He's not just some dude. Hes a dude whose programs are so optimized he will notice .4 ms of delay 😂

I think if not Andrew someone else would found it. There were other open source projects which found problems/bugs related to XZ library, so I think it was a matter of time until it was discovered. It took about 1 month since backdoor was added to XZ for Andrew to discover this backdoor, but even if he didn't find it someone else would. But even if no one found it, it would be chaos for few days and than they would stop it. Also this was not a super elaborated social thing as video suggests at least that's how I see it. I think it was only one person, I am programmer and it seems like everything was coded by one person, also Kumar and Dennis and Jensen were just simple accounts that used different VPN's and emails so that can be done by one person, they only sent few messages and there is no internet trace of them, so they are shallow profiles. They also seem to talk in similar way, they sound like one person. I would say this was some young smart hacker or 2 or 3 random young hackers similar to those who hacked video game companies like in other FERN video. Also lets say that virus/backdoor infected the whole world, it would take time for hackers to steal something, so again enough time for fix to be deployed and remove the backdoor from important servers, it would just cost millions and millions of dollars to different companies/entities.

​​​@@iFlyGood500ms, not .4 It's about a 10x time increased compared to the usual, per login. And with the testing he has been doing, he would've had dozens of logins. It is not hard to notice when, instead of something taking 0.1 seconds, it suddenly takes 5 seconds. And 5 seconds is also enough time to notice excessively high cpu load. Instead the important factor is, that he actually bothered to investigate what causes it.

Nerds save the world.

​@@turb00oAcoustic*

Facts

For sure

Fr better documentery's then Netflix

real

Facts

Vriend in Afrikaans

Even funnier The narrator is German

Last name. *

@@oscargreat. Last name*

@@Mmmmmmmmmmmnm Right. Without the period before "Last". 😃

I think it's an attack on the internet from Russia to get the U.S. nuclear bomb codes.

Definitely, i know some things about hardware in devices, but dont know anything about software, coding, how linux works etc. its crazy how he explained it so i can even understand it. Absolutely amazing

I mean not like he went into coding technical details and made it sound easy lol all he talked about is linux and the SSH. which is quite easy to understand id say.

FR

if they're not either unspeakably rude or nice but constantly swearing then be careful tbh

Hey, I object that! Well, at least to the polite part. I haven't published a lot of code so helpfulness is still kind of in the air 🤣

Also the Chinese name. Usual suspect Lol.

i am a fking nice developer..

it was 0.4 not 0.5

​@@CTEPORN mans just off by 0.1

@@Badgerinary I don't like misinformation.

to be fair a 0.5 second delay is very suspicious to anyone experienced in programming and its pretty common for malware to cause lag

@@CTEPORNcringe.

Indeed!

What he said! AND just SOME? 😭

German efficiency

Seriously, KZbin's the new, more relatable Netflix for me but like how much money and man hours did they put into this and how many views do they need to recoup

@@Myrdrrr Fern isn't the only high-tier KZbinr, lol. There's others like Melodysheep and LEMMiNO.

Thanks

Good clarification.

damn rlly didn't know that thx

I don't trust what you said. The way you said it doesn't make sense. The show "The good place" uses profanity humor. I learned that people might hide their profanities as humor type. How else does that meant?

I didn't know people didn't know this. "Forking" isn't exclusive to coding, and I thought the context made enough sense lol.

Lmao.

fr

Also, displaying social skills 🚩

See: Linus Torvalds mailing list rants

@@FCoFix that's how you know he's legit lol

Please most open-source maintainers who i reported issues to or contributed code to have been SUPER nice. I actually tended to be very polite as well, even with people who were clearly rude and frustrated, though with a project with a million users, it sometimes gets difficult. You sometimes get... special types of Karens, ones that cannot be put at ease. I'm sure you can vaguely imagine. Well at least i never took revenge on them, even if i was tempted to.

which is critizied at the end of the video

Yup, and you have to wonder... dhow many of these companies do their due diligence, checking the code produced by the thankless masses?

