[-] fireshell@lemmy.world 2 points 3 months ago

Kindle Paperwhite 4

[-] fireshell@lemmy.world 3 points 5 months ago

Kyoo – Self-hosted media browser (Jellyfin/Plex alternative)

[-] fireshell@lemmy.world 3 points 5 months ago* (last edited 5 months ago)

Since the actual operation of the liblzma SSH backdoor payload is still unknown, there's a protocol for securing your impacted systems:

• Consider all data, including key material and secrets on the impacted system as compromised. Expand the impact to other systems, as needed (for example: if a local SSH key is used to access a remote system then the remote system must be considered impacted as well, within the scope the key provides).

• Wipe the impacted host and reinstall it from scratch. Use a known-good install that does not contain the malicious payload. Generate new keys and passwords. Do not reuse any from the impacted systems.

• Restore configuration and data from backups, but from before the time the malicious liblzma package was installed. However, be careful not to allow potentially leaked credentials or keys to have access to the newly installed system (for example via $HOME/.ssh/authorized_keys).

This handles the systems themselves. Unfortunately any passwords and other credentials stored, accessed or processed with the impacted systems must be considered compromised as well. Change passwords on web sites and other services as needed. Consider the fact that the attacker may have accessed the services and added ways to restore access via for example email address or phone number in their control. Check all information stored on the services for correctness.

This is a lot of work, certainly much more than just upgrading the liblzma package. This is the price you have to pay to stay safe. Just upgrading your liblzma package and hoping for the best is always an option, too. It’s up to you to decide if this is a risk worth taking.

This recovery protocol might change somewhat once the actual operation of the payload is figured out. There might be situations where the impact could be more limited.

As an example: If it turns out that the payload is fully contained and only allows unauthorized remote access via the tampered sshd, and the host is not directly accessible from the internet (the SSH port is not open to internet) this would mean that it might be possible to clean up the system locally without full reinstall.

However, do note that the information stored on the system might still have been leaked to the outside world. For example, leaked SSH keys without a passphrase could still afford the attacker access to remote systems.

This is a long con, and honestly the only people at fault are the bad actors themselves. Assuming Jia Tan's GitHub identity and pgp key weren't compromised by someone else, this backdoor appears to be the culmination of three years of work.
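
The comment above warns against letting keys from the impacted host back onto the rebuilt system via $HOME/.ssh/authorized_keys. The following is an added example (not part of the original post) of how a defender can audit a restored authorized_keys file against the fingerprints of every key that lived on the impacted host and drop the matches before the file is put back in place. The sample keys, host names and the file contents are constructed for the demo; the fingerprint format follows what `ssh-keygen -lf` prints.

```python
"""Audit a restored authorized_keys file against fingerprints of keys that were
present on an impacted host (added example, not code from the original post)."""
import base64
import hashlib
from typing import List, Set, Tuple

# Key-type prefixes OpenSSH accepts in authorized_keys lines.
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def ssh_fingerprint(key_b64: str) -> str:
    """SHA256 fingerprint of a base64 public-key blob, in `ssh-keygen -lf` style:
    'SHA256:' followed by the unpadded base64 of the digest."""
    blob = base64.b64decode(key_b64)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def parse_authorized_keys(text: str) -> List[Tuple[int, str, str, str]]:
    """Return (line number, key type, fingerprint, comment) for each key line.

    A line may start with an options prefix such as command="..."; the key is
    found by scanning for the first field that looks like a key type.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        key_idx = next(
            (i for i, f in enumerate(fields) if f.startswith(KEY_TYPE_PREFIXES)),
            None,
        )
        if key_idx is None or key_idx + 1 >= len(fields):
            raise ValueError(f"line {lineno}: no public key found")
        key_type, key_b64 = fields[key_idx], fields[key_idx + 1]
        comment = " ".join(fields[key_idx + 2:])
        entries.append((lineno, key_type, ssh_fingerprint(key_b64), comment))
    return entries


def purge_compromised(
    text: str, compromised: Set[str]
) -> Tuple[str, List[Tuple[int, str, str]]]:
    """Return (cleaned authorized_keys text, removed entries).

    Comments and blank lines are kept; every key whose fingerprint is in
    `compromised` is dropped and reported as (line number, fingerprint, comment).
    """
    flagged = {
        lineno: (fp, comment)
        for lineno, _, fp, comment in parse_authorized_keys(text)
        if fp in compromised
    }
    kept, removed = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        if lineno in flagged:
            fp, comment = flagged[lineno]
            removed.append((lineno, fp, comment))
        else:
            kept.append(raw)
    return "\n".join(kept) + "\n", removed


def _constructed_ed25519_key(fill: int) -> str:
    """Build a syntactically valid ssh-ed25519 public-key blob with a fixed
    32-byte body. Constructed for the demo only; it is not a real key pair."""
    def ssh_string(data: bytes) -> bytes:
        return len(data).to_bytes(4, "big") + data
    blob = ssh_string(b"ssh-ed25519") + ssh_string(bytes([fill]) * 32)
    return base64.b64encode(blob).decode("ascii")


KEY_LAPTOP = _constructed_ed25519_key(0x01)
KEY_OLD_HOST = _constructed_ed25519_key(0x02)  # key that lived on the impacted host
KEY_CI = _constructed_ed25519_key(0x03)

# Constructed authorized_keys as it might come back from a pre-incident backup.
SAMPLE_AUTHORIZED_KEYS = f"""# restored from backup (constructed sample)
ssh-ed25519 {KEY_LAPTOP} ops@laptop
command="/usr/bin/rsync --server" ssh-ed25519 {KEY_OLD_HOST} backup@impacted-host
ssh-ed25519 {KEY_CI} deploy@ci
"""

# Fingerprints of every key that existed on the impacted host. In practice this
# inventory is gathered (e.g. with `ssh-keygen -lf` over its key files) before
# the host is wiped; here it is constructed from the demo key.
COMPROMISED_FINGERPRINTS = {ssh_fingerprint(KEY_OLD_HOST)}

if __name__ == "__main__":
    cleaned, removed = purge_compromised(SAMPLE_AUTHORIZED_KEYS, COMPROMISED_FINGERPRINTS)
    for lineno, fp, comment in removed:
        print(f"removed line {lineno}: {fp} ({comment})")
    print(cleaned, end="")
```

The audit is by fingerprint rather than by comment or host name because the comment field is free text and the same key can appear under several names; a key is only trusted again if it was generated after the rebuild. Run the same check over every user's authorized_keys on the new host, and against the fingerprints of all keys from every system in the expanded impact scope, not just the one that was wiped.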

[-] fireshell@lemmy.world 2 points 5 months ago

I will laugh out loud if the “fixed” binary contains a second backdoor, but one of better quality. It’s reminiscent of a poorly hidden small joint, which is naturally found, and then bargaining, apologizing and making amends begin. Although now it is generally not clear where the code is more proven.

[-] fireshell@lemmy.world 2 points 5 months ago* (last edited 5 months ago)

As another option Remark42

[-] fireshell@lemmy.world 2 points 10 months ago* (last edited 10 months ago)

Try to build Coreboot on Lenovo G505S using the restore_agesa.sh script in conjunction with the csb_patcher script, which applies a group of unofficial patches for AMD platforms

[-] fireshell@lemmy.world 3 points 11 months ago

NeonModem - console client for Lemmy

[-] fireshell@lemmy.world 2 points 1 year ago* (last edited 1 year ago)

Self-hosted: Miniflux. Client (CLI): newsboat, opens browser links.

[-] fireshell@lemmy.world 3 points 1 year ago

Miniflux submits selected articles to Wallabag for later reading. I also use the Newsboat CLI client, which can sync with Miniflux installations as an alternative to the web interface; it's comfortable.

[-] fireshell@lemmy.world 2 points 1 year ago

It can automate anything you want: a website or wiki can use it to roll out any new changes automatically, and others use it to test their software. It connects to Gitea/Forgejo as a third-party application and requires that it be granted the appropriate permissions in the Settings -> Applications column.

[-] fireshell@lemmy.world 3 points 1 year ago* (last edited 1 year ago)

I have used Gogs and Gitea in the past; now Forgejo, a fork of Gitea, with Woodpecker-CI.


fireshell

joined 1 year ago