>"I'm not a security researcher." >Saves the entire world from a cybersecurity disaster.

I love how this dev fucked up a years long nation-state led effort to backdoor linux because he was curious about why sshd was taking 500ms longer to start XD

Microsoft: SSH is milliseconds slower? Investigate! Microsoft: Teams takes 20 minutes to load? Working as intended.

There is something beautifully ironic about a Microsoft developer saving Linux.

Lesson learned: do not let people heckle you into releasing faster.

I like how this dev ssh'd so many times in his life such that he could detect millisecond level delays. Truly a working class man.

I feel so bad for the poor maintainer. He's been thanklessly working on this thing that the entire modern world depends on, almost completely alone and now he has to deal with this shit.

fun fact, "freund" is German for "friend". So a guy named friend, who is not a security researcher, saved us all from a huge security threat.

Imagine if this was a closed-source software. Undetected for years, if not decades. Infiltrating every "xxx" OS pc.

The amount of time and effort that was spent on social engineering and obscuring of the backdoor for this plan is insane and not in a fun way. We were so close to having Darth Sidus say “execute Order 66.”

this is why software being open source will always be a better option for privacy then closed source proprietary software.

Never updated so fast after it was found

NSA is about to have some stern words with Microsoft.

This developer that works for Microsoft just saved our computers. 👀

All intelligence agency: Don't worry guys there are still many backdoors available

TempleOS never has backdoors!

Makes me wonder what is not discovered.

This is modern day wizardry.

This had very little to no affect unless running a very recent version of unstable Debian or Fedora without a proper firewall on the attached network. Rolling release distros were patched immediately. Arch Linux was completely unaffected since they do not directly link openssh to liblzma, and thus this attack vector is not possible. Regardless of distro, it would need to be specifically targeted. Chances are the attack was never launched, the state actor or criminal organization behind it was very likely waiting on some scheduled release to go out, and then wait for some specific target or target machines to update to that release. This could have been worse, but it wasn't.

This video has the only honest title out of everything Ive seen on this topic. That man deserves a beer for how much he saved our asses from an inadvertent backdoor.

It shows weaknesses of open source, and it also shows strengths of open source. A well organised and long term infiltration was nonetheless thwarted by an open set of eyes. Well done Mr Freund!

Meanwhile a thousands of pre installed bloat backdoor hide so well in Apple macOS that never be reported

Pro tip: can’t get hacked on linux if you only use proprietary software backdoored by Microsoft and apple

in freund we trust

Most evil Linux hack ever

After the initial angry reaction, I’m starting to feel bad for poor Jia who wasted 2+ years infiltrating and contributing to open source, only to get busted a few weeks after having finally implemented it and the backdoor removed in a few hours. Sorry Jia but you suck at your job 😅

Don't worry. NSA is glad no one found the other ones.

I normally hate Microsoft with every fibre of my being, but the man who discovered this *_MUST_* be protected, *_AT ALL COSTS._* No telling what's gonna end up happening to him because he tore the veil on this backdoor wide open. Do not permit him and his livelihood to fall into obscurity!

Was just talking about waiting for your video on it 10 minutes before you uploaded this. You're glowing kinda bright

outstanding video, explain in excellent detail!, i saw that there was a few youtubers already talking about this but i wanted to wait for yours, you don't dissapoint! thank you!,

Excellent analysis. Thank you for taking the time to explain this so well.

The Linux Foundation should bring this project in-house. It's that important...

Thankyou for the technical analysis. This is what I came for.

Given the effort some group is putting in here makes you wonder that this is almost certainly not the only hustle they're running, just the one they got caught doing.

Excellent detailed coverage! Thank you!

really great videos, Thanks!!

This is why you don't trust commits from FMC

To summarize, the maintainer of xz utils was carefully social engineered by an APT who wanted to conduct a supply chain attack on that utility.

linux neckbeards went awfully quiet lately...

NSA just can't catch a break lately

I was waiting for Kenny to make a video on this.

So no head ?

Very well explained. Great job I’m glad use found this and reported

Really good breakdown of issue

Sayin “im not a security researcher”. while casually saving the entire world from a hacker.. im sure his Batman on weekends

After a system is compromised, it can call home and install extra stuff immediately, so even if you clean up the intial attack vector, the system remains compromised, so you need to reinstall it clean.

great breakdown of this. Thanks.

Quite a compelling narrative indeed! The intricate complexities of cybersecurity are starkly unveiled in this exposé. It's a stark reminder of the perpetual vigilance required to safeguard against such surreptitious incursions. Kudos to the elucidative presentation!