@@Twisted_Code They have external services like snyk. Don't really check individual lines of code but if someone does notice it's immediately taken care of

Well, the devs are fueled by their passion. And the largest companies do contribute to the projects. The real problem is companies like Huawei claiming that they developed something only to be based on open source projects, then proceed to earn money for their bad products on the premise of patriotism

bot

@@chaosthug7 Ur mother is a bot

@@chaosthug7 ur father!

@@ceoofgambling yep, not a bot.

After banger after banger after banger after banger after banger after banger after banger after banger after banger after banger after banger

Yeah I've always wondered how tf you put in code in there doing ssh key authentication whatever without people noticing that piece of code? It being not in the code but somewhere else makes sense

Yeah, according to the information provided in the source links from the official Red Hat website: "The malicious injection present in the xz versions 5.6.0 and 5.6.1 libraries is obfuscated and only included in full in the download package - the Git distribution lacks the M4 macro that triggers the build of the malicious code. The second-stage artifacts are present in the Git repository for the injection during the build time, in case the malicious M4 macro is present."

Maintainers must be VERY critical now of binary blobs even if described as 'test data' if it can be accessed during the build process. Ideallying, building and testing will be completely separate and gapped environments

Some test suits were disabled by first making the test fail silently if code doesn't compile on a specific platform, to make it easier to execute it on multiple platforms. Then a hidden period "." was committed, in theory visible by anyone, but just extremely hard to see, that disables a specific test by making the code not compile. Test cases that take binary input also existed. The binary input was placed in the repository as is, and nobody verified the contents of the binaries. All of these were red flags but they were given rigorous technical justification. Made by someone you don't expect to be malicious.

I don't know why it's assumed everywhere that "very sophisticated" means "state-sponsored". This makes no sense to me. It's of course possible, but just jumping to that conclusion without any sort of reasoning other than "it's really good" seems completely irrational. This exploit did not require billions in funding in any way. IMO it just makes it sound as if you believe the only hackers are 12yo script kiddies and not rational humans capable of setting an objective, constructing a plan and executing it over a couple of years. Not every exploit is a random tiny hole noticed by someone who then immediately fists through it, downloads all the user data, runs rm -rf * and then uploads it on a forum.

Yeah but they aren’t on my level and I’m not state sponsored check this amazing line of code Print(“Get Hacked”) What can I say am I a cyber threat or what

​​@@williamduncan7401 not to this level, this is just too organized, like stuxnet, pegasus, etc etc, i too like the idea of lone wolfs etc but this level of organization is just not common...

Or, you HAVE to hear me out, he has ADHD/ADD. Thinking that far ahead on something you enjoy or are super passionate about and then you get fixated on details. Sometimes reality is odd

daa

@@Sirbozo I believe you meant to say, "baa" 😉

@@MattipedersenBÆÆÆHH!

@@Mattipedersen da is yes in croatian, slovenian, serbian, basically all balkan languages, so maybe he meant it🤣

@@soda24612 you forgot the biggest language, russian

I would like to say thanks. But since the internet is destroying our governments, societies, and people’s sanity. Thanks????

​@@Christophe_derBerge-op9zh All of these things we're caused by human activity. We're responsible for it not the web

Everyone reoeat after me 🤓🤓🤓

ur not him bro

Thank you for saving the internet, Andres!

These guys spit facts, awesome research all around in all of their vids

And still not knowing which date is Russian Christmas celebrated on (spoiler, it's on January 7th). But sure, "Russian hackers" sounds more impressive, then hackers from other countries. Sigh.

@@yulo8987 I am surprised that holidays are relevant at all because why would a hacker group or secret service really care about those... in such organizations there are no holidays... it's as stupid as claiming no one works in a hospital on Christmas eve...

yeah and shows how major the event was, dominating open source and cyber security news for a few weeks

​@@yulo8987to note, almost all the timezone celebrated it on 7 Jan from Russia to Ethiopia, and I doubt it's any further down in Africa

Just learn german, and watch their german Videos on simplicissimus. They made videos on this quality for years.

