I'm coming back to this again because of the xz exploit in ssh lol

Came here to pay homage to the prophet

Hardware backdoors are more of a concern than open-source kernel code. Especially when you consider the fact that the countries that are making these products have every reason to do so.

Yuri Bezmenov explicitly told us all this, including the "they'll purpose-build people to get hired and promoted whose only job then becomes to hold open all the doors". People are quick to forget and dismiss. Also there's literally a contest called Underhanded C Contest where participants are asked to submit harmless C code that has maximum security flaws hidden inside. Whoever's can't be found wins. It's been running for decades now. You have no idea what's possible y'all.

less than a min, 50 seconds to be precise, into the video the man has summarized xz backdoor

Windows Update basically disables millions of computers on a regular basis.

lzma moment

As a developer of OpenSource software I do agree with what he says. Most PR's introduce bugs, bad code quality, etc. If something is intentional I can't tell. But the more contributors a project has, the more it has bugs. One preseter at a conference once said, users are great at detecting problems, but they are horrible at providing solutions for them. But I still think OSS is great, for different reasons though.

The best solutions in my mind is usually open protocols with several implementations done by different people (and possible to do by yourself if you want to). A good open protocol democratizes software in most ways just as much as open software and source code does. I do like open source, but as Jon says you have to be skeptical of what you use and allow to run. I like OSS not for the security but for what it allows you to do and make with your software. I kinda feel Jon gives a bit too much to corporate closed source applications though. They might be harder to introduce a exploit into but closed source apps can hide their shitty code and that shitty code create exploits as well. People laugh at "security by obscurity" but it is an ok first line of defense. It is not good security, but it sets an ok first bar. A lot of companies rely too much on that bar though and don't have real security behind it. In OSS that bar is removed entirely.

The hardware back door situation mirrors the Microsoft situation that JB explained. In CPU companies, there are a lot of people cross checking everyone's work and more so for security stuff. I design hardware security stuff in CPUs you use and I've spent years identifying the back doors in specs (NIST, ISO mostly) and working around them. It's my head on the line if my logic is insecure and I'm fully aware of the forces trying to undermine hardware security. The motherboards and BIOS code are an easier entry point for government hackers. It's easier to pay off a few people in a factory to replace a network transceiver chip with your own. Security problems in CPUs are hardly new and have come around through traditional hacking methods rather than back door insertion and the vulnerabilities exist in the first place because of a necessary trade off between execution speed and side channel resistance. The danger in closed source whether for HW or SW is that with closed source, is that there is limited energy in the company for others to help you. Top tip, happening right now for people designing stuff to specs - try and find a constant time BCH error correction implementation in a secure sketch construct. Critical for your security, but no one sells a constant time BCH - it's unobtanium. So you need to design around that if you're in that position that you have to design it. HW security is hard work.

isn't every cpu already pwned with a backdoor directly by intel? there's a closed source computer inside every computer that has full access to everything, including the network, even while your pc is powered off. if you weren't aware of this lookup intel IME

My man Jon being a prophet once again.

Proving that knowledge is the best way to see the future.

Company spending massive money on security is a joke. Was working in few big IT companies as developer and even QA/Automation engineer. The careless approach for vulnerabilities is staggering. Some were as simple to fix as changing headers configuration in the server. When applied I was mailed/contacted by higher management this is not possible as application will not work. After suggesting that in that case we would have to redesign/rewrite piece of app, I was told no budget/resources/time for that. After time I stopped to care about it. There were assigning jr resources to fix vulnerabilities (maybe 2 resources at max), where all people with experienced were formed in teams of 8 or more to work on ADA/WCAG issues as this is "vital" for the business.

I think Jonathan Blow has been implementing all these backdoors recently just to prove his point.

There were recently an attack on the system one of our big food markets use to register sales. They had to shut down for several days, some even a week. Imagine if all our food markets had been connected to it. We would not be able to buy food. How many have food for a week at home now a days?

With closed source, the government can just tell them to insert the black box in their code and not tell anyone, with open source they have to sneak it in. I feel like it could be larger issue with closed source than with open source.

