Late Night Linux – Episode 276

Released Sunday, 7th April 2024

Episode Transcript

Transcripts are displayed as originally observed. Some content, including advertisements may have changed.

0:10

Hello and welcome to Episode Two Seven

0:13

Six of Late Night Linux, recorded on

0:15

the seventh of April, twenty twenty-four.

0:17

I'm joking with Mail Fate back Graham

0:19

Good evening. And Will. Oh, that's what

0:21

you think fighting. We've actually replaced you

0:24

permanently now with someone who hates KDE

0:26

and loves the cloud. Is it

0:28

the ai? Others as take that much

0:30

less help. So yeah, So.

0:32

We're recording a little bit early and I'm going

0:35

to try and get this one out and up

0:37

early. Fun will say about that. But.

0:39

There's only really one news story to talk

0:42

about and that's the XZ Utils

0:44

backdoor but before that some

0:46

happy news. Hybrid Cloud show is a

0:48

new show that is part of the

0:50

Late Night Linux family. So.

0:52

This. Is the combination of

0:54

a very, very long con.

0:57

To. Troll failing. Essentially I listened to it

0:59

and of the goodness of my a hard

1:01

to give it a chance. Yeah and you

1:04

loved it. I loved every well it's It's

1:06

pretty decent. all is that are in. First

1:08

it's very well done but I. I.

1:10

Honestly couldn't care less anymore about a subject

1:12

or less of as a I. If you

1:14

can combine the two of them together, maybe

1:16

they could talk about AI on the show

1:18

next time he added definitely would burst into

1:20

flames. So. I'm not on the show.

1:23

But we've got four professionals who

1:25

work in the area of cloud talking

1:27

about private cloud, public cloud, and everything

1:30

in between. That's kind of the catchphrase

1:32

for it. So. It's a hybrid

1:34

cloud show.com or it's in the all

1:36

episodes feed. So if you just search

1:38

your podcast player for Late Night Linux

1:41

Family All Episodes, then you'll

1:43

just get everything that we do, and there's

1:45

actually quite a lot now. Between. The

1:47

show, 2.5 Admins, Linux Matters, Linux

1:49

After Dark, Linux Dev Time, Hybrid

1:51

Cloud Show and Ask the Hosts once a

1:54

month. There's quite a lot going on and

1:56

I'm pretty busy these days, so do subscribe

1:58

to that and check out all the great

2:00

shows that we have. So the

2:02

news then, there's been a back

2:04

door in XZ Utils. Now

2:07

if you want all the technical details for this

2:09

I would strongly recommend listening to the Ubuntu security

2:11

podcast. We'll link to that in the show notes.

2:14

Alex did a great job of explaining the whole thing

2:16

there so I highly recommend it. But

2:18

here's a sort of synopsis of what we know

2:21

about this. So it

2:23

was found by a Microsoft employee called

2:25

Andres Freund in his free time when

2:27

he was working on Postgres. And

2:29

this back door was introduced by

2:32

someone calling themself Jia Tan. And

2:34

this person in quotes lurked for about

2:37

two years and slowly contributed and gained

2:39

the trust of the

2:41

XZ Utils developers. Some

2:44

sock puppet accounts pressured the

2:46

dev of XZ Utils, Lasse

2:48

Collin to add Jia Tan as a

2:50

maintainer. And Lasse Collin

2:52

had some mental health issues. And

2:57

about a year ago Jia Tan became

2:59

a maintainer and recently snuck

3:01

in a quite sophisticated back door which

3:04

gives SSH access but only with

3:06

a specific private key. So it's

3:08

only exploitable by this Jia Tan

3:10

person. Now the back

3:13

door made it into Debian Unstable and

3:15

Testing and Fedora Rawhide. And

3:17

it made it into the proposed

3:19

pocket for Ubuntu 24.04 but not

3:22

into the actual pre-release so

3:24

it's not on the box that I've

3:26

got running 24.04 thankfully. And it

3:28

seems to have made it into Windows which is pretty funny

3:30

and it has delayed the Ubuntu 24.04 beta by a week.

