Remember when a whole lot of blue locales legalized shoplifting, either de jure (California) or de facto (a whole bunch of cities that elected Soros-backed prosecutors), and then were shocked, shocked when shoplifting soared?
Tuesday Morning Governor Ron DeSantis signed a retail theft bill into law, instituting a severe crackdown on the Sunshine State’s high levels of shoplifting and porch piracy.
“We’re a law and order state. If you do the crime, you do the time,” DeSantis said. He hosted his press conference at a Walgreens in Stuart, telling Floridians they will no longer have to deal with a “Fort Knox” style situation to simply buy toothpaste.
“It’s all under lock and key for basic items. You gotta get a clerk to come and open it and all this stuff just to do basic shopping. That is not something that is good for quality of life,” he said.
HB 549 makes it a third-degree felony to work with five or more people to commit retail theft. Using social media to plan these thefts would be a second-degree felony, and committing a second offense lands offenders a first-degree felony.
The bill follows Florida’s 2022 loss of $5.421 billion in revenue to theft, meaning retailers lost $302.05 in sales per capita. In 2023, destination city Miami ranked in the top 10 areas for the highest rates of retail theft.
The new law also targets porch pirates, or people who steal packages off of other people’s doormats. Stealing someone’s item worth less than $40 is now a first-degree misdemeanor, and doing it again or stealing property worth over $40 becomes a third-degree felony—up to five years in prison.
“Florida has set the blueprint for other states,” Attorney General Ashley Moody said Tuesday, lauding the effort to be “proactive” in fighting crime.
DeSantis has maintained that Florida is the “law and order state”, stressing that this is not the first time he’s signed off on severe penalties for lawbreaking. He passed a comprehensive “Law and Order” legislation package last year, targeting drug-related crimes, human smuggling, child rapists, and sex criminals, and easing the process to sentence offenders to death.
Being soft on crime gets you more crime. This isn’t exactly rocket science. You have to be a Democrat to ignore this most basic of truths.
Texas should look at DeSantis’ crime initiatives, and think about implementing then in places where we’ve fallen behind in keeping people safe, and to keep Soros prosecutors from inflicting higher crime rates on citizens in the name of “reform.”
The State of Texas and Harris County will again duke it out in court, this time over a guaranteed basic income pilot program that would give 1,500 households in the county $500 per month.
Harris County announced the program last year through Harris County Public Health. On Tuesday, the Office of the Attorney General (OAG) filed suit asking the court to halt its implementation before the April 24 start date.
Attorney General Ken Paxton said of the suit, “This scheme is plainly unconstitutional. Taxpayer money must be spent lawfully and used to advance the public interest, not merely redistributed with no accountability or reasonable expectation of a general benefit. I am suing to stop officials in Harris County from abusing public funds for political gain.”
The OAG’s suit reads, “There is no such thing as free money — especially in Texas. The Texas Constitution expressly prohibits giving away public funds to benefit individuals — a common sense protection to prevent cronyism and ensure that public funds benefit all citizens.”
Central to the state’s argument is that counties, “unlike home-rule cities,” have a substantially more narrow scope of authority. “[T]he legal basis for any action taken must be grounded ultimately in the constitution or statute,” the filing adds.
Both cities and counties are creations of the state, but municipalities have the home-rule provision that grants them a broader array of authority than is granted to counties. The range of that home-rule status is the subject of another suit, this one flowing in the opposite direction, against the Texas Legislature’s new field preemption law passed last year.
The City of Austin just completed the first year of its universal basic income program, allotting 85 families with $1,000 per month.
If there’s any insane, hard left, unconstitutional socialist program idea, there’s a good chance Austin will be in the forefront of pushing for it.
Texas’ contention here is that while a home-rule municipality could enact such a program, a county is explicitly precluded by the Texas Constitution.
Article III, Section 52(a) reads: “Except as otherwise provided by this section, the Legislature shall have no power to authorize any county, city, town or other political corporation or subdivision of the State to lend its credit or to grant public money or thing of value in aid of, or to any individual, association or corporation whatsoever, or to become a stockholder in such corporation, association or company.”
The suit adds, “Second, Harris County does not retain public control over the funds. As described above, the payments have ‘no strings attached,’ and the recipients can use the money however they wish.”
