Except this exploit was discovered on Debian. I don't think Microsoft would use Debian Unstable on their servers. You aren't safe. Meanwhile, the exploit didn't even work on Arch because their ssh isn't compiled with XZ support

@@spicynoodle7419 I was refering to 11:21

You are very welcome XD

@@spicynoodle7419 why so serious?

@@spicynoodle7419 It was discovered on Debian Sid, not Stable. t. a fellow Debian Stable user

"I told him to fork it or get lost" That is the correct response. Much better than just handing over the project to some strangers, for sure.

Breaks my heart, really. We need to do better as a community to make sure this can't happen... 🥺🙏

@@soulstenance I am not sure that is really the issue. As Jonathan Blow pointed out years ago, there are governments that hire people to do this type of thing full time as their job. Once you see it, you can ignore it, but you can't unsee it.

@@NdxtremePro I am sure this is a multi-part issue. But social engineering/APT played a pretty big role from my understanding.

@@soulstenance I'm sorry? Are you agreeing with me or disagreeing? Social Engineering is one of several tools used in this case, what I alluded to was Blow's hypothesis of many such actors without us knowing about them and know way to pinpoint them accurately. It doesn't matter what tools they use to get the job done, that is incidental to the point.

@@NdxtremePro I agree that the attack was very complex but still stand by my statement that we, as a community, need to do better and support our hardworking devs wherever we can. And I include myself in that.

I second that!

I always find it funny that Americans pronounce it as "open sores".

Mmmm. I think this is one of those cases where it's a "both-and" situation that people will try to paint as being more one or more the other depending on their particular axe to grind.

@@alexschexnayder8624 Youre right atleast in open source we have to chance for peer review where as closed source the companies can put in back doors willy nilly.

I wouldn't call it sheer luck since he was specifically in process of testing and looking at execution times, and how lucky would you have to be to discover this in closed source project? how many eyes are looking at individual lines of proprietary source code before it ships especially if you're not a multi-trillion dollar company and have deadlines? (edit: to expand, I mean the trillion dollar players know there's industrial espionage/sabotage going on and they can't fully trust their workforce, MS has 152000 employees in their tech divisions so they have processes in place to deal with the risks but having spent 25y in various small/mid-range software shops I can tell you they don't have the resources, inclination or skillset to guard against this level of infiltration and their software is also not going to be in use by the trillion dollar companies so they don't get testing from them unlike the core opensource projects that will, like in this case)

A kid is playing in the road. You are driving you car down that road. I am stood by the road. The kid was not run over. Why? a) Because you braked in time, or b) Because I scooped the kid off the road in time. Answer - It doesn't matter, the kid survived. If the kid died, how it got killed would matter. Therefore how the exploit above was discovered doesn't matter. It was discovered before being used. Cyber-security worked. Deal with it.

He is often right in technical matters.

lets go

Haha

i will only like if you will leave a note on each one telling them how to boot into linux

@@nickwatchesyoutube I'll be installing something beginner friendly. They wont even notice

@@occultsupport wubuntu

The other thing to note is that Windows is not "closed source" but "shared source" (for business partners, educational researchers, etc.) so It isn't like there aren't many eyes on the Windows sources.

It's not audited by users.

> Imagine reporting to a proprietary software company that their product is having half a second delay from the previous version, would they even consider lookin at it? Now consider that exploit was developed by an insider. So even if the company considers it, it will be the author of the exploit fixing the issue.

Companies like google etc do VERY extensive automated checking on every line of source code used in most Linux distributions. This whole thing was an attempt to get by all the checking done on Linux source code. They knew if they put a backdoor in the actual source it would immediately be flagged by many places, that is why they had to use a binary in the testing system only.

The point is that you can. You have the choice to look at it! A lot of us (myself included) need to stop _talking_ and start _doing._ So you don't know code - big whoop, contribute in other ways, if you can, like donating to projects you enjoy or opening issues if they arise. The "Yeah, but" mentality won't solve anything, and neither will proprietary software.