3:34

So that's sort of roughly what we

3:36

know about this. Did I get

3:38

anything wrong or miss anything? Maybe

3:40

the pronunciation I think it's XZ.

3:42

No it's XZ I don't care

3:44

what anyone says. I

3:47

quite like Z. I think I'm gonna go with

3:49

it. It's easy to say. Yeah you've got it

3:51

as EFS as well. Yeah yeah it's so much

3:54

easier to say. You've all changed

3:56

since I've been away. Two

3:58

weeks. It's all gone to crap. So

4:01

I heard two takes on this.

4:03

Either we got incredibly lucky

4:06

that it was found, or

4:08

This is classic open source because

4:10

it was open source we were able

4:12

to find it. I would go

4:15

with both. Yeah, I think we

4:17

were lucky. Fair enough And you

4:19

know there's quite an amazing community

4:21

of. Was the

4:23

nice way to put this. Like.

4:25

To spot that Ssh was running mars

4:27

and he saw like apparently like not

4:29

even that much smell like not as

4:32

and you'd look at and go wireless

4:34

retail work very well as in. Tiny.

4:37

Amounts slow and that's weird and went

4:39

to the effort of borrowing down on

4:41

that's and then the email that which

4:43

unlike included he sent the email with

4:45

his personal account so stuff given myself

4:47

credit for the says i just have

4:49

to do something else. Fuck off misguided

4:51

this on his own time. I

4:53

bitter insists that they're so anyway it's

4:56

boss. I think the fact that we

4:58

have a.the to eat up a seat

5:00

have the ability to even look of

5:02

us have to go back and analyze

5:04

all the stuff like if this happened

5:06

in a proprietary twenty which is absolutely

5:08

those hundred percent because am Isis the

5:10

open source. At podcast and

5:12

they were talking. I sucked up.

5:15

A while they said a very

5:17

large ninety nineties mobile. Not a

5:19

factor so I I say see

5:21

the Nokia or Motorola.which ones maybe

5:23

isn't books. They apparently employed someone

5:25

who turned out to just disappear

5:27

one day because they were Snc

5:29

a state actor working on path

5:31

of an agency fit get something

5:33

entire system and. For.

5:35

Health of as he was can be taken

5:38

advantage of. but I think the fact that

5:40

we are to analyzed and this level is

5:42

an amazing ability of yes it was lucky

5:44

or hello to survive on that was lucky

5:47

Books are still I think that's amazing Africa.

5:49

While. i agree with you i think we

5:51

did get lucky i do think however

5:53

that this was not the only opportunity

5:55

to spot this problem right it happen

5:57

sooner than perhaps it would have done

6:00

But reading around the issue, looking at some

6:02

other comments on GitHub, there seem to be

6:04

a few people who are kind of thinking,

6:06

oh, this looks a little bit dodgy, maybe

6:08

I should look into it, and then never

6:10

did. So I like to believe that even

6:13

if this wasn't spotted when it was spotted,

6:15

that it would have been spotted, let's say,

6:17

before like the next big Ubuntu release, for

6:19

example. But there's no guarantee. Yeah,

6:21

I agree with both of you as well. I

6:23

think I'm definitely erring on the fact

6:26

that it's great that open source has been

6:28

able to respond this way. I mean, you're

6:30

just reading up again about this today. There's

6:33

so many people now who have looked into this

6:35

from a different perspective, so many people who have

6:38

taken the work that others have done and tried

6:41

to take it a little bit further in what's going

6:43

on and the reasons behind it and how

6:45

it's been engineered. And I just can't

6:47

see that happening in anything else other

6:50

than open source. And I think

6:52

that's fantastic. The fact that it

6:54

happened at all is perhaps part of the system

6:56

that we use. But I think overall,

6:59

it's very good because we just never know the whole thing

7:01

would be buried or just be just left to live with

7:03

it. Yeah, because it's all

7:05

open source, it's all there in Git.

