The Stack Overflow Podcast

Diverting more backdoor disasters

Episode Summary

In the wake of the XZ backdoor, Ben and Ryan unpack the security implications of relying on open-source software projects maintained by small teams. They also discuss the open-source nature of Linux, the high cost of education in the US, the value of open-source contributions for job seekers, and what Apple is up to AI-wise.

Episode Notes

ICYMI: A backdoor in XZ, a popular open-source compression utility, highlights the risks of relying on open-source software maintained by small teams. Read more about the cyberattack here.

Apple’s new LLM, Ferret, could help Siri understand the user interfaces of mobile displays, potentially expanding the capabilities of Apple’s digital assistant. 

Shoutout to Stack Overflow user cheese1756, who earned a Great Question badge by asking How do I ensure that whitespace is preserved in Markdown?.

Episode Transcription

[intro music plays]

Ben Popper Hello, everybody. Welcome back to the Stack Overflow Podcast: Linux Backdoor Disaster Averted Edition. I am Ben Popper, Director of Content here at Stack Overflow, joined as I often am by my colleague and collaborator, Ryan Donovan. 

Ryan Donovan Hey.

BP Ryan, on our last podcast, you brought up the XZ vulnerability and we discussed it a little. It has now broken through to my local dads text group, so it's clearly a news story. Somebody in the local dads text group who's a digital media person, not a super software-savvy person, said, “This seems weird. Why is nuclear code level danger floating around the internet and being maintained by a couple of lone individuals?” And I said, “You haven't been listening to the Stack Overflow Podcast for the last five years? Don't you know that's how open source works?”

RD So many projects. The magic, I think, of Linux-based systems is that they are open source. They're maintained by all these people and all the pieces of the operating system are pulled in, and this is the bad side of it. Somebody could backdoor your compression algorithm. 

BP Exactly. So the twist, I guess, that didn't come up in our last conversation but is sort of being explored now by the security community and a little bit by journalists is, was this person a lone hacker or was this a nation-state actor? And the theory goes, no lone person is this patient. This person just appeared in 2021– their username– and they made contributions to a few other random well-known open source projects and then started contributing useful code to Linux and then focused in on this subset of it. And then as this other maintainer sort of stepped back, said, “I'm not really keeping up with this. I have some of my own issues to deal with. Could you take over,” they took on that burden and then waited another year. And I guess a little bit of the sophistication of the design of it also and the private key and everything, but I don't know if I necessarily buy that. Who's to say there isn't a very patient individual who was doing other things to get paid in the meantime? 

RD It does seem like the actual hack may have occurred over several commits– the stuff that got in there. And if they're just patiently trying to build credibility, backdating this account where they can stick it to you. I think the other thing that was interesting in the article was trying to figure out where this person might be from. And it is, I think, a Chinese name, the user, but that's irrelevant to this. 

BP Sure. While China is a very large country known to have its cyber arm, just like the US does, just like Russia does.

RD But the working hours point to Eastern Europe. 

BP So VPN covering their tracks, who knows, who knows. We'll get to the bottom of it never. We will never get to the bottom of it. There was some good discussion there of just what could have prevented this, and it would be interesting, and we did have one discussion about some kind of usage-based microtransaction funded fee. So if you're working on a huge project and you're making some contributions and Linux is being used in a business context by a bunch of other enormous companies, there needs to be a licensing component that pools money for the open source side and uses that to do security, et cetera, et cetera. But it's just too unwieldy to imagine all that. The cat is out of the bag. The cow is out of the barn long ago. 

RD Right. You could just fork somebody's code and then are you not paying those people anymore? 

BP All right. I was talking to a friend today whose son is about to go from middle school to high school, and they were saying that he's considering doing BOCES, which is, instead of doing a regular high school curriculum, you basically start doing a trade school. And you can do this for automotive work, you can do it for cooking, you can do it for software development if you want and spend your four years of high school getting more sort of on-the-job experience. I don't know how many of our listeners are based in the United States. I think about maybe half and then it's the UK and then it’s India, so brace yourselves if you live outside of the United States. For the 2024-25 school year, we have finally reached $100,000 in tuition for a single semester, which is just bananas. 

RD Yeah, that is bananas and I think a lot of people are sort of asking themselves is it worth it? Are there better ways to go? 