@@milohoffman274That hasn't been true historically (HeartBleed, etc.) but if you want to continue believing that has changed, well ....

@Music-wu5de heartbleed was a decade ago, the tooling is much more advanced now.

If this is a concern for you, move to OpenBSD. They do actually check all the code line by line. But that level of paranoia isn't required for most people.

I watch your videos and appreciate them, but have to respectfully disagree on this. Windows uses proprietary code that has official backdoors for the USG and plain old bugs that are exploited by hackers. What Windows does not have are unofficial malicious backdoors added by random dudes on the internet. OTOH, Linux and OSS have bugs that are exploited by hackers and backdoors added by random dudes on the internet. You gotta pick your poison.

You should absolutely expect it to happen with FOSS software, as with any other software, and no surprise, it happens. The key here is transparency and how decentralised community deals with it.

Indeed. I have never installed antivirus software on any of my machines, nor have they had any incidence of malware or infections-as far as I know! You can always argue that I could be ignorant of it, but prove it please. Being "safe" in this context depends much more on behavior than on OS or antivirus applications. I don't click anything in an e-mail or load the images for that matter. If I have a link to some web site, I paste it in, inspect the domain to make sure it is what is supposed to be, and edit out any unnecessary part of the link (which is often the majority). These and many other things do introduce minor inconvenience for me, but make it far safer. The machines of my friends/family are absolute disaster zones almost without exception. Many think the internet is like a glorified TV service, clicking everything in sight for laughs and giggles. I've given up trying to explain. Format and reinstall when the machine freezes solid is the play.

" *Ubuntu and stable versions of Debian are not effected* " Even if they were affected, the fix would have been written very quickly. If you apply security fixes with any regularity, you'd be fine. Open source model, in general, is a difficult environment for hacks and exploits. Yes, you can see the code and use this knowledge to write malicious software, but then the "shelf life" of the said exploit can be quite short, since Open Source relies on code, not on binary compatibility. The end result is that even if you get a library full of known Linux viruses, it's really hard to make them run. Why, in this particular case they expended a lot of effort before they were able to take over the project, then they were caught before anything bad happened. Yes, people can be evil and not very wise, so stuff like that might happen again. Such is life. But it's very unlikely to turn into the Windows disaster scenario. Go for hardened security Linux systems, if you are really worried.

I used Windows for years. Started using Linux back in the mid 1990's (RedHat and Caldera) to learn more about the Linux way of doing things. After Windows 7 that was the final last straw for me. Linux takes more time to learn, so take notes on installs, fixes, maintenance procedures and eventually you will find your Linux system will have flawless run times measure in years. These days I play around running Gentoo and LFS when I have the time.

The thing is - if I was him, I'd have reported this anonymously. While the fame might be a nice feeling this probably has not only made him friends :X

it wasn't some hobby thing, he's paid to do benchmarking and optimizing postgres for microsoft's azure cloud, he just noticed the numbers were off after updates

I don't see a conflict here. Probably, most free software developers are corporate developers during their salaried/waged hours, and in fact this is great.

Balanced... OK, if that's your term for "ignorant". We'd not only not heard of such an attack on Windows, it couldn't have happened (not that there aren't _other_ possible issues - like government enforced backdoors). This person in the video above makes assertions he cannot even begin to substantiate. That would require actual expert knowledge and investigation of the processes in both environments (OSS & MicroSoft). The Midwit's KZbinr. edit: He also asserted it's a group - another statement he can't substantiate. So, because at least a couple of usernames were used in the social engineering attack, it's a group of people? Critical thinking fail. Same situation with the "nation state" claim. Critical thinking fail, again. As stated before, Midwit's KZbinr.

And how exactly do you go about committing code against the Windows code base from your jiatan gmail account over VPN?

no because the employee didnt report the bug because microsoft said he should, he reported because he found it by accident.

lol. We have decades of Windows being the dominant OS for desktop computing and exactly zero backdoors have ever been found, despite being the biggest target by far. At a certain point we all need to keep score and be accountable. Nation states and hacking groups absolutely try to infiltrate Microsoft, yet it has never resulted in a backdoor making its way into Windows.