7:07

You can go back and see exactly

7:10

how this unfolded. Yeah, exactly. And I'm

7:12

so much for everything being done in

7:14

the open, maybe naively so. But I'd

7:16

much rather know what vulnerabilities I'm exposed

7:19

to than just have my head

7:21

forced into the sand for me. One

7:24

of the most interesting aspects of this

7:26

whole story is how

7:28

targeted it looks to have

7:30

been specifically against

7:33

the people or rather the

7:35

person responsible for maintaining XZ.

7:38

They must have had some inclination that

7:41

this guy was struggling in his personal

7:43

life and used

7:45

that as a sort of crack in the

7:47

armour and gone in there and forced

7:50

it open and pushed themselves in. And

7:52

so that implies to me that they have

7:54

been watching a number of critical

7:57

open source projects and

7:59

looked for these chinks in the armour, wherever they

8:01

could find them, and then really

8:03

attacked them, and not only just in

8:05

a seemingly helpful way, but also having

8:07

these sock puppet accounts hammering the message

8:09

home for them. I guess that's kind

8:11

of standard practice that you would find

8:13

a chink in the armour and then

8:15

force your way through there with all

8:17

of these personalities backing your side. But

8:20

it seems like a very sophisticated

8:22

and quite violent way of

8:24

inserting your code into another

8:26

project. And that really struck

8:28

me as a serious point

8:30

that across all of these open

8:32

source projects, where's the next chink

8:35

in the armour and what can we do as

8:37

the community to try and help support those people?

8:39

I don't really have a good idea for that.

8:41

I think you're absolutely right. I know we'd

8:44

probably come to this, the fact that it just comes down

8:46

to a single person. We've talked about

8:48

this before with really

8:50

important projects that are vital to the

8:52

infrastructure of everything that we use being

8:54

run by one person who's doing it

8:56

voluntarily. And we've

8:59

just talked about is this a problem of open

9:01

source? Maybe the problem we have with open source

9:03

here is the licensing, and that there's

9:05

so many people, so many large corporations,

9:08

so many individuals reliant

9:10

on these pieces of software

9:12

that are run by one

9:14

person for charity when

9:16

so many corporations are able to make billions

9:18

off the back of it. And it

9:20

just doesn't seem right. Yeah, XKCD 2347. I

9:25

did see something interesting about that, though, where they

9:28

said, imagine you do run a small project. You

9:30

probably did the development work 10 years

9:32

ago, and it's just kind of been ticking over

9:34

gradually every now and again with a bit of

9:36

a minor release. There's nothing exciting to

9:38

do in that project. It's kind

9:40

of hard to fund something which is essentially

9:42

just sitting there turning over. And

9:44

the other thing was, if you do

9:47

have that project, and then along comes, say,

9:49

Linux Foundation says, hey, we've got five managers

9:51

that are now going to be in charge

9:53

of your project for you, and you're going to

9:55

do what they say, OK, that's cool. And

9:58

no, fuck off, it's my project. That's not

10:00

how I want to do it. You do

10:02

that for a reason and you probably enjoy doing

10:04

that or did so. I don't know what's the

10:06

state forward as just sip it in a lotta

10:09

money because and the other, hey, pay for some

10:11

that doesn't need to change. Was. Thinking

10:13

of money willing to opposed by Thomas

10:15

Depierre, I Am Not a

10:17

supplier and sexy from December. Twenty Twenty

10:19

two. Way. Talks about the

10:21

supply chain and open source people often

10:24

to what they saw console supply chain

10:26

and he says no that's politics. On

10:28

our supply because you don't pay me. I'm

10:31

a volunteer. Yours is using my sit.

10:33

And he can't blame me when things

10:35

go wrong with it. Now you com.

10:38

And. That's. Where I think

10:40

this a piece of the puzzle missing

10:42

in those of us. the company's their response.

10:44

You know that used this kind of punted

10:47

as part of their infrastructure and I don't

10:49

know how we address this problem. And.

