from early-aughts until 2012 when
| they switched to direct deposit.
| furyofantares wrote:
| I certainly got checks at internships in 1999-2000 and at a job
| I briefly held in 2001. I guess my first real-real job was 2006
| and for sure I got checks for at least the first few months. It
| was a mild pain to do the (literal) paperwork for direct
| deposit, and a mild pain to receive checks (I'd categorize it
| as a major pain now, but you were running errands more often
| then and even at the bank for other crap), so laziness won for
| a while.
| nimih wrote:
| I had the option to be paid by paper check as recently as 2017,
| and probably still would if I had remained working for that
| employer (a US-based legacy insurance carrier).
| gumby wrote:
| Pretty common in the US back then. Direct deposit is (still)
| only required to be provided at the company's bank, though I
| doubt anyone implements that minimum any more.
|
| Back in the 90s when I worked for Atari (Back in the terrible
| Warner period) you could only get DD at the company's bank,
| which was a small bank with one branch, in Sunnyvale (surely
| the company had another bank or two as well?). I was told they
| did this so they could invest the float over the weekend and
| early in the week.
| NelsonMinar wrote:
| I don't understand this. You go through all this trouble to
| build a fake identity and then you don't do this one simple
| thing to make sure you look like a real employee?
| palijer wrote:
| Why go through the risk of trying to deposit a cheque when
| the plan worked perfectly fine as is?
|
| Once you get banks involved, seems like more of a risk of
| something getting flagged there rather than someone in
| payroll noticing cheques weren't deposited within the time
| you were there.
___________________________________________________________________
(page generated 2024-03-31 23:00 UTC)