@@TNO821 the NSA sat on EternalBlue for a while. Kaspersky has recently fou d a "bugdoor" on iOs using undocumented registers which highly looks like it at least needed Apple insider knowledge. So definitely not far-fetched to imagine that the NSA has done so in other places and it is just not public/leaked yet.

Most stupid thing said. Open source is always a danger. Just look how this was discovered.. if the person who created the exploit had done proper testing I doubt this would have been found. The fact that it was found had nothing to do with the open source community. In fact the Linux community has become so involved in their own bs belief that Linux is super safe that an exploit can exist in Linux without anyone knowing. Grow up

"It was mostly due to "unreasonable luck" that Microsoft developer Andres Freund discovered it. He reposted on Mastodon the following words by Damien Miller: This is the nearest of near-misses. Anyone who suggests this was any kind of success is a fool. No system caught this, it was luck and individual heroics. That's not acceptable when unauthorised access to ~every server on the internet is on the table. We need to find a way to do better."

well i meant he 5 which use them lmao

@@tostadorafuriosa69 MX Linux uses sysVinit by default.

@@htx80nerd how many people use that?

@@tostadorafuriosa69 You're pretty far out of your element if you don't understand how popular MX Linux is.

@@tostadorafuriosa69 I use it. The speed you gain is ridiculous, also the robustness that come with a small chunk of code doing exactly one job is the reason the detractors wanted to keep the UNIX way. The huge surface of attack that systemd distro are gaining was proved with this incident. If systemd just focused in only being an init, this would not happened in first place!>P

" *some random person contributing to a project with no accountability* " That's not correct. They had to *build trust* first, with a lot of concerted effort. Only then they were able to take over. " *not an issue with something like Windows or MacOS* " How do you know? There could be a dude working on the code, who sneaks stuff in. You are not trying to tell me, that employees never cheat on their employers, are you?

Dave Plummer sneaked Microsoft Bob into WinXP activation. We never knew until he told the story!

Have you ever looked into macOS/iOS security? There has been multiple cases of a vulnerability being submitted to Apple or released to the public with an exploit, and after it was supposedly fixed, the security researchers who found the vulnerability find out that with a few modifications their exploit still works! even kernel exploits

@@bakters Build trust and having accountability are different things. There is clearly no accountability here.

@@Redmage913 Assuming they used Git, there would have been accountability had someone found it because Dave Plummer is a real identity.

Just check your version: xz --version Affected are only versions 5.6.0 and 5.6.1. ( _NOT_ 5.6.1-2 and 5.6.1-3, though)

The good thing is that the whole situation will be used as a learning point. Yes, human nature is a weak spot in some cases, but the other side is that people learn and adapt. As for the comparison with the "good ol'" MS and Mac one can only wonder how many agencies have their backdoors well crafted and waiting there.

I think that's the best reply i read in a comment section about that topic. Mostly you see that this a "W" for FOSS, but don't want to talk about the root of the problem! And the nature of those comments are my biggest concern with Linux atm.

This isn't a "systemd problem", it's a social engineering attack. The project was created and maintained by a hobbyist, and the attacker exploited the fact that he was having personal problems to be able to "contribute" for at least two years, plenty of time to quietly insert a backdoor. There's no amount of FOSS philosophy and principles that can save you from that.

There are still some non-SystemD distros out there. Heck, Distrowatch's long-time #1 entry MX doesn't use SystemD :) *written from an MX system*

@ Of course every maintainer could be attacked like that. The question is which environment makes it easy to do. Maybe the systemd way is too big and complex and has too many weak spots? But I'm just a noob reading about it. :D

you got it!

CN

USA

​@@theperfectionist1607 Yes we both figured he was talking about Canada 😂

He also asserted it's a group - a statement he can't substantiate. So, because at least a couple of usernames were used in the social engineering attack, it's a group of people? Critical thinking fail. Same situation with the "nation state" claim. Critical thinking fail. Midwit.