10:51

Going back to what Will said before,

10:53

we've got to scrutinize other projects and

10:55

we've got to perhaps come up with

10:57

a as looking for this kind of

10:59

behavior looking for weakness? Test test projects

11:01

in the same way that we test

11:03

software. Which is kind of ironic is

11:05

this was part of the testing infrastructure.

11:07

Vexatious. Get. Rid of

11:09

binary choice in projects that it was to

11:12

from Michigan to reproducible builds and or

11:14

Amazon Verizon is visible Those yes, if we

11:16

had reproducible builds and we didn't have a

11:18

lot of chunky binary nonsense than a be

11:21

very hard to sneak something in or more

11:23

hard for lot like yes understand that they

11:25

need to have package files that the one

11:27

that works will not doesn't but when you

11:29

look at the site he was doomed that

11:32

like extract the tiny bit of info to

11:34

get the key to work with on the

11:36

different multiple heads mean at the the how

11:38

you look. About go Ah yes so Dinamo

11:40

I didn't things here carry ons and though

11:43

it's it's it's a seems now. Obvious

11:45

that it was weird book. I think

11:47

a technology from gonna be hard to get to solve this

11:49

stuff. I think that the role

11:51

of the distro is very significant here

11:54

and I know for a fact that

11:56

Ubuntu put a lot of

11:58

effort into assisting projects that they depend

12:00

on by way of patches and pull

12:02

requests and contributions generally, and I'm sure

12:04

all the other distros do as well

12:06

but they perhaps is a more formal

12:09

structure that could be put in place

12:11

that says if you are a distro and

12:13

you are reliant on this in in

12:15

the way that they literally all of

12:17

them off well maybe know them most

12:19

of the law then you have some

12:21

obligation to have the amount of work

12:24

that you do measured and reported on

12:26

to try and encourage people to do

12:28

more of it. An. Interesting

12:30

point that Alex made on the

12:32

Ubuntu Security Podcast was that

12:35

whoever this attacker is has got really

12:37

detailed knowledge of the entire open source

12:39

ecosystem and. Is probably not One

12:41

person is am and a can't be a

12:43

must be a nation state. I

12:46

don't forget to go into this. I

12:48

discuss criminal organizations. He wants her blackmail

12:50

people in their systems of pip maybe

12:52

just a small group of hackers who

12:54

won. They find an exploit and sell

12:56

it on. Really, the sophistication of it

12:59

makes me think that there's. A.