There have been several instances of bugs found in Linux, that have been around for years, that allow complete bypass or permissions checks. Who knows if they were planted intentionally. Very likely they have been actively exploited for almost as long as they existed.

He does raise some good points. So really the solution is to reduce surface area and create paradigms that are designed to be secure if it truly is something so important.

It's way easier to target userspace than kernel. There's a lot less oversight.

There are active actors in open and closed source projects introducing bugs, stealing credentials, etc. That doesn't matter since we all know that is true and that the amount of security issues introduced by mistake is so much larger. This is why you have multiple layers of protection. Military computer are air gapped from the internet. You run custom builds of the os and the stack. Firewalls, tracking, anomaly detection. You have layers upon layers of protection.

Quite eye opening

in frameworks like react the codebase is so vast and complicated by the day, i'm sure there's not enough bug fixer or checker to go through all of it on continued basis, and not to mention purposefully adding bugs is much easier than finding & testing and fixing a bug

I think this applies to all important software... (Not just open source)

you feel experience in his voice.

Vindicated with XZ's recent backdoor.

Most developers are going to value portability > security, so package managers and OSS is not going away anytime soon, just more security products as a bandaid solution

3 things: 1. If a large PR brings in a significant feature but introduces a security vulnerability its still a significant contribution. Bugs are often introduced as a result of oversight by the contributer, so this effectively just means spy programs are buiding FOSS software (yes bugs are bad but that leads me to point 2) 2. Its the responsibility of FOSS maintainers to catch bugs. 3. Its the responsibility of the people depending on that FOSS software to contribute in the ability of FOSS developers to work on the project or contribute their own additions. The lack of 3 is what is wrong with the FOSS landscape at this time. Companies use and abuse amazing FOSS tools that some developers put years and years of their lives into to get no money out of it. Sure, some are well off enough to build these tools and have enough time, but these backdoors and other cybersecurity issues result from a lack of contributers, and a lack of contributers comes from a lack of incentives. FOSS can only be good AND free if it can attract contributions. If these megacorporations never help with that then this problem will persist; they cannot have their cake and eat it too.

well, we can fall into the Ken Thomson Backdoor problem, very interesting topic. Also don't forget that Intel shipped a running working copy of Minix in the Management Engine running on ring 3. So the exploits and backdoors are everywhere, even beyond our reach.

I’m sure this happens, but I don’t think it happens in the Linux kernel much. Those guys care more than most product managers. And further. In a company bugs happen because they have deadlines. That does not happen in open source

Really accurate

I came back here today because the log4j fiasco reminded me of this talk/conversation

I predicted all this years ago. NPM!!!!

I don't like how he counters differing opinion by just saying those people aren't giving examples. But also the he just claims to have experience, and also doesn't give examples. I get that we KNOW he has experience but that doesn't mean he's not just using that as a card to play. Not to say he's lieing, but to say if he gets passionate about something he could internally be biased towards his past, not use it to construct the right answer. If he constructed, he could show receipts so to speak.

with sqlite they dont have this problem (at source code level). Its open source but they dont accept external contributions.

Surely it would be easier for governments to just direct companies within their nations to develop software back doors. The issue with FOSS is literally any researcher can just go and look at the source code and test it for bugs. Whereas if say Microsoft was directed to implement such a feature you have the devs involved and the upper management as a point of failure.

