XZ Exploits Prove Open Source Software Is Superior (And Also Vulnerable)

19,445 views

DistroTube


1 day ago

Comments: 288
@OpenBASED 8 months ago
As a Debian stable user I'd like to thank all the rolling guinea pigs out there!
@spicynoodle7419 8 months ago
Except this exploit was discovered on Debian. I don't think Microsoft would use Debian Unstable on their servers. You aren't safe. Meanwhile, the exploit didn't even work on Arch because their ssh isn't compiled with XZ support
@OpenBASED 8 months ago
@spicynoodle7419 I was referring to 11:21
@keenancarey7041 8 months ago
You are very welcome XD
@BunnyKhatri-pd8zm 8 months ago
@spicynoodle7419 Why so serious?
@MarkusHobelsberger 8 months ago
@spicynoodle7419 It was discovered on Debian Sid, not Stable. t. a fellow Debian Stable user
@ЮрийПронин-ч8ь 8 months ago
Just wanted to express my great respect and gratitude to all the contributors of Open Source Software. You people are amongst humanity's best. We are lucky that you do exist.
@fabienmargerie6815 8 months ago
A big thanks, bro, the Linux community is the best. Another big thanks to all the people who contribute to Linux and its ecosystem.
@whirl89 8 months ago
It got caught by sheer luck by one guy; no one else even gave it a thought. If anything, this shows how vulnerable any open source software is to malicious interference. Edit: I read some really good, reasonable replies and I can only admit you're right: with open source, serious exploits like this have a higher chance to be discovered than with closed source.
@Music-wu5de 8 months ago
I always find it funny that Americans pronounce it as "open sores".
@alexschexnayder8624 8 months ago
Mmmm. I think this is one of those cases where it's a "both-and" situation that people will try to paint as being more one or the other depending on their particular axe to grind.
@whirl89 8 months ago
@alexschexnayder8624 You're right; at least in open source we have the chance for peer review, whereas with closed source the companies can put in back doors willy-nilly.
@snooks5607 8 months ago
I wouldn't call it sheer luck, since he was specifically in the process of testing and looking at execution times, and how lucky would you have to be to discover this in a closed source project? How many eyes are looking at individual lines of proprietary source code before it ships, especially if you're not a multi-trillion dollar company and have deadlines? (edit: to expand, I mean the trillion dollar players know there's industrial espionage/sabotage going on and they can't fully trust their workforce; MS has 152,000 employees in their tech divisions, so they have processes in place to deal with the risks. But having spent 25 years in various small/mid-range software shops, I can tell you they don't have the resources, inclination or skillset to guard against this level of infiltration, and their software is also not going to be in use by the trillion dollar companies, so they don't get testing from them, unlike the core open source projects that will, like in this case.)
@terrydaktyllus1320 8 months ago
A kid is playing in the road. You are driving your car down that road. I am standing by the road. The kid was not run over. Why? a) Because you braked in time, or b) Because I scooped the kid off the road in time. Answer: it doesn't matter, the kid survived. If the kid died, how it got killed would matter. Therefore how the exploit above was discovered doesn't matter. It was discovered before being used. Cyber-security worked. Deal with it.
@kpcraftster6580 8 months ago
Discovered because the m$ guy noticed that the ssh connection took too many cpu cycles. Something which hardly anyone would bother to follow up and investigate, even if they noticed it. That's some real diligence and curiosity, right there.
@milohoffman274 8 months ago
Turns out, having a large parent project called "GNU", which develops all the little utilities, libraries, and programs that would not be worthy of much support if they were all separate individual projects makes lots of sense. Once again, RMS was right.
@BPL-Whipster 7 months ago
He is often right in technical matters.
@datanerdene 7 months ago
It's a bit weird to claim that Windows's source code isn't audited. Of course they have people working on that. And the weakness they tried to use here could probably not happen with Windows, because a burned-out person would be fired or retired. And the fact that this was discovered randomly is not really a good argument in favor of open source. 😅
@Music-wu5de 7 months ago
The other thing to note is that Windows is not "closed source" but "shared source" (for business partners, educational researchers, etc.), so it isn't like there aren't many eyes on the Windows sources.
@wernersmidt3298 7 months ago
It's not audited by users.
@TheDotBot 8 months ago
Unfortunately there's nothing unusual about people trying to bully maintainers into giving up their packages. I've had that, and I know the guy doing it was attacking lots of others. I told him to fork it or get lost and he gave up, eventually. I have absolutely no idea why they do this... why the need to hustle more work for no personal gain? What's the point?