13:01

Fairly significant and advanced power behind

13:03

or with is certainly states and

13:05

pile of consent of maybe two

13:07

or three that would take undertake

13:09

such as such a thing. yeah

13:11

why did a bit so thing

13:14

about this and tied to find

13:16

out. Who was responsible but

13:18

I think is all speculation. Rabia we

13:20

are don't think we'll ever know who

13:22

actually was responsible. the other think I

13:24

was by see might not being a

13:26

stay on the of. The. U

13:29

K's ability to put technical solutions

13:31

in places. Like

13:33

the NHS to be just as gifts

13:35

and is getting there with it was

13:37

the UK which probably spend about three

13:39

billion on it and then just scrap

13:41

is a specific as far as I

13:44

say under Berlin so let's see what

13:46

you actually what happened with it though

13:48

because I'm in the didn't manage to

13:50

get x that the vulnerability in place

13:52

else does sandri like a government projects

13:54

and yeah exactly two years ever allow

13:56

fucking work for C blown up more

13:58

weekend. what he fucked up on load of things

14:00

in the packaging. No,

14:02

but I don't want to get into too much into

14:05

the conjecture, but I do think, you know, if you

14:07

look at old-fashioned cracking groups

14:09

and the way they've reverse engineered all

14:12

kinds of complicated hardware, people can get

14:14

very, very organised when there's the potential

14:17

of millions or billions. The

14:20

most interesting aspect to me is that this

14:22

is not a general backdoor. This is not

14:24

just leave a backdoor open for anyone to

14:26

get in. This requires a

14:28

private SSH key, and

14:30

so they must have been

14:32

going after some specific target,

14:34

surely? Or did they just want

14:37

to have access to everything, maybe? I think so. It's

14:39

also good that it required this level of

14:41

engineering to kind of create a backdoor in

14:43

SSH. It kind of leaves me thinking that

14:45

SSH generally is such a great solution. Yeah,

14:48

you have to go round the back almost

14:50

to get into it. Exactly. It

14:52

is funny that there's the systemd

14:54

dependency, though, and the non-systemd folks

14:56

are gloating about that. Linux!

15:00

Also, my CentOS 6.2 is safe. Well

15:05

played, Graham. Well played. It's

15:08

interesting to see that Linux is such

15:10

an important part of the world these

15:12

days that what

15:14

I assume is a very significant amount

15:16

of investment has gone into a project

15:19

like trying to break XZ in this

15:21

way. I think it just

15:23

reflects that, as we all know, Linux

15:26

is such a critical piece of every

15:28

infrastructure now that it is worth focusing

15:30

a huge amount of energy on in

15:33

this way. It was only,

15:35

let's say, 15 years ago that

15:37

viruses didn't exist for Linux, primarily because

15:39

it wasn't worth the effort. But now

15:41

it very much is worth the effort.

15:44

And this is probably one of many

15:46

irons they had in the fire. Like their first

15:48

one has been discovered, there will be others that

15:51

have been going on at the same time. And

15:53

now we wait and see what they were. Yeah, that

15:56

was what I was going to ask you

15:58

all. How many more of these accounts do

16:00

you think we've got that are worming their

16:02

way into critical open source projects. And

16:04

what you do about that you can't

16:06

stop casting aspersions on people showed up

16:08

to. Contribute. Your project

16:11

point else. But

16:13

I think that related to what Will was

16:16

saying. I you on. I think the real

16:18

worry isn't now that we look at contributors.

16:20

it's that there are people looking at weaknesses

16:22

and projects. all kinds of weaknesses. This is

16:25

just one that died David then to fight

16:27

and we don't know what are the weaknesses

16:29

them and and like be hosting or t

16:31

to the way project is maintained and the

16:34

I think that's the really ethical one time

16:36

guess now other weaknesses may exist in the

16:38

way that protects a. But.

16:40

You would hope that security researchers

16:43

are just working Brady hard on

16:45

this, trying to find the stuff

16:47

that you mentioned potential other people

16:50

like this because Jia Tan did

16:52

do some dodgy stuff. Quite

16:54

a while ago, but it wasn't quite

16:56

as.a But like in retrospect, he can

16:58

see that there was this pattern forming

17:01

and so. Is. There are other

17:03

accounts for the almost certain the are. So.

17:05

Be people looking for new now surely? And

17:07

that has to be a good thing that

17:09

people are making the Ss. Because

17:12

I mean imagine you find the next one. Earlier

17:14

than this. even. The.

17:16

Or Andres Freund is a proper hero,

17:19

though. But just brainstorming

17:21

this. What Happens A. The.

17:23

Hundred developers the of working on this

17:25

of these important projects of kind of

17:27

working alone. the wicking a home? maybe?

17:29

what's to stop them being kidnapped? What's

17:31

to stop them being murdered in a

17:33

t stolen and some the impersonating them

17:35

for those projects I don't know. We've

17:37

got to think kind of outside the

17:39

box and how these attacks now where

17:41

they could come from and books eight

17:43

they take. To sit on crime can.

17:47

You write those guys a potential risk

17:49

if. There. was a story the

17:51

i had a long time ago about somebody's

17:53

going to read a country and i don't

17:55

know which ones and was that went through

17:58

security at the airport their laptop was taken

18:00

away for examination and it came back with a different

18:02

hard drive in it and you know,

18:04

somebody installed some nefarious software on there.