I can relate to what Jonathan is saying. A few years back there was a movie that portrays his exact sentiments. It's called Blackhat. The harsh reality is although the movie itself being a fictitious story it is also very believable and can happen realistically. The everyday people have no idea what organizations such as the CIA, the Kremlin and others are capable of doing and they've been perfecting this since the 40s and even earlier! Everything is vulnerable! Just as was said in The Matrix, paraphrased: "Everything relies on a system and that system relies on another system... right down to the Power Grid itself! If I was in a position to plan a strategic attack that would not escalate to "total destruction" but yet enough to cripple another entity (nation). I would target their infrastructure by knocking out their power grid, water supply lines, and food lines and I would do it in a manner to where it can all easily be repaired with minimal damage done to that system for there to be minimal cost to repair and to rebuild that infrastructure. The world is a stage and that stage is analogous to a chess board and the pieces are moving! In a well thought out game, the objective in the end is either to put your opponent into checkmate or to cause a stalemate. Now throughout that game it may be premature to force an early checkmate as it may be more beneficial to just keep putting them in check while slowly manipulating them in having to guard against it by sacrificing their pieces in the process. In some ways Open Source does have potential for research and academic purposes however in the real world just like everything else, there are always vulnerabilities and the amount of them within Open Source or the possible or the combinatorial doorways to them is much greater than in a closed system. Take for example, a power generating system where all of its computers and databases that manage all of its internal machinery to operate properly is a closed system, in other words it could be considered an analog system in that yes it does have its own intranet but it is not directly connected to nor will it ever be connected to the internet making it less vulnerable. For there to be an attack on that system, there must be a physical presence. Anything that is connected to the internet is vulnerable as it is a part of the playing field. There are no written programs that are guaranteed to be 100% full proof from attack. Why? Because every program at the end of its compilation or interpretation is converted down to assembly a.k.a machine code. Even your compilers are not without bugs! Even your assemblers although very solid can still have bugs. And the machine code or binaries are instructions for a piece of hardware to do a specific set of tasks within a specific order. This is even true within modern processors that implement out of order executions. It is still based on a lower lying system and at this stage of the game is the pipeline of a CPU and its stages. Fetch (and or Prefetch). Decode, Execute, Read, Branch Prediction, Write Back... As this is a generalization of the modern pipelines. And even your hardware is not guaranteed to be without bugs, nor the microcode that propagates the pipeline stages. A line goes high or low and bits are set or turned off. Then all of the muxes & demuxes switch their lanes. Values are then passed into the ALUs, a calculation or a set of calculations is/are performed and another instruction or set of instructions takes placed based on some condition of the previous results or by the next incoming instruction or set of instructions. Wash, rinse and repeat! We are dealing primarily with Voltages and Currents. It's no different than when you walk into your living room, kitchen, bedrooms or bathrooms and turn on or off the light switch on your wall. This is a two state system that is called a binary system. It is Log Base 2 and 2^n mathematics in conjunction with Logic, Truth Tables, and Boolean Algebra. And according to Lambda Calculus the Binary Number System itself with an infinite number of digit placements is said and proven to be Turing Complete. When something is Turing Complete, it is capable of being programmed to mimic or emulate another or different machine that is able to do computations. This all relies on mathematics, physics, and numbers along with their properties, rules, laws, theorems, postulates, proofs, and axioms. Numbers don't actually exist in nature, they are a product of the mind as they are conceptual. If one can imagine it, who's to say that it can not be done? Take the simplest and first expression within mathematics even without the use of "numbers" y = x. This is the identity expression and equation. This is a linear equation and within this expression of equality there is perfect symmetry and reflection. This expression has all levels of mathematics embedded within it. The line to this equation by using the slope-intercept form y=mx+b has a slope of 1 and a y-intercept of 0 as they are both understood due to the identity properties of both multiplication and addition as well as exponentiation: a*1 = a, a+0 = a, a^1 = a. And with that we have a diagonal line that bisects the X and Y axes within the 2D Cartesian Plane. The slope of the equation m is more than just rise over run. It is also dy/dx which is one of the foundations of Calculus without the notation of limits themselves. Here slope is defined as rise/run and can be determined by any two points on that line by (y2-y1)/(x2-x1) where dy = y2-y1 and dx = x2-x1. More than just the properties of linearity, your trigonometric functions are also embedded within y=x as well. Since the slope of this line is 1, and we know that the X & Y axes makes a 90 degree or PI/2 angle with their intersection as they are perpendicular to each other, we also know that the angle below the line y=x and above the +x axis is 45 degrees or PI/4. What trig function has an output of 1 when its angle is either 45 degrees or PI/4? That's quite simple: tan(t). So we can substitute y = mx+b with y = tan(t)x + b and we have not changed the linear equation. We also know from trig that tan = sin/cos. We can then rewrite this as y = (sin(t)/cos(t))x + b and still have not changed the function. We can see that dy = sin(t) and dx = cos(t) since tan(t) = m and m = dy/dx. Even the number PI is embedded within this equation. The Pythagorean Theorem and the Equation to Circles are Embedded within this equation. The main reason to this is one of the properties of mathematics that is normally overlooked. It is present within multiplication and addition, but not within division or subtraction, and that is the Associative Property where Order doesn't matter. Order only matters when you are doing the Inverse of Associativity. Y=X is the same as X=Y. No need for parenthesis. 3+2 = 5 and 2+3 = 5. 3-2 = 1 and 2-3 = -1. Do you see the symmetry and reflection? 3-2 and 2-3 are opposites. The results are 1 and -1. These values are 180 degrees PI radians from each other. They have the same magnitude but a different direction. I don't want you to think this is a math course, but I had to lay down some principles with a foundation for one to fully understand the implications of what Jonathan is saying. Everything that is done within computers relies on the physical components and the behavior of electrical current that is being supplied and drawn from that system, and this is nothing more than a physics problem which completely relies on mathematics and numbers and how we relate them to the physical world or nature. That system can always be manipulated! There are governments and there are billion dollar industries and or corporations out there and they spend millions and even hundreds of millions and in some rare cases even billions to "protect or to expand their assets" and they will higher some of the best minds to find the best exploits that will go unnoticed and hidden or possibly even to cover their tracks leaving no evidence behind... We've been doing this since at least WWII within the modern era of computer systems and spy and espionage have been happening since Cain and Abel! As he has stated he's been in the industry for 20+ years, he's very intelligent and capable and yet there are people out there that their skill set is way above his pay grade! Not to insult him for his years of dedication, work and success, but there are people out there that would make him look like a novice. So if he is giving you warning, you should heed it with caution!