BP I have two kids, so I'm definitely asking myself that. 

RD I think this doesn't happen as much outside of the US. There's a lot more public funding. Because even state schools now are getting super expensive. I've heard stories of Americans going to study law in Germany and paying next to nothing.

BP It is a fairly uniquely American problem, and it's also a mirage of sorts. The cost is 100,000, and less than 30% of students will be expected to pay full freight, and another fraction of that 10-20% are expected to pay nothing. And so the sticker price is shocking, but it's all a big morass where some people are paying an exorbitant amount and other people are paying nothing at all.

RD And some of that is they put the sticker price high to get the whales, the really rich folks. I've heard that international students will bear a lot of this price. But at some point, when does the business model overwhelm the educational experience on this? 

BP Right. So I made a callout recently on the podcast for folks to email us if they had a topic that they wanted to discuss or if they felt like they wanted to come on the show, and we got an email from a developer based in Belgium, a software developer of seven years working on internal tools. And so we're going to have this person on. I'm excited.

RD I think that's exciting. So many of our guests come from pitches from people who want attention and want press, so it's exciting for somebody to be like, “Hey, I just want to talk about software.” 

BP Yes, not here to shill a product or a company as part of it, just want to talk about software, and tried to send over some takes. You don't need microservices, don't throw it away and start from scratch, trying to get a little spicy, trying to bring some takes to the pod, which we appreciate.

RD That's right. I love a good hot take. That's what Stack Overflow has always been about– it's the voice of the practitioner. Podcasts like this are great for getting messages out, but ultimately what we want is the conversation that's happening with the practitioner.

BP Speaking of software practitioners, I don't really understand why this story was published in 2024, but a piece was published on Graphite.dev April 4th, 2024. “How Stack Overflow replaced Experts Exchange.” This is old news. This is not new. This is old news. But this is a 3,000-word essay about what life was like in the bad old days and what happened when Stack Overflow showed up and then how it grew over time and then takes it all the way to the future, what might things look like in a post-GPT world and where are other people getting their information outside of Stack Overflow on some other forums or media properties. And so I thought it was well-written and nuanced, at least in its take on what is responsible AI and what is pushback from the community and what might be done to do this right. So I'll put the link in the show notes. 

RD I think that is interesting. I haven't read it yet, but one of my understandings is that Experts Exchange had a paywall in front of it. And if you want to grow a community, you generally don't have them pay for it. Stack Overflow also had a better URL.

BP Again, why did this person write this now? Is this just a passion project or was there some SEO juice around this? I'm just very confused. A mystery we'll get to the bottom of, I guess. Graphite is– never wait for a code review again, helps you build smaller pull requests, stay unblocked, and ship faster. So they build dev tools and I guess they thought that this would be a good way to attract developers’ attention, and they are correct. It got me. There is a good discussion, created one month ago but active yesterday, on the Stack Overflow discussions page. Question is: “I finished my degree in computer science at the end of 2022, majored in comp sci, applied a bunch, but haven't found a gig that I'm looking for. What is a good project that I could do independently to get attention and boost my chances of getting hired?”

RD Wow. So what are the recommendations there? Is it to work on open source, make a to-do app? 

BP It seems like mainly start building up your reputation on GitHub, contribute to some things where you can make a difference, showcase your proficiency in more than one language. Those are some of what I see here. 

RD I think Stack Overflow and open source have become a great way for programmers to basically have a second resume, to show that they can actually do the work. Because everybody talks about the awful eight-hour coding interviews or homework where you have three days to write whatever piece of software, which they may be stealing from you.

BP I have a friend who works as a front end engineer who was laid off a few months ago and has had trouble finding new work. That's a common story among, I think, unfortunately, developers these days and so he was boning up on the technical interview side of things. But also on some of the job interviews now they say, “Would you be comfortable doing the pre-interview with a chatbot?” which is a new thing. So he said the conversation was robust enough. It had questions, he had answers. Feels a little dehumanizing, but so be it. 

RD There is always an AI screen, whether it's you talking to a chatbot or them doing the resume filter. Maybe the chatbot is a better version because at least you get to have that interview. 

BP He said he felt less nervous and that in some ways was a benefit.