18:07

And in order to counter that, what

18:09

you had to do was this very

18:11

complex boot chain thing with Linux

18:13

and encryption and so on and so on

18:15

and so on. And now I

18:18

think that was probably quite a good idea. Previously,

18:20

I thought, what is there to worry

18:22

about? But if I was a distro

18:24

maintainer, these people could well

18:27

be targeted by people sending

18:29

them crafted emails or trying

18:31

to steal their laptops from their houses

18:34

and things like that. Like it would

18:36

be very, very easy to insert something

18:39

in the chain of the open source community because

18:42

as Graham said, people are working

18:45

from home, they're quite laid back

18:47

and groovy. It would be quite

18:49

easy to attack them in this way. So I'm

18:51

kind of worried at the moment. As

18:54

far as I'd be concerned, the best thing that

18:56

we can do about this is make things more

18:58

open and more transparent. If there's any code anywhere

19:00

that is a binary blob, things like firmware, those

19:02

are the things we need to worry about. Because

19:04

those are things that can be adjusted and we

19:06

just don't know. All we know is they changed.

19:09

And there's a lot of that stuff that's

19:11

not about in drivers for graphics cards, for

19:14

network cards, all sorts of manner of things. If

19:17

we can eliminate as much as possible, then

19:19

we are able to then use

19:21

Linus's law of the many eyeballs making

19:23

bugs shallow. But we can't do

19:25

that if there's a whole lot of like a big

19:27

chunk of fucking machine code somewhere sitting there that somebody

19:29

says, Oh yeah, well that just loads the thing. Don't

19:31

worry about it. It'd be grand. And yeah, there's only

19:34

one person who knows how that works. We

19:36

need to eliminate the single point failures, not

19:38

to take away projects from people. But if

19:41

you have open code, it makes it harder to

19:43

hide stuff. You can't hide things in plain sight

19:46

unless you're doing like hokey shit like your man

19:48

was doing with his binary files that he was

19:50

chopping head and tail and all over the place.

19:52

Yeah, because this wasn't Easily readable code

19:54

was it? It was very much snuck into a place

19:57

where people wouldn't be looking. Yeah, and it was part

19:59

of the. Susannah only happened if

20:01

it was given the right amount of data,

20:03

otherwise it just ignored and carried on. You

20:06

wouldn't even know it was, it wouldn't trigger

20:08

for you. So and it was in a

20:10

test I think I wasn't. The tests have

20:13

to sail. It was like it was meant

20:15

to be a broken XZ compressed

20:17

file so it was meant to not work

20:19

as part of the test suite And things

20:22

like that where it a it's all hidden.

20:24

He should be able to present your project

20:26

and say yet, this may works You'll need

20:28

to insert these tests of a broken XZ

20:31

file, a warfare sci fi walnuts over the

20:33

size and then they should be able to

20:35

put it into their own test suite so

20:38

you know you don't have to provide the

20:40

XZ files that you've crafted to work with

20:42

us. It's a neat to

20:44

see and six of how to do

20:47

it And then they can provide their

20:49

own stuff so we eliminate every single

20:51

piece of obscured code. I think the

20:53

primary goal now is remain vigilant, see

20:55

something, say something and means to assess

20:57

assess. I looked into this is to

20:59

as well and tests have taken over

21:02

software development. And. It seems

21:04

to me that. Are not developer

21:06

but there's less scrutiny and tests

21:08

and is more ways as I

21:10

mean this This was like something

21:12

wanted to school and to a

21:15

full right bits from the output

21:17

in a way that you kind

21:19

of get away with in tests

21:21

and creating tendencies. full sets of

21:23

data detest said my specs of

21:25

it and I don't know maybe

21:28

this decreasing for will but is

21:30

testing becomes a wild frontier web.

21:32

For. We're doing is kind of. Building.

