colonel_mortis

We have to load the font from the web rather than your computer because Comic Sans MS is owned by Microsoft (hence the MS) and is therefore not installed by default on all other operating systems (it may be on some non-MS platforms, but not all). If we relied on a built-in font, it would not be blocked here - that's why the fallback font works fine.

We have to load the font from the web rather than your computer because Comic Sans MS is owned by Microsoft (hence the MS) and is therefore not installed by default on all other operating systems (it may be on some non-MS platforms, but not all). If we relied on a built-in font, it would not be blocked here - that's why the fallback font works fine.

Probably. You're not missing out on much though.

The font is being downloaded from another website, and that site is likely blocked.

Probably. You're not missing out on much though.

The goal is not to be frustrating or unwanted... Just some April Fools fun.

Nothing ever is, just another 'layer of frustration'; just keeping closing the doors if bad actors find them and lock the ones we can predict they'll try to open.
I previously posted "I'm sure smarter people than myself have more practicable solutions though.", I should have included effective in that too.
You are being overly broad with the term "binary blob". In this case we are not talking about the output of an entire package build, which yes would require significant controls to produce the same output, but some binary test files which could be reproduced programmatically in a fairly simple controlled environment.
 
The most important thing is though, if a couple of schmoes in a tech forum can have a productive discussion about ways of thwarting similar attempts moving forward, all hope is not lost 😉

The goal is not to be frustrating or unwanted... Just some April Fools fun.

The goal is not to be frustrating or unwanted... Just some April Fools fun.

The goal is not to be frustrating or unwanted... Just some April Fools fun.

The font is being downloaded from another website, and that site is likely blocked.

The font is being downloaded from another website, and that site is likely blocked.

Probably. You're not missing out on much though.

Probably. You're not missing out on much though.

Probably. You're not missing out on much though.

Community Standards
 
Generally speaking, as long as you stick to the following core principles you should not find yourself subject to disciplinary action:
Ensure a friendly atmosphere to our visitors and forum members Encourage the freedom of expression and exchange of information in a mature and responsible manner "Don't be a dick" —Wil Wheaton "Be excellent to each other" —Bill and Ted Remember your audience; both present and future  
The following is not an exhaustive list of the rules and guidelines that must be followed when participating on Linus Tech Tips. The rules outlined below are only the minimum expectations of members and not every issue can be predicted and addressed here, so conduct could still be considered out of line even if it isn't explicitly covered here. The moderation team reserves the right to terminate any and all accounts or remove any content at any stage without prior notice. The instructions of the moderation team must be followed at all times.
 
Industry Affiliates, in addition to following the Community Standards outlined here, should also familiarize themselves with the Industry Affiliate Code of Conduct.
 