i was here

So basically after seeing plenty jb videos, it seems he is the only real programmer on earth

Fact that he has exact numbers 💀

Log4j

I do not agree with what is said in this video. Open source software means that anyone in the WORLD can watch and contribute to the source code, so obviously people that have DIFFERENT INTERESTS. If one people tries to add some new code it can be seen and reviewed by anyone, whereas in a closed source project most likely nobody will ever check it (if it was validated by the manager or quality team). Also it's not because that it's open source that you can publish anything, you also have to go through a validation process like in a private company. With closed source project you're BLINDLY TRUSTING the software producer, you have no way to actually check the source code efficiently, so it's obviously bad in a security point of view.

If open source software, such as Linux, makes systems inherently vulnerable, why are organizations like the NSA betting on it?

7:27 to all the naysayers.

easier said than done

I don't know enough about this but I would like to think that if there is a problem more eyes on the code at all times would find and report it before the closed environment would. Either way I can see his point, One requires more effort in order to be compromised and if you get caught you basically need a new spy. On the online project you can skip that step and go full on offense. But if the people checking the code did their job properly you would have highly competent spies improving your code for free, because in order to be merged they would need a big impressive feature working big enough to hide the bugs so if these were found It would be a win win for the users. It would be a bummer to lose great software like blender, OBS, VLC, Audacity or Linux

DUDE did this age well (see "Linux got wrecked by non-consensual backdoor attack")

Note: with git you can do git blame and see who added that code

A multi-kernel built with a less cryptic language than C would provide a lot more safety IMO. It pains me that Linux is so huge and complicated.

huh , that call was correct afterall

Yeah, people will try, but they will often fail, at least with projects like Linux. Linus is very strict on what pr's he includes, and there is a lot people (at least for large active projects) that work on, and look at the code.

