Next version will make SSH faster.

@@squarerootof2 It would be so funny if true

Fbi knows your location my italian friend

or open source communities will be more "careful", security is always catching up with the bad guy since you're defining rules of the game and they have to bend those rules and then you make a new rule with a patch and this goes on and on.

​@@squarerootof2for once the NSA will be putting it's resource to use in trying to help the people

Bruh.... I would have gotten away with it , if it wasn't for you meddling software engineer, bro is built different ...

this is not just the one there are many others planted everywhere cooking

yea and it was found in 3 days too.

Humans can detect 13ms of latency. This was ~40x more than that.

Imagine you normally send some 1000 files to server and every file took 100 ms, it will only take 100 sec. But you noticed that it gone up to 500 sec. That's pretty sus 500 ms increase in benchmark

Lmfao is that a Chad emoji? 🤣

@@ItsRyanStudios It's called 'moyai'. Very popular on Discord.

Indeed it is

The based chudcel be like: "SSH has fallen, millions must investigate"

​@@ItsRyanStudios Moai.. Haven't you played Civ V?! ;)

Is it? No one looks for small increases in power draw. Tens of thousands of people and bots look at benchmarks for common operations like SSH logins.

@@meepk633that’s literally what makes it a good analogy if you had been listening lmao. ‘No one’ looks for a slight difference in CPU usage on startup either. Thats why so many people were vulnerable to it. This one guy just so happened to look into it. Just like out of all the neighbors that one guy just so happened to look into it. It was a negligible difference and he still looked into it.

​@@RealNaisuCinema This backdoor was caught as soon as people started incorporating the compromised liblzma updates. Hardly anyone was vulnerable to it because of how quickly it was discovered. It was discovered quickly because people profile and test their apps continuously. Dumb luck was not required. He noticed the extra 600ms of latency and other fails on *every* SSH login. He looked for changes, found them, and determined what caused them. The camera analogy is stupid.

@@meepk633 you're a sad, sad hater. I feel sorry for you

@@meepk633 You're assuming a specific audience. Normally, I'm with you; analogies suck. They're used to patch a flawed understanding of the presenter's own knowledge. But the actual exploit was covered decently enough for a short video. The analogy expands it enough to reach an audience lacking your godlike knowledge and skills while keeping a reasonable hold on the core issue. As much as we all aspire to be you, we're just too stupid. Damnit, listen to me, defending analogies, of all things. Thanks for that.

Its probably China, Intel Architecture already has a backdoor.

Their previous attempt at adding a back to Linux was also denied.

Yeah, some state agency is _extremely pissed_ right now that their op was busted after two years of work, and before their backdoor could actually make it into the wild.

Why do you think the “exploit” has been publicly dropped by Alphabet?

​@@MaxPanicone of them anyway 😬

Meanwhile when I ask our guys why a server that took 20ms is now taking 20s: "there's no one here... must have been the wind"

Database programmers are a different breed, my dude.

Someone built a system utility that was ssh-ing all over the place like mad (the kind of use/abuse of common system utilities that mad system programmers, of which I was one in industry where they allowed it, are wont to design) -- and discovered one day in obsessive testing that its performance on a brand new, not yet stable release of Linux had become a dog. Well, THAT can't be tolerated... and voila, the backdoor setup was outed. The backdoor had given itself away by... irony of ironies... a SIDE CHANNEL, in this case its performance impact. Hurrah for obsessive utility polishers. By a Microsoft developer no less. Now I wish an obsessive Microsoft programmer would fix a rendering problem in Photo that's been around for more than a year and gathered numerous complaints, but again my problem isn't a security problem that could let a malicious actor into systems worldwide.

That's actually extremely significant if you're doing benchmarks and especially in databases, if an operation takes on average 10ms and now consistently takes 12-13 and this operation runs "all the time as often as possible", you can guess even my non-technical self will put the tinfoil hat and go on a hunt. Fren was going for the one edge case this had the barest chance of being detected

This adds up when a script is hammering a system with dozens of these over and over.

yeah , in these moments i realise i'm addicted to fireship videos...hopefully everything's okay with Dylan.

