The Worst Hack Ever Almost Just Happened

198,664 views

ThioJoe

1 day ago

650 comments
@CentreMetre 4 months ago
Imagine how pissed off that guy who put the backdoor in is, years of work gone, all cos some guy wanted a fraction of a percentage more performance
@ThioJoe 4 months ago
He was definitely punching the air
@Locomaid 4 months ago
It won't be the only one he's working on…
@volvo09 4 months ago
It's scary to wonder how many hidden backdoors are out there, but remain unused.
@patfre 4 months ago
Actually it wasn't a fraction of a percent, it was drastically slower than it should be. If I recall it was like .5s slower than it should be, which is a lot in the computer world
@goiterlanternbase 4 months ago
Imagine having foreseen this and losing one of 300 similar backdoors😉
@gosnooky 4 months ago
Moral of the story is never come between a database engineer and performance.
@Stratelier 4 months ago
It is amusing that, for benchmarking purposes, the engineer who found it was sending SSH requests that shouldn't even pass a sanity check ("wrong username, etc") which explains why he got suspicious of some excess cpu cycles so quickly.
@Lollllllz 4 months ago
If he could be working on windows' explorer/taskmanager instead, 11's wouldn't be as slow as it is.
@ivok9846 4 months ago
@Lollllllz usually one can keep taskman on all the time. not on win11
@stroodlepup 4 months ago
@Stratelier lmao
@blikthepro972 4 months ago
remember: the best backdoor is already running, is everywhere, and no one knows about it
@TomNook. 4 months ago
Except the NSA / MSS / FSB / Unit 8200
@scrapmine 4 months ago
It's called breaking in irl. (This is a joke youtube, pls no ban)
@dokchampa9324 4 months ago
Ah, fearmongering, my favorite
@LostShadowGD 4 months ago
The virus Microsoft puts in win 11
@GHaKKt 4 months ago
Humans..
@Ascendor81 4 months ago
I must now change my password from "1234" to "12345" to protect myself.
@samuelhulme8347 4 months ago
Technically, no matter how strong your password is, this back door completely bypasses all passwords because it injects the hacker's ssh keys onto the infected device.
@Jonesy1701 4 months ago
@samuelhulme8347 I remember my first joke too...
@NotSoMuchFrankly 4 months ago
How did you know what my password was?🤔🧐
@SereneStrategist-kk7mk 4 months ago
I don't know how you got my passwords but you don't scare me, I already changed it into something more secure. With six digits it's almost impossible to guess my new one.
@samuelhulme8347 4 months ago
@SereneStrategist-kk7mk is it "123456"?
@D.von.N 4 months ago
I think Seytonic covered this a month ago. But it doesn't hurt to remind ourselves: 1. Social engineering is a thing, 2. Pay developers what they are worth.
@NigelTolley 4 months ago
I don't think anyone ever gave the guy any money at all. Then he gave up, and the bad actor(s) took over.
@Fircasice 4 months ago
How are you going to pay software engineers working on open source software for free?
@D.von.N 4 months ago
@Fircasice Many so-called free software projects are open to donations. And people donate. Some of the money could be paid to the developers.
@DavidM2002 4 months ago
To quote that old adage, "You have to be good all of the time. They only have to be lucky once."
@dekeonus 4 months ago
I'm going to have to say: it's not an adage, it was a (very real) threat to Margaret Thatcher. It's still applicable in this case, just a better phrasing might have been: I'm reminded of the IRA's threat to Thatcher: "Today we were unlucky, but remember we only have to be lucky once - you will have to be lucky always."
@NinjaRunningWild 4 months ago
You don't have to be good all the time*
@Jonesy1701 4 months ago
@NinjaRunningWild No I think he was correct. We (the good guys) gotta be good all the time, they (the attackers) only gotta be lucky once.
@JiggyJones0 4 months ago
@NinjaRunningWild point: You
@ottergauze 4 months ago
The fact this was just discovered by chance really brings into question how many other packages have similar backdoors. This is the kind of stuff that should spur a major investigation.
@321Jarn 4 months ago
@An_Equal Not the FBI or CIA obviously, one of the founders of telegram said the FBI was trying to trick him into using open source libraries for telegram.
@ottergauze 4 months ago
@An_Equal Beats me, but it's probably not just gonna be one singular entity.
@I.____.....__...__ 4 months ago
Like Andreas said himself, this was just incredibly lucky, just a massive coincidence that he happened by chance to be in the perfect position to find it (and _just barely_ in time). A confluence of events like this rarely happens, so it's possible that there is indeed a lot of stuff going undetected. 😕
@mega_gamer93 4 months ago
There is a "major investigation". This backdoor has sparked discussion on how to prevent something similar from happening again, made some free software contributors try to audit other software and once again demonstrated the absurdity of a "software supply chain" where the companies don't pay a dime to their "suppliers" yet expect them to do the most rigorous work to avoid hurting their (the corporations') bottom line
@uponeric36 4 months ago
@internet8080 Ok, post proof then.
@mr.purger9185 4 months ago
Bro is flexing proper subtitles 😎 my guy
@balsalmalberto8086 4 months ago
Time stamps, subtitles. Bro is a role model
@staffeyx 4 months ago
Invaluable
@jasonlittle6542 4 months ago
This is the biggest weakness with OSS, but also the greatest strength of it. Anyone can worm their way into a seemingly innocuous part of the Linux ecosystem and taint it. But also anyone and everyone can topple years of nefarious actions through simple curiosity.
@squirlmy 4 months ago
the fact this got caught, while Windows CVEs get put out and many admins don't update, leaving vulnerabilities in place for years! Notpetya took advantage of a years-old vulnerability in Windows, and caused over $11 billion globally
@TheGreatAtario 4 months ago
By the same token, it's not hard for a nation-state entity to get an agent hired at a private software company
@marcforrester7738 4 months ago
Yeah nothing's going to be 100% secure at all times, the payout from successful attacks is just too big. What OSS has is a living immune system, the ability to heal.
@MrDowntemp0 4 months ago
The whole linux sphere has been talking about this a lot, but yeah, I think you're the first tech channel with a more general focus I've seen bring it up.
@UmVtCg 4 months ago
Not just the linux bubble, the whole Cyber Community.
@MrDowntemp0 4 months ago
@UmVtCg I bet you're probably right, I just don't tend to haunt that corner of the net.
@marcellkovacs5452 4 months ago
@UmVtCg I wouldn't say I'm in the Linux sphere and I'm definitely not in the cyber community and I still knew about it. It was pretty much impossible not to hear about it if you're in the "IT scene" in any capacity.
@squirlmy 4 months ago
@marcellkovacs5452 It's irritating the title is "Almost Just Happened"! no, over a month and a half ago. Clickbait.
@mdmackint 4 months ago
Two Thio videos in one day is a win in my books
@8yt3 4 months ago
genuinely pleasing
@kuzeyrl 4 months ago
yess
@MetsLand 4 months ago
Agreed
@balsalmalberto8086 4 months ago
That's what SHE said!
@ToastExists 4 months ago
real
@WindowsAurora 4 months ago
The xz backdoor story is crazy.
@andrewwatson5324 4 months ago
Not so crazy when you consider that at some point someone probably got themselves hired in order to put in the Juniper back door. This was found about 10 years ago.
@TomNook. 4 months ago
Jia Tan is a Chinese name, Jigar Kumar is an Indian name. People who want to stay anonymous won't use their names, but also don't want to introduce a rival nation to investigate (so he didn't use a german name for example), so quite likely a hacker of russian origin. Isn't geopolitics wonderful.
@Reddotzebra 4 months ago
So the backdoor would likely quietly delete itself if it detected a Russian keyboard. Making it legal for your citizens to attack any system as long as it's not one your nation owns is a stroke of genius, ngl. I wonder how much money they've saved on buying day zero exploits from the usual sources?
@NinjaRunningWild 4 months ago
Non-sequitur. Nothing can be deduced from the name.
@mega_gamer93 4 months ago
"Cheng" is a cantonese name while "Jia" isn't. This indicates whoever made the backdoor just tried to think of a name that sounds Chinese enough. Such sloppiness is typical of the US. But trying to deduce the perpetrator from the name is stupid anyway, we could go in circles all day talking about potential 5d chess by the perpetrator
@MiseRaen 4 months ago
@mega_gamer93 The OP just has the politics brainrot. The culprits might be multinational anyways.
@shanent5793 4 months ago
"Gee-yah" isn't Chinese, it only looks that way. In Chinese it's only one syllable.
@theRPGmaster 4 months ago
As a software developer, I have no doubts that this kind of vulnerability (probably multiple) is already deployed everywhere, undetected. Never underestimate the power of social engineering, and these attacks are very easy to miss. Also I remember when ThioJoe had very few subscribers, I'm delighted to see the channel grow like this. I wonder if he remembers me 🤔
@NotSoMuchFrankly 4 months ago
Probably like Pegasus on every phone.
@Cutest-Bunny998 4 months ago
Hardware backdoors are amazing for government use but amazingly we don't hear much publicly about that obvious attack vector...
@ronin36963 4 months ago
Drive-By Mining. You have to give these guys credit for being innovative.
@Graham6410 4 months ago
Wouldn't be surprised if this has happened to other bits of open source software at some point.
@I.____.....__...__ 4 months ago
Like the xkcd comic Joe showed said, there are a LOT of bits of archaic code that underlie the world's software. We've seen cases where half the Internet broke because software relies on a single function that someone wrote for themselves 25 years ago and everybody copied. Software is more fragile than people would like to think.
@sunla 4 months ago
We've gotten so spoiled with our technology, we need more code and more programs and more features to cover every base. Thing is, the more we have, the more hands and minds work on the code that runs on our machines. That definitely comes with its risks. The truly scary thing to think about is that... logic dictates that the worst is yet to come.
@EmilyS-gk3st 4 months ago
And thing is, we can live without most of it, too. Our ancestors even 200 years ago did.
@delta_cosmic 4 months ago
2:20 norton disliked this video
@volvo09 4 months ago
Haha, I couldn't believe they tried that. What a scummy company.
@milentoshev8409 4 months ago
@volvo09 What are you referring to? What did they try?
@Sarah-3 4 months ago
@milentoshev8409 Their antivirus software became the virus. Granted it was opt in, but there were multiple popups urging you to opt in telling you how great crypto is. They failed to mention the wear and tear of hardware and the performance impact on other tasks. To top it all off, they would not only skip paying the electricity bill, they also took a 15% cut from your earnings
@andreobarros 4 months ago
@milentoshev8409 I don't remember all the details, but norton or one of their products had or has a crypto miner within them. They stealthily made it opt-in by default, and when found out tried some justification.
@AndrewYac 4 months ago
@milentoshev8409 Norton tried to install crypto miners in their software without making it clear in the install process lol
@KaldekBoch 4 months ago
As someone on the defensive line working at scale (170,000 users), you do what you can with the controls that you've *got* to avoid these issues, but you are mostly at the mercy of others. Where you *really* need to focus your efforts as a defender is being able to detect *when* you've been breached. Our goals are pretty clear - detect within 10 minutes, contain within 60 minutes. That's how fast you need to be, and some would argue that's not fast enough.
@locinolacolino1302 4 months ago
My Dad's mate was managing server infrastructure at a hosting company around 2010, and decided to deploy a crypto miner as a cheeky experiment for his team. It was a bit after a fortnight when the team found out, and they chewed him out for misusing company resources, but he immediately returned the blame to them. 'You're saying, if there was actually a piece of malicious software running on our systems, it'd take you two weeks before anyone realizes something's wrong?'
@MichaelGrundler 4 months ago
At first I thought this video is quite a bit late. I've already seen multiple videos about this backdoor right around the time it was discovered. However I'm glad I watched till the end because this video provided some additional information and context I didn't know of yet.
@anstropleuton 4 months ago
I did not expect it to be a topic of XZ... thought this video was some windows thing. Also yeah, way late
@robonator2945 4 months ago
I wouldn't really say this "just" happened, it was a decent bit ago, but yeah, it could have been bad. One thing that's kind of annoying though is, well actually sort of two things, but both are alarmism
1 : "HOW MANY MORE COULD EXIST THAT WE DON'T KNOW ABOUT?!?!?!" No, this was discovered like a month after the impacted version first released precisely *_because_* everyone had eyes on it. This is the point of open source, *_everyone_* is watching, so millions and millions of tax dollars mean nothing. One random dude doing some basic benchmarking spotted that what *_should_* have been a basically instant no-op was taking over half a second and a decent chunk of compute, then identified this backdoor years in the making. If you are wearing a bulletproof vest, then get shot, and it gets stopped, you don't then say "woah, imagine how many other times I've been shot and I don't even realize it! I mean sure this vest I put on specifically to stop it stopped it, but that was just pure chance!"
2 : "See?! Open source isn't more secure!", except, 2.1 : see above, 2.2 : this exploit specifically abused how XZ was being distributed to have what is basically a closed source component be delivered with the final product. We do not have the source code for the exploit so, definitionally, the exploit was not open source. Since it was part of the project, that means part of the project was not open source. This attack had to reinvent the wheel several times over to hide itself ( and, again, still got caught instantly ) precisely *_because_* it was in an open source repo. 2.3 : your jordans are fake; this argument relies on the tacit assertion that this is an attack that hasn't been carried out on proprietary software several dozen times over. Not finding a vulnerability or not having it disclosed isn't real security, it's just feigned security. The reality is this is a prime example of exactly why open source is so secure.
Allllll of this time and money, full fledged psychological warfare, completely innovative attack vectors, etc. were all rendered completely and utterly meaningless because, against the millions and millions of nerds running automated checks and test scripts, they *_are_* utterly meaningless.
@uponeric36 4 months ago
That's exactly how I feel too. Tons of doomer talk over this attack even though literally nobody was impacted lmao and the attackers wasted years of effort to be shut down overnight. Malicious code can't just magically silently interact with software and hardware. It always has some impact on the system via the fact it has to run code, and that can be detected. Files not in the source code can be found with programs as simple as winmerge. This was always a doomed attack vector hinging on luck that no one would notice before they hit their target.
@robonator2945 4 months ago
@uponeric36 I wouldn't quite go that far, this is a very real attack vector that does need to be addressed. The fact that the wider open source community was *_ever_* okay with non-source-controlled files being included in the release builds is a massive red flag, as is the fact that build pipelines aren't themselves included in the repository. This wasn't a purely 'luck' attack, it did exploit some legitimate vulnerabilities with the culture around open source, particularly around people's willingness to accept "ohh it's just a hobby project they're not getting paid for" as an argument that works in tandem with " *_the entire linux ecosystem relies on this package_* ". The reality is the build and release pipeline for open source *_has_* been overlooked as meaningless tertiary shit, when that's far from reality. There are some legitimate security holes in that area of how open source is typically managed, but that doesn't mean it's doom and gloom. Those are vulnerabilities that we should address, but my point is that a lot of people treat this like it's some cautionary tale when, by basically any account, this was handled borderline flawlessly. Sure, there was some evidence going back years, but if we're honest, go back to January of this year and all of that evidence is circumstantial and non-actionable. It was a few dodgy accounts that might be sock puppets, a few odd commits, etc. Realistically speaking this was caught like a month after it was even possible to catch it. There are definitely some lessons that need to be learned here, but it's not the sign of the end times so many people are acting like it is.
@uponeric36 4 months ago
@robonator2945 You're right, I'm just a layman lol. It is wild to me in retrospect that having files like that in the final build is "part of the culture". I still feel like this was a perfect storm moment - the attack formed partially by negligence, but also against the odds of all the other security measures in place. Ultimately, the odds worked against it. There's what I was considering luck, but "pure" *is* a strong word.
@yesterdaysrose5446 4 months ago
Remember: As an open source maintainer, you should keep an eye on the stuff coming in and just not accept incoming stuff if you don't know WTF it even DOES. (That's the technical term.) But I also realise that if you have relinquished the nominal control to someone else, you're not culpable.
@Derpingtonshere 4 months ago
I fully agree with this, but the problem was these so-called contributors were intentionally bringing up so-called "problems" causing the developer to burn out. Nobody remembers that these people do all this without guaranteed pay, they volunteer their time to better the open source atmosphere. It's really sad that people have to take advantage of good-hearted people like this. This is why I always chip a few dollars their way whenever I can. We should try and keep these people's happiness high. The actual owner was on hiatus and gave the reins to a person he thought he could trust, well that person was taking advantage of his burnout.
@dputra 4 months ago
My first contribution was the Harvard cs50 class CLI tool, translating it to my language Indonesian so my high school students can use it more easily. The maintainer raised this exact issue, "how do we know he pushed something legit, not troll translations?" That's how I realized that while open source contribution is a cool way to collaborate, some people might have malicious intentions and maintainers should try their best to prevent it.
@NotAghostSpeedruns 4 months ago
@dputra They could probably chuck it into deepl translate and most of it would make sense. Having a native speaker translating seems like an improvement over any automated translations though.
@dputra 4 months ago
@NotAghostSpeedruns deepl wasn't even there yet at the time, only google translate which sucks at translating indonesian to english.
@_EmptyBox_ 4 months ago
Nothing had made it to the news where I live regarding this. Some tech channels on YT I follow covered the bare bones when this was first discovered, yet the background you've provided has created such a broader and more chilling account of what was really happening.
@doge7831 4 months ago
This backdoor only affected amd64 systems (so ARM computers wouldn't have been affected) and it would likely take some time before it got into Debian and Ubuntu LTS (used by a ton of servers), as they only receive non-security updates every ~2 years, so if it was discovered 1 month later, we would probably be fine.
@user-28qhfk65 4 months ago
1. If I remember correctly, there's code that checks specifically for amd64 (and x86?) architecture for it to run. (sus imo) 2. We're very lucky that the backdoor was found before it was released into the stable Ubuntu LTS 24.04 release in April 2024. That might be the attacker's main target. 3. The fact that it was found by coincidence by microbenchmarking, ~500ms delay, is very concerning. 4. The attacker will learn from this mistake and might pull something like this again / another party inspired by this move will do it in the future.
@nicholasvinen 4 months ago
For some value of "fine". Yes it wouldn't have been a disaster but some servers would have been compromised for some time.
@wisteela 4 months ago
When this happened it got me thinking maybe it's time for a big code audit?
@EquaTechnologies 4 months ago
the person should not have added a new maintainer, that's why you shouldn't trust anyone. it sucks that contribution was abused
@Reddotzebra 4 months ago
Trust = Weakness
@mega_gamer93 4 months ago
"Just keep doing unpaid labor despite being burned out"
@Claren.c 4 months ago
Scary... I needed to check this
@5argetech56 4 months ago
Zoinks!! Wow Scooby that was a close one.. Whew!
@cheesepizza98 4 months ago
>>>>>>>>Is this>>>>>>>>>>>>>
@RobTheMusician1 4 months ago
Those antivirus softwares are useless. We need more performance tweakers.
@Nadia1989 4 months ago
The maintainer needs acknowledgement too. Having a life helped to deter the attack.
@MonteVanNortwick 4 months ago
Yup. How could we know if backdoors already have been installed? Until...they are discovered. It could be a million or it could be zero.
@HKlink 4 months ago
I'd heard of this, but not the full story. Essentially just heard "some guy was drag racing his computer for fun and noticed a tiny inefficiency which was a brand new back door, catastrophe prevented" and not all the cool details you gave! Thanks for this video.
@REMY.C. 4 months ago
I'm not a programmer and I immediately spotted the "." because I don't like when it's not tidy 😂
@alexander_228 4 months ago
Wtf is up with your neck?) On 7:42 for example.
@erikhicks07 4 months ago
Imagine the backdoors and obfuscated malware code we _don't_ know about. Too much code to review in a time where people are barely paid to do the minimum requirements. A ticking time bomb.
@AraiDigital 4 months ago
"And I would have gotten away with it if it weren't for that benchmarking kid!!"
@brownjames112 4 months ago
Heard about this the other day on the 2.5 Admins Podcast and the Late Night Linux Podcast, good to hear from some other people. It's a pretty big deal.
@FlyRetroGamer 4 months ago
Please note that Ubuntu is Debian under the hood.
@diamondblack3776 4 months ago
You can do your own micro benchmarking and analysis with Process Monitor from sysinternals and run it as administrator. Picks up background accessing.
@o0shad0oo 4 months ago
Microbenchmarking, huh? What do you think the odds are that a different state actor has been monitoring the codebase and looking for inserted backdoors. They might even have been behind the security enhancement to the other library that would've disabled the backdoor and only revealed it publicly when the backdoored library's release looked like it might be getting pushed forward.
@benyomovod6904 4 months ago
I bet the NSA planted the ultimate backdoor into silicon long ago. It is absolutely logical
@aylivex 4 months ago
I knew about the backdoor since the time it was discovered in March 2024. The backdoor was discussed, it seemed, everywhere, I also watched a few videos which explained what it was and the consequences if it weren't discovered in time.
@User0000000000000004 4 months ago
Dee-bee'in? WTF??? It's Deb as in Deborah and Ian as in Ian. DebIan. How could you screw that up?!
@dualbeardedtech 4 months ago
I had heard about it but, like you said, it was only from tech news outlets. Thank you for making a vid about this!
@RajarshiKhatua100 4 months ago
you are late everyone was early
@RajarshiKhatua100 4 months ago
jia is the real hero
@Zestied 4 months ago
stop hating
@RajarshiKhatua100 4 months ago
@Zestied I am not hating, I love thio
@ChrisHeatonbigears5000 4 months ago
I love your coverage on topics like this. I find it so interesting and you do a great job of explaining the process. Great video.
@russian_alex 4 months ago
idk what to comment (nice video thio, keep up the good job)
@_SJ 4 months ago
Wow ThioJoe. Second video for today. I ❤ it
@NinjaRunningWild 4 months ago
Low Level Learning covered this right after discovery. His video is also worth watching.
@nou712 4 months ago
He also said it's the end of open source and linux.
@eldibs 4 months ago
This would make me paranoid about security if I wasn't already paranoid from the time I (temporarily, to test something) opened up SSH access over the internet to a Linux machine on my network and saw it immediately get hit with constant brute-force login attempts.
@xX_ang3Lz 4 months ago
this is crazy i remember you telling me to tape batteries to my cat5 to make my internet go faster
@UmVtCg 4 months ago
This would have worked on servers connected to the internet by SSH. Nobody in their right mind should EVER expose port 22 directly to the internet.
@dekeonus 4 months ago
this would have only affected systemd systems running openssh (with custom patches for openssh). What remote access tool should people be using to control their remote systems?
@icantcomeupwithnames469 4 months ago
@dekeonus telnet
@UmVtCg 4 months ago
@dekeonus VPN, and yeah... One can run anything through a vpn tunnel, even an SSH connection. As I said, no firewall or edge device should EVER have port 22 exposed directly to the internet.
@dekeonus 4 months ago
@UmVtCg I think you've overstated the risk. You've just switched one attack vector for another: With SSH one should be using ip[v4|v6] whitelisting, restricting to certain users (or group) and only permitting public-key auth (and possibly gssapi); your attack surface is largely similar to a VPN.
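The sshd hardening measures named in the reply above (restrict to specific users or groups, allow only public-key authentication) can be checked mechanically. The following auditor is an added example for this thread, not code from the video or from any commenter: it parses an `sshd_config` text and reports which of those measures are missing. The two config samples are constructed for illustration; the directive names (`PasswordAuthentication`, `KbdInteractiveAuthentication`, `PubkeyAuthentication`, `PermitRootLogin`, `AllowUsers`, `AllowGroups`) are real OpenSSH keywords, and the parsing rules follow sshd's documented behaviour (keywords are case-insensitive, the first occurrence of a keyword wins).

```python
"""Audit an sshd_config for the key-only, restricted-user setup recommended above."""
from typing import Dict, List

# Constructed sample: the permissive kind of config the thread warns about.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
"""

# Constructed sample: the hardened form (key-only auth, root login off,
# logins restricted to one group).
HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
AllowGroups sshusers
"""


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Parse 'Keyword value' lines into a dict keyed by lower-cased keyword.

    Only the global section is read: parsing stops at the first 'Match'
    block, because settings there are conditional on the connecting client.
    sshd uses the first value given for a keyword, so later duplicates are
    ignored here as well.
    """
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break
        value = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(key, value)        # first occurrence wins
    return settings


def audit_sshd_config(text: str) -> List[str]:
    """Return findings for the checked settings; an empty list means all pass.

    Defaults applied for absent keywords are OpenSSH's own defaults:
    PasswordAuthentication yes, KbdInteractiveAuthentication yes,
    PubkeyAuthentication yes, PermitRootLogin prohibit-password.
    """
    s = parse_sshd_config(text)
    findings: List[str] = []
    if s.get("passwordauthentication", "yes").lower() != "no":
        findings.append("PasswordAuthentication is not 'no' (password guessing possible)")
    # Older configs spell this keyword ChallengeResponseAuthentication.
    kbd = s.get("kbdinteractiveauthentication",
                s.get("challengeresponseauthentication", "yes"))
    if kbd.lower() != "no":
        findings.append("KbdInteractiveAuthentication is not 'no' (another password path)")
    if s.get("pubkeyauthentication", "yes").lower() != "yes":
        findings.append("PubkeyAuthentication is disabled")
    if s.get("permitrootlogin", "prohibit-password").lower() == "yes":
        findings.append("PermitRootLogin yes (root password login allowed)")
    if not any(k in s for k in ("allowusers", "allowgroups")):
        findings.append("no AllowUsers/AllowGroups restriction")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_sshd_config(cfg) or "OK")
```

The source-address allow-list the reply also mentions is enforced at the firewall or with `Match Address` blocks rather than a single global keyword, so this auditor does not score it; run it against a copy of `/etc/ssh/sshd_config` and treat every finding as a setting to confirm by hand, since an included file or a `Match` block may already cover it.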
@Norman_Fleming
@Norman_Fleming 4 ай бұрын
Was aware of this but good it is still getting coverage. Really feels like this house of cards is not gonna stay up much longer.
@rodrirm
@rodrirm 4 ай бұрын
First time I heard about this, thank you for sharing.
@Pest789
@Pest789 4 ай бұрын
1:08 "A software" 🤦🏻‍♂ Software is a mass noun, just like hardware. You wouldn't say "The RTX 4090 is a hardware", so you shouldn't say "this backdoor was in a software" either, FFS.
@BombadilBeardie
@BombadilBeardie 4 ай бұрын
Explained very well. Heard from another youtuber but he made it all the way more complex
@mirai5268
@mirai5268 4 ай бұрын
this old af
@lpoki8897
@lpoki8897 4 ай бұрын
So what I'm getting here is that they found out that XZ had one dev, and that dev was a target because of their health. And then they put pressure there to get themselves as maintainer. xkcd memes are just reality, I feel I see this with all software closed or open. There's like one thing that everyone relies on but has zero resources put towards it. It would be nice to see these distros run by big teams to go over what they use. And send resources to software like XZ.
@abdulrahimanis584
@abdulrahimanis584 4 ай бұрын
You're late to the party, bro
@landroveraddict2457
@landroveraddict2457 4 ай бұрын
Take a look at a book by Clifford Stoll, The Cuckoo's Egg. Awesome book based on a first hand account of a sysadmin's take down of a major hacking group in the 80s. The admin spotted micro theft of CPU time on a mainframe he managed. It really is worth a read. Not too technical, just enough to explain the operation of the earliest hackers.
@dshack4689
@dshack4689 4 ай бұрын
Also Takedown by Tsutomo Shimomura, as well as the respone from Kevin Mitnick The Fugitive Game
@DynamicLights
@DynamicLights 4 ай бұрын
God saved almost all of the servers in the world.
@frankintx699
@frankintx699 4 ай бұрын
Thanks, ThioJoe
@d.developer
@d.developer 4 ай бұрын
fireship covered this on the 1st april. and following that i was LowLevelProgramimng, primeigine and others Linux enthusiast covered this topic. i think you are late in this one :)
@2kadrenojunkie
@2kadrenojunkie 4 ай бұрын
this a re-up? this is old news.
@my-yt-inputs2580
@my-yt-inputs2580 4 ай бұрын
I remember back when the Linux snobs swore up and down that it was secure. Of course back then it was, compared to Windows. Fast forward.......!
@mega_gamer93
@mega_gamer93 4 ай бұрын
You can't know of backdoors on windows because it is proprietary. Imagine the same situation if sshd was proprietary >Notice that ssh is marginally slower than normal >file bug report to SSH companies website > "Your report is being investigated, we will update you over email if new information is found" >Email gets completely ignored
@AresEverett
@AresEverett 4 ай бұрын
Are we sure the attack was planned beforehand? Maybe the guy who had the maintainer role changed his mind or his account got stolen? Because waiting 2 years to do this doesn't make much sense
@mega_gamer93
@mega_gamer93 4 ай бұрын
If the guy were compromised he could post an email telling so. Unless the attacker broke into his house and deleted his PGP key he can always prove his identity. Besides, it makes sense to take this long to introduce this backdoor, there was a lot of groundwork that needed to be made
@disegnosys
@disegnosys 4 ай бұрын
Great explanation and I heard about this threat about a month ago on another channel.
@DudeSoWin
@DudeSoWin 4 ай бұрын
Performance is number one Safety Third
@BigWhoopZH
@BigWhoopZH 4 ай бұрын
Warns about one malware, advertises another.
@ranxlusactualmainaccount
@ranxlusactualmainaccount 4 ай бұрын
ThioJoe got a 2 vid in a day Streak
@Lampe2020
@Lampe2020 4 ай бұрын
Yay, another video about the xz backdoor…
@Llew70
@Llew70 2 ай бұрын
It's no different than being forced to not delay Microsoft "updates" beyond a certain point... Windows 10 has been around how long? And they are still finding vulnerabilities? FFS test your crap ahead of time (where it doesn't malfunction in the presentation). Allow us to remove Edge, Cortana, Game bar and other crap we don't use that eats up drive space. I have a potato laptop with a SS drive that is HALF filled with the operating system... I don't use more than half of that junk. Everything else I have to relegate to an external drive because Windows takes control. f them.
@kolz4ever1980 4 months ago
It would take a real developer from a real OS like Windows to do the job for the devs of that bootleg Linux OS. 😂
@Twisted_Code 3 months ago
I just want to point out that this video's use of XKCD 2347: Dependency might be breaking the Creative Commons non-commercial license, since you make money on YouTube. Hopefully Randall Munroe (a pretty respectable fellow IMO) wouldn't mind such a brief commercial use of the comic, but you should be more careful.
@LeeMaiden 4 months ago
Bitdefender is good stuff. I have Win 10 on two desktops, but I'm usually on either machine using the main hard drive, one of which is Linux Mint's LMDE 6, and the other machine is Linux Mint 21.3 Cinnamon. I have Bitdefender on my mini PC that has Win 11 Pro on it, and I have Bitdefender on my phone also; it's one I recommend to clients of mine as well. It's a shame they don't make a version for Linux that would have caught this XZ problem. I rarely use Windows, so this one hit close to home, hitting Linux with a well-used tool.
@Twisted_Code 3 months ago
Stuff like this is why I'm so serious about secure coding. Put as many self-checks in your software as possible. For example, something that might've protected against this attack: don't load libraries that don't match the checksum you expect. If that library that was used by SSH had been checked for integrity (which likely could have been done with libraries SSH was already using, since it's already doing some cryptography), this attack would have failed.
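The check the comment above describes, as an added example (not the commenter's code, and not anything from xz or OpenSSH): a loader that refuses a shared library whose SHA-256 does not match a digest pinned ahead of time. The library name libexample.so, the pinned_digests mapping and the sample bytes are constructed for the demo; the real loader is ctypes.CDLL, swapped for a stand-in so the block runs without a real .so. One caveat worth keeping in mind when deploying this: a pin records whatever bytes you reviewed, so it catches a file altered on disk after review, but not a release whose tainted contents were what got pinned.

```python
"""Refuse to load a shared library whose on-disk digest does not match a pinned value.

Added example; libexample.so, pinned_digests and the sample bytes are hypothetical.
"""
import ctypes
import hashlib
import hmac
import os
import tempfile


class LibraryIntegrityError(RuntimeError):
    """The library on disk does not match the digest pinned for it."""


def sha256_of_file(path, chunk_size=1 << 16):
    """Stream the file through SHA-256 so large libraries are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def verify_library(path, pinned_digests):
    """Return the actual digest if it matches the one pinned for this file name.

    A missing pin is a failure, not a pass: an unknown library is untrusted by default.
    hmac.compare_digest compares in constant time regardless of where the strings differ.
    """
    name = os.path.basename(path)
    expected = pinned_digests.get(name)
    if expected is None:
        raise LibraryIntegrityError(f"{name}: no pinned digest, refusing to load")
    actual = sha256_of_file(path)
    if not hmac.compare_digest(actual, expected):
        raise LibraryIntegrityError(
            f"{name}: digest mismatch (expected {expected[:12]}..., got {actual[:12]}...)"
        )
    return actual


def load_verified_library(path, pinned_digests, loader=ctypes.CDLL):
    """Verify first, then hand the path to the real loader (dlopen via ctypes).

    `loader` is injectable so the check can be exercised without a real shared object.
    """
    verify_library(path, pinned_digests)
    return loader(path)


def _fake_loader(path):
    """Stand-in for ctypes.CDLL so the demo does not need a real library."""
    return "loaded:" + os.path.basename(path)


def demo():
    """Constructed scenario: a pinned file loads; once altered or unpinned, it is refused."""
    with tempfile.TemporaryDirectory() as tmp:
        lib = os.path.join(tmp, "libexample.so")  # hypothetical library name
        with open(lib, "wb") as fh:
            fh.write(b"\x7fELF constructed sample bytes, not a real library\n")

        # Pin the digest of the file that was actually reviewed and is meant to be trusted.
        pinned = {"libexample.so": sha256_of_file(lib)}
        loaded = load_verified_library(lib, pinned, loader=_fake_loader)

        # Simulate tampering with the file on disk after the pin was recorded.
        with open(lib, "ab") as fh:
            fh.write(b"/* bytes appended after the pin was recorded */")
        try:
            load_verified_library(lib, pinned, loader=_fake_loader)
            tampered_refused = False
        except LibraryIntegrityError:
            tampered_refused = True

        # A library with no pin at all is refused as well.
        try:
            load_verified_library(lib, {}, loader=_fake_loader)
            unpinned_refused = False
        except LibraryIntegrityError:
            unpinned_refused = True

    return loaded, tampered_refused, unpinned_refused


if __name__ == "__main__":
    print(demo())  # ('loaded:libexample.so', True, True)
```

In a real deployment the pinned digests would live in a manifest shipped separately from the libraries (and ideally signed), and the check would run in the program's own startup path before any dlopen of the pinned files.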
@aremoreequal 4 months ago
The US Government has programmers. The Army has programmers. I almost went the programming route when I joined up, but I went into a different MOS. They created America's Army, the game. The US Government (and other governments around the world) should be writing their own operating systems.
@Calamity_Jack 4 months ago
Code review seems to be an Achilles' heel for open source projects. On the face of it, the idea seems ironclad: all submitted code is there for everyone to scrutinize and understand before it's committed to main. However... not every project has 100% diligent code reviewers. Most people are more concerned with getting their pet features and bug fixes in, not reviewing the code of others. Especially with somewhat obscure yet intrinsic apps like XZ. Plus, there's often no way to vet who is contributing code to the project. Anyone can play, even malicious actors.
@G-3-A-R-Z 4 months ago
Arch never linked the XZ library to SSH because they are not stupid. Also, they came out with the fix removing it lightning fast. Fear must sell on YouTube. lol At least when Microsoft bros get the idea to hate on Linux. The funny part is Windows has all these kinds of things in as a feature for the NSA. lol So yeah, open source still better.
@thesheep3077 4 months ago
Starts watching video, "seems interesting", sees embedded ad that can't be skipped. Presses big red X to close window. YT'ers need to understand that embedding ads in their own videos is crippling their channel. Lots of viewers like me just stop watching at that point. When you prioritize revenue over message, you are a shill. "Do not recommend channel" clicked.
@PeterMarszalkowski 4 months ago
If you know how games used to be installed and you overload them so that they run and they were also write-protected and and and and had to take care of loading loading commands, interposing command cells and and you had to create a special software icon for that which pre-loaded you to start the game. It doesn't run on servers anymore, it shouldn't be online anymore, but you can if you overload it and they think everything is OK and we have the old driver and this shit runs, it runs in the background and otherwise the thing would be like a wall, you are safe as long as it is on they can't f***** each other and you can transfer everything. Maximum on a season ticket, well, you can give yourself rights and everything on, it means security, the old one is there, what do you want, remove x2 x4x4, you have to get it running otherwise do the system. Too fast is stupid, you. 50 x50 uhh, the files have to be huge, that's no use with a little more fan
@NonstickMilk 4 months ago
Not going to lie, but I was lost about a minute into the video because I know squat about computers. I just dig your videos because they always show up in my feed. Who knows, maybe I am slowly learning things. What would be the point of doing something that malicious? To put that much time and effort into something that destructive, there must have been something to gain, was it money? A form of terrorism? It’s sad that people with that kind of talent can’t do something good with it
@troyBORG 4 months ago
Old news. This was reported on like a month ago. Sleeping under a rock, I see...
@minerfinger6814 4 months ago
Just because my detective brain is up due to watching TV, I thought, wouldn't it be a good idea to check the original creator behind the program as well? These people went as far as to plan this much; just maybe he was in it all along too. P.S. Do not take this comment seriously.
@wasd____ 4 months ago
Maybe packages that are being maintained by one burned-out guy who only does it sporadically as a hobby and isn't consistently communicative or responsive should get phased out of use instead of kept as pieces of vital infrastructure. Just saying, there's a lesson here, and we're not learning it fast enough: when you create software people really depend on for important things, don't set yourself up for one random guy's old piece of software to be put into a multiplier-effect position where it can cause absolutely horrible consequences in a widespread manner.
@kbcin7208 4 months ago
This YouTube algorithm is much worse than previous algorithms because it showed me this video in the suggestion feed two days after the upload day, even after being subscribed. Please ignore my grammar mistakes (I got no degree in grammar; I practically hate it. I mean I hate grammar, not degrees, though I use Fahrenheit.)
@Reycko 4 months ago
A backdoor in xz could be absolutely horrible
@wasd____ 4 months ago
Maybe packages that are being maintained by one burned-out guy who only does it sporadically as a hobby and isn't consistently communicative or responsive should get phased out of use instead of kept as pieces of vital infrastructure. Just saying. Don't set yourself up for one random guy's old piece of software to cause "absolutely horrible" consequences.
@soulman902 4 months ago
I saw this with another OSS project where Bitcoin mining was added to a library which was being used by a commercial project, which was used by the company I used to work at. Our antivirus caught it being installed by the dev, and the company that put out the update had to release a new update.
@JasonMitchellofcompsci 4 months ago
I have an idea. Make all software open source. Use AI to score how human-readable all files are. If a file scores too poorly, it isn't considered open source. Open source projects are scored by how human-readable their least human-readable file is. If everyone can read everything *easily*, then things are safer. So no, you may not have binary files on your GitHub.
@jirib.8280 4 months ago
Both the advantage and disadvantage of open source software... in the end, good. If it had been a skillful programmer in a company like Microsoft, the backdoor could have been there for years.
@XDubio 4 months ago
I heard about this vulnerability. I think this only shows that even free (as in freedom) and open-source projects need to implement test suites that can catch these kinds of attacks beforehand; unfortunately, maintaining these is not a single person's task. IMO the solution here would be for more people to volunteer on these critical components, employees of other software companies with possible conflicts of interest or not.
@imSomebody-m4c 4 months ago
Why does your throat look weird?
@_SJ 4 months ago
Adam's apple?
@theunderstatement6842 4 months ago
Aponia pfp detected.
@TheGrinningViking 4 months ago
It was the CIA. They try to do this all the time and have direct access to the companies and developers.
@zenreeio13lIIIl 4 months ago
What I wonder and want to discuss, which I haven't seen anyone else mention, is... will this break the trust in Linux? I already know of people that do not trust it, and honestly I'm starting to feel the same. I'm wondering what the general population thinks.
@SteltekOne 4 months ago
1:45 Small nitpick: Debian's name is a contraction of Ian Murdock, the founder, and his then girlfriend Debra's name, so it's pronounced deb-ee-an, not dee-bee-an.
@jamescomstock7299 2 months ago
Just casually acts like every server on the internet uses Java. That said, this kind of supply chain attack showcases one of the biggest challenges of open source software, in my opinion.
@bobtarmac1828 3 months ago
The worst hack ever? Maybe. But with swell robotics everywhere, AI job loss is the only thing I worry about anymore. Anyone else feel the same? Should we cease AI?
@adamb7088 4 months ago
This sounds like it could have been very widespread since Windows uses some Linux architecture as does OSX. (Please correct if I'm wrong.)
@ca_kay 4 months ago
This just further proves the attack on Flash was nonsense. The Heartbleed Bug, which had already been patched, is nothing compared to real backdoors.
@MnasaNezbavis-x3b 4 months ago
Hey, can you make a video explaining the modded YouTube and Spotify APKs? It's really fascinating in my opinion. Thanks.