General Conduct
No harassment, discrimination, or abuse of any kind. This includes insults and accusations (fanboy, troll, shill etc). No pornography, sexually explicit, or obscene content. No trolling or flame-bait. This includes topics such as AMD vs NVIDIA, "company X sucks", and religious debates. No political content, regardless of your views. If something spans politics and tech, the discussion must remain clearly within tech and must not descend into politics. This covers all parts of the site, including status updates and the off topic subforum. Only one account per person, except with explicit permission from forum staff. Spam and Non-Constructive posts
No spamming or non-constructive posts, including: Posting the same topic multiple times LMGTFY (Let Me Google That For You) links or comments in the same spirit Post count / Solution count / reputation farming No posts generated by AI No shortened links (bit.ly etc.) without the permission of staff. No thread dumping (posting a thread in the wrong section). Check the forum for the most appropriate location for your thread before posting. Advertising and Begging
No advertising of any non-LTT/LMG material, including: No referral, affiliate, or paid links except those created by Linus Media Group. Self-promotion of personal websites or content (YouTube/Twitch/etc) is only allowed on your own profile page or where appropriate (such as videos demonstrating issues for troubleshooting purposes, and in subforums that permit posting videos per subforum posting guidelines). No promoting items that you are selling on third-party sites (eg. eBay, Craigslist). Trades are only permitted in the Classifieds section of the forum. No begging for free or discounted things, asking for donations, fundraising projects, or any similar content. Piracy, Hacking, and other Illegal Activities
Discussion on how to engage in piracy is not allowed. Redistribution of copyrighted material, including links to third party hosting sites, is not permitted. Discussion of piracy in general is acceptable (e.g. "Game X becomes the most pirated game ever"). Hackintosh discussion is permitted. Discussion on engaging in hacking or cracking is not allowed, including: Bypassing security features, restrictions, or filters (including parental filters, school restrictions, or workplace monitoring), including on your own device. Any illegal content or discussion on engaging in illegal activities is not permitted. Canadian law applies, as well as any jurisdictions that apply to you. Privacy
Do not post other people's personal information (name, email, addresses, phone number, etc) without their explicit consent. Do not post personally identifiable information pertaining to anybody under the age of 16, including yourself, regardless of whether you have permission to do so. Signatures
Text only, no images or other external content linked. No advertising or external links other than a text link to your PC Part Picker profile a text link to your Folding@Home or BOINC stats page Moderation and Bans
Do not openly discuss the moderation of any content or user. If you have an issue please contact a staff member. Do not backseat moderate – if there’s an issue, please use the report function. This includes responses such as "off topic", "spam", "advertising", "status update material" etc; leave it for the mod team to handle. Please be aware staff cannot see private messages unless they are reported, except in exceptional circumstances. If you have an issue with a moderator at any time, please contact an Administrator via PM: @colonel_mortis Subforum-Specific Requirements (including rules on video posting)
Certain subforums have additional rules specific to that section:
Tech News – see here Off Topic – see here Build Logs – see here Member reviews – see here Guides and Tutorials – see here Hot deals – see here Classifieds – see here New Builds and Planning - see here.

Honestly I find this attack pretty terrifying - this is the second example (that we know of) of a very well implemented supply-chain attack (the first being SolarWinds), and it was only caught by chance by someone noticing that OpenSSH was being slow. It is entirely plausible that the perf regression could have gone unnoticed (or, although I don't have a deep understanding of what it was trying to do, I suspect it could also have been possible to write the payload in a way that doesn't cause such a perf regression at all), resulting in this malicious release making it out of the bleeding edge and into mainstream distributions.
 
I hope this will lead to some changes in the industry, but I don't know what those changes could be. Now that the concept has been proven, I doubt that this will be the last time something like this is attempted. It's not a trivial attack to pull off, but nor is it overly difficult as long as you have time to burn (in this case the attacker started getting a foothold 2 years ago) - it would be a great choice for nation-state attackers, but could also be pulled off by solo attackers.
 
The scariest thing to me is that this may not be the first time - for all we know, and with no way to verify, there may be other compromised libraries out there already.

Honestly I find this attack pretty terrifying - this is the second example (that we know of) of a very well implemented supply-chain attack (the first being SolarWinds), and it was only caught by chance by someone noticing that OpenSSH was being slow. It is entirely plausible that the perf regression could have gone unnoticed (or, although I don't have a deep understanding of what it was trying to do, I suspect it could also have been possible to write the payload in a way that doesn't cause such a perf regression at all), resulting in this malicious release making it out of the bleeding edge and into mainstream distributions.
 
I hope this will lead to some changes in the industry, but I don't know what those changes could be. Now that the concept has been proven, I doubt that this will be the last time something like this is attempted. It's not a trivial attack to pull off, but nor is it overly difficult as long as you have time to burn (in this case the attacker started getting a foothold 2 years ago) - it would be a great choice for nation-state attackers, but could also be pulled off by solo attackers.
 
The scariest thing to me is that this may not be the first time - for all we know, and with no way to verify, there may be other compromised libraries out there already.

It is a forum issue, but it's a bit awkward to fix because of how the special offline page works.

It is a forum issue, but it's a bit awkward to fix because of how the special offline page works.

It is a forum issue, but it's a bit awkward to fix because of how the special offline page works.