What are the main culprits of poor computer performance? I've been told if the drive your OS is saved to is close to full that can affect performance, but I'm sure there are a few other causes besides a crypto miner

You are so Correct! by watching KZbin videos we all the time run a payload for the bad guys.

@@jcozyyt If it's not malware then the machine may be just overheating and throttling to protect itself from permanent damage. A little cleaning, new thermal paste, etc. may help. If slowdowns are really serious (like "random" freezes for a minute or more), then it's often the HDD that's on its way out. SSDs usually fail more abruptly without many early symptoms. If you are getting complete crashes then check the RAM and the power supply.

​@@jcozyytbloatware installed if using windows. There are redundant processes or features that go unused typically (print spooler services, Bluetooth, Cortana, accessibility). Outdated drivers are also a big component of performance issues and vulnerabilities.

That cryptominer in the background is just called Windows xD

😂❤ Enjoy the backdoor

You may have switched the "arouse" binary with the "think" binary my friend. I'd do a check if I were you lol

Did she invite you to attack her backdoor?

​@@ThomasAndersonPhD dawgg

@@Whynot83848LMAO

It's all good because they help to spread the hack around. This makes people more alert 😊

And he said nothing in this video. Like we are all retarded.

@@sleepyearth :) you meant, give hackers idea and people forget it in 1 month?

@@vaisakhkm783 dude after a vulnerability is discovered its basically of no use for the hacker.

@@boltez6507 no, i meant now people will try get backdoor into other projects too

Nobel prize or at least some national recognition. This is better than any olympic gold medal.

Holy C 🗿

Terry laughing at us mortals.

0 Daily user

@@Lewdovico bcz it's now *only* an relic artefact for people who want to explore OS design from scratch.

Reported this loophole to Jia Tan. He is on the way to fix this "missing" backdoor 😂

Yeah, and we will help you maintain it

lol

Hardware backdoors exist.

@@samwalker7567 Just wire the transistors together manually then

@@Scratchfan321 lol😂😂

​@@pyromaniac2359 me: nothing going on here

@@pyromaniac2359 as a full time M$ admin I can confirm this statement is true.

500ms is pretty major for just pure SSH

0.1ms*@@pyromaniac2359

Since linux users are so toxic I will NEVER get it and it's YOUR FAULT. @@pyromaniac2359

XD

Its a new update for copilot bro

@@xeqqail3546 now with more bloatware and telemetry yippeeeeeeee

that's a good one 🤣🤣

superpower of fireship

Bro... I do that all the time 😢😢

obv AI

fireship probably - hey chatgpt i want to make a video on this topic explaining this incident to fat devs living in bad neighborhood, give me subsequent scenarios or real life but simplified analogies to help explain

that why i like fireship

we're screwed.

"random" because the smartest people in the world don't want the spotlight

xkcd 2347

welcome to the internet

And he doesn't get paid.

At the same time, it is all the fact that it is open source that the malicious code can be discovered. The amount of undiscovered backdoors in close source proprietary software can only be magnitudes more.

Or rather, it's becoming clear how vital it always was.

​@@kmlau1986💯 There's not a business justification for searching for backdoors in proprietary software until one is found, or unless you have specific wording in the EULA or if tighter-than-average regulations are involved (e.g HIPAA)

Software world is full of backdoors, the only difference is when you notice them

What coulda happen tho? As in for real what could have the malicious party done with that back door? can someone elaborate

The fun part was that Freud wasn't even an security expert.... He was one of the committer for Postgres Which made his discovery ever more impressive

He probably ran the same benchmarks so many times the discrepancy became obvious

Yeah, since he's a package maintainer, these are probably standard techniques he uses in everyday life. Still, I'm grateful for his dedication.

Except the guy who found it was one of the people who fix it for the stable release.

what if Freud is undercover counter-intelligence officer of opposing secret agency 😱

This guy said he isn't even a security researcher too :D

He wasn't, he was just a software engineer at MS who stumbled across it.

the guy that found it wasnt even a security researcher

Well he’s creative I’ll give em that, probably could make a transition to cybersecurity easily if he liked

That's the best part. He was just some random software engineer. And like every engineer he was annoyed by something not being as efficient as he wanted it to be.

haha what a legend.

funny you still watched

Same here, someone please exlain as if i was a toddler (cuz i am when it comes to computers)

@@dontsueme The analogy Jeff made at the end with the camera installed in your toilet is a really good explanation

really? even after he dumbed it down with that ridiculous and unnecessary analogy at the end about the landlord?(well...at least I _thought_ it was unnecessary, but people like you apparently are watching)

Not that we are aware of... minor but important distinction.