Fern manages to tell a tighter story because the story is as long as it needs to be. In mainstream media they have to drag things out to nearly an hour.

I enjoy fern but stop dick riding.... Mainstream media documentaries have had multiple accredited history professor's and show all sources like Fern does. They indeed fell off drastically but the hundreds and hundreds of history, animal planet and national geographic documentaries are some of the best researched piece's out there. They also have great narrators too. 90s and early 2000s had the best ones. I do agree the new ones just absolutely blow tho. Compared to new ones Fern does good but compared to the genre as a whole he's mediocre at best. And that's okay

Absolutely agree! Fern packs more intrigue and info into 15 minutes than most shows do in hours - pure quality

It seemed like a AAA movie 🎉

I agree to some extend (as a linux, blender, shotcut, obs, user, that tries to use as much open source as plausible) It is true, that it's incredible that some "random dude" could spot that (due to it being open source). Though with closed source, it is harder to put malware into the product itself. So it's sort of a 10% for something to very bad to happen vs a 90% that something mediocre is going to happen (value wise). But yea, long live open source

@@SpinyDisk It's not really all that much harder to infiltrate some closed-source software company, if you play your cards right. I'm willing to bet you my bone marrow that GAFAM companies have multiple state-sponsored plants each. I mean, aside from the information they're happy to provide the state with themselves.

Sure that might be FOSS working as intended, but there's never been a single security issue in Windows or any other closed-source software in the entire history of computing!

⁠​⁠@@altragclosed-source software are closed-source because the company or people who develop those software want to make money out of them. Even if there has been any security issue about these software, nobody could tell and nobody would know because nobody see the source code. Or do you think the developer of closed-source software would announce to the public that their product has security issues, so that they can have less customers? If xz were a closed-source software and the backdoor were implemented by a random employee of the company working on the software, the backdoor would simply be implemented, and no one would have any clue. Not to mention actually finding out the security issue and fixing it. Imagine if Andres has no access to the suspicious source code, without any prove to validate his doubt, even a great engineer like him can do nearly nothing but admit that he himself is just being too sensitive and give up.

@@altragif you were baiting, you did a very good job

Can't these very smart LLM's be used to review code? I use it as a very quick check of new code to flush silly mistakes already, these may not write qual code yet, but it's a good, fast reviewer.

@@Nick_the_Gold_Bach smart LLM's can't even tell if a student's work is LLM generated or real

​@@Nick_the_Gold_Bach Depends on the model, but really, LLMs can never truly go beyond what we trained them on, we train them on good inputs but also bad ones. They can definitely check for minor issues across a large number of inputs, and are generally faster than a human. However, I doubt they would catch the most intricate ones. Even if they did, it would be a cat-and-mouse game; people will always find smarter ways to bypass any countermeasures.

@@jammaschan Aah, but the time-penalty of false positives is far less severe scanning for malware

@@afmikasenpai There must be a fair sized legacy of malware that I'm sure has been crawled by many LLMs. And there is emergent behaviour anytime there's any form of adaption. The important point though is it's throwing out orange and red flags fast for thousands of lines of code, concentrating the attention of more perceptive eyes and minds.

In all fairness, it'll be harder to gain access to organization owned codebase. But once you can gain access, I recon it'd be disaster

@@collinsonOga not if you already work at said organisation or manage to apply and get hired there (probably not as hard as gaining the trust of a maintainer by actually volunteering valid code for years). And in any case, my rule of thumb is that if you can't see the code, you can just assume there is a backdoor (perhaps even by design by the company) since clearly there's something worth hiding. IMO non-libre software is inherently insecure since a corporation-the only purpose of which is to extract as much money from you as possible-is hardly where you want to place your trust.

