Presentations Security What I’m Up To

Video of my BSides Tampa 2024 presentation, “xz made EZ”

Here it is — the video of my presentation, xz made EZ, which covers the security incident involving the xz Utils compression utility on Unix-y systems, which I gave at BSides Tampa 2024 on April 6th:

If you’d like them, here are the Google slides from the presentation.

Questions and answers

How did I land this presentation?

The details of the xz vulnerability were made public mere days before the BSides Tampa 2024 cybersecurity conference, and on a whim, I emailed the organizers and asked if I could do a lightning talk on the topic.

They quickly got back to me and let me know that they’d had a last-minute speaker cancellation and gave me a full slot in which to do my presentation.

The moral of the story? It never hurts to ask, and it can lead to opportunities!

What’s this xz thing, anyway?

Let me answer with this slide from my presentation:

xz is short for xz Utils, a compression utility that you’ll find in Unix-y operating systems, including:

  • Linux distributions
  • macOS

It’s usually used by Unix greybeards who generally use it in combination with tar.

What happened with xz?

xz was one of those open source projects that had a vulnerability best illustrated by this xkcd comic:

xz was like that project pointed out in the comic, except that the “random person” doing the maintaining was Lasse Collin, a developer based in Finland, who was experiencing burnout. As a result, xz was languishing.

In what appeared to be a stroke of good fortune, a developer who went by the handle of “Jia Tan” on GitHub came to the rescue and started submitting patches to xz.

At about the same time, there were a number of complaints about xz’s apparent lack of maintenance. In hindsight, it looks like a clever two-pronged campaign:

  1. A group of people loudly clamoring for someone else to take the reins of the xz project, and
  2. A friendly developer who swoops in at the right time, making patches to the xz project…

…all while a burned-out Lasse Collin was facing a lot of stress.

On November 30, 2022, Lasse changed the email address for xz bug reports to an alias that redirected to both his email address as well as Jia Tan’s. At that point, Jia Tan, the apparently helpful developer who appeared at just the right time, was now an official co-maintainer.

Not long after, Lasse released his last version of xz, and soon after Jia Tan, by then effectively the sole active maintainer of the project, released their own version.

With full control of the project, Jia Tan starts making changes — all the while, carefully disguising them — that create a “back door” within the xz application.

On any system that had Jia Tan’s tainted version of xz installed, the back door (which lived in liblzma, the library that ships with xz, and was wired into the SSH server on distributions whose sshd loads that library) let anyone holding the right private key run commands as root over SSH. By becoming the maintainer of a trusted component shipped by many Linux distributions, Jia Tan managed to plant what could have been one of the most devastating supply-chain attacks ever.
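The practical question after reading the above is “is my box affected?” Here is a small host check, added here as an example and not part of the talk or of the xz project. It assumes the tainted releases are 5.6.0 and 5.6.1 (the two releases that shipped the back door), that `xz --version` prints its first line as `xz (XZ Utils) <version>`, and that the sshd exposure depends on sshd pulling liblzma into its link map (directly or through libsystemd), which `ldd` will show.

```shell
#!/bin/sh
# Added example, not from the presentation or the xz project.
# Assumption: the backdoored releases are 5.6.0 and 5.6.1.

# Pull the version number out of `xz --version` output.
# The first line normally looks like: "xz (XZ Utils) 5.6.1"
xz_version_from_output() {
    printf '%s\n' "$1" | sed -n '1s/^xz (XZ Utils) \([0-9][0-9.]*\).*$/\1/p'
}

# Return 0 (true) when the version is one of the known backdoored releases.
xz_is_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 when the given binary has liblzma anywhere in its dynamic link map.
# The back door lived in liblzma; on the affected distributions sshd pulled it
# in through libsystemd, so an sshd that never loads liblzma is not reachable
# by this particular back door even if the library on disk is tainted.
links_liblzma() {
    ldd "$1" 2>/dev/null | grep -q 'liblzma'
}

# Report on the local host. Always returns 0; the findings are in the output.
check_host() {
    if command -v xz >/dev/null 2>&1; then
        ver=$(xz_version_from_output "$(xz --version 2>/dev/null)")
        if xz_is_affected "$ver"; then
            echo "xz $ver: a known backdoored release; replace it now"
        else
            echo "xz ${ver:-unknown}: not a known backdoored release"
        fi
    else
        echo "xz not installed"
    fi

    sshd_bin=$(command -v sshd 2>/dev/null || echo /usr/sbin/sshd)
    if [ -x "$sshd_bin" ] && links_liblzma "$sshd_bin"; then
        echo "$sshd_bin loads liblzma: exposed if that library is tainted"
    else
        echo "sshd absent or does not load liblzma: not reachable by this back door"
    fi
}

check_host
```

Two caveats. A version string that is not 5.6.0 or 5.6.1 does not prove a clean host, since the tampering was in the release tarballs rather than the git history and distributions apply their own patches, so treat this as triage rather than proof. And `ldd` executes the dynamic loader on the binary you name, so only point it at binaries you already trust to run.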

Artificial Intelligence Presentations Programming

Join my online hands-on AI session with Austin Forum next week!

Next Tuesday, April 2nd at 6:15 p.m. Central / 7:15 p.m. Eastern / 23:15 UTC, I’ll lead an online introductory session for people who want to dive into AI, titled AI: How to Jump In Right Away.

ℹ️ Click here to register for the presentation.

My session is part of Austin Forum on Technology and Society’s third annual AI April, a month of presentations, events, and podcasts dedicated to AI capabilities, applications, future impacts, challenges, and more.

My presentation will start with a brief history of AI, as well as the general principles of how “old school” AI works versus “new school” AI…

…but we’ll quickly dive into building Sweater or No, a quick little AI application that tells you if you should wear a sweater, based on your current location. Here’s a screenshot of some of the code we’ll build:

This is a FREE online session, so you don’t have to be in Austin to participate. I’m not in Austin, but Tampa Bay, and you can join in from anywhere!

You need to register to participate — here’s the registration page. I hope to see you there!

Hardware Meetups Presentations Programming What I’m Up To

Scenes (and full video!) from my “How Computers Work Under the Hood” presentation


Back in June, I posed a question on this blog: Would you like to know how computers REALLY work “under the hood?” Tampa Devs, a very active nonprofit with a mission to support the local developer community, thought this would be a good presentation topic. On Wednesday, I gave that presentation to this crowd:

I started by telling the attendees that while knowing about microprocessors and assembly language isn’t absolutely necessary to function in a lot of developer and tech jobs today, there’s value in that knowledge:

Photo by Richard Schmid.

I talked about transistors…

…made note of the fact that it was the 52nd birthday of the commercial microprocessor…

…introduced the 6502…

…got deeper into its inner workings…

…and then we dove into 6502 assembly language programming!

Tampa Devs recorded the entire thing, and you can watch it here:

All the material from the presentation is available online:

My thanks to:

  • Tampa Devs for inviting me to speak at their meetup — it’s always an honor and a pleasure to work with a group that contributes so much to the Tampa Bay tech scene!
  • Kforce for providing the venue, which I like to say has “the comfiest meetup chairs in Tampa Bay.”
  • Civo for sponsoring the pizza, sodas, and water for the attendees, and taking such an interest in supporting the Tampa Bay tech scene.
Artificial Intelligence Presentations Tampa Bay What I’m Up To

Slides from “Centaurs vs. Minotaurs,” my presentation at SocialCode x Tampa

Thanks to everyone who came to The SocialCode x Tampa: Embracing the AI Evolution event last Thursday (September 7, 2023) for an evening of presentations and discussion about AI! As promised, here’s a link to the slides for my presentation, Centaurs vs. Minotaurs:

Presentations Programming

Would you like to know how computers REALLY work “under the hood?”

What’s “under the hood” of your computer, smartphone, tablet, and other smart devices.


You might know how to program in a high-level language like JavaScript, Python, PHP, and so on, but do you know what’s happening at the machine level? Have you wondered what pointers and references actually are, or the difference between the stack and the heap, and for that matter, what a “stack overflow” is?

Would anyone be interested in a meetup seminar or two where I explain how your computer works “under the hood,” and maybe even walk you through a little programming at the chip level with hands-on exercises? Let me know.

Presentations Programming Video

Richard “.NET Rocks” Campbell on the next decade of software development

What might the next decade of software development look like? Richard Campbell has some ideas and shares them in this talk from the 2023 edition of the NDC London conference.

Here’s the video:

I know Richard from my former life at Microsoft. He’s the host of the .NET Rocks and RunAs Radio podcasts, a long-time developer, consultant, and tech company founder, and a damn good storyteller.

Still image from security camera footage of a black bear wandering in the space between Richard’s house and his neighbor’s house.

The first story he tells is about “The Animal Highway,” the space between his and his neighbors’ house, which is frequented by bears. This actually made me laugh out loud, since when I last saw Richard at a backyard barbecue at his house, we had to scare away a bear cub by being noisy. He picked up a pot and barbecue tongs, I picked up my accordion, and with whoops, hollers, and random squeezebox chords, we chased it away into the woods.

Cray X-MP/48 supercomputer, on display at the École Polytechnique Fédérale de Lausanne, Switzerland.
Creative Commons photo by Rama.

One of the themes that runs through his talk is that technology has grown in leaps and bounds. Near the start of the talk, he uses the example of the Cray X-MP. In 1985, it was the world’s most powerful computer. It sold for millions of dollars, required 200 kW of power, and could perform at 1.9 gigaflops (billions of floating-point operations per second). It was used to model nuclear explosions and compute spaceflight trajectories.

The iPad 2 from 2011 also performs at 1.9 gigaflops, but it sold for hundreds of dollars instead of millions, and ran on battery power instead of requiring its own power plant. As Richard summed it up: “26 years later, the most powerful computer in the world is now a device we give to children. And they play Candy Crush on it.”

The first transistor ever made, built by John Bardeen, William Shockley and Walter H. Brattain of Bell Labs in 1947. Original exhibited in Bell Laboratories.
Creative Commons photo by Unitronic.

Near the end of the talk, Richard uses another example of the technological changes that have happened in a lifetime. The picture above shows the first transistor ever, which was made in Bell Labs in 1947.

“It’s pretty hard to look at that,” he said, pointing to the photo of that transistor, “and think ‘M1 chip’.”

M1 chip diagram.

In case you were wondering, here’s how many transistors the different variations of the M1 chip have:

Chip version             Number of transistors
M1 (original version)    16 billion
M1 Pro                   33.7 billion
M1 Max                   57 billion
M1 Ultra                 114 billion

If you want an understanding of how we got to the current state of computing and some good ideas of where it might go, Richard’s talk is not only enlightening, but also entertaining. I listened to it on this morning’s bike ride, and you might find it good listening during your workout, chores, commute or downtime.

Artificial Intelligence Editorial Presentations Video

Maciej Ceglowski’s reassuring arguments for why an AI superintelligence might not be a threat to humanity

Yesterday on the OpenAI blog, founder Sam Altman, President Greg Brockman and Chief Scientist Ilya Sutskever posted an article titled Governance of superintelligence with the subtitle “Now is a good time to start thinking about the governance of superintelligence—future AI systems dramatically more capable than even AGI.”

Although it’s a good idea to think about this sort of thing, there’s also the possibility that all this fuss over superintelligence may be for nothing. In his talk, Superintelligence: The Idea That Eats Smart People, which he gave at Web Camp Zagreb in 2016, developer Maciej Ceglowski, whom I personally know from another life back in the 2000s, lists some arguments against the idea of an evil superintelligence that is a threat to humanity:

Here are just a few of Maciej’s “inside perspective” arguments, which you can also find in his companion essay:

  • The Argument From Wooly Definitions: “With no way to define intelligence (except just pointing to ourselves), we don’t even know if it’s a quantity that can be maximized. For all we know, human-level intelligence could be a tradeoff. Maybe any entity significantly smarter than a human being would be crippled by existential despair, or spend all its time in Buddha-like contemplation.”
  • The Argument From Stephen Hawking’s Cat: “Stephen Hawking is one of the most brilliant people alive [He was alive at the time Maciej wrote this], but say he wants to get his cat into the cat carrier. How’s he going to do it? He can model the cat’s behavior in his mind and figure out ways to persuade it. He knows a lot about feline behavior. But ultimately, if the cat doesn’t want to get in the carrier, there’s nothing Hawking can do about it despite his overpowering advantage in intelligence.”
  • The Argument From Einstein’s Cat: “There’s a stronger version of this argument, using Einstein’s cat. Not many people know that Einstein was a burly, muscular fellow. But if Einstein tried to get a cat in a carrier, and the cat didn’t want to go, you know what would happen to Einstein.”
  • The Argument From Emus: “In the 1930’s, Australians decided to massacre their native emu population to help struggling farmers. They deployed motorized units of Australian army troops in what we would now call technicals—fast-moving pickup trucks with machine guns mounted on the back. The emus responded by adopting basic guerrilla tactics: they avoided pitched battles, dispersed, and melted into the landscape, humiliating and demoralizing the enemy. And they won the Emu War, from which Australia has never recovered.”
  • The Argument From Slavic Pessimism: “We can’t build anything right. We can’t even build a secure webcam. So how are we supposed to solve ethics and code a moral fixed point for a recursively self-improving intelligence without fucking it up, in a situation where the proponents argue we only get one chance?”
  • The Argument From Complex Motivations: “Complex minds are likely to have complex motivations; that may be part of what it even means to be intelligent. There’s a wonderful moment in Rick and Morty where Rick builds a butter-fetching robot, and the first thing his creation does is look at him and ask ‘what is my purpose?’. When Rick explains that it’s meant to pass butter, the robot stares at its hands in existential despair.”
  • The Argument From Actual AI: “When we look at where AI is actually succeeding, it’s not in complex, recursively self-improving algorithms. It’s the result of pouring absolutely massive amounts of data into relatively simple neural networks. The breakthroughs being made in practical AI research hinge on the availability of these data collections, rather than radical advances in algorithms.”
  • The Argument From Maciej’s Roommate: “My roommate was the smartest person I ever met in my life. He was incredibly brilliant, and all he did was lie around and play World of Warcraft between bong rips. The assumption that any intelligent agent will want to recursively self-improve, let alone conquer the galaxy, to better achieve its goals makes unwarranted assumptions about the nature of motivation.”

There are also his “outside perspective” arguments, which look at what it means to believe in the threat of an AI superintelligence. It includes becoming an AI weenie like the dorks pictured below:

The dork on the left is none other than Marc Andreessen, browser pioneer, who’s more of a south-pointing compass these days, and an even bigger AI weenie, if tweets like this are any indication:

But more importantly, the belief in a future superintelligence feels like a religion for people who think they’re too smart to fall for religion.

As Maciej puts it:

[The Singularity is] a clever hack, because instead of believing in God at the outset, you imagine yourself building an entity that is functionally identical with God. This way even committed atheists can rationalize their way into the comforts of faith. The AI has all the attributes of God: it’s omnipotent, omniscient, and either benevolent (if you did your array bounds-checking right), or it is the Devil and you are at its mercy.

Like in any religion, there’s even a feeling of urgency. You have to act now! The fate of the world is in the balance!

And of course, they need money!

Because these arguments appeal to religious instincts, once they take hold they are hard to uproot.

Or, as this tweet summarizes it:

In case you need context:

  • Roko’s Basilisk is a thought experiment posted on the “rational discourse” site LessWrong (which should be your first warning) about a potential superintelligent, super-capable AI in the future. This AI would supposedly have the incentive to create a virtual reality simulation to torture anyone who knew of its potential existence but didn’t tirelessly and wholeheartedly work towards making that AI a reality.

    It gets its name from Roko, the LessWrong member who came up with this harebrained idea, and “basilisk,” a mythical creature that can kill with a single look.
  • Pascal’s Wager is philosopher Blaise Pascal’s idea that you should live virtuously and act as if there is a God. If God exists, you win a prize of infinite value: you go to Heaven forever and avoid eternal damnation in Hell. If God doesn’t exist, you lose a finite amount: some pleasures and luxuries during your limited lifespan.