No, that means the backdoors you have haven't been disovered yet

I read the original comment as 'you might have been backdoored consensually' 😉

@@christianh2581 lol

If you use windows/microsoft products you are being backdoored consensually

the exploit doesn’t actually work on macOS though but in general that’s definitely a problem of using rolling release software, the same issue was also technically present in the latest arch release, but from what I’ve read the exploit doesn’t work on arch either

@@LosFarmosCTL Pretty sure you're right about Homebrew from what I've found-the general consensus appears to be that the FOSS world dodged a bullet by Freund discovering this in March and not May, by which point this version would have actually been deployed in the intended target-Ubuntu 24.04 LTS.

This is the better explanation of "If it is not broken, don't fix it" in the computer world.

@@GSBarlev yeah this feels very much like a long game attack that was supposed to end up in incredibly valuable targets and if they managed to slip it into a stable ubuntu release without anyone noticing… oh boy that could’ve been a disaster would be really interesting to know who was behind this, but since it’s probably some government agency ig we might never know

afaik not only homebrew on mac but also msys2 and cygwin on windows shipped the bad library but quickly reversed to a more trustable version

Get a life

@@GursimarSinghMiglani sure, thanks for telling me. Have a good day :)

To be clear, no openssh implementation uses xz as a dependency. It's these particular distros that patch xz into their ssh implementation. So at the end of the day is that these distros were 100% trusting xz to the point that they patched it into one of the most critical parts of their system, while in the meantime xz was being maintained by a single person who wasn't feeling well enough to really fulfill the role.

​@@seeibeand yet no one else volunteered to help, other than a state actor with malicious intent, so will anything change in 5 years when, inevitably, some other critical dependency with a single maintainer is also backdoored? No. Security is screwed by our apathy as a species. There are hundreds of other repos out there run by basically one guy, who's asking for help and no one comes because 1) They don't think they're qualified enough. 2) They don't have time/are too lazy to help. 3) They don't help unless they're being compensated somehow but the maintainer had no money to give them. 4) The original maintainer is a brilliant, but autistic asshole who does not play well with others, and thus can't convince others to stick around. 5) They're being overworked by a corporation to work on something else, and have nothing left to give. 6) They're happily ignorant of the precarious wobbly jenga tower our entire technological infrastructure is built on and trust software out of pure natievity. 7) They're aware of the issues and how to fix them but disagree with the maintainer on some design or philosophical difference and are too prideful to reconcile with them, so instead they fork the project and no one has started using the fork yet, because the old one still exists and gets updates. In short, nothing will change, and we keep on living praying that one day our technical debt as a species won't catch up to us.

@@seeibe Which makes it kinda funny that the only distro this specific backdoor wouldn't work on Arch because Arch doesn't do dumb stuff like that instead of requesting upstream enable something that could supplant the patch.

​@@Spartan322 I use arch btw

It is odd that a closed blob was allowed to ship with the code. But on a diff note, Linux is amazing in that it is designed so one can look deeper into any process.

exactly, these are the kind of targets these groups are seeking out. and the next exploits will only become more complex since they will look at what happened here and understand better how attacks can be obfuscated

Companies need to pay for the open source software they use already

@@ChamplooMusashi Hopefully white hats will keep a step or two ahead. Now that we're more alert about how something like this can happen, deltas between releases will be more thoroughly scrutinized. If something hefty changes or is added with no good explanation that can't be independently verified, the change will be put on hold.

Tell that to NPM projects 😂

@@seeibe Why, and which open source license are you referring to?

5.6.1-3 is also safe

Don't use xz -v directly, find out the version through grep

Yup, great summary. @Fireship: You erred on (2), OpenSSH does NOT use liblzma for compression. Kindly clarify that!