The OAG requests a temporary restraining order against the program and, eventually, a permanent injunction against its operation.
Using taxpayer money to pay people for breathing (or existing) is one of the stupidest pieces of socialist bullshit to come down the pike in many a moon. It’s immoral to take money from those who work in order to bribe those who don’t. It’s also a great way to kickback money directly to the hands of leftwing activists, since the grifters claim that they cannot reveal people receiving such payoffs due to “confidentiality.”
Despite the hosannas offered up by the hard left and economic illiterates everywhere to the scheme as a means of helping the poor, the Seattle-Denver Income Maintenance Experiment (SIME/DIME) experiments showed such no-strings-attached checks from the government hurt the recipients, reducing both the desire to work and lowering actual income among the recipients. See Charles Murray’s Losing Ground, pages 150-153 for details.
Any “Guaranteed Income” taking money from taxpayers and paying people not to work is not just unconstitutional, a bad idea and a moral hazard, it’s an avenue for fraud and an insult to anyone who works for a living.
It’s just another in a long line of illegal left wing experiments from Hidalgo’s office, all of which deserve to be crushed like bugs.
The labour market is tightening – and it’s getting harder to find a job. In the wake of the Great Resignation, which drove more job vacancies than employers could fill, workers often had their pick of open roles. Now, they have largely lost their leverage among layoffs and budget cuts, and those open positions are increasingly rare.
Still, roles do exist – or at least appear to. Job boards like LinkedIn and Indeed continue to advertise open positions, and workers are actively submitting applications. Yet despite an influx of highly qualified candidates, plenty of desirable job adverts have languished on digital platforms with an increasingly common label: “Posted 30+ days ago”.
While the listings may be old, job seekers generally still assume companies are actively hiring for the roles. The truth is more complicated. Some of these are simply not-yet-removed adverts for jobs that have been filled – but some were never meant to be filled at all. These are ‘ghost jobs’, and they’re becoming an increasingly common – and problematic – obstacle for job seekers.
Snip.
Despite the influx of candidates, a staggering number of listings don’t result in hires. Revelio Labs, a US-based workforce intelligence firm, showed that the ratio of hires per job posting fell below 0.5 in 2023, meaning that more than half of listings did not result in an employer turning an applicant into an employee.
Clarify Capital, a New York-based business loan provider, surveyed 1,000 hiring managers, and found nearly seven in 10 jobs stay open for more than 30 days, with 10% unfilled for more than half a year. Half the respondents reported they keep job listings open indefinitely because they “always open to new people”. More than one in three respondents said they kept the listings active to build a pool of applicants in case of turnover – not because a role needs to be filled in a timely manner.
The posted roles are more than just a talent vacuum sucking up resumes from applicants. They are also a tool for shaping perception inside and outside of the company. More than 40% of hiring managers said they list jobs they aren’t actively trying to fill to give the impression that the company is growing. A similar share said the job listings are made to motivate employees, while 34% said the jobs are posted to placate overworked staff who may be hoping for additional help to be brought on.
“Ghost jobs are everywhere,” says Geoffrey Scott, senior content manager and hiring manager at Resume Genius, a US company that helps workers design their resumes. “We discovered a massive 1.7 million potential ghost job openings on LinkedIn just in the US,” says Scott. In the UK, StandOut CV, a London-based career resources company, found more than a third of job listings in 2023 were ghost jobs, defined as listings posted for more than 30 days.
It was bad enough looking for a job during the Biden Recession, and the ghost job listings just make things worse.
Now you’ll have to excuse me. I have some job applications to fill out…
Suchomimus mentions that this is long enough range to hit the large oil refinery in Omsk. Which is true, but if it can reach that far, there are a lot of logistic choke-points now in range that have the potential to put a world of hurt on Russia:
If you can hit Omsk, you can hit the Transiberian railway bridge over the Irtysh river, which Deep State marks (I’m using a launch point of Lyman in Ukraine for all these) as 2494km. As far as I can tell, that’s the only rail line in Russia that connects Moscow with Russia’s far eastern oblasts*. Russia could reroute some traffic through Kazakhstan’s rail network (which runs on the same Soviet 1,520 gauge rails), but I imagine there would be considerable pain in rerouting things that way.