Would agree with you in any other context. But this ain't it.

The attack involved binary blobs. It could be argued that allowing files that are not open-source (or not even source-available) in an open-source project is a problem.

@@BowmanFox Why? This project's downfall was allowing non source available code. Else this more than likely would have been caught

This is how Germany produces KZbin videos. It’s top tier sponsored by our tax money 😂 However, I believe fern stopped cooperating with German public broadcasters a year ago

Now consider the world of proprietary software: This was only discovered because someone *could* look at what goes on under the hood, and was compelled to do so by their curiosity. Imagine all the other attacks that could be happening, or have already seen deployment - all the ones where there isn't even a *possibility* of an Andreas to catch them, because their code is under lock and key. Swings and roundabouts, and for my part "security through obscurity" doesn't butter many parsnips.

​@@rossstewart9475bullshit, the hack wouldnt even get into the Software cuz its closed source

Yeah, I was thinking that. "The guy that saved the internet" etc...great, but we only know about it because he did, by chance, spot something. Made me think probably 1 in 100. If so there are 99 other similar backdoors in good working order, undiscovered!

But the english pronounciation is annoying. It is really hard to listen through that accent.

@@offtopic9632 I really disagree. I think it's nice with some European accents in storytelling.

@@offtopic9632at least they pronounce every german name correctly. The pronunciation of Freund may sound weird to you but it’s a German name.

@@rinmartell2678 Yeah, but they butcher all other words that aren't german, so that's not a good bargain. I am german by the way.

​@@offtopic9632 it's called having character, turn on subtitles and mute the video

a lot of AI probably

@@wilx2703most of ferns content is just reused from the German and Dutch channels. Just look in thier bio and u will find them

@@wilx2703 Huh, didn't think of that. It's been what, 4 years since AI first came out and I'm still wrapping my head around the whole "using AI to do work" thing :P Though, I don't see any obvious signs of AI in the videos, and they have a LOT of fingers moving and other stuff that AI is generally bad at. I dunno

@@kaz49it is not. It’s just newly translated content from thier German chanal u can see it in thier channel bio

@@wilx2703nah. They already released this video a few months ago on their german channel and they have a huge team.

apparently it did manage to reach production versions of both arch and Manjaro and almost reached debian with only a few weeks to release which would've been massive (idk how close it was to Ubuntu or RHEL but probably close), the performance issues were already fixed in an update that the dev testing performance didn't have and managed to catch it

True, the potential impact on stable releases could have been catastrophic-it's a relief it was caught in time

The best part for me is where something like this is in the budget range of many non-state actors as well. The only real bottleneck is the relatively small amount of sufficiently skilled and motivated black hatters.

It’s scary that one of these exploits could already be in major distros, and just simply wasn’t caught.

@@artemis.nnnnnbbbbb arch (and manjaro based on arch) is rolling release. So it always has the newest packages that the user wants

Don't swear to God's holy name. It is blasphemous.

Can't even wait like 10 seconds? Wow

AlMoSt like MS themselves did it, eh?

👀

Either way China doesn't really celebrate Christmas all that much; so it would still be a false flag to have them offline then but not on CCP national holidays.

I think this was an european or USA hacker. The western holidays just give it away.

Who else have UTC+2 & UTC+3 (due to daylight savings) and could plausibly celebrate western holidays/calendar? = Israel

@@rogerkamben389 Christmas is not a public holiday in Israel, so it wouldn't make sense based on that

yeah, I kind of thought that but not sure who else he’d get to speak

@@5DPixel oh i don’t mind the use of AI voices if they don’t have anyone else, it’s just nice to see they clarified it was AI

_SSH intensifies_

Just a way to show something in a simple way

0:38 0:39 ​@@user-qu1xl3ee1d

You mean Windows Task Manager graphs 📈

😂

I think it was just referring to starting an SSH session, which can take seconds normally so noticing an extra 500ms isn't much in this context. Obviously, latency in gaming or ping of 500ms is massive

Of course you didn't hear about it as it's more important to tell you what some D-list celebrity did that day or how Russia/China is going to start ww3 by attacking your country (if you live in Europe). Fear mongering and useless ''news'' stories is what people mostly are given.