Just takes one bad library...

and also they don't get paid while companies makes millions with the work of others

@@ionrael This. Once again capitalism is at the root of these problems. Honestly there's not much difference between this backdoor and the bridge that recently collapsed, except that in this case we got lucky.

@@seeibe Another example of a surface-level understanding on complex economics. You can't just blame everything on "capitalism". "Human greed" would be a more fitting blight.

@dchri18 It's capitalism. Human greed is not the issue. It's the system which rewards particularly greedy individuals and propels them to the top which is the issue.

afaik Jia Tan also contributed to libarchive. They also maintained a unit testing library for C. People are scrambling code and trying to remove any of his contributions.

Learning that systemd is what exposed the distros to the problem, because it sidestepped the dependency checking done by OpenSSH folks … wow.

why does the attack not work on arch? It uses systemd as well by default, with a opened ssh server the system should be vulnerable, right?

@@marsimplodationbecause arch do not apply the patch to openssh to link it to systemd-notify, if just doesn't pass tell systemd about status changes of the running daemon.

@@MatheusKlSchYes, several projects they contributed to, part of how sophisticated this is. Why I think it is state sponsored, don't know which state though.

😂😂😂

oil up, be there at 8

what is up with the title? Did it change?

Ass wrecked

"non consensual backdoor attack" 💀💀💀💀💀​@@TuxikCE

Its probably this many kzbin.info/www/bejne/mZ2TYYN-prNonKc

Even this issue was barely detected. We got REALLY lucky. I wonder where else there is malicious code like this?

These companies have strict review rules for this. There is no code published from MS that is not reviewed, they even have a dedicated security review I think.

I thought my company also had "proper policy" and "strict reviews". 😉

If the software is open source with very few contributors, it's more likely.

Counterpoint: I'm surprised the NSA didn't notice this themselves: "Hey, there's this weird 500ms slowdown in our botnet playbooks. Someone needs to dig into that."

@@GSBarlev maybe because they are behind it?

More like god tier observation level haki.

@@michaelsills8038 more like autistic tier observation. blud got mad at the .020230248293 mili seconds of delay

This 🐐 develops postgres for a living. With all the db exploits he's probably seen over the years, this was probably a giant snooze-fest for him.

Making it was equally impressive, though. That level of dedication is really inspiring

Not really, several years ago my desktop computer got infected once and I noticed something was wrong right away because of slowness. Btw, I'm just a mediocre level programmer. This is the same. One developer noticed SSH was being slow and investigated it.

This channel doesn't really go in detail. But reports on important/cool stuff in a short format way. Great stuff really , because otherwise I would miss it :)

Primetime will upload a stream related to this

@@loopingdope he is like a week late lol :D ...

There are other channels that deep dive it

Yeah, it is worse than that though, the shorthand is wrong when it says sshd uses liblzma, it does not.

a bot liked your comment so much it copied it ten minutes later

Had to akshually

Real Linux has never been tried

I don't think it's quite that simple. It seems to be done on the distro level to patch the ssh implementation, as for example on Arch linux this doesn't happen even if you use systemd. For the redhat distros it makes sense, since they also develop systemd, although I'm not quite sure why debian and ubuntu also do this.

@@seeibe It is a complicated hack for sure, with many subtle aspects as to when the backdoor gets included or not. These include some fairly specific checks on the results of uname. As far as I understand it, the sshd code is uncompromised, as is the systemd code itself, the backdoor gets installed purely from the lzma library. What makes this backdoor possible is that systemd based systems load the ssh deamon into the same address space as liblzma. This allows the lzma initialisation code to replace some critical functions within the ssh deamon. I'm sure some design choices and availability of certain features within critical components will be reconsidered over the coming months. And do read Ken Thompsons "Reflections on Trusting Trust" (Turing award lecture in 1984).

I think your analysis is quite wrong. As far as I understood , Linux systems does not entirely rely on xz library by default. Such library, has been used by some distros for sshd, to let sshd being able to display messages to the end user, which is done by systemd. Systemd does not interact directly with the compromised library unless being patched for displaying messages. The reason why arch is not affected.

that reminds me of that one attack that hooked into libc, and basically proxied all functions of it, as a consequence it would filter out itself from any standard library level function output, like... files, pids, twas insane

To be clear, this wasn't a link against systemd, but rather systemd-notify. systemd is not a piece of software, its dozens of pieces of software. You also don't need to link anything to integrate with systemd - it talks to processes via signals and D-bus.

