If aliens invade the earth there's probably a JB clip complaining how intergalatic security is such a failure

I mean, if you constantly complain about stuff, you're bound to be right about some of it.

To be fair it didn't take 2 years to notice the backdoor. Jia Tan just spent 2 years building up trust with the maintainer while at the same time studied carefully what kind of changes received far laxer reviews from Lasse. The backdoor actually got noticed in just few weeks after the release. Yes arguably by a lucky chance but imagine similar situation happened with a closed source software. Even though someone could observe the same symptoms that led to the discovery here, no one could have investigated the issue. In that scenario the person would propably have just reported the issue to the developers who then could have fixed the symptoms making the backdoor even more difficult to get noticed

Using this attack against open source is so disingenuous, we have seen close sourced companies fall victims to much less sophisticated attacks with much less planning and being owned for way longer. Has Prime forgotten the SolarWinds incident?

I think open source is still safer then private. I don't trust private entities to not put in backdoors and with no way to check they can always get away with it. At least with open source their is a chance that someone can find the backdoors when you find something suspicious. More independent eyes look at the code when they want to make contribute to the project. if you want to use a project and need good security you can learn the code to verify that it is safe, not so if the code is private. Open Source is not perfect but i still think it is superior to private code system.

We should probably purge our repositories of random encrypted binary blobs

12:41 Andres Freund was also paid by Microsoft to benchmark these opensource projects, true it likely wasn't directly his responsibility to go deep diving into this particular issue but point being that many big companies now rely on open source projects so they are actually paying people to keep an eye on them similar to their in-house projects

Not only this was an exploit, this was also a manipulation of a tired dev ☠️

I came into work one day, and Jason Wright who was the guy that wrote our ethernet drivers, was accused of backdooring the FreeBSD random number generator for the US government. Theo De Radt stopped everything, and his commits were evaluated. Jason had to make a public statement about conspiracy theories. I wish I could get accused of such a dastardly act.

Blow has a pretty good idea, but their is a huge missing piece in his reasoning: this was a multi-year social engineering job and the state-sponsored groups do the same in commercial companies.

I love how they worked on this exploit for a couple years, make it to the deployment stage, and an engineer that couldn't handle his code running a 1/2 second longer than expected completely unraveled all of their hard work and patience.

AI makes this thing even worse! There is an article about a guy who found that an AI hallucination was downloading a package that did not exist, so he made the package and he basically could do whatever he wanted with the thousands of people who downloaded his package unknowingly.

This is a success for open source software. It's often said that open source software is safe because there's always someone looking at the code to find exploits. Well someone looked at the code and found an exploit. Now the code is safer because of it.

A more transparent process will always look worse from a security stand point. Closed source has the benefit of saying "oh woops...bug.". With open source you can tell what the intent is.

It didn't take 2 years to catch Jia Tin. The malicious code was introduced by end of february. It did take days, or 2 weeks at most to catch it. Also he had to hide it in a binary blob. Hard to see how to do it in projects without binary blobs tbh I think the system is somehow more stable then people tend to think Edit: with npm its a different case though hahaha it gives me the chills to run some random packages

1:36 This isn't a opensource problem. It's a software supply chain issue. People be acting like the alternative was hacking on abandonware binaries.

There is no guarantee that closed source software doesn't have back-doors. In fact, given how many people Microsoft hires, it's much much easier to introduce the back-door into Windows. One data point is not sufficient for a conclusion.

1:30 xz was NOT infected for 2 years. It was Feb THIS YEAR.

This really wasn't a difficult prediction to make. It's been going on for a long time at this point. Remember the MIT people who tried to sneak a back door into the Linux kernel? Supply chain attacks on NPM packages? It's all the same thing, except this particular guy has been at it for a while it seems.

The opensource community is learning the concept of defense against dependencies. "Just use a library" - has a cost folks.

A larger anything has more effort put into security. Company or open source. The difference is that with open source you can know how much is being put into security. Does Windows have more auditing than Linux? we don't know but hackathons would suggest not.

You guys have actually worked at companies right? This idea that companies are _good_ at security is just so far removed from my experience. Companies do _not_ pay people for security; they pay people to create value; and preferably short term value. Security is _always_ a cost center in maintaining code bases. To the extent long term risks matter in practice it is almost solely either due to human due diligence despite incentives, or, because an organization's slacking off on a long term risk might be noticeable and _auditable_ in the short term and getting caught might really cause significant short term costs. Companies routinely do much less than the bare reasonably minimum because they know they're very unlikely to get caught, or if they are they'll suffer a slap on the wrist _most likely_ because they can plausibly claim everybody is just as vulnerable and security is impossible. The privacy of a corporate code overwhelmingly skews incentives towards cutting corners; managers do not and _cannot_ really measure diligence and security, and so if there's every _any_ kind of conflict between scheduling and security, there's always the incentive to cut corners because it's just not (sufficiently) measurable - and where it is measurable, those measurements turn into pretty kafkaesque security theater with an extremely slippery slope. This counts for corps of all sizes, including FAANG's; they may have more resources and a risk-reward bias that is a little more amenable towards spending at least a few dev hours on security and surely do better than average, but they're vulnerable due to OSS and other dependencies too (and have the scars to prove it), and spend microscopically to support those underlying projects despite that; i.e. they too are irrationally cutting corners because it's very hard to systematically tell waste from diligence. It's particularly amusing to hear this bit of cognitive dissonance from Blow, because he's a _prime_ example of the kind of thing large corps are surprisingly bad at despite the resource mismatch compared to OSS - he's a craftsman and chooses what he crafts because he understands it in a way a corporation with imperfect knowledge sharing between employees never can. What he does is exactly what corporations cannot due and that's why corporations spend untold billions on "security" and nevertheless have a terrible track record compared to the poor underfunded enthousiast in their garage. XZ's hack is notable also for its rarity _and note that even here - it very likely never worked!_ And let's not forget that this isn't strictly a dichotomy - (mostly) corporate OSS, certainly as long as it's truly a cooperation and not mere marketing - can exist and seems to work fine. OSS has problems for sure and I hope this close call causes changes in culture; but the idea that corporations maintaining secret code bases are somehow likely to do this better flies in the face of plainly observable security debacles virtually every day of the week. Corporations leveraging private secret code aren't just _also_ bad; they're obviously much _much_ worse at this than OSS.

His prediction was that a backdoor would be clandestinely added and then activated at an opportune time with no way to close it. He was right about the backdoor, he was wrong about it being kept secret.

But doesn't the same apply to proprietary software, how do we know that there's no backdoor in Facebook, Apple or MS apps?

i mean they kind of did catch xz before it made it to non-beta production

John: "it's easy." Meanwhile the attack: one of the most unpresedented, novel, conniving exploits in recent history

Thing with closed source is that these state actors are still there, as Jon said, but the community cannot even find the backdoor. This backdoor was found because it was open source, otherwise we would have never found it. Microsoft doesn't pay you to look for bugs, but to make them. They don't pay you to benchmark, but to change the unit the benchmarks use from milliseconds to minutes.

Guys don't use public roads, eventually someone is bound to have an accident.

The most interesting part of this to me is someone spent a few years and all that effort just to get caught immediately. If this were someone inside Microsoft and put something into Windows it could be undiscovered for a long time.

As novel as this attack was, it nearly succeeded (and others may yet) by exploiting the human factors. Pick an extremely widely-used low-level package with one maintainer and infrequent updates, use code vehicles that reviewers routinely gloss over, and use a system that has gotten comfortable with accepting collaboration from unvetted strangers that you never see or hear. I hope every maintainer of low-level system packages like xz are taking another look at commit history.

I am sorrry, but this is a horrible take. We are talking about one serious and very cleverly planned security breach involving years of trustbuilding and complex and layered planning. And it was found only because someone else was free to play with the code, test it, and catch it. Saying a no-brainer like there are malicious actors being motivated to attack OSS projects is not a new take. This one example attack vector that had a chance to happen for all these years happened once and got caught in short time without causing any significant damage (again, because someone could actually see the program). And neither making up the number of potential Linux kernel invulnerabilities from his 'backdoor" makes JBlow right about the current situation. He has extrapolated the overall security situation with a potential attack scenario that cannot happen in proprietary software by nature while dismissing all the other potential security issues with closed-source projects which has been realized orders of magnitude more. Is open-source software as secure as the FOSSnuts claim? No. Is it vulnerable to infiltration by ignorance or lack of motivation? Yes, absolutely. Is it still a much more secure development model than any model that closed-source software development can offer? Yes, by a large margin.

I wouldn't be surprised if Windows has far *more* backdoors. macOS too. They are more expensive, sure. But they're also far, far, FAR HIGHER ROI. *Exponentially* so. The amount of checks in place in companies, even large companies, even *security-conscious* companies, does not outweigh the ROI value.

😂In my opinion, this isn't a very clever prediction. It boils down to "if humans collaborate, one might do something malicious". I mean, sure, but that's true of basically everything right. Eventually, a publisher will print a book with a hidden, offensive message in it that they didn't catch. Eventually, a government official will do something that is undemocratic, despite functioning in a democracy. Eventually, a twitch chatter will put some streamer's private information in their chat. I see these examples as equivalent to the prediction that "an open source project will have a malicious commit at some point and people won't catch it". I don't find any of the above to be particularly noteworthy predictions.

The downloading random packages from a package manager wasn't what happened in this case, though. xz/liblzma is a well known program/library. It's not a random package and it isn't distributed via a package manager like npm or cargo. Linux distributions make an active decision to pull that in into their system. But yes, there was someone injecting a vulnerability in an open source project. That part he did call. However, on the point of downloading random packages: I read somewhere that people use AI to generate code, but then it generates imports for packages that don't exist. Except then someone actually created a package of that name and it got downloaded many times. yay Luckily in this case it was a security researcher, but could just as well have been a malicious actor. Come to think of it the logs of package registries of all the 404s of non-existing packages would probably be really interesting to malicious actors.

Clearly, JBlow is JTan, and he would have used the backdoor to teach the entire IT community a lesson in cyber security by putting his KZbin-channel as a browser default page on every compromised machine on the world.

Do you guys really think that there aren't state agents in big tech doing the same in closed source software?

The whole point of open source was that you checked the source before you cloned and built the project, but that just isn't feasible in the modern day. It hasn't been in a long while, but people have relied on the hope that someone smart with enough time has checked the code for you and cared enough to find all the bugs. Which just isn't feasible, it never was.

Intelligence Agencies are just as likely to plant code in private code. In windows and macos it's by law 😂

The "people can sneak into closed-source companies too" argument is missing the point. Yes, the Linux kernel is well-observed, yes SSH is well observed, but attackers aren't going after well-maintained, well-staffed open source projects that everyone knows about. The reason this attack (almost) worked is because it targeted a tiny repo with only one maintainer which nonetheless sat upstream of everything.

My take: Ironically, this situation shows the weaknesses and strengths of open source: * Some operator finessed a nerd into handing over his project. * Some nerd noticed that the project was broken. * The nerd heroes assembled to save the project. I agree with Prime's take that in the closed source world, this would have never happened and instead there simply would be a "front door".

Dude made it 4 mins and 30 sec into a 20 min video and just wrapped it up right there. Dream SWE coworker.

Ken Thompson is first "Reflections on Trusting Trust" ?

Genuinely really happy with the comments on this video. The whole idea of open source is that you cant trust code that you can't see. Thats why the attacker obfuscated the code in a test data blob. Then, even with the incredibly complex obfuscation scheme, someone still managed to find the exploit. If anything this whole thing shows open source working basically as intended.

Re US Government Back vs Front Doors... Remember the Elliptic Curve backdoor.

this attack vector should be called Jia Tan Blow

It's worth remembering that the malicious code was detected primarily because the library was open source, while actually putting it in there was a process that took years. If a state sponsored actor wants to put the same type of code into Windows Server, they bribe/blackmail a sufficiently high up executive at Microsoft and Windows Server gets a back door.

9:16 Linux is also developed in old school mafia style trust hierarchy. Linus trusts some handful of very close colleagues and they themselves take pull requests (and review them) from few other people they trust and so on. It's like a priority (search) tree.

I don't really get where the criticism of open source is coming from. It's working exactly as intended. If xz was some proprietary Apple or Google software, the exploit would never have been caught (or more likely would be an intended "feature"). Windows is most likely filled to the brim with backdoors of a similar nature. At least with open source someone finds it eventually, and this one didn't even take that long. It only affected people who use bleeding edge distros for like two months. Virtually no server or important infrastructure was affected.

the same issue applies to closed source. but in that case of close source software, less people can vet the code. so even with this, open source is still better imho.

Ah yes, the legendary team of security specialists that are highly paid and highly motivated to make sure that there are no exploits in the company software that can focus only on that, because security of software is a priority for every company

People keep talking about how elaborate the plan was, how they invested years into it yet they barely mention that it still failed. The most elaborate well thought out plan of what would have been the greatest hack in history failed against that so called "bad open source security". If they invested years into working at Google and tried to inject malicious code into Android would they have succeeded? Billion dollar companies like CD Project, Rockstar and EA got hacked so many times during the past 3 years, give me a break... The reason why they went after Linux is not because it's easier to attack, it's because it would have been the most impactful, 99% of all servers today run on Linux after all.

Minor accuracy thing that needs to be said: The xz exploit was deployed and almost discovered immediately. The social engineering part started 2 years ago, but there was no indication that "Jia Tan" was a malicious actor until the malware was uploaded. Additionally, reproducible builds would have negated this kind of attack.

Just contradicting JB immediately here: the XZ-debacle also is kind of a WIN of open source resilience because it WAS audited. This whole thing was discovered in a month after it came out! It was released for sure, it was out in the open and blew up. Imagine how closed source would have dealt with that... would we ever heave heard about this? I will guarantee that we would not have, unless we pay for some enterprise-grade security BS...

The idea that the bigger the company has more security "auditing" is wrong. I worked for a startup (multi-million) from the USA, whose product is literal about cybersecurity, and every 2-3 months some hacker would ask for money because they found issues… even simple stuff like wordpress, and bugs like ignoring permissions completely went years without any insider finding it. Sure, maybe I got unlucky… but I've been doing this for a long time… so…

"Why did it take 2 years for someone to catch xz?" ... How long did it take to catch the problem with cab files? How long did it take to catch other compromised proprietary software? Would we even hear about it? Come on man... "How do we prevent" supply chain attacks? Vigilance. No matter what, no matter how. It's a wash on all fronts. Anomaly detection. Optimization becomes a fucking security feature. We're gonna have AI run the products in VMs and look for weird shit like cloud based antiviruses do except on gigasteroids.

Well, ThePrimeagen, the xz/liblzma bug was found just some weeks after it was planted - the two binaries was uploaded to the repo 240309. Furthermore, the same problem is in closed source software, but we cant inspect the code. Count the number of intentional backdoors in closed source software/firmware that have been found - hard coded admin passwords etc.

To clarify: Prime is wrong here, it didn't take 2 years for backdoor to be found, it was the attacker who contributed legit code for 2 years to get commit rights. Backdoor was adde to the package ~1 month ago, and found by some guy reading the code (good luck with reading closed source). It also didn't make it to stable branches of Debian or Fedora (the two affected distros), so the damage is minimal.

"It's not gonna last that long," says the guy who doesn't even realize the sheer amount of great software he uses daily that's built with and relies on FOSS from the early days of the craft, let alone the many open-source protocols and licenses and initiatives that have allowed the field to progress as a whole, for everyone's benefit. Jonnathan really blows on this one.

Open Source needs to do better at code reviewing department. All of this makes "meanness" of Linus (Torvalds) all the more reasonable. The man is so dedicated that he goes out of his way to creatively insult the contributor (of bad code). I mean what would you rather have : no "political correctness" or xz like scenarios. When it comes to defect/bugs found in critical software, false positives may be "controversial" at worse but false negatives are absolutely dangerous.

With outsourcing, it is even easier to Inject a team of Malicious Players by a Malicious (state) actor.

It's so funny when a dude asks explain it in terms of backetballs and Prime reads it as basketball

Auditable is not the same as being audited. I hope one day we have an everyday Joe OS that is fully audited by common sense and field experts. Not just by a compliance checklist or "trust me bro".

People unironically think "AI" is the answer to all problem...

1:50 “u can’t prevent this from happening in the future” it’s so easy to prevent this from happening: u just need world peace + egality~ it’s easy

Open source is not altruistic, but the same goes for proprietary software. Just because the approach to get something like this done is different does not mean backdoors can't exist in proprietary software. Especially smaller scale proprietary software, where there is no one to audit the code and no one to even notice the small little hints which malware leave behind. This comment is not about defending open source, or proprietary (god forbid). Ig this is just me saying that I have another reason to just rebuild my whole linux system with only the things that I know very well, maybe even freebsd idk. I can never be a 100% safe, but at least I can try to be *that* close to perfection.

The XZ exploit was in the wild for less than 2 months. That's kind of amazing. But you never know how many state actors exist in large commercial software projects, and you'd never know if a backdoor got put in there.

This is where CLEAN CODE comes in and we say NO to AWK decryption algorithms and especially autotools! Also, blow has an opinion about every god damn subject humanity can think of, and some of the time he is right.

I'm actually kinda captivated by the genius behind it, like a series of function calls that could have a bad data thing, but when all combined that does something else, or even on having a binary file that you replace bits of to turn into another thing entirely, I'm now just staring at my computer with shifty eyes... I've been a professional software developer for almost 7 years, at least me and my team are obsessed with hard-typing variables and return values wherever possible, and adding checks and tests to make sure things are acting EXACTLY the way I intend them.

11:00 Intel ME and other security coprocessors are the front door for the US govt

Number of fucking times ive named something wrong and its made it into production

Going closed source doesn't solve the problem. All software depends on 3rd party software. Instead of inserting bugs into open source, they will just insert bugs into dependent closed source. If they can't get access or get hired at those companies, then they'll build 3rd party software with latent bugs designed to be embedded in closed software.

I know it's easy to say this now, but it's not like we didn't all know this. We know that we all trust software that we can't possibly verify. We know that there are probably back doors in closed source and open source OSes alike. We just keep on going because we don't know what to do and it's easier to ignore it.

Not sure how I feel about this take. For every oss exploit like this, there are dozens of similar ones at private companies. With events like the state actors at Twitter and the chaos of Solar Winds, it’s hard to believe OSS is fundamentally insecure. I like the focus on incentives and how they differ in OSS and enterprise. I think the incentive to profit and grow at all costs is common enough to balance out any disadvantage OSS has. The insane nature of the XZ exploit isn’t a death sentence for open source. It shows how high the bar is to do such

The whole argument is missing one most crucial point. Companies can willingly put backdoors into their closed source software, that then goes to be redistributed. In that scenario the community has no way of knowing or checking it, because they have no access to code. That skips the entire "malicious actor part"...

My response to Blow is that I'm less concerned about an individual adding a backdoor into a closed source projecet for their own selfish gain, and more about the company itself deliberately creating a backdoor for corporate gain. This backdoor was found in xz only because it was open source. Had it been closed source and instigated by the company that owned it, we'd never have known. What open source demonstrated is that it is possible to implement a backdoor into open source, but the amount of effort to obfuscate it is gargantuan, and they still got discovered. It's terrifying how far they got, but they still got caught.

Johnathan Blow even predicted my birth

Well, AKSHUALLY this could be preventable in the future, or at a very minimum the chances of this to happen again could be minimized, IF Linux distros would stop redistributing pre-cooked tarballs (or worse, patching them downstream with other libraries) AND/OR a standard is set in the build system of all major OSS repos. Hackers tend to target the "low hanging fruits", and all of the above points would clearly qualify as such. Standards and a bit of hygiene would drastically reduce the surface of attack. If it takes too much effort to pull off, the chances of something like this to happen again would be really low. The fact that this happened in an open source project means that we have the possibility to watch this situation evolve and observe the measures that are taken to prevent this type of attack from happening again. If this was Microsoft, Apple or something else, no one would have a clue.. BTW, it didn't took years to discover this backdoor. It took three months or so (which is still enough to cause some wreckage). This attack was planned and took years to pull off, but the actual commits of malicious code/binaries are months old, not years.

Run everything in sandboxes. Zones in Solaris/illumos was right. Bring back Unix.

I'm still going to use Arch, btw

I think there is a very important difference between what happened with xz and what Blow is talking about. With xz, yes there was a very sophisticated and thorough long-con at play, with building up trust and all that, but when the time came, a huge bomb was dropped into the source code, in a way that once noticed, malicious intent becomes extremely obvious. What Blow seems to be talking about is more subtle, where the actors over time build up potential exploits using a series of what is essentially fairly common mistakes. A buffer overflow, a hiccup in sanitization, missing null checks etc., building up to what can in combination become an exploit, and the "best" thing is that in this case, if done right, the actor has plausible deniability.

we just proved the open source effectiveness. I understand his perspective, open source uncovers more issues than it generates though. If this was in Microsoft, we would never know about it. Open source lives by being out in the open.