21:35

Bespoke. Bits of data that we

21:37

can throw something to testify specific

21:39

things that is leaving us on

21:41

a boat. And as is a

21:43

problem with testing itself, It's an

21:45

interesting question because a lot of

21:47

projects like to have a standardized

21:49

test corpus that you can throw

21:51

your projects and everybody's using the

21:53

same. Bits. Of information and

21:55

so in a you can be

21:58

relatively happy dance. particular

22:00

files which are known to fail in a

22:02

particular way continue to fail, that's

22:04

good. But as you say,

22:06

and I totally agree with this, that it's

22:08

got so diffuse now that just

22:11

throwing another file into a directory and claiming

22:13

that it's a new test file, I

22:15

think you're right. I think people just sort of say, oh

22:18

yeah, yeah, fine tests carry on. So

22:20

what is the answer? Certainly getting rid

22:22

of things like that is not a

22:24

great idea. We are absolutely dependent on

22:26

these kind of crafted files to do

22:28

a whole bunch of testing. Could

22:31

they be replaced with something else? Well,

22:33

yes, probably. Will they be replaced by

22:35

something anytime soon? I doubt it. I

22:38

think that it's a lot of effort to go

22:40

to to replace all of those. I

22:42

don't know the answer to this really. I can

22:44

see that it is a problem, though. That pretty

22:46

much sums up this whole situation, doesn't it? We

22:49

know there's a problem, but we don't know how

22:51

to solve it. Well, we don't. Hopefully people smarter

22:53

than us do. Well, fingers crossed. Okay,

22:56

this episode is sponsored by people who support

22:58

us with PayPal and Patreon. Go

23:01

to latenightlinux.com/support for details of how

23:03

you can support us too. For

23:06

$10 a month on Patreon, you can

23:08

get access to an RSS feed that

23:10

contains all the Late Night Linux family

23:12

shows without adverts like this. There's also

23:14

an option to get just this show ad free for

23:16

$5 a month. Some episodes are

23:18

even released a day or so early for Patreon

23:21

supporters. So if you like what

23:23

we do and can afford it, it'd be

23:25

great if you could support us

23:27

at latenightlinux.com/support. On

23:29

to a bit of admin then. First of all, thank

23:31

you everyone who supports us with PayPal and Patreon. We

23:33

really do appreciate that. And if you want to

23:35

get in contact, you can email show at latenightlinux.com.

23:39

Well, now we're joined by a special guest, Gary.

23:41

Hello, Gary. Hi, Joe. How are you doing? Yeah,

23:43

good. When you won

23:45

the last couple of episodes? I was. I couldn't

23:47

get enough of it, so I've decided to come

23:49

back for more. Yes, this time specifically to talk

23:52

about OggCamp. So where

23:54

and when is OggCamp happening, first of all? So

23:56

OggCamp is happening again this year in 2024. I've been

23:58

away for... five years.

24:01

So it's happening at the Manchester Conference

24:03

Centre in the Pendulum Hotel in Manchester.

24:05

So those of you who were there in 2019

24:07

may remember it. It's exactly the

24:09

same place and it's happening

24:11

on the weekend of the 12th and 13th

24:13

of October. Right, so what is an OggCamp?

24:16

OggCamp is an unconference and

24:19

it's effectively the UK's biggest

24:21

free culture, free open source

24:24

software, hardware hacking, digital rights

24:26

meetup. So we have

24:28

a scheduled track of talks that is

24:30

to be announced and then everything else

24:33

is completely decided on the day. So

24:36

turn up with the talk in mind, stick it

24:38

on a whiteboard and people vote for it. Yeah

24:40

there's been various technological solutions over the years

24:42

but they tend to fall over and we've

24:44

ended up with post-it notes most years. Sometimes

24:47

the old systems work best. Yeah, so

24:50

this has been announced and

24:52

it's definitely happening but there's still quite

24:54

a few details to work out like

24:57

discount rates for the hotel and

24:59

when the call for papers is going to be. Yeah absolutely.