Bro I don't want to sound cheesy but everyone has the ability to become smart/great at something. It's just depends on you if you are willing to put in the hard work and the hours. Never ever talk yourself down.

It has nothing to do with you bro, disconnect yourself from whatever is going on. Andres is'nt always perfect, he just had a moment of ascension, there are times like that, where you connect with ultra cosmic consciousness and pay attention to detail and depth.

@elimcfly350 or, you can conclude that a good person can make a lot of difference in the right moment.

Define smart? Do you think this guy can lay bricks to hold up the roof of a house? Or is it only a matter of learning the fundamentals that build knowledge?

I was mostly joking, fellas. I also didn't know that this dude is an engineer at Microsoft who was just doing part of his job, since this video never mentions that. I thought he was just a hobbiest running benchmarks for funsies. That's why I was thinking "dang, this dude is on a WHOLE other level of nerd."

cowsay bless you

Haha yep "anyone can review the code" doesn't mean that anyone actually has or is

OSS Auditing is the Academic Reproducibility of the tech industry: was done in the past, is no longer done unless there is a big issue because the volume is too high and the code (experiments) too complex.

always has been

@@ispamalot I was gonna post the same when I saw your comment rorschach

It's the temple

When everything else fail, pray.

CHRIST IS KING

Fireship was too chicken to just say China 🇨🇳 and we all we know it’s

isnt a 'rogue' state whichever the US say it is?

@@JH-bb8in > we all know Falsified by one example: me.

yea, they been asking for backdoor for years. tho they are fail to own faults as most cyber attacks on USA was due to usa backdoors. water systems, power gird, and ect. A backdoor will always be used by your enemies or bad actors that finds it. its like a kid that cries each time he hits himself why he got hurt. If theirs a door it will always be used no matter how hard you hide it.

@@armynyus9123 wasn't counting NPCs like you

oil up bro be there at 9 🙏😭

1:01

Do you think it was consensual?

Is that skull emoji slanted?

What's even more terrifying no lube was used. No one is safe these days.

If the hacker is a state actor with a particular target using one of the rolling release distros, they may already have been successful. Who knows.

At same time is sad that only one guy is responsible for a major library that internet depends upon, and the only help he got was from a rogue agent...

good luck finding backdoors in closed source software, it's way harder to audit a black box, i guess security through obscurity is the real thing

@@ismbks Good luck patching them

Some rando state actor wouldn’t just be able to contribute into closed source, so your point is really weak

@@Cassp0nk Yeah, instead the american alphabet bois get to dictate to microsoft windows, solaris, unix where and how to put backdoors. Open source is your best bet at not getting backdoored by anyone. Closed source in current year is an almost guaranteed way to get backdoored.

and there is me where i tolerate more than 3 years a wifi disconection for more than 15 seconds if you use more than 15 devices on wifi network...

bring out the ping, get the top, last but not least ps aux

I remember he said that the CPU spiked and there was too much delay (500 ms) even when the username was wrong.

Well the thing is that it is not in fact a Linux distribution. Terry did his own thing.

HolyC FTW

MISTAR BIST MRBREST IS THAT YOU ???? I NEED MONEY!!!

moistcritical looking ahh comment

@@taahaseois.8898 Yep. More importantly it doesn't have internet, because internet isn't necessary.

Yeah, it was widely reported he was a benchmarker.

Personal computers are often behind NAT, so even if you were compromised it wouldn't really matter

relatable

That shit sounds ridiculous until you actually work for government contractors or major companies. Then this becomes a very real reality where you are not even allowed to put your own chargers into walls or they start using their own contractors for building renovations. JetBrains for example bought up some big apartment buildings in europe for their new headquarters and they did NOT use local renovation services but selected their own in order to prevent espionage 😅

​@michaeljb3107NSA would put their backdoors where they can't be attributed back to them. They're more subtle than that.

@michaeljb3107ever heard of the intel management enigine on all modern intel (and amd) cpus? NSA is already in the cpu