Jia Tan, Jigar Kumar and Jansen Hans all start with Js so its the same person's different alts I think.

Never been happier to be running xz 5.4

What a great breakdown ! :O)

Been waiting for this

Just read a article about this and was hyped waiting for this vid

The very honest sounding jigar kumar😂

Good content, thanks 👌

This video digests the xz attack down to something I can manage to get my head around since I'm not a security researcher either. It's an interesting case because clearly it is both a technical attack *and* a social engineering attack on the xz-utils package. BTW, Homebrew has it for MacOS too. They did the downgrade option.

Now think about all the other backdoors...

So this is the "tests" backdoor method - I wonder how many more projects have extra "tests"

Thank you for the info

Love this channel

This is why you don't run bleeding edge

Autism saved the internet

Thanks NSA. 👍

Arch bros, we just can't stop winning.

A guy who works for Micro$loth yet never the less did a good deed. We salute you sir.

Does not matter if the source is open if there is nobody looking

All of this makes me wonder how many more of these backdoors are out there that nobody has found yet.

Good summary

Makes me wonder if we've missed any

NSA: "Oh no, one of our thousand back doors is now closed"

we can instruct the PowerShell in windows to not execute sny code except is signed . or we can also midify command prompt, terminat, powershell....and convert any code from unknown source into unexecutable code

I wonder how many other commonly used utilities have been backdoored this way, I imagine a lot of people are going to do a line by line code audit at some point (if not already) of these distros.

important tools like these should be marked as feature complete

Really scary how this could happen with opensource software, especially such commonly used one. Always thought that enough teustworthy eyes are upon it to prevent actions like this.

In a way I am glad this happened the way it did because we were really lucky and it could have been so much worse. We can also learn a lot from how this was done to reduce the risk of future successful backdoors like this, if we take the right lessons to heart.

I love this channel

The scary thing is AI is going to make sockpuppets much harder to detect when the AI can spend years building up their legends automatically :/

Freund = prounounced froind in english = friend in german

makes you wonder how many other packages in popular open source software (perhaps even linux distros) have state-actor backdoors in them that are to date unnoticed

4:34 I started with Gentoo, I know what it is like to work with. Especially, if you compile the kernel yourself. And this is pretty accurate xD

I hope this puts eyes on other widely used open source projects, its naive to think this is the only instance of a long con compromise. Especially if it is a state sponsored attack.

The green reddit has been spazzing out about this lol. Kinda useful in a sense so that I could check which ver of xz I had, but luckily it seems I am maybe safe.

makes me wonder how many of these attacks went unnoticed.

Nice video

I was waiting for mental outlaw to make a video on this topic and as always he never disappointed

Jia Tan totally sounds like the name of an FBI coder coding something they could never use.....

the guy who found it is too based to be merely human, we thank you friend

thanks for the quality breakdown

Stuff like this is *exactly why* core packages and utils roll out so slowly. Debian stable is still comfortably running 5.4.1, and the testing maintainers are no doubt going to fix the issue before it trickles down to the mainstream userland builds, the servers, etc.

I wonder how many comparable back doors keep remaining unnoticed.

I'm trying to get into it starting linux ect ... I've Seen vidéo talk about it and understant bit hère and there (liké 10/15 vid ) but this vid help Me understant thé hole shtick and was the better one 100% so thanks you g

this is just the shit someone found, imagine everything they haven't found/wont find

Yeah, this news is pretty crazy.

luckily only the unstable branch of debian was affected. it's funny that slow distros can increase safety by adding some lead time to new commits

i think the side channel attacks are much more complex and than what this attack was... but the potential damage this could do is arguably bigger. Imagine what kind of blatant malware is installed in closed source systems, they probably dont even need to bother to this extent to obfuscate and hide their malicious code...

Wow, what a story, just like a novel ;-)

Guy spent 2 years cooking this up just for some dude to just so happen to stumble on it before it could do any damage, i'd feel bad if jia tan wasnt so evil

This reminds me of that scene in Alias were Marshall is talking to his new pals at the CIA how he previously detected that SD-6 was breached by the CIA. He explained that he was playing video-games on the agency's servers when he noticed a drop in frames. I've always seen that scene as wholesome but unrealistic, but after this I guess that wasn't too farfetched after all.

This is the one they found. I wonder how many more exists. Clearly the process is the issue. In particular, this post build rearrangement of the production code through a validation process...

i love how that silicon valley show had hyper compressed data as part of their storyline, an idea that's actually legit