25:01

So we will be releasing a call for

25:04

papers hopefully sometime in the next six to

25:06

eight weeks. We've just got some logistics to

25:08

work out there in terms of systems

25:10

that we use etc. And

25:12

yes discount code for the hotel, the venue

25:15

have told us will be available and we'll

25:17

release that hopefully alongside tickets as well. And

25:20

we're very much looking for sponsors for this. Yes

25:22

absolutely. So we've several sponsorship tiers this year

25:24

ranging from individual sponsors so if you feel

25:27

like you can afford a little bit more

25:29

of the ticket I want to chuck us

25:31

some money. We've got that all

25:33

the way up to Pinnacle sponsorship where you get

25:35

things on t-shirts and all the rest of it.

25:38

Details there are available on

25:40

the OggCamp website, oggcamp.org sponsors.

25:43

And you mentioned tickets there. When tickets

25:45

are available it's going to be a

25:47

pay-what-you-can situation. Yes absolutely. So we try

25:49

and keep OggCamp as accessible as

25:52

we can. It's always been the

25:54

case. So we're going for pay-what-you-can. Suggested

25:56

amount is £40 but if you can afford

25:59

more... more. That's absolutely great. If

26:02

you can't afford that much, then feel free to

26:04

chuck us a few quid wherever you can. And

26:07

there's usually social events often on the Friday,

26:09

Saturday and Sunday nights. Yeah, absolutely. So

26:11

we haven't arranged anything yet. We're definitely planning

26:13

on there being something in the hotel on

26:15

the Saturday evening, as there always traditionally

26:17

has been. And we'll keep

26:19

an eye out and see what there is going to be

26:22

on Friday and Sunday as well. So

26:24

as you said, there's quite a lot still to

26:26

be announced about this. So people are probably going

26:28

to want to follow on socials then. Yeah, absolutely.

26:30

We just wanted to get the word out early

26:32

and let people know it through things so that

26:35

they can arrange it around family and everything else.

26:37

So follow us on

26:39

social media for updates. Main place as

26:41

usual is going to be Mastodon.

26:43

So that's oggcamp at mastodon.social. Or

26:46

if you can't find that, all the details will be on

26:48

the website, oggcamp.org. And you're even sticking

26:50

around on Twitter. Yeah, we stay

26:52

there for now just for the stragglers. We haven't moved over

26:54

to the Fediverse quite yet. Well, thanks

26:56

for coming and telling us all about it and

26:58

look forward to updates soon. Yeah, thanks for having us, Joe.

27:01

Well, how very exciting. OggCamp happening

27:03

again. And how about this

27:05

for exciting? No guarantees yet,

27:08

but I would like in June to

27:10

do a meetup in a pub somewhere

27:12

in London. So I'm

27:14

thinking, and this is not official at

27:16

all yet, 15th of June, which is

27:18

the day before England's first match in

27:20

the Euros and the day before Father's

27:22

Day, funnily enough, on a Saturday. But

27:26

I need to find somewhere that will do

27:28

this suitable venue, but just kind of gauging

27:31

interest at this point. Is anyone interested in

27:33

a very informal pub

27:35

meetup in June? Yes.

27:37

Yes. Yeah. Well, we'll see where it's

27:40

going to be. And if it is going to be on

27:42

that day, it is subject to change at this point. But

27:45

let's say roughly around that time, hopefully.

27:47

And do I use my receipt

27:49

of the plane ticket? Do I give that to

27:51

you, Joe? How does that happen?

27:54

Yeah, yeah. You send it to

27:56

me and I'll forward it to /dev/null. over

28:00

come on maybe I can banjax a

28:02

client server in London oh no I'm

28:04

gonna have to go to London to

28:06

fix that how convenient yeah

28:08

yes come on you've got XZ

28:10

exploits to fix that's true and

28:12

that unrivable ZFS that's gone bandy

28:14

again too yeah exactly

28:18

right well on that hopeful bombshell we better get out

28:20

of here we'll be back next

28:22

week when there'll be voice of the masses

28:24

and some discoveries probably until then

28:27

I've been Joe, I've been Félim, I've been

28:29

Graham and I've been Will. See you later

28:55

you