Community Standards
 
Generally speaking, as long as you stick to the following core principles you should not find yourself subject to disciplinary action:
Ensure a friendly atmosphere to our visitors and forum members Encourage the freedom of expression and exchange of information in a mature and responsible manner "Don't be a dick" —Wil Wheaton "Be excellent to each other" —Bill and Ted Remember your audience; both present and future  
The following is not an exhaustive list of the rules and guidelines that must be followed when participating on Linus Tech Tips. The rules outlined below are only the minimum expectations of members and not every issue can be predicted and addressed here, so conduct could still be considered out of line even if it isn't explicitly covered here. The moderation team reserves the right to terminate any and all accounts or remove any content at any stage without prior notice. The instructions of the moderation team must be followed at all times.
 
Industry Affiliates, in addition to following the Community Standards outlined here, should also familiarize themselves with the Industry Affiliate Code of Conduct.
 
General Conduct
No harassment, discrimination, or abuse of any kind. This includes insults and accusations (fanboy, troll, shill etc). No pornography, sexually explicit, or obscene content. No trolling or flame-bait. This includes topics such as AMD vs NVIDIA, "company X sucks", and religious debates. No political content, regardless of your views. If something spans politics and tech, the discussion must remain clearly within tech and must not descend into politics. This covers all parts of the site, including status updates and the off topic subforum. Only one account per person, except with explicit permission from forum staff. Spam and Non-Constructive posts
No spamming or non-constructive posts, including: Posting the same topic multiple times LMGTFY (Let Me Google That For You) links or comments in the same spirit Post count / Solution count / reputation farming No posts generated by AI No shortened links (bit.ly etc.) without the permission of staff. No thread dumping (posting a thread in the wrong section). Check the forum for the most appropriate location for your thread before posting. Advertising and Begging
No advertising of any non-LTT/LMG material, including: No referral, affiliate, or paid links except those created by Linus Media Group. Self-promotion of personal websites or content (YouTube/Twitch/etc) is only allowed on your own profile page or where appropriate (such as videos demonstrating issues for troubleshooting purposes, and in subforums that permit posting videos per subforum posting guidelines). No promoting items that you are selling on third-party sites (eg. eBay, Craigslist). Trades are only permitted in the Classifieds section of the forum. No begging for free or discounted things, asking for donations, fundraising projects, or any similar content. Piracy, Hacking, and other Illegal Activities
Discussion on how to engage in piracy is not allowed. Redistribution of copyrighted material, including links to third party hosting sites, is not permitted. Discussion of piracy in general is acceptable (e.g. "Game X becomes the most pirated game ever"). Hackintosh discussion is permitted. Discussion on engaging in hacking or cracking is not allowed, including: Bypassing security features, restrictions, or filters (including parental filters, school restrictions, or workplace monitoring), including on your own device. Any illegal content or discussion on engaging in illegal activities is not permitted. Canadian law applies, as well as any jurisdictions that apply to you. Privacy
Do not post other people's personal information (name, email, addresses, phone number, etc) without their explicit consent. Do not post personally identifiable information pertaining to anybody under the age of 16, including yourself, regardless of whether you have permission to do so. Signatures
Text only, no images or other external content linked. No advertising or external links other than a text link to your PC Part Picker profile a text link to your Folding@Home or BOINC stats page Moderation and Bans
Do not openly discuss the moderation of any content or user. If you have an issue please contact a staff member. Do not backseat moderate – if there’s an issue, please use the report function. This includes responses such as "off topic", "spam", "advertising", "status update material" etc; leave it for the mod team to handle. Please be aware staff cannot see private messages unless they are reported, except in exceptional circumstances. If you have an issue with a moderator at any time, please contact an Administrator via PM: @colonel_mortis Subforum-Specific Requirements (including rules on video posting)
Certain subforums have additional rules specific to that section:
Tech News – see here Off Topic – see here Build Logs – see here Member reviews – see here Guides and Tutorials – see here Hot deals – see here Classifieds – see here New Builds and Planning - see here.