JB is simply wrong here, and it's sad to see someone with such capability and insight in other respects fall for such naivety. A thought should be followed to its eventual *final* conclusion, not just the next logical one. 'Expense' means absolutely fsckin' nothing for a state actor when it comes to deliberately orchestrating the insertion of code to further facilitate the exfiltration of data, the future exploitation of a software system, etc. Inserting an 'agent' or whatever to a corporation for whatever purpose is purely a tertiary concern for a governing agency which presides over the soil on which a corporation conducts its primary operations. The corporation will always have a financial motive first -- not the concerns of the general populous -- and thus is easily bought off through any of a number of options. Simple preferential treatment for an upcoming contract auction is often adequate enough to buy oversight over many smaller corporations and the bigger ones aren't much more difficult. Conversely, hiring, training, monitoring, and deploying assets to introduce complicated security flaws into OSS projects in the hopes that the bugs will go unnoticed by many millions of others in a community for an adequate period of time and ensuring that they remain able to make changes to safeguard those flaws in the event that other code is introduced which inhibits the facilitation of them is decidedly more expensive over time. You can pay a corporation to overlook something in a private codebase, or even just dictate that they engineer something in a specific manner to maintain compatibility with self-designed platform restrictions -- and you don't even need to explain your reasons -- and they will gladly make those accommodations so as to guarantee the financially-beneficial relationship. You cannot, however, exercise that kind of influence over a continuously fluctuating populous in a diverse and complex group of communities, especially as other agencies are apt to do the exact same thing. The bottom-line here is that it will always be easier, more efficient, and overall more effective to influence private codebases than public ones. OSS is not, by any means, impervious to malevolent meddling, but it will always be 'never worse' than private codebases. The acquisition & privatization of many major OSS projects proves this point pretty effectively.

xz-utils backdoor says “Hello”

The man was right, XZ was backdoored 😂😢

7:27

damn, he saw the future

1:35 someone already tread this with the Linux kernel... and failed. Same with PHP, though it got a little further, but not into an official release. The thing with any reputable open source project is that they review every incoming change and look for this. They can see every single line that was changed, and check what it does. Yes it is possible, but it is unlikely to happen, and would easily be noticed and removed if it did happen.

first he says: 'how do you think that's not a thing?' without providing any reason to doubt serious maintainers who review all those check-ins of code YET he still asserts that: 'i guarantee you that there are at least 17 serious exploits in linux kernel'. He might be right, but i don't like that he is so sure about some arbitrary unfounded things, yet so skeptical about some others.

There is nothing you can do against secret agencies. I'm a cybersec student, that's literally the first thing your teacher will tell you: "Accept that you are already owned". OSS can be intoxicated, yes, but the good it raises to the world is too fucking big. You can not pretend that it will not last just because it has flaws, spoiler alert Sherlock: Everything have flaws, specially humans.

I've said it before and I'll say it again. Comparing a tiny open source project without much oversight to Windows is ridiculous and is like comparing apples to oranges. Compare the LINUX KERNEL to WINDOWS and then we're talking. The Linux kernel has tons of oversight (Microsoft, Google, Meta, AMD, Intel etc all contribute to it, have maintainers from those companies and is used extensively by these companies). With Windows the security team is actually shrinking as Microsoft is focused on their most profitable businesses like cloud/Azure and AI so it's quite easy to get hired if you're competent and introduce a backdoor.