@kpcraftster6580 8 months ago
"I told him to fork it or get lost" That is the correct response. Much better than just handing over the project to some strangers, for sure.
@electronicsacademy2D2E29 8 months ago
Human beings being the back door... well said.
@soulstenance 8 months ago
Breaks my heart, really. We need to do better as a community to make sure this can't happen... 🥺🙏
@NdxtremePro 8 months ago
@soulstenance I am not sure that is really the issue. As Jonathan Blow pointed out years ago, there are governments that hire people to do this type of thing full time as their job. Once you see it, you can ignore it, but you can't unsee it.
@soulstenance 8 months ago
@NdxtremePro I am sure this is a multi-part issue. But social engineering/APT played a pretty big role from my understanding.
@NdxtremePro 8 months ago
@soulstenance I'm sorry? Are you agreeing with me or disagreeing? Social engineering is one of several tools used in this case; what I alluded to was Blow's hypothesis of many such actors without us knowing about them and no way to pinpoint them accurately. It doesn't matter what tools they use to get the job done; that is incidental to the point.
@soulstenance 8 months ago
@NdxtremePro I agree that the attack was very complex but still stand by my statement that we, as a community, need to do better and support our hardworking devs wherever we can. And I include myself in that.
@hariharanjayashankar8932 5 months ago
The thing is, open source allows everyone to check code like this. But it also allows malicious users to just as easily inject backdoors and such.
@noderunner_ 7 months ago
Thanks for this balanced take. We as a community need to use this as a learning opportunity to harden our security instead of spreading fear over this backdoor that was so limited it probably didn't even get hit once in the wild.
@exnihilonihilfit6316 7 months ago
Balanced... OK, if that's your term for "ignorant". We'd not only not heard of such an attack on Windows, it couldn't have happened (not that there aren't _other_ possible issues, like government-enforced backdoors). This person in the video above makes assertions he cannot even begin to substantiate. That would require actual expert knowledge and investigation of the processes in both environments (OSS & Microsoft). The Midwit's YouTuber. edit: He also asserted it's a group, another statement he can't substantiate. So, because at least a couple of usernames were used in the social engineering attack, it's a group of people? Critical thinking fail. Same situation with the "nation state" claim. Critical thinking fail, again. As stated before, Midwit's YouTuber.
@brians7100 7 months ago
“you wouldn’t be allowed to look at the code” you also wouldn’t be allowed to edit the code…
@AndreaBorman 8 months ago
This is very worrying. It happens all the time on Windows. I was always told to use an antivirus program on Windows but I never did. I used Windows XP, Windows Vista and 7 and I never got any computer virus. I changed to Linux two years ago because I didn't want to upgrade to the horrible Windows 10 and 11. You don't expect this to happen on Linux and I was very worried when I heard about this. Though it said that the LTS versions of Ubuntu and stable versions of Debian are not affected. There are antivirus programs and firewalls for Linux. I don't use either. Though if things get very bad like it is on Windows, maybe we will have to consider using them on Linux.
@flow5718 8 months ago
I watch your videos and appreciate them, but have to respectfully disagree on this. Windows uses proprietary code that has official backdoors for the USG and plain old bugs that are exploited by hackers. What Windows does not have are unofficial malicious backdoors added by random dudes on the internet. OTOH, Linux and OSS have bugs that are exploited by hackers and backdoors added by random dudes on the internet. You gotta pick your poison.
@IvanIvanov-nn9os 8 months ago
You should absolutely expect it to happen with FOSS software, as with any other software, and no surprise, it happens. The key here is transparency and how a decentralised community deals with it.
@Starchface 8 months ago
Indeed. I have never installed antivirus software on any of my machines, nor have they had any incidence of malware or infections, as far as I know! You can always argue that I could be ignorant of it, but prove it please. Being "safe" in this context depends much more on behavior than on OS or antivirus applications. I don't click anything in an e-mail or load the images for that matter. If I have a link to some web site, I paste it in, inspect the domain to make sure it is what it is supposed to be, and edit out any unnecessary part of the link (which is often the majority). These and many other things do introduce minor inconvenience for me, but make it far safer. The machines of my friends/family are absolute disaster zones almost without exception. Many think the internet is like a glorified TV service, clicking everything in sight for laughs and giggles. I've given up trying to explain. Format and reinstall when the machine freezes solid is the play.