Like the most recent video? I’d like to think he read your comment

True

I use arch btw (I swear to god I have a live)

ehh, arch is pretty stable but nothing beats debian

I think its reference numbers that point to a source

Sources....

2, 5, 6, 7

Sources and pages

{2,5,6,7}

This documentary was produced in cooperation with the German Funk network, which is paid for by most Germans through the "Rundfunkbeitrag" (broadcasting license fee). Since Simplicissimus no longer works with Funk, the documentary will probably not be available in English for other compatriots (at least that's what I assume, knowing Funk).

Yeah, it would be great if they would translate their documentary, but it could be not possible because of the licenses...

And they even showed two short clips from it. I wish they could figure out a deal for it to be translated into english and published. I would love to watch it with my fiance but she doesnt speak german well enough yet :(

this is a tax paid channel related to a big network

@@rushe-1how so ??

Sources

They correspond to the references in the description

2 5 6 7 8 2 9 10 11

Or they could be the crazy hand

LMFAO CLEVER ASF

when's the last time vsauce made anything other than a short?...

@@Steamrick That's why I specifically mentioned KZbin Red.

And who would you suggest to cast as 'the villain'?

@@Steamrick MrBeast's 42. Just kidding, lol. That's a great question you've asked.

Good catch!

Not to mention that Russia hasn't used DST since 2011, meaning that the time zone switch between UTC +2 and +3 doesn't match Russia either. Sheep although will automatically paint Russia as the evil no matter what. Unsurprisingly an actual evil nation in middle-east fits the time zones and uses DST, as well as has religious holidays at those times... The same nation that is now bombing several different countries and committing geno****... But hey, they are allied to the west so the sheep will be told they are not the bad guys.

Not to mention that Russia hasn't used DST since 2011, meaning that the time zone switch between UTC +2 and +3 doesn't match Russia either. Sheep although will automatically paint Russia as the evil no matter what. Unsurprisingly an actual evil nation in middle-east fits the time zones and uses DST, as well as has religious holidays at those times... The same nation that is now bombing several different countries and committing ge... n0**c!de... But hey, they are allied to the west so the sheep will trust them.

Not to mention that Russia hasn't used DST since 2011, meaning that the time zone switch between UTC +2 and +3 doesn't match Russia either. Sheep although will automatically paint Russia as the evil no matter what.

Not to mention that Russia hasn't used DST since 2011, meaning that the time zone switch between UTC +2 and +3 doesn't match Russia either. Sheep will altho still paint Russia as bad no matter what. Unsurprisingly an actual bad nation in middle-east fits the time zones and uses DST, as well as has religious holidays at those times... The same nation that is now bombing several different countries and committing ge... n0**c!de... But hey, they are allied to the west so the sheep will trust them.

open source- its essentially 99.99999999 percent voluntary. As near all as to be all in terms of real work done.

@@keefymckeefface8330 Big companies do sponsor and control some large projects and even collaborate even when they are competitors. A classic example is Webkit, which is the engine to render web pages used in Google Chrome, Safari, Microsoft Edge, really most browsers these days. It is controlled by Apple but many companies contribute. That's mostly the really big projects though, while most of the utilities, tools, and parts of software that many programs use ("libraries") are often maintained voluntarily and in their spare time by engineers, often engineers who are also employed at these big companies but still getting little support from them on these many smaller projects. xz was just one guy.

Pretty wild to think that amazing pieces of work are accomplished by people for fun and not for money.

Bist du dumm ? Is halt open source

​@@iFlyGoodIf you have a Passion in Live, you do it simple as it is.