You could hit the E30 highway bridge over the Ishim river near Abitskiy AKA Abatskoe (2324km). Compared to America and China, Russia has a very poor road network east of the Urals. E30 is their only decent east-west highway. You could possibly run some trucks down smaller roads, some of which may not even be paved, or, again, reroute some traffic through Kazakhstan’s highway network, depending on how the Kazakhs feel about it. At the very least, they’ll want to get paid…
There aren’t many crossing spots across the Ob river further north. Hit the rail bridge near Surgut (2582km), the one south of there across the Protoka Yuganskaya Ob (2577km), and, for good measure, the highway bridge just south of Nefteyugansk (2549km), and you’ll put northern Russian transportation in a world of hurt. (Of course, those areas are sparsely populated, and I don’t know how much material extraction done there is vital to the war effort.)
This is hardly an exhaustive list, and was only what I came up with off the top of my head and with a little Google map work. Russia east of the Urals is has extremely poor infrastructure, is crossed by rivers with few bridges (some places where you think there has to be a bridge only has a ferry), and hitting the right parts of that would require Russia to expend a lot of time, effort and logistical difficulty to repair. (Russia’s military has an number of railroad repair units, with the 48th Separate Railway Brigade in Omsk being the most relevant to this discussion, but they have to be able to get there, and get the materials to repair the damage, and bridge repair presents a whole different level of difficulty, like finding a floating crane and getting it in place.) You hit a few Transiberian choke-points and it puts a serious crimp in Russia-China trade, including most heavy military equipment China is selling.
Caveats: The map is not the territory, and bridges can be hard to take out. But 350kg of a modern explosive is not a small charge, and there are a whole slew of logistical targets to be found within 3,000km of Ukrainian territory.
*And krals. And autonomous okrugs. Russian administrative divisions are weird…
— The Redheaded libertarian (@TRHLofficial) March 29, 2024
I was particularly struck by the phrase “fundamentally unwifeable.” Add “social justice” to “feminism” for the reason. As for “Disney Princess programming,” the Disney Princess thing has been around for over half a century. So why have things gotten so much worse on that front over the last 20 years?
On the flipside, here’s a 20-something girl complaining that she can’t afford rent. She apparently deleted the original tweet, but she said her rent had jumped from something like $1,200 a month to $1,600 a month, and she was having trouble affording food. Thanks, Joe Biden! Rent inflation is real, especially in blue cities where regulation prevents new housing being built to meet demand, but if your rent is that much, then you either need to move further out, find roommates to share rent with, or you need to consider moving to a less expensive city entirely.
During an Austin City Council meeting on public safety, Austin-Travis County Emergency and Medical Services (EMS) spoke about the rising rates of opioid deaths in the county.
“Travis County now has twice as many opiate overdose deaths than any other county in Texas, per capita,” said Steven White, acting assistant chief for Austin-Travis County EMS.
White explained how the opioid crisis began in the community in 2016, “with a severe increase in 2017.”
White elaborated that in 2018 there were about 30 overdoses per month, and “now we’re averaging about 100 overdoses a month.”
He went on to show a heat map of where the overdoses are occurring, stating that “opioids do not seem to be contained by geographic barriers or financial barriers.”
“It really gets into every part of our community and touches every family [and] at some point will be affected by the opioid crisis.”
White also highlighted that “30 percent of all the opioid users who die of an overdose, at some point had contact with EMS in the previous 12 months before their death, which gives us an intersection point where we’re actually meeting these patients who have the potential to overdose and die.”
Another statistic he presented is that “patients that receive Narcan in the field by EMS have a 10 percent chance of having a fatal overdose in the next 12 months.”
Numerous commentators—especially those defending President Biden’s economic record—have puzzled over why Americans are sour about the state of the U.S. economy. Unemployment rates have returned to pre-pandemic lows, commentators correctly point out, and the official rate of inflation is declining. So why are Americans ignoring the view of many experts that the economy is doing well?
According to a striking new paper by a group of economists from Harvard and the International Monetary Fund, headlined by former Treasury Secretary Larry Summers, the answer is that Americans have figured out something that the experts have ignored: that rising interest rates are as much a part of inflation as the rising price of ordinary goods. “Concerns over borrowing costs, which have historically tracked the cost of money, are at their highest levels” since the early 1980s, they write. “Alternative measures of inflation that include borrowing costs” account for most of the gap between the experts’ rosy pictures and Americans’ skeptical assessment.
“Backlash Is Real‘: DEI Exodus Gains Steam Across Corporate America.”
The unraveling of “diversity, equity, and inclusion” initiatives was seen on the state level, as Red states rushed to ban DEI programs in 2023. Google, Facebook, and other tech companies slashed DEI staff by late last year. Early this year, universities began rolling back diversity programs, while Harvard President Claudine Gay was demoted.
DEI was doomed to fail, and corporations have been quickly scrambling to abandon mindless and profitless diversity programs with Marxist roots. The latest earnings call data shows that “DEI” mentions have collapsed from their peak in 2021, according to Axios, citing data from AlphaSense.
In January, Johnny Taylor, president of the Society for Human Resource Management, told Axios that corporate executives are fed up with DEI.
“The backlash is real. And I mean, in ways that I’ve actually never seen it before,” Taylor said, adding, “CEOs are literally putting the brakes on this DE&I work that was running strong” since George Floyd’s murder in early 2020.
Kevin Clayton, senior vice president and head of social impact and equity for the Cleveland Cavaliers, said the chief diversity officer role was all the rage across corporate America after Floyd’s murder. He said companies filled these positions “out of gilt,” and hiring wasn’t the best.
Axios noted, “Some businesses are cutting back funding, trimming DEI staff — and even considering pulling back on things like employee resource groups comprised of workers of various races, ethnicities or interests.”
The pushback on DEI is finding momentum across corporations and universities. Subha Barry, former head of diversity at Merrill Lynch, told Bloomberg last month: “We’re past the peak.”
Let’s hope so.
No one at the wheel: “Biden Reportedly Has No Idea He Issued ‘Trans Day Of Visibility’ Proclamation.”
Gen Z hates the lousy Biden economy and favors Trump over Biden. Though a word to those Gen Z sorts who complain about a 9-5 schedule being “unnatural”: A “natural” schedule is performing backbreaking hunter/gatherer or subsistence agriculture work from dawn to dusk 6-7 days a week and dropping dead before you turn 40…
Ukrainian drones hit a Russia drone production facility at Yelabuga, Tatarstan, which is almost 1,000 miles inside Russia, using a drone that looks a whole lot like a light aircraft.
Ukraine hits another Russian airbase with over 40 drones, and presumably took out even more Su-34s.
Whoops, make that three Russian airbases hit. including reports of three Tupolev Tu-95 “Bear” bombers damaged. (Yes, Russia still has a propeller-driven bomber in service. It can carry nuclear weapons and launch cruise missiles.)
Gun crimes evidently mean being released without bail if the perp is an illegal alien.
“Cost estimates more than double to replace failing Austin arts center building.” Note the “Extended community engagement: $1 million” which is code for “Payoffs to leftwing activists.” (Hat tip: Dwight.)
“Paxton Seeks to Investigate Boeing Parts Supplier, DEI Initiatives. Attorney General Ken Paxton is seeking to investigate Spirit AeroSystsems after public outrage involving Boeing’s aircraft manufacturing issues.”
Boeing stated in 2022 that “for the first time in our company’s history, we tied incentive compensation to inclusion.”
Boeing’s 2023 Global Equity, Diversity, and Inclusion report explains that “diversity must be at the table for every important decision our company makes – every challenge we face, every innovation we design. Equity, diversity and inclusion are core values because they make Boeing — and each of us individually — better.”
According to the report, racial and ethnic minorities now hold 41.4 percent of jobs in the U.S. Boeing Commercial Airplanes Unit, and 28.3 percent in the U.S. Boeing Defense, Space, and Security. In 2022, U.S. racial and ethnic minorities made up 47.5 percent of new hires at Boeing.
You know what I want at the table for every important Boeing decision? Planes not falling out of the sky.
Intel lost $7 billion last year. Intel has a technology roadmap to get its process tech back on track, but failure to execute on previous nodes is what got them into this mess.
In addition to having fingers in the pie in Syria and Yemen in addition to their proxy war with Israel, Iran also has to deal with Sunni Baluch separatist organization Jaish al-Adl (“Army of Justice”) on their own territory, where they killed at least 11 Iranian security force members.
“Belew, Vai, Levin and Carey Play 80’s King Crimson.” Sign me up. Edited to Add: Crap, tickets went on sale for the Austin show in September TODAY. I was just barely able to snag two tickets in nosebleed…
Remember when the court system at least pretended to be objective? Remember a few months ago when liberals claimed that Clarence Thomas’ wife knowing conservative activists meant he had to recuse himself from everything?
Here in the real here and now, huge conflict of interest problems with the lawfare cases being waged against President Trump are being deliberately ignored in the headlong rush to convict Trump of something, anything, for any reason before November.
“Lara Merchan, the wife of the judge presiding over former President Donald Trump’s “hush money” case in Manhattan, once worked for New York Attorney General Letitia James, who brought the massive $350 million civil fraud case against the former president, with the revelation reviving claims of bias and calls for the judge’s recusal.”
Records reviewed by The Epoch Times show that Ms. Merchan worked for 21 years as a Special Assistant to the AG in New York, including three years under Ms. James. She changed jobs over two years ago.
Ms. James is a Democrat who fixated on President Trump as she campaigned for New York attorney general, calling him a “con man” and vowing to shine a “bright light into every dark corner of his real estate dealings.”
She began investigating the former president soon after taking office, eventually suing him for allegedly misleading banks and others about the value of his assets.
Ms. James eventually won the case on Feb. 16, with New York Supreme Court Justice Arthur Engoron ordering President Trump and Trump Organization executives to pay $350 million in damages, and barring the former president from doing business in the state for three years.
Judge Juan Merchan is presiding over a separate criminal trial involving President Trump in New York, in which the former president is accused of falsifying business records in order to conceal a $130,000 “hush money” payoff to an adult performer to stay quiet about their alleged affair.
The judge’s daughter, Loren Merchan, is president of Authentic Campaigns, a Chicago-based progressive political consulting firm whose top clients include Rep. Adam Schiff (D-Calif.), who was the lead prosecutor in Trump’s first impeachment trial, and the Senate Majority PAC, a major party fundraiser.
Authentic Campaigns, and thus the judge’s daughter, is actively making money from this sham attack against President Trump, rendering Judge Merchan conflicted out,” Trump spokesman Steven Cheung told The Post, adding that evidence of bias is even clearer now than it was in August when Merchan rejected Trump’s first recusal motion.
“The judge should do the right thing and immediately recuse himself in order to show the American people that the Democrats have not destroyed our justice system completely … him continuing to be involved in this Crooked Joe Biden-directed Witch Hunt is a complete violation of applicable rules, regulations and ethics.”
Evidently the family that TDSes together, stays together.
DEI — the identity-obsessed dogma that goes by “diversity, equity, and inclusion” — has now trained Google’s new AI to refuse to draw white people. What’s even more alarming is that it’s also infected the supply chain that makes the chips powering everything from AI to missiles, endangering national security.
The Biden administration recently promised it will finally loosen the purse strings on $39 billion of CHIPS Act grants to encourage semiconductor fabrication in the U.S. But less than a week later, Intel announced that it’s putting the brakes on its Columbus factory. The Taiwan Semiconductor Manufacturing Company (TSMC) has pushed back production at its second Arizona foundry. The remaining major chipmaker, Samsung, just delayed its first Texas fab.
This is not the way companies typically respond to multi-billion-dollar subsidies. So what explains chipmakers’ apparent ingratitude? In large part, frustration with DEI requirements embedded in the CHIPS Act.
Commentators have noted that CHIPS and Science Act money has been sluggish. What they haven’t noticed is that it’s because the CHIPS Act is so loaded with DEI pork that it can’t move.
The law contains 19 sections aimed at helping minority groups, including one creating a Chief Diversity Officer at the National Science Foundation, and several prioritizing scientific cooperation with what it calls “minority-serving institutions.” A section called “Opportunity and Inclusion” instructs the Department of Commerce to work with minority-owned businesses and make sure chipmakers “increase the participation of economically disadvantaged individuals in the semiconductor workforce.”
The department interprets that as license to diversify. Its factsheet asserts that diversity is “critical to strengthening the U.S. semiconductor ecosystem,” adding, “Critically, this must include significant investments to create opportunities for Americans from historically underserved communities.”
The department does not call speed critical, even though the impetus for the CHIPS Act is that 90 percent of the world’s advanced microchips are made in Taiwan, which China is preparing to annex by 2027, maybe even 2025.
Handouts abound. There’s plenty for the left—requirements that chipmakers submit detailed plans to educate, employ, and train lots of women and people of color, as well as “justice-involved individuals,” more commonly known as ex-cons. There’s plenty for the right—veterans and members of rural communities find their way into the typical DEI definition of minorities. There’s even plenty for the planet: Arizona Democrats just bragged they’ve won $15 million in CHIPS funding for an ASU project fighting climate change.
That project is going better for Arizona than the actual chips part of the CHIPS Act. Because equity is so critical, the makers of humanity’s most complex technology must rely on local labor and apprentices from all those underrepresented groups, as TSMC discovered to its dismay.
Tired of delays at its first fab, the company flew in 500 employees from Taiwan. This angered local workers, since the implication was that they weren’t skilled enough. With CHIPS grants at risk, TSMC caved in December, agreeing to rely on those workers and invest more in training them. A month later, it postponed its second Arizona fab.
Now TSMC has revealed plans to build a second fab in Japan. Its first, which broke ground in 2021, is about to begin production. TSMC has learned that when the Japanese promise money, they actually give it, and they allow it to use competent workers. TSMC is also sampling Germany’s chip subsidies, as is Intel.
Intel is also building fabs in Poland and Israel, which means it would rather risk Russian aggression and Hamas rockets over dealing with America’s DEI regime. Samsung is pivoting toward making its South Korean homeland the semiconductor superpower after Taiwan falls.
To be fair, Intel has had fabs in Israel since since 1996, and Tower Semiconductor has had fabs in Israel since the 1980s. Poland, to the best of my knowledge, has never had a fab.
In short, the world’s best chipmakers are tired of being pawns in the CHIPS Act’s political games. They’ve quietly given up on America. Intel must know the coming grants are election-year stunts — mere statements of intent that will not be followed up. Even after due diligence and final agreements, the funds will only be released in dribs and drabs as recipients prove they’re jumping through the appropriate hoops.
So in the name of embedding the racist poison of social justice, the CHIPS Act, ostensibly designed to increase America’s share of cutting-edge semiconductor manufacturing, is actually driving new fab construction out of America.
This is a big, big story that doesn’t seem to be getting the sort of attention that a big story should.
An Israeli airstrike that demolished Iran’s consulate in Syria on Monday killed two Iranian generals and five officers, according to Iranian officials. The strike appeared to signify an escalation of Israel’s targeting of military officials from Iran, which supports militant groups fighting Israel in Gaza, and along its border with Lebanon.
Some clarification: Given the location…
…what Israel hit was not a consulate, but Iran’s embassy in Syria. An embassy enjoys certain privliges in international law, though generally those protections apply to the host country (in this case Syria) than a hostile third party (Israel). So let’s just throw this out there:
Since the war in Gaza began nearly six months ago, clashes have increased between Israel and Iran-backed Hezbollah militants based in Lebanon. Hamas, which rules Gaza and attacked Israel on Oct. 7, is also backed by Iran.
Israel, which rarely acknowledges strikes against Iranian targets, said it had no comment on the latest attack in Syria, although a military spokesman blamed Iran for a drone attack early Monday against a naval base in southern Israel.
Israel has grown increasingly impatient with the daily exchanges of fire with Hezbollah, which have escalated in recent days, and warned of the possibility of a full-fledged war. Iranian-backed Houthi rebels in Yemen have also been launching long-range missiles toward Israel, including on Monday.
The airstrike in Syria killed Gen. Mohammad Reza Zahedi, who led the elite Quds Force in Lebanon and Syria until 2016, according to Iran’s Revolutionary Guard. It also killed Zahedi’s deputy, Gen Mohammad Hadi Hajriahimi, and five other officers.
A member of Hezbollah, Hussein Youssef, also was killed in the attack, an official with the militant group told The Associated Press. The official spoke on condition of anonymity in line with group’s rules. Hezbollah has not publicly announced the death.
By the rules of international law, hitting Iran’s embassy is the same as hitting a target in Iran’s own soil. Now, Iran has been funding and supporting terrorist attacks on Israel for decades, funding both Hamas and Hezbollah as part of a proxy war against Israel, and Israel has hit targets inside Iran before, albeit with covert actors rather than airstrikes. Even so, this would seem to be a significant escalation in the proxy war between Iran and Israel.