@bakters 8 months ago
" *Ubuntu and stable versions of Debian are not affected* " Even if they were affected, the fix would have been written very quickly. If you apply security fixes with any regularity, you'd be fine. The open source model, in general, is a difficult environment for hacks and exploits. Yes, you can see the code and use this knowledge to write malicious software, but then the "shelf life" of the said exploit can be quite short, since open source relies on code, not on binary compatibility. The end result is that even if you get a library full of known Linux viruses, it's really hard to make them run. Why, in this particular case they expended a lot of effort before they were able to take over the project, then they were caught before anything bad happened. Yes, people can be evil and not very wise, so stuff like that might happen again. Such is life. But it's very unlikely to turn into the Windows disaster scenario. Go for hardened security Linux systems, if you are really worried.
@shutdowncnn6086 8 months ago
I used Windows for years. Started using Linux back in the mid 1990's (RedHat and Caldera) to learn more about the Linux way of doing things. After Windows 7, that was the final straw for me. Linux takes more time to learn, so take notes on installs, fixes, maintenance procedures and eventually you will find your Linux system will have flawless run times measured in years. These days I play around running Gentoo and LFS when I have the time.
@agostinhomatos321 7 months ago
Just because other people cannot look into closed software doesn't mean open software is more secure. I don't see any major closed software company like Microsoft, Apple, Google, etc., doing anything similar to the XZ exploit; they may be accused of keeping private information for their own use, but not what happened recently to open source. As the video states, software developers are burned out and underpaid, so no company in open source software will ever be viable for serious problems related to security that may occur with their software users, which in other words means: use at your own risk.
@agostinhomatos321 7 months ago
"It was mostly due to "unreasonable luck" that Microsoft developer Andres Freund discovered it. He reposted on Mastodon the following words by Damien Miller: This is the nearest of near-misses. Anyone who suggests this was any kind of success is a fool. No system caught this, it was luck and individual heroics. That's not acceptable when unauthorised access to ~every server on the internet is on the table. We need to find a way to do better."
@mrpix3011 8 months ago
This is about communities. Healthy communities do exactly that: spotting and exposing the issue.
@fingon6294 8 months ago
In theory, yeah, it's open source; it can have many eyeballs on it. But, in practice, how many people are auditing it? Especially if it's some obscure package. The main purpose of the maintainers (package maintainers) is to package the stuff; they may be able to throw a glance at the source code, but are they doing an extensive security audit? I highly doubt that. Sure, some distros have dedicated security teams, but is that sufficient? Are they auditing the code of the packages? Again, I doubt that. Look at the Arch security team; it has eight people in it and they are unpaid volunteers. It's a lot of work. We, the Linux users, rely too much on good faith. We rely too much on the premise that someone is constantly checking the source code line by line.
@milohoffman274 8 months ago
Companies like google etc do VERY extensive automated checking on every line of source code used in most Linux distributions. This whole thing was an attempt to get by all the checking done on Linux source code. They knew if they put a backdoor in the actual source it would immediately be flagged by many places, that is why they had to use a binary in the testing system only.
@soulstenance 8 months ago
The point is that you can. You have the choice to look at it! A lot of us (myself included) need to stop _talking_ and start _doing._ So you don't know code - big whoop, contribute in other ways, if you can, like donating to projects you enjoy or opening issues if they arise. The "Yeah, but" mentality won't solve anything, and neither will proprietary software.
@Music-wu5de 8 months ago
@milohoffman274 That hasn't been true historically (Heartbleed, etc.) but if you want to continue believing that has changed, well ....
@milohoffman274 8 months ago
@Music-wu5de Heartbleed was a decade ago; the tooling is much more advanced now.
@tylerdean980 8 months ago
If this is a concern for you, move to OpenBSD. They do actually check all the code line by line. But that level of paranoia isn't required for most people.
@oliverli9630 8 months ago
100%!!! The funny thing is that the Microsoft engineer was interested in helping. Never mind whether he did this for more fame or to boost his status; open source software attracted him to come and help.
@MarkusHobelsberger 8 months ago
The thing is - if I was him, I'd have reported this anonymously. While the fame might be a nice feeling this probably has not only made him friends :X
@snooks5607 8 months ago
It wasn't some hobby thing; he's paid to do benchmarking and optimizing Postgres for Microsoft's Azure cloud. He just noticed the numbers were off after updates.
@IvanIvanov-nn9os 8 months ago
I don't see a conflict here. Probably, most free software developers are corporate developers during their salaried/waged hours, and in fact this is great.
@occultsupport 8 months ago
I'll install Linux on an unsuspecting Windows user's laptop for every 10 likes. