As a Debian stable user I'd like to thank all the rolling guinea pigs out there!
@spicynoodle7419 · 7 months ago
Except this exploit was discovered on Debian. I don't think Microsoft would use Debian Unstable on their servers. You aren't safe. Meanwhile, the exploit didn't even work on Arch because their ssh isn't compiled with XZ support
@OpenBASED · 7 months ago
@spicynoodle7419 I was referring to 11:21
@keenancarey7041 · 7 months ago
You are very welcome XD
@BunnyKhatri-pd8zm · 7 months ago
@spicynoodle7419 why so serious?
@MarkusHobelsberger · 7 months ago
@spicynoodle7419 It was discovered on Debian Sid, not Stable. t. a fellow Debian Stable user
@ЮрийПронин-ч8ь · 7 months ago
Just wanted to express my great respect and gratitude to all the contributors of Open Source Software. You people are amongst humanity's best. We are lucky that you do exist.
@kpcraftster6580 · 7 months ago
Discovered because the m$ guy noticed that the ssh connection took too many cpu cycles. Something which hardly anyone would bother to follow up and investigate, even if they noticed it. That's some real diligence and curiosity, right there.
@milohoffman274 · 7 months ago
Turns out, having a large parent project called "GNU", which develops all the little utilities, libraries, and programs that would not be worthy of much support if they were all separate individual projects makes lots of sense. Once again, RMS was right.
@BPL-Whipster · 7 months ago
He is often right in technical matters.
@whirl89 · 7 months ago
It got caught by sheer luck by one guy; no one else even gave it a thought. If anything, this shows how vulnerable any open source software is to malicious interference. Edit: I read some really good, reasonable replies and I can only admit you're right: with open source, serious exploits like this have a higher chance of being discovered than with closed source.
@Music-wu5de · 7 months ago
I always find it funny that Americans pronounce it as "open sores".
@alexschexnayder8624 · 7 months ago
Mmmm. I think this is one of those cases where it's a "both-and" situation that people will try to paint as being more one or more the other depending on their particular axe to grind.
@whirl89 · 7 months ago
@alexschexnayder8624 You're right, at least in open source we have the chance for peer review, whereas in closed source the companies can put in back doors willy-nilly.
@snooks5607 · 7 months ago
I wouldn't call it sheer luck, since he was specifically in the process of testing and looking at execution times. And how lucky would you have to be to discover this in a closed source project? How many eyes are looking at individual lines of proprietary source code before it ships, especially if you're not a multi-trillion dollar company and have deadlines? (Edit: to expand, I mean the trillion dollar players know there's industrial espionage/sabotage going on and they can't fully trust their workforce. MS has 152,000 employees in their tech divisions, so they have processes in place to deal with the risks. But having spent 25 years in various small/mid-range software shops, I can tell you they don't have the resources, inclination or skillset to guard against this level of infiltration, and their software is also not going to be in use by the trillion dollar companies, so they don't get testing from them, unlike the core open source projects that will, like in this case.)
@terrydaktyllus1320 · 7 months ago
A kid is playing in the road. You are driving your car down that road. I am standing by the road. The kid was not run over. Why? a) Because you braked in time, or b) Because I scooped the kid off the road in time. Answer: it doesn't matter, the kid survived. If the kid had died, how it got killed would matter. Therefore how the exploit above was discovered doesn't matter. It was discovered before being used. Cyber-security worked. Deal with it.
@fabienmargerie6815 · 7 months ago
A big thanks bro, the Linux community is the best. Another big thanks to all the people who contribute to Linux and its ecosystem.
@bigmikeobama5314 · 7 months ago
I second that!
@datanerdene · 7 months ago
It's a bit weird to claim that Windows' source code isn't audited. Of course they have people working on that. And the weakness they tried to use here could probably not happen with Windows, because a burned out person would be fired or retired. And the fact that this was discovered randomly is not really a good argument in favor of open source. 😅
@Music-wu5de · 7 months ago
The other thing to note is that Windows is not "closed source" but "shared source" (for business partners, educational researchers, etc.), so it isn't like there aren't many eyes on the Windows sources.
@wernersmidt3298 · 7 months ago
It's not audited by users.
@TheDotBot · 7 months ago
Unfortunately there's nothing unusual about people trying to bully maintainers into giving up their packages. I've had that, and I know the guy doing it was attacking lots of others. I told him to fork it or get lost and he gave up, eventually. I have absolutely no idea why they do this... why the need to hustle more work for no personal gain? What's the point?
@kpcraftster6580 · 7 months ago
"I told him to fork it or get lost" That is the correct response. Much better than just handing over the project to some strangers, for sure.
@hariharanjayashankar8932 · 5 months ago
The thing is, open source allows everyone to check code like this. But it also allows malicious users to just as easily inject backdoors and such.
@electronicsacademy2D2E29 · 7 months ago
Human being being the back door ... well said.
@soulstenance · 7 months ago
Breaks my heart, really. We need to do better as a community to make sure this can't happen... 🥺🙏
@NdxtremePro · 7 months ago
@soulstenance I am not sure that is really the issue. As Jonathan Blow pointed out years ago, there are governments that hire people to do this type of thing full time as their job. Once you see it, you can ignore it, but you can't unsee it.
@soulstenance · 7 months ago
@NdxtremePro I am sure this is a multi-part issue. But social engineering/APT played a pretty big role from my understanding.
@NdxtremePro · 7 months ago
@soulstenance I'm sorry? Are you agreeing with me or disagreeing? Social engineering is one of several tools used in this case; what I alluded to was Blow's hypothesis of many such actors without us knowing about them and no way to pinpoint them accurately. It doesn't matter what tools they use to get the job done, that is incidental to the point.
@soulstenance · 7 months ago
@NdxtremePro I agree that the attack was very complex but still stand by my statement that we, as a community, need to do better and support our hardworking devs wherever we can. And I include myself in that.
@occultsupport · 7 months ago
I'll install Linux on an unsuspecting Windows user's laptop for every 10 likes. Edit: First victim is my own mother. The Linux spares no one. She just surfs the web. I have installed Linux Mint and have themed it a bit so that it looks like Windows. Let's see if she notices. Victim 2: My dad has an old laptop. No one uses it. I should've installed Linux on it a long time ago, but I'm gonna do it rn. I'm installing Arch on it.
@mzakyr342 · 7 months ago
let's go
@nickwatchesyoutube · 7 months ago
I will only like it if you leave a note on each one telling them how to boot into Linux
@occultsupport · 7 months ago
@nickwatchesyoutube I'll be installing something beginner friendly. They won't even notice
@mzakyr342 · 7 months ago
@occultsupport wubuntu
@t.crow9531 · 7 months ago
Tell us more after 2 weeks, if she noticed anything lol
@AndreaBorman · 7 months ago
This is very worrying. It happens all the time on Windows. I was always told to use an antivirus program on Windows but I never did. I used Windows XP, Windows Vista and 7 and I never got any computer virus. I changed to Linux two years ago because I didn't want to upgrade to the horrible Windows 10 and 11. You don't expect this to happen on Linux and I was very worried when I heard about this. Though it said that the LTS versions of Ubuntu and stable versions of Debian are not affected. There are antivirus programs and firewalls for Linux. I don't use either. Though if things get very bad like it is on Windows, maybe we will have to consider using them on Linux.
@flow5718 · 7 months ago
I watch your videos and appreciate them, but have to respectfully disagree on this. Windows uses proprietary code that has official backdoors for the USG and plain old bugs that are exploited by hackers. What Windows does not have are unofficial malicious backdoors added by random dudes on the internet. OTOH, Linux and OSS have bugs that are exploited by hackers and backdoors added by random dudes on the internet. You gotta pick your poison.
@IvanIvanov-nn9os · 7 months ago
You should absolutely expect it to happen with FOSS software, as with any other software, and no surprise, it happens. The key here is transparency and how a decentralised community deals with it.
@Starchface · 7 months ago
Indeed. I have never installed antivirus software on any of my machines, nor have they had any incidence of malware or infections, as far as I know! You can always argue that I could be ignorant of it, but prove it please. Being "safe" in this context depends much more on behavior than on OS or antivirus applications. I don't click anything in an e-mail or load the images, for that matter. If I have a link to some web site, I paste it in, inspect the domain to make sure it is what it is supposed to be, and edit out any unnecessary part of the link (which is often the majority). These and many other things do introduce minor inconvenience for me, but make it far safer. The machines of my friends/family are absolute disaster zones almost without exception. Many think the internet is like a glorified TV service, clicking everything in sight for laughs and giggles. I've given up trying to explain. Format and reinstall when the machine freezes solid is the play.
@bakters · 7 months ago
" *Ubuntu and stable versions of Debian are not effected* " Even if they were affected, the fix would have been written very quickly. If you apply security fixes with any regularity, you'd be fine. The open source model, in general, is a difficult environment for hacks and exploits. Yes, you can see the code and use this knowledge to write malicious software, but then the "shelf life" of said exploit can be quite short, since open source relies on code, not on binary compatibility. The end result is that even if you get a library full of known Linux viruses, it's really hard to make them run. Why, in this particular case they expended a lot of effort before they were able to take over the project, then they were caught before anything bad happened. Yes, people can be evil and not very wise, so stuff like that might happen again. Such is life. But it's very unlikely to turn into the Windows disaster scenario. Go for hardened security Linux systems if you are really worried.
@shutdowncnn6086 · 7 months ago
I used Windows for years. Started using Linux back in the mid 1990s (RedHat and Caldera) to learn more about the Linux way of doing things. After Windows 7, that was the final straw for me. Linux takes more time to learn, so take notes on installs, fixes, maintenance procedures and eventually you will find your Linux system will have flawless run times measured in years. These days I play around running Gentoo and LFS when I have the time.
@oliverli9630 · 7 months ago
100%!!! The funny thing is that the Microsoft engineer was interested in helping. Never mind if he did this for more fame or to boost his status, open source software attracted him to come and help.
@MarkusHobelsberger · 7 months ago
The thing is - if I was him, I'd have reported this anonymously. While the fame might be a nice feeling this probably has not only made him friends :X
@snooks5607 · 7 months ago
It wasn't some hobby thing, he's paid to do benchmarking and optimizing Postgres for Microsoft's Azure cloud, he just noticed the numbers were off after updates.
@IvanIvanov-nn9os · 7 months ago
I don't see a conflict here. Probably, most free software developers are corporate developers during their salaried/waged hours, and in fact this is great.
@mrpix3011 · 7 months ago
This is about communities. Healthy communities do exactly that: spotting and exposing the issue.
@noderunner_ · 7 months ago
Thanks for this balanced take. We as a community need to use this as a learning opportunity to harden our security instead of spreading fear over this backdoor that was so limited it probably didn't even get hit once in the wild.
@exnihilonihilfit6316 · 7 months ago
Balanced... OK, if that's your term for "ignorant". We'd not only not heard of such an attack on Windows, it couldn't have happened (not that there aren't _other_ possible issues, like government enforced backdoors). This person in the video above makes assertions he cannot even begin to substantiate. That would require actual expert knowledge and investigation of the processes in both environments (OSS & Microsoft). The Midwit's YouTuber. Edit: He also asserted it's a group, another statement he can't substantiate. So, because at least a couple of usernames were used in the social engineering attack, it's a group of people? Critical thinking fail. Same situation with the "nation state" claim. Critical thinking fail, again. As stated before, Midwit's YouTuber.
@what-about-bob · 7 months ago
This attack was sophisticated in its use of social engineering. Ever heard of "good cop, bad cop"? It's an interrogation and manipulation technique where the bad cop applies pressure whilst the (not really) "good" cop offers "help". This was definitely a team and, by use of that technique, most likely state-sponsored.
@ikhlasulkamal5245 · 7 months ago
Imagine reporting to a proprietary software company that their product has a half-second delay compared to the previous version; would they even consider looking at it? It needs an absolute Giga Chad move to check their own software source code because of a slight delay. If the software is proprietary, then the Giga Chad can't even do anything besides reporting and hoping that the proprietary company is also a Giga Chad company.
@AM-yk5yd · 7 months ago
> Imagine reporting to a proprietary software company that their product has a half-second delay compared to the previous version; would they even consider looking at it?
Now consider that the exploit was developed by an insider. So even if the company considers it, it will be the author of the exploit fixing the issue.
@fingon6294 · 7 months ago
In theory, yeah, it's open source; it can have many eyeballs on it. But, in practice, how many people are auditing it? Especially if it's some obscure package. The main purpose of the maintainers (package maintainers) is to package the stuff; they may be able to throw a glance at the source code, but are they doing an extensive security audit? I highly doubt that. Sure, some distros have dedicated security teams, but is that sufficient? Are they auditing the code of the packages? Again, I doubt that. Look at the Arch security team; it has eight people in it and they are unpaid volunteers. It's a lot of work. We, the Linux users, rely too much on good faith. We rely too much on the premise that someone is constantly checking the source code line by line.
@milohoffman274 · 7 months ago
Companies like Google etc. do VERY extensive automated checking on every line of source code used in most Linux distributions. This whole thing was an attempt to get by all the checking done on Linux source code. They knew if they put a backdoor in the actual source it would immediately be flagged by many places; that is why they had to use a binary in the testing system only.
@soulstenance · 7 months ago
The point is that you can. You have the choice to look at it! A lot of us (myself included) need to stop _talking_ and start _doing._ So you don't know code - big whoop, contribute in other ways, if you can, like donating to projects you enjoy or opening issues if they arise. The "Yeah, but" mentality won't solve anything, and neither will proprietary software.
@Music-wu5de · 7 months ago
@milohoffman274 That hasn't been true historically (Heartbleed, etc.) but if you want to continue believing that has changed, well ....
@milohoffman274 · 7 months ago
@Music-wu5de Heartbleed was a decade ago, the tooling is much more advanced now.
@tylerdean980 · 7 months ago
If this is a concern for you, move to OpenBSD. They do actually check all the code line by line. But that level of paranoia isn't required for most people.
@agostinhomatos321 · 7 months ago
Just because other people cannot look into closed software doesn't mean open software is more secure. I don't see any major closed software company like Microsoft, Apple, Google, etc., doing anything similar to the XZ exploit; they may be accused of keeping private information for their own use, but not what happened recently to open source. As the video states, software developers are burned out and underpaid, so no company in open source software will ever be viable for serious security problems that may occur for their software's users, which in other words means: use at your own risk.
@agostinhomatos321 · 7 months ago
"It was mostly due to "unreasonable luck" that Microsoft developer Andres Freund discovered it. He reposted on Mastodon the following words by Damien Miller: This is the nearest of near-misses. Anyone who suggests this was any kind of success is a fool. No system caught this, it was luck and individual heroics. That's not acceptable when unauthorised access to ~every server on the internet is on the table. We need to find a way to do better."
@jamerivedeveloper3257 · 7 months ago
I've been an Artix user for years now and as a rolling release user I have found a bunch of things that just don't work as intended, and I found myself contributing in some way, although I don't get involved in the development. As you said, discovering bugs is as important as correcting them, because some of them are found just by sheer luck almost always. I know devs really appreciate the feedback when it's mostly done with kindness and enthusiasm.
@Spootiful · 7 months ago
They probably wouldn't have used it for something stupid as a botnet, but probably aimed for system and web access. You'd literally be able to steal whatever files and e-mails you wanted, provided you did it stealthily enough.
@brians7100 · 7 months ago
“you wouldn’t be allowed to look at the code” you also wouldn’t be allowed to edit the code…
@redname · 7 months ago
The most bizarre part of it was that a Microsoft guy discovered the issue.
@jsnjyn · 7 months ago
Remember kids, if you don't read and understand the code, you're just shifting the burden of trust from a big corp to "some guy." Be safe out there.
@helloimatapir · 7 months ago
Great video DT!
@Sim-rh4tj · 7 months ago
If they had been attacking Windows by joining MS they may have succeeded, and we'd never know.
@mattlebutter9162 · 7 months ago
And how exactly do you go about committing code against the Windows code base from your jiatan Gmail account over VPN?
@igorgiuseppe1862 · 7 months ago
No, because the employee didn't report the bug because Microsoft said he should; he reported it because he found it by accident.
@TNO821 · 7 months ago
lol. We have decades of Windows being the dominant OS for desktop computing and exactly zero backdoors have ever been found, despite being the biggest target by far. At a certain point we all need to keep score and be accountable. Nation states and hacking groups absolutely try to infiltrate Microsoft, yet it has never resulted in a backdoor making its way into Windows.
@mattlebutter9162 · 7 months ago
@TNO821 the NSA sat on EternalBlue for a while. Kaspersky has recently found a "bugdoor" on iOS using undocumented registers which highly looks like it at least needed Apple insider knowledge. So definitely not far-fetched to imagine that the NSA has done so in other places and it is just not public/leaked yet.
@fokthewef · 6 months ago
Most stupid thing said. Open source is always a danger. Just look at how this was discovered... If the person who created the exploit had done proper testing, I doubt this would have been found. The fact that it was found had nothing to do with the open source community. In fact the Linux community has become so involved in their own bs belief that Linux is super safe that an exploit can exist in Linux without anyone knowing. Grow up
@ottowedel711 · 7 months ago
Very interesting, man... I will try to show this to people... thanks DT
@Fojony1985 · 7 months ago
I'm moving to Windows after this. End.
@UltraZelda64 · 7 months ago
Put simply, they were targeting the Linux/systemd monoculture, which I'm starting to see as no better than the good ol' Windows and Mac monocultures. This news made me less concerned about XZ or SSH and more concerned about the Linux world's increasing reliance on systemd. Years ago people raised the alarm on systemd's sprawling nature, complaining about its overreaching in so many parts of the system far beyond just the init system. Now, it's literally almost everywhere in Linux; almost every Linux distro -is infected with- uses systemd... and it is effectively being used as the glue to open a backdoor from a compression library to SSH. I'll be keeping up with the news over the next several years for any similar exploits and especially be watching the systemd security news like a hawk. If this becomes a common theme, I'll be considering switching over to either a Linux distribution that doesn't use systemd, or some other OS like one of the BSDs. In the end, I agree that this is an overall win on the part of open source software, but it is still disturbing that this attack got as far as it did.
@TheYehat · 7 months ago
The good thing is that the whole situation will be used as a learning point. Yes, human nature is a weak spot in some cases, but the other side is that people learn and adapt. As for the comparison with the "good ol'" MS and Mac one can only wonder how many agencies have their backdoors well crafted and waiting there.
@minementalx · 7 months ago
I think that's the best reply I've read in a comment section about that topic. Mostly you see that this is a "W" for FOSS, but people don't want to talk about the root of the problem! And the nature of those comments is my biggest concern with Linux atm.
7 months ago
This isn't a "systemd problem", it's a social engineering attack. The project was created and maintained by a hobbyist, and the attacker exploited the fact that he was having personal problems to be able to "contribute" for at least two years, plenty of time to quietly insert a backdoor. There's no amount of FOSS philosophy and principles that can save you from that.
@MarkusHobelsberger · 7 months ago
There are still some non-SystemD distros out there. Heck, Distrowatch's long-time #1 entry MX doesn't use SystemD :) *written from an MX system*
@minementalx · 7 months ago
@ Of course every maintainer could be attacked like that. The question is which environment makes it easy to do. Maybe the systemd way is too big and complex and has too many weak spots? But I'm just a noob reading about it. :D
@justsomeguy8385 · 7 months ago
I sort of agree, but the open source nature of that package helped to facilitate this backdoor. You had some random person contributing to a project with no accountability and taking advantage of the good will of a burned out developer working for free. This is not an issue with something like Windows or macOS. That's not to say that those companies don't intentionally put in backdoors for the CIA and then have their developers sign an NDA or something, but it's very unlikely that something is just going to be snuck in past developers who have real accountability and actually care about their jobs at some big tech company with clout behind their name.
@bakters · 7 months ago
" *some random person contributing to a project with no accountability* " That's not correct. They had to *build trust* first, with a lot of concerted effort. Only then they were able to take over. " *not an issue with something like Windows or MacOS* " How do you know? There could be a dude working on the code, who sneaks stuff in. You are not trying to tell me, that employees never cheat on their employers, are you?
@Redmage913 · 7 months ago
Dave Plummer sneaked Microsoft Bob into WinXP activation. We never knew until he told the story!
@ザウアークラウトマン · 7 months ago
Have you ever looked into macOS/iOS security? There have been multiple cases of a vulnerability being submitted to Apple or released to the public with an exploit, and after it was supposedly fixed, the security researchers who found the vulnerability found out that with a few modifications their exploit still works! Even kernel exploits.
@justsomeguy8385 · 7 months ago
@bakters Building trust and having accountability are different things. There is clearly no accountability here.
@justsomeguy8385 · 7 months ago
@Redmage913 Assuming they used Git, there would have been accountability had someone found it, because Dave Plummer is a real identity.
@sekki2554 · 7 months ago
This happened because the source was open to everyone. Yes, in other scenarios you couldn't even tell if someone submitted this type of code, but in this case it really just happened because push access for an open source maintainer was permitted. This really didn't prove anything.
@RicardoGarciso-f3y · 7 months ago
Hi DT, thanks for your video. I do agree with your post. I find open source to be superior to proprietary on the fact that it can be subject to falsification (Popper), same as science; it's open to errors, failures, vulnerabilities... And I find proprietary to be inferior on the fact that it can't be tested and checked by independent observers... Open source can always be changed if proven wrong, so it's right until shown otherwise. Proprietary can't be changed outside their owners, so it can never be proven (objectively, openly) right.
@wolframio_ · 7 months ago
This is a clear case of "EL PUEBLO, UNIDO, JAMÁS SERÁ VENCIDO", which translates to: the people, united, will never be defeated. idk, just sayin' haha :3c.
@cenewton3221 · 7 months ago
I wonder if the individuals responsible have been identified, where they're from, and if they'll be held accountable. The argument for proprietary software is they would never have been able to get the malicious code into the software in the first place. I do think that's true, but I also believe the OSS model works effectively as well.
@tfergo · 7 months ago
Even though something is open-source doesn't mean people actually check things. The funny thing about XZ is that even if somebody had checked the source code they wouldn't have found anything, since it was in the make files.
@The1RandomFool · 7 months ago
The most interesting part to me is the years of social engineering and development put into this just to get caught immediately. I can't help but think if this were a closed source operating system this could have been hidden for far longer. Or already exists. What's ironic is someone from Microsoft found it, and parts of Windows are notoriously slow. Especially at my place of work.
@gottagowork · 7 months ago
As I saw someone mention elsewhere... Microsoft: xz utils spending 500ms - let's investigate. MS Teams taking 15 minutes to start - works as intended.
@raimg1816 · 7 months ago
Most fascinating is that no one actually praises the people who do all the hard work for projects like THIS, while everyone cares about the NEW release of some distro.
@laughingvampire7555 · 7 months ago
The guy works for Microsoft by day and works for Postgres by night, and his ssh connection was taking more resources than usual, so he explored that.
@laughingvampire7555 · 7 months ago
1. the details of the exploit are still in research because it was too convoluted. 2. open source isn't vulnerable, people is. 3. people is especially weak when they don't take care of themselves.
@timothyt.82 · 7 months ago
*people are
@yapdog · 7 months ago
Open source is "superior," huh? So...... did an open source coder find the problem?
@arkeynserhayn8370 · 3 months ago
Implied faulty causal relationship fallacy.
@htx80nerd · 7 months ago
Non-systemd distros having a big day in the sun.
@tostadorafuriosa69 · 7 months ago
well I meant the 5 which use them lmao
@htx80nerd · 7 months ago
@tostadorafuriosa69 MX Linux uses sysVinit by default.
@tostadorafuriosa69 · 7 months ago
@htx80nerd how many people use that?
@htx80nerd · 7 months ago
@tostadorafuriosa69 You're pretty far out of your element if you don't understand how popular MX Linux is.
@jamerivedeveloper3257 · 7 months ago
@tostadorafuriosa69 I use it. The speed you gain is ridiculous; also the robustness that comes with a small chunk of code doing exactly one job is the reason the detractors wanted to keep the UNIX way. The huge attack surface that systemd distros are gaining was proved with this incident. If systemd had just focused on only being an init, this would not have happened in the first place! >P
@timothyt.82 · 7 months ago
The more open a system is, the better, because: 1. It's easier to find exploits and issues, and 2. It's easier to fix the problem.
@laughingvampire7555 · 7 months ago
To me this is a plot by Microsoft trying to present themselves as good people for open source.
@cheako91155 · 7 months ago
This story surprises me... IMHO the people most likely to identify an issue like this are also the people least likely to be able to communicate effectively. Like this issue I've identified in the radv swapchain and the inability of Intel Arc to run new games like Starfield.
@rafa6536 · 7 months ago
I use Debian stable, really like it. Wanted Sid but I think I don't have enough knowledge yet, and can't afford breakage. Good that there are custom repos and flatpaks for those just a few apps I need to be at the current version. Before, I had Windows, and on the same hardware those apps are just way faster, I noticed.
@joshuamorancy4482 · 7 months ago
Hey DT, grateful for your videos brother. For your next video can you do a video on working with cron jobs? I love how you explain thoroughly different things on Linux as opposed to other YouTubers and would appreciate the vid if you could. Love
@ReaperX7 · 7 months ago
What we all should take away from this is this... Nefarious actors will attempt to get into any software project, open source or proprietary. It doesn't mean one is safer than the other, but it does mean we need to be more vigilant about how we treat code, both old code like X11 that is more in maintenance than actual development, as well as newer code like Wayland which has developers poring over it on a daily basis, and be more respectful towards the projects themselves to stop heckling developers about adding this and that feature as if we need it yesterday. We also should be more mindful of using patches that add functions to packages that weren't intended by the developers, such as the systemd dependency for OpenSSH, and take better care to reconsider if these patches are good, or a security risk inherently.
@igorgiuseppe1862 · 7 months ago
13:00 There is a big difference between knowing you are a guinea pig and choosing to be a guinea pig, and being used as a guinea pig by others so they don't have to deal with bugs and exploits like this. Should we discourage people from being one? No, we just need to make sure they understand what they are getting themselves into.
@MichaelWilliams-lr4mb · 7 months ago
This technically wasn't even in the source code. Binary code was inserted into the tarball. At least that's the way I understand the situation.
@Sunrise-d819i2 · 7 months ago
We should make a global pay pool to donate to each open source dev for each patch as a way to say thanks.
@JohnLamontanaro · 7 months ago
Exactly why I prefer GRUB over systemd
@fullsleevetats · 7 months ago
"Group of individuals" is now proving very likely to be the same individual, using multiple personas to try to push the XZ maintainer to hand over maintainership, so they could subvert it and thousands to millions of Linux machines. Can you imagine what would have happened if this wasn't caught for a month? For 6 months? Hundreds of millions of Linux devices could have been compromised.
@mattmill30 · 7 months ago
We never found out what happened to The Weavers of The Emperor's New Clothes
@djyotta · 7 months ago
Contributors: If you want a change upstream, open a PR. Maintainers: If the change is not acceptable, close it (or just comment as such). Contributors bear the burden of showing their work complies with project standards. Maintainers must reject all unsatisfactory change requests. They need not justify their refusal. If the contributor is pushy, the maintainer can remind them that the burden of work lies with the contributor, not the maintainer. Also, try to get independent review. Maintainers probably shouldn't be reviewing code. It's a conflict of interest (i.e., the maintainer may not want the extra work of rolling a release; conversely, they may want the change and so overlook sloppy code).
@laughingvampire7555 7 months ago
Well, as a developer let me tell you, this would never have lasted this long in a closed source project, because in every pull request there are peer reviews that check the code does what the ticket requires, nothing less, nothing more, and if you see those changes in the test you will question it. In closed source the only way to make this happen is if there is intention from the entire team.
@jonw 7 months ago
"Nation State" ding ding ding... I wonder which one, hmm.
@bigmikeobama5314 7 months ago
you got it!
@theperfectionist1607 7 months ago
CN
@PaulG.x 7 months ago
USA
@Broly_1 7 months ago
@@theperfectionist1607 Yes we both figured he was talking about Canada 😂
@exnihilonihilfit6316 7 months ago
He also asserted it's a group - a statement he can't substantiate. So, because at least a couple of usernames were used in the social engineering attack, it's a group of people? Critical thinking fail. Same situation with the "nation state" claim. Critical thinking fail. Midwit.
@tsilb 3 months ago
Everyone needs to re-watch this in the context of CrowdStrike.
@Batwam0 7 months ago
I'm curious, what is preventing Jia Tan from packaging software with his secret sauce and publishing all that on Flathub or the Snap Store? Is it because of the sandboxing?
@igorgiuseppe1862 7 months ago
9:28 to be fair, in proprietary software the developer would be paid to do this, so the burnout wouldn't be that great... or not, because proprietary software often just grabs some free software on the internet, repacks it with a different skin and pretends it's a different product.
@htx80nerd 7 months ago
Thanks DT
@nsr-ints 6 months ago
They really did professional gaslighting to infiltrate XZ. Wow. Just wow.
@RWBHere 7 months ago
Hang on. Back up a little: If a researcher at Microsoft found it, then it had to be out there already, likely for weeks. It must be on countless devices already. Sure, it has been patched by now, but how many users update their software daily? Many computers are only turned on occasionally, and updated even less frequently. (I have a number of computers around here which haven't been used for days, weeks, and, in the case of two devices, several months.) It'll be around on some computers for a very long time.
@MaartenT 7 months ago
The Microsoft dev used Debian SID (the unstable testing branch of Debian) for his testing. He noticed in his benchmarks that logging into SSH took about a second instead of the normal 0.2 seconds, which made him try and find out why that was the case. It was in the normal testing Debian repos as well as in a bunch of other testing repos (Fedora 40 and 41, I am sure others as well), but not on any of the stable releases yet, although it was a close one for Debian I believe, which was supposed to release in a couple of weeks. The main thing is that servers typically don't use those testing releases for obvious reasons. It was also in a couple of rolling releases (Arch, openSUSE Tumbleweed, ...), but they quickly patched it after it was found out. There are only a handful of rolling release distros that had this in their repos, and people using those or the testing branches tend to update more often (why would you otherwise use a rolling release distro?). But yes, some of those rolling releases had the backdoored xz package for a couple of weeks before it got found out. It's less of an issue on those though, the Arch openssh isn't linked to the correct package (not sure about openSUSE) and people are less likely to log into ssh on their desktop machines where these rolling releases are generally used. To be clear, I am NOT saying this isn't an issue, it clearly is, but all in all it was dealt with without too many problems. I don't think they could have used their exploit for too many things, it was clearly meant to be rolled out on server machines. But it could have been way worse if that Microsoft dev hadn't stumbled upon it by accident. Not a lot of people would have actually tried to find the root cause of why logging into SSH took about a second longer than usual.
@snooks5607 7 months ago
@@MaartenT and even if it had gotten to stable they probably wouldn't have started popping everyone's boxes because they would've been discovered that much quicker, they likely had some specific government/industry targets in mind (and if they had tried to infiltrate everything I wonder how many places could they have actually even reached, most debian/fedora boxes are sitting inside networks that if they even have internet facing ssh it's usually a router or bastion host running a stripped down non-desktop grade OS)
@kristofru 7 months ago
I think that some people might think that Linux has become too important to remain free and open source, and they may be right. Linux would have to be forked.
@djyotta 7 months ago
I refuse to use GitHub because it's not open. I don't want all my code hosted on a "platform" that may dictate to me what content I put on it. I therefore host my own services (e.g. Gogs) on my own hardware. Can't even trust cloud infrastructure since what AWS did to Parler.
@exnihilonihilfit6316 7 months ago
My condolences.
@mattlebutter9162 7 months ago
Sorry but I think you are wrong: it definitely got inserted because of Linux being open-source. However, it got busted NOT because Linux is open-source but because a dev investigated perf issues.
@Cyanwasserstoff 7 months ago
But he could only investigate the problem because the *tar file contained open code. If he had to deal with a binary instead, he would not be able to look into it. He would most likely never have discovered the cause.
@mattlebutter9162 7 months ago
@@Cyanwasserstoff you are partially right: that made it much easier to pull the thread and see clearly who did what and how. BUT once there is a suspicion that something is dodgy with a library or a binary, it's only a matter of time before someone reverse engineers it, cf. the Apple bugdoor a few months ago, discovered by Kaspersky.
@Cyanwasserstoff 7 months ago
@@mattlebutter9162 Reverse engineering is not simple, and not having the program's base code available makes the process way more time- and human-resource-intensive. We can already picture how long the nouveau team struggled to reverse engineer the drivers for Nvidia cards. We are talking about years, and without the change from Nvidia to partly open-source, the open-source driver would never even come slightly close to the proprietary one, despite the enormous effort of reverse engineering.
@snooks5607 7 months ago
15:15 huh? I'm no corporate fanboy and yeah they have telemetry and that dictionary helper thing that sends keyboard input to them which could be considered a "keylogger" etc., but they admit to all of that. I actually doubt they have surreptitious spyware features, because imagine the shit storm if some reverse engineer actually located a provably malicious built-in feature that's spying on every Windows user including government workers etc.? Especially since MS anyway has a proprietary distribution channel to just push anything on specific users they or the spooks want to spy on.. could just mask it as a 3rd party driver update for some deniability, why risk ruining everything by hiding spyware in the default install? Automated updates are the future-proof backdoor for any OS.
@darknetworld 7 months ago
Yeah, there is a video about the Windows OS having spyware that links to third parties. Back in the old days that did not happen; only lately there was a change. Same with the VSCode editor. Although it is open source, they are still collecting data. Another thing is the next thing might be A.I. spyware like those GPTs. As we have seen in the news that leaked from big tech, people are trying it out.
@locatemarbles 7 months ago
Too much code for too few maintainers. In the chronically underfunded foss space minimalism is not a choice, it is a necessity. Otherwise it can't grow and scale safely.
@dyvel 7 months ago
Any Chinese, Russian or Iranian country would be interested in planting that backdoor. Not to talk about the United States.
@m.7567 7 months ago
I finally gave up on Manjaro after the window manager just stopped working for the second time in a year. Decades-long Linux user and I couldn't figure out what's wrong. Tried so many distros, none of them work well on a 4090. Probably because Linux devs are poor and can't afford it. Maybe Ubuntu 24.04 will work.
@htx80nerd 7 months ago
Obsessed techs make the world go round. Lazy techs make the world the worst place.
@wyfyj 7 months ago
Gentoo is rolling release and stable
@adjbutler 7 months ago
There are governments that run Linux.... do you think they don't have people reviewing the security of Linux every day?
@Ad3ptwastaken 7 months ago
Hey, when I use your dotfiles with i3, polybar doesn't appear and/or work.
@mattheww797 7 months ago
Is there a way to scan for the vulnerability?
@exnihilonihilfit6316 7 months ago
Just check your version: xz --version. Affected are only versions 5.6.0 and 5.6.1 (_NOT_ 5.6.1-2 and 5.6.1-3, though).
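The version check in the reply above, written out as an added example (this is not code from the video or from any commenter): a POSIX shell script that parses the first line of xz --version for the two affected upstream releases named in the thread, and additionally checks whether the sshd binary links liblzma at all, which is what the earlier remark about Arch's openssh refers to. It assumes ldd is available for the link check; distro package revisions such as 5.6.1-2 are not visible in xz --version and have to be confirmed with the package manager.

```shell
#!/bin/sh
# Added example, not code from the video or from any commenter. It checks the
# two things the thread mentions: whether the installed xz reports 5.6.0 or
# 5.6.1 (the affected upstream releases; the 5.6.1-2 / 5.6.1-3 distro
# rebuilds are only distinguishable by package revision), and whether the
# sshd binary links liblzma at all (the precondition the Arch remark refers to).

# Return 0 when the first line of `xz --version` names 5.6.0 or 5.6.1.
xz_version_affected() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^xz (XZ Utils) \([0-9][0-9.]*\).*/\1/p')
    case "$ver" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 when ldd output lists liblzma among the shared objects loaded.
sshd_links_liblzma() {
    printf '%s\n' "$1" | grep -q 'liblzma\.so'
}

# Live report for this host; each check runs only when its tool is present.
report() {
    if command -v xz >/dev/null 2>&1; then
        first=$(xz --version 2>/dev/null | head -n 1)
        if xz_version_affected "$first"; then
            echo "WARNING: '$first' is an affected release; confirm the distro package revision"
        else
            echo "xz not in the affected set: '$first'"
        fi
    else
        echo "xz not installed"
    fi
    sshd=$(command -v sshd 2>/dev/null || echo /usr/sbin/sshd)
    if [ -x "$sshd" ] && command -v ldd >/dev/null 2>&1; then
        if sshd_links_liblzma "$(ldd "$sshd" 2>/dev/null)"; then
            echo "sshd links liblzma: $sshd"
        else
            echo "sshd does not link liblzma: $sshd"
        fi
    else
        echo "sshd or ldd not found; skipping link check"
    fi
}

report
```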
@adjbutler 7 months ago
I can confirm it didn't work on NixOS
@lian_drake 7 months ago
Well, PostgreSQL isn't a Microsoft product, it's an open source database engine
@yeabuddy1610 7 months ago
Was surprised to hear DT call it Microsoft's product. They already own T-SQL which is used by default with MS SQL Server.
@lian_drake 7 months ago
@@yeabuddy1610 Isn't T-SQL just the SQL language implementation for the SQL Server database engine? PostgreSQL isn't that.
@Danielddiniz 7 months ago
Great point on how many backdoors might exist in closed source software like M$ Windows and macOS, even some that can be mandated by some government. With open source software, it's like our countries' constitutions: "All the power belongs to the people!"
@musashimiyamoto9035 7 months ago
Based DT.
@MerkDolf 7 months ago
The more you challenge people that your house is invasion proof, the more people will try to prove you wrong.
@CEOofGameDev 7 months ago
Exploit takes 2 years to be implemented, gets shut down in about 3 months. That's all you need to know, really...
@trp225 7 months ago
With closed sourced code, maybe you can look at the code but it is not legal to do so. Only open source is legal...
@Mtylgd 7 months ago
Thanks Microsoft!
@mrcomment6035 7 months ago
This Microsoft employee is the modern Robin Hood. He takes money from the rich and helps the poor (free) 🤭
@CTimmerman 6 months ago
So you're saying the XZ exploit could happen at the place that discovered the exploit because their devs have enough freedom to develop themselves and the community?
@noam65 7 months ago
Linux development is far too fast paced for its own good.
@progste 7 months ago
Meanwhile windows users laughing with their personal NSA buddy!
@hamdi-kadri 7 months ago
The same type of backdoor in proprietary software would have taken years to be found, if ever!
@steves9250 7 months ago
If it happened in proprietary software it could still have been found, but in this case being open source made it a lot easier to analyse and get more eyeballs onto it
@bikrammahato6528 7 months ago
Hey DT, make a video about GPU passthrough in QEMU.
@TomTrval 7 months ago
open source != community developed
@robertmaxa6631 7 months ago
Debian stable wasn't affected.
@hiru92 7 months ago
I got the 5.6.1-2 patch in a few hours on Arch.
@MarkusHobelsberger 7 months ago
There should be 5.6.1-3 available already :)
@kristofru 7 months ago
This is not about open vs closed source software. Linux won the OS war a long time ago.
@PaulG.x 7 months ago
And that nation could be the USA
@j03y__ 7 months ago
I vote nation state
@Paul_I_S 7 months ago
👍
@TheYehat 7 months ago
What are the odds MS employee "found" this by chance? Because it is really a rare pick based on what he published. Strange, strange coincidences.
@Winnetou17 7 months ago
From outside, that's a reasonable take to have. If you dig deeper, it seems to be highly unlikely. Most of the people covering the story didn't even mention that the guy was from Microsoft.
@TheYehat 7 months ago
@@Winnetou17 True, not to mention most "techies" covering the story are blind to the fact that an MS employee found this on MS-owned GitHub. Now everyone's obliged to thank MS for saving the day.
7 months ago
The "Microsoft employee" is a PostgreSQL dev, who uses SSH daily. His name is Andres Freund; the info on him is publicly available, as is the info on how the backdoor works. If you noticed that software that you use every single day was suddenly slower for no apparent reason, and in your job security is very important, wouldn't you wonder why it is happening?
@Music-wu5de 7 months ago
Odds better than an open source committer found it you mean? Lol........