His initial point about open source software allowing anyone to insert bugs for personal/national gain is a very good point, I fully agree with that. There are thousands of projects that people just download and put in their project with nearly no oversight or validation. But to then say, the Linux kernel must MUST have exploits injected into it, is a WILD idea. Linux development is highly funded, with hundreds of some of the most experienced developers in charge of PRs and fixes. Changes are highly controlled. By the time a change of any kind actually gets to the real kernel, it has gone through more eyes, and more skilled eyes, and more re-writes, than any of the software developed at an Amazon or Microsoft. If you wrote an exploit in a sneaky way, chances are it'll get re-written before being committed. I hate to sound like a Linux stand, because of course there are issues with Linux. But secret security bugs is a laughably unlikely issue. On top of that, the Linux kernel is funded almost exclusively for security and stability reasons, since it's funded to be used for servers by million/billion dollar companies around the world. There are not incentives to skip security because that is why it is being made. Unlike a Windows or AWS (etc). I can't write a piece of code and get it in the Linux kernel, probably ever in my life. To me, the best defense against exploits is the sheer magnitude of eyes on the product. Linux has far more people watching not only the code, but what happens on deploys, thousands of deploys of different kinds. So not only would it be unlikely to get code in, but also how long will it be vulnerable. It would be easier to compromise the small group of say Microsoft developers for the Windows kernel. I also would guess that a far better attack location would be the application layer. You can get exactly what you want from it. But maybe that's more for just data. But to acknowledge what Jonathan is trying to say here, defense is harder than attack. I get that. Someone could input attacks that are very very very hard to see. And there is no software developer that would identify them in the PR. But exploits seem to come regardless of the developer's intentions. For decades software releases with exploits that compromise security and stability. I don't see how discovering exploits in Microsoft's windows or other well-funded private development firms, is any different from attempting to inject exploits. The main difference being, many people are atleast watching Linux, and the last couple decades would say that opensource project has a much more solid history with fewer bugs/exploits.

The png crop bug on android and windows. That went unnoticed for quite some time. And it really should have been obvious for all those years. But we're not expecting decent code from companies like google.

Yeah, Jonathan just can't be wrong on this.

6:52 Ironic that Jonathan is the one not knowing what he is talking about, because this is absolutely true, every company I have ever talked to that majorly contributes to Linux is invested in committing security patches to the kernel, and reviewing their code. In fact, most such companies produce both open- and closed-source software, so Jonathan's argument is dead in the water to begin with. Companies are hesitant to open-source software because maintaining it is expensive, but maintaining software is expensive to begin with whether it is open source or not, that's why experienced developers get paid so much.

BlowGODS....

With closed-source you don't even need to review or ask anybody. You as an NSA shitter show up with a warrant and put whatever backoors into Windows that you want. I prefer having 1% chance of discovering a zero-day with my own eyes to 0% when using proprietary software

I don't see it all about the vetting, etc. Those doing their job, their vetting is influenced by stress, etc. A lot of open source projects are passion projects and care more about the resulting code than the developers at commercial companies. What is a problem: accepting code from random persons, all with their own motivations, on the Internet probably requires a higher level of vetting then within the same company. But if you are Microsoft... that also goes out of the window(s).

"node-ipc" ♿

so what? you wana say close source software makes more sense to use? ah, sorry. you are creating games and all of them are close sourced :)

I understand Blow's point here. But what do we do? OSS ain't going anywhere, and this problem is only going to get worse. Say the Russians, or the Chinese, or the NSA all have compromised the Linux kernel, or highly used NPM or PIP packages. What realistically can anyone do?

Ah the good old Blow, I forgot how big his ego was. He's kinda not lying tho, OSS can have problems, good luck finding zerodays in OSS with many lines (even on Closed Source tho), nobody got times for that except people with malicious intent. But hey... Crypto AG existed, so Closed Source or Companies are not so safe, because it's more opaque, I kinda understand the argument "we can see the code"... but like he said, too many lines and you ar e more susceptible to malicious injection in OSS. Still interesting to listen to the guy.

Voice clone of Donald Trump 😮

He's right but I don't see how this is an argument against open source specifically. It is an argument against bad software development practices.

Against DDOS we can protect by router with right firewall. 7:25 You are wrong. Problem is not length of code in kernel. Problem is that kernel is in C. Better language is Cext it is C with few extensions. Such extensions cause that program source is shorter, faster, more secure.

This starts out early being a bad take, because Open source and package managers have already existed for 10+ years and it's only gotten more popular. To say that "it won't last long" is to not be able to see the forest for the trees. Are there potential security concerns? Sure, but all software has security concerns, I'm not convinced that open source is some how more dangerous than other software, especially if it's being actively maintained and scrutinized.

So is this dudes opinion about package managers based of a global system of spys? hahaha

Shut up bro. Give examples. You are the one not giving evidence.

"Most servers are linux" complete bullshit