Community Standards
 
Generally speaking, as long as you stick to the following core principles you should not find yourself subject to disciplinary action:
Ensure a friendly atmosphere to our visitors and forum members Encourage the freedom of expression and exchange of information in a mature and responsible manner "Don't be a dick" —Wil Wheaton "Be excellent to each other" —Bill and Ted Remember your audience; both present and future  
The following is not an exhaustive list of the rules and guidelines that must be followed when participating on Linus Tech Tips. The rules outlined below are only the minimum expectations of members and not every issue can be predicted and addressed here, so conduct could still be considered out of line even if it isn't explicitly covered here. The moderation team reserves the right to terminate any and all accounts or remove any content at any stage without prior notice. The instructions of the moderation team must be followed at all times.
 
Industry Affiliates, in addition to following the Community Standards outlined here, should also familiarize themselves with the Industry Affiliate Code of Conduct.
 
General Conduct
No harassment, discrimination, or abuse of any kind. This includes insults and accusations (fanboy, troll, shill etc). No pornography, sexually explicit, or obscene content. No trolling or flame-bait. This includes topics such as AMD vs NVIDIA, "company X sucks", and religious debates. No political content, regardless of your views. If something spans politics and tech, the discussion must remain clearly within tech and must not descend into politics. This covers all parts of the site, including status updates and the off topic subforum. Only one account per person, except with explicit permission from forum staff. Spam and Non-Constructive posts
No spamming or non-constructive posts, including: Posting the same topic multiple times LMGTFY (Let Me Google That For You) links or comments in the same spirit Post count / Solution count / reputation farming No posts generated by AI No shortened links (bit.ly etc.) without the permission of staff. No thread dumping (posting a thread in the wrong section). Check the forum for the most appropriate location for your thread before posting. Advertising and Begging
No advertising of any non-LTT/LMG material, including: No referral, affiliate, or paid links except those created by Linus Media Group. Self-promotion of personal websites or content (YouTube/Twitch/etc) is only allowed on your own profile page or where appropriate (such as videos demonstrating issues for troubleshooting purposes, and in subforums that permit posting videos per subforum posting guidelines). No promoting items that you are selling on third-party sites (eg. eBay, Craigslist). Trades are only permitted in the Classifieds section of the forum. No begging for free or discounted things, asking for donations, fundraising projects, or any similar content. Piracy, Hacking, and other Illegal Activities
Discussion on how to engage in piracy is not allowed. Redistribution of copyrighted material, including links to third party hosting sites, is not permitted. Discussion of piracy in general is acceptable (e.g. "Game X becomes the most pirated game ever"). Hackintosh discussion is permitted. Discussion on engaging in hacking or cracking is not allowed, including: Bypassing security features, restrictions, or filters (including parental filters, school restrictions, or workplace monitoring), including on your own device. Any illegal content or discussion on engaging in illegal activities is not permitted. Canadian law applies, as well as any jurisdictions that apply to you. Privacy
Do not post other people's personal information (name, email, addresses, phone number, etc) without their explicit consent. Do not post personally identifiable information pertaining to anybody under the age of 16, including yourself, regardless of whether you have permission to do so. Signatures
Text only, no images or other external content linked. No advertising or external links other than a text link to your PC Part Picker profile a text link to your Folding@Home or BOINC stats page Moderation and Bans
Do not openly discuss the moderation of any content or user. If you have an issue please contact a staff member. Do not backseat moderate – if there’s an issue, please use the report function. This includes responses such as "off topic", "spam", "advertising", "status update material" etc; leave it for the mod team to handle. Please be aware staff cannot see private messages unless they are reported, except in exceptional circumstances. If you have an issue with a moderator at any time, please contact an Administrator via PM: @colonel_mortis Subforum-Specific Requirements (including rules on video posting)
Certain subforums have additional rules specific to that section:
Tech News – see here Off Topic – see here Build Logs – see here Member reviews – see here Guides and Tutorials – see here Hot deals – see here Classifieds – see here New Builds and Planning - see here.

It is meant to work even when the topic is scheduled to be posted later, but there might be some edge cases. I'll look into it.

It is meant to work even when the topic is scheduled to be posted later, but there might be some edge cases. I'll look into it.