RD When I've interviewed folks, I do have a set of standard questions I try to ask, but I do try to also improvise and come up with other questions to follow up to press on potential weak points. 

BP What is the difference between a chatbot pre-interview and a form filling pre-interview? But I don't know exactly how much the chatbot pushed back or what nuance they had. A friend of mine who's a big AI skeptic has been using Claude 3 from Anthropic and says that it is shockingly good at critiquing his writing work. He's an AI skeptic, doesn't feel like it's changed the world yet, but impressed with Claude 3 and its ability to look at a piece of writing, an essay, or a legal brief, and be like, “Well, this part seems strong, but you might want to tune this up,” and usually he's like, “Well, pretty on point.”

RD Wow. So the new editor will be AI perhaps. 

BP Exactly. Ryan, you shared something here. Software development at 450 words per minute. What is this? 

RD So this came out in 2017, but it just hit Hacker News again. This is a blog post from somebody who programs and is blind, and it talks about what they actually do to program. And it's pretty interesting that they have no screen, no mouse, a braille display and a synthetic speech that goes at about 450 words per minute. And English is usually spoken at 120 to 150 words per minute, so very fast, and they don't generally use Vim or Emacs. 

BP I'm imagining The Matrix inside of their head, but I guess they're seeing it tactilely. 

RD They touch the pad. Notepad++.

BP Does it say why it goes so much faster? 

RD I assume because that's how he interacts. 

BP That seems fast.

RD It is very fast.

BP Almost 2 or 3x normal conversation speed seems fast, but I guess maybe you get used to it and it improves over time. Very cool.

RD I think if that's your interface, you want your interface to be as fast and as efficient as possible. 

BP All right, last news tidbit before we head off. Apple released a paper showcasing some of what they've been working on in the world of AI, something called ReALM, and a lot of the news coverage is indicating that this would then become a part of Siri and potentially make Siri a more capable conversationalist. And I think that's really interesting because ChatGPT got pretty big, it got to a hundred million users or something like that, but the number of iOS users in the world is in the billions. So if suddenly all those people had a chat assistant that was much smarter, much more conversationally nuanced, better at natural language understanding and reasoning, that could potentially have a pretty huge impact.

RD With all those people playing with it, I look forward to all the stories of people breaking through the guidelines. 

BP Yeah, there's going to be some jailbreaks. It's inevitable. I have to assume that's why they move slowly and conservatively in this. 

RD I'm sure they're testing the heck out of it. I'm sure they have everybody talking to it all the time, trying to get it to slip up. 

BP It seems like the thing that they're doing is it takes what you're saying, and then it also looks at what's on the screen and it puts those two things together and then it has better context and can provide better answers. So maybe it's still not a universal, “Give me your opinion on this political issue,” kind of thing where you can trip it up, but you're able to say, “How do I get out of this menu?” or “Where can I find whatever?” and it's able to help you. So we’ll see.

RD That's interesting. Apple is a huge company with a huge consumer user base so this is going to be a lot of people's first exposure to large language models. 

BP Yeah, exactly.

[music plays]

BP All right, everybody. As always, we want to say thanks for listening. As I mentioned, we got an email from a user and now they're coming on the show and they brought some cool topics and we would love to host more folks, especially if you are a Stack Overflow user and you've been a contributor for a while, or you want to be a user, or you're a lurker who is looking to break out of your shell and contribute, we would love that. It is that time of the show. I want to shout out somebody who came on Stack Overflow and shared a little knowledge. A Great Question Badge was awarded to Cheese1756. “How do I ensure that whitespace is preserved in Markdown?” Cheese, thanks for the question. You've helped 117,000 people who had a similar question get an answer and get on with their day. As usual, I am Ben Popper. I'm the Director of Content here at Stack Overflow. Find me on X @BenPopper. Shoot us an email, podcast@stackoverflow.com. And if you like the show, you can leave us a rating and a review, because it really helps. 

RD I'm Ryan Donovan. I edit the blog here at Stack Overflow. You can find it at stackoverflow.blog. And if you want to send me your hot takes on X, my DMs are open @RThorDonovan. 

BP That's right. Ryan's looking for hot takes.

RD That's right. Spice me up. 

BP You can be the next person to be at the top of Hacker News, hit him up. All right. Thanks for listening, everybody, and we will talk to you soon.

[outro music plays]