I don’t any of this amounts to anything close to a war crime. But it may amount to a mistake.
But, weirdly, the world at large doesn’t seem to be treating it as such. There are stories about it, but The All Powerful Algorithm doesn’t seem to be pushing them to the front page. You would think the Iran-loving Obama retread’s guiding Biden’s foreign policy establishment would have encouraged more outraged bleating, but if they have it seems pretty muted.
Likewise, there are no stories about it from conservative media in my inbox.
Even the dark “Biden is going to abandon Israel and side with Iran” muttering types don’t seem to have made much of it.
This is a dog that isn’t barking, and I don’t know why.
If you know what to make of it, feel free to note in the comments below.
A newly discovered backdoor found in the xz liblzma library of XZ Utils, the XZ format compression utilities included in most Linux distributions, targets the RSA implementation of OpenSSH.
For those outside of tech, that sentence was an unreadable jumble of acronyms. For those inside tech, a chill probably ran down their spine, as those technologies are everywhere. Anytime anyone buys something online, they’re going to be using SSH to create a secure channel to pass transaction information. [As a commenter noted, SSH is a command tool rather than Secure Socket Layer (SSL), which is used for encrypted transactions. Mental typo. My bad. – LP.] Depending on how many distros are using that library, the consequence range from “bad” to “really, really bad.”
A vulnerability (CVE-2024-3094) in XZ Utils, the XZ format compression utilities included in most Linux distributions, may “enable a malicious actor to break sshd authentication and gain unauthorized access to the entire system remotely,” Red Hat warns.
The cause of the vulnerability is actually malicious code present in versions 5.6.0 (released in late February) and 5.6.1 (released on March 9) of the xz libraries, which was accidentally found by Andres Freund, a PostgreSQL developer and software engineer at Microsoft.
“After observing a few odd symptoms around liblzma (part of the xz package) on Debian sid installations over the last weeks (logins with ssh taking a lot of CPU, valgrind errors) I figured out the answer: The upstream xz repository and the xz tarballs have been backdoored,” he shared via the oss-security mailing list.
According to Red Hat, the malicious injection in the vulnerable versions of the libraries is obfuscated and only included in full in the download package.
“The Git distribution lacks the M4 macro that triggers the build of the malicious code. The second-stage artifacts are present in the Git repository for the injection during the build time, in case the malicious M4 macro is present,” they added.
“The resulting malicious build interferes with authentication in sshd via systemd.”
I’m just going to note for the record that a whole lot of longtime Linux programmers absolutely hated the introduction of systemd. I don’t have deep enough Linux chops to take a side in this controversy, or know whether systemd was a significant factor in allowing the exploit to work.
Moving on:
The malicious script in the tarballs is obfuscated, as are the files containing the bulk of the exploit, so this is likely no accident.
“Given the activity over several weeks, the committer is either directly involved or there was some quite severe compromise of their system. Unfortunately the latter looks like the less likely explanation, given they communicated on various lists about the “fixes” [for errors caused by the injected code in v5.6.0],” Freund commented.
One silver lining is that the problem doesn’t look to be as widespread as it could be.
“Luckily xz 5.6.0 and 5.6.1 have not yet widely been integrated by Linux distributions, and where they have, mostly in pre-release versions.”
Red Hat says that the vulnerable packages are present in Fedora 41 and Fedora Rawhide, and have urged users of those distros to immediately stop using them.
“If you are using an affected distribution in a business setting, we encourage you to contact your information security team for next steps,” they said, and added that no versions of Red Hat Enterprise Linux (RHEL) are affected.
Since Red Hat is usually the default for big E-commerce platforms, it looks like this exploit is merely “bad” rather than “really, really bad,” which means its not nearly as bad as, say, Log4J was. Your Amazons and eBays are probably safe from the exploit.
The people who are likely going to be hurt by this exploit are mom and pop E-commerce sites using their webhost’s “build an E-commerce site using these easy tools” feature. The smaller the site, the more likely they’re using a free distro, some of which may have this vulnerability.
Whatever the site, they should run an updated software composition analysis tool on stacks and build-chains to see if they’re vulnerable.