The idea that closed source software has a higher degree of QA is bonkers to me. With open source, everyone can see your homework, so you put in the extra effort. Most commercial software is something that passes whatever often under defined requirements their manager puts up, so they can go to lunch. It might work to pass the user test, but unless someone thought to add a security requirement, guaranteed it's not in there. There's just not enough time for a developer to do ANYTHING that isn't on the requirements list.

Open source is auditable, which is a great thing. The problem is that is is not auditED. Big difference

It's not just Open Source. Every major company has state sponsored actors working there. At least with Open Source you have hope of finding it.

He uses windows.... Why should we listen to a windows using beta

He didn't predict it, he GAVE THE IDEA! *dramatic chipmunk turns around*.

It didn't take 2 years, it took a few month. It's still bad but it's better than a closed source. If it was a closed source project, I'd bet no one would ever catch it.

partly, it was good ol social engineering. Considering how fast they pushed for adoption, it was less about the "edging" and more about targeting whoever they wanted to target with that.

3:34 "No single human or AI would ever been able to spot it" Yeah, except of course the fucking guy who actually did spot it...

On the other hand... The Jia Tan group had to go through such impossibly complex hoops to try to obfuscate his exploit and spent ~2 years prepping... yet with open source, we were able to find this problem and shut it down within less than a month of when it was active and before it was in widespread use in distributions. Jia Tan is now called out and all his commits to open source are being evaluating -- and his group will be proscecuted if/when found. I believe there are many more back doors in closed source than open source... and... these are very difficult to find and probably impossible to prosecute.

How do you know what's happening in closed source code either? Microsoft shipped with NSA backdoors throughout their history, at least with open source you do have that audit trail and ability to review the code. Where this broke down with xz was that they manipulated the process to include closed source binaries. Open source has a problem in that it is highly reliant on altruistic developers acting as gatekeepers, an often unpaid and under-appreciated workforce. But it still has major benefits over the alternatives.

And in 1984, Ken Thompson already predicted it with his essay "Reflections on Trusting Trust". > The moral is obvious. You can't trust code that you did not totally create yourself. (Especially code from companies that employ people like me.) No amount of source-level verification or scrutiny will protect you from using untrusted code. In demonstrating the possibility of this kind of attack, I picked on the C compiler. > I could have picked on any program-handling program such as an assembler, a loader, or even hardware microcode. As the level of program gets lower, these bugs will be harder and harder to detect. A well-installed microcode bug will be almost impossible to detect

1:33 - It wasn't in the code for two years. It was in the code barely long enough to make it into a couple of bleeding edge distributions. And it was found because some random person had access to the source and could audit it when he noticed some unusual behavior. So don't diss the person who tells you "because its auditable". How many back doors do you think Windows has?

The video is only 3 months old. GKH banned the University of Minnesota from lkml in 2021, because they tried to confirm basically the same theory for Linux kernel development, with a less sophisticated attack.

The wisdom of this man. Like splurging that web devs dont know how to code while streaming his editor with a series of nested if statements 5 levels deep.

The guy of "Open source is audible" is right. We accidentally caught XZ. If it was closed source, we could never know and it may have passed. At the end of the day, yeah this type of shit will keep happening and we need that more people look into that stuff. I don't know how we'll do it and even if we find a way to make it super audible (like, really audible. Actual people looking into it, frequently) this shit will still happen from time to time. We shouldn't fear security flaws, not in a sense of "OMG WHAT WE GONNA DO BWAAAAAAAAAAAAAAAAAAAA", that's not the way to find solutions.

Hey Jon Blow, go audit windows then lol, the biggest clown on the internet.

Jonathan Blow was super clever to even operate the Jia Tan account to prove the point. My hat's off to him. Point taken.

The best way to hide is in plain sight, confirm state level espionage

How is commercial closed source software not vulnerable against the same kind of attack? You can also figure out their supply chain and perform some social engineering to place people at the right positions. Just take a look at coporate jenkins pipelines and their complexity; with enough bad will and patience you can plant an exploit everywhere