There should be 5.6.1-3 available already :)

The Microsoft dev used Debian SID (the unstable testing branch of Debian) for his testing. He noticed in his benchmarks that loging into SSH took about a second instead of the normal 0.2 seconds which made him try and find out why that was the case. It was in the normal testing Debian repo's as well as in a bunch of other testing repos (Fedora 40 and 41, I am sure others as well), but not on any of the stable releases yet, although it was a close one for Debian I believe which was supposed to release in a couple of weeks. The main thing is that servers typically don't use those testing releases for obvious reasons. It was also in a couple of rolling releases (Arch, OpenSuse Tumbleweed, ...), but they quickly patched it after it was found out. There are only a handful of rolling release distros that had this in their repos and people using those or the testing branches tend to update more often (why would you otherwise use a rolling release distro?). But yes, some of those rolling releases had the backdoor xz package for a couple of weeks before it got found out. It's less of an issue on those though, the Arch openssh isn't linked to the correct package (not sure about OpenSuse) and people are less likely to log into ssh on their desktop machines where these rolling releases are generally used. To be clear, I am NOT saying this isn't an issue, it clearly is, but all in all it was dealt with without too much problems. I don't think they could have used their exploit for too many things, it was clearly meant to be rolled out on server machines. But it could have been way worse if that Microsoft dev didn't stumble upon it by accident. Not a lot of people would have actually tried to find the root cause of why a loging into SSH took about a second longer than usual.

@@MaartenT and even if it had gotten to stable they probably wouldn't have started popping everyone's boxes because they would've been discovered that much quicker, they likely had some specific government/industry targets in mind (and if they had tried to infiltrate everything I wonder how many places could they have actually even reached, most debian/fedora boxes are sitting inside networks that if they even have internet facing ssh it's usually a router or bastion host running a stripped down non-desktop grade OS)

As I saw somenone mention elsewhere... Microsoft: xz utils spending 500ms - let's investigate. ms teams taking 15 minutes to start - works as intended.

*people are

What worries me, is that MS employee discovered it by "chance" because what are the odds the way he found it, really. Worrying is who organized it.. not saying anything but MS isn't exactly an open source proponent to start with.

And the only reason he found it was a bug causing it to go slow. The real kicker is, once in and distributed, the payload could be updated and maintained without anyone ever knowing as the source code never needed to be touched again. For this to happen at Microsoft, the foreign bad actor(s) had to be flown over, get a job, and then get lucky enough to be assigned a project where such an exploit could be implemented. There is practically zero chance of that happening due to the security scrutiny present. I don't believe in the "deliberate backdoor" thing, as that would have been found out eventually, and put to use by others and thus found. The problem with this one was it was a sleeper exploit; pretty much designed to be able to shut down the entire internet on command. Say, by Putler...

My condolences.

Amen

But He could only investigate the Problem, because the *tar File contained open Code. If He had to deal with a Binary instead, He would not be able to Look into it. He would most likely never have discovered the cause

@@Cyanwasserstoff you are partially right: that made it much easier to pull the thread and see clearly who did what and how. BUT once there is a suspicion that something is dodgy with a library or a binary, it's only a matter of time before someone reverse engineers it, cf. the Apple bugdoor a few months ago, discovered by Kaspersky.

@@mattlebutter9162 Reverse Engineering is not simple and having the program base code not available makes the process way more time and human resources intense. We can already make ourselves a picture how long the nouveau team struggled to reverse engineer the drivers for Nvidia cards. We are talking about years and without the change from Nvidia to open-source partly, the open-source driver would never even come slightly close to the proprietary one, despite the enormous effort of reverse engineering

Was suprised to hear DT call it Microsoft's product. They already own T-SQL which is used by default with MS SQL Server

@@yeabuddy1610 Isn't T-SQL just the SQL language implementation for the SQL Server database engine? PostgreSQL isn't that.

If it happened in proprietary software it could still have been found, but in this case being open source made it a lot easier to analyse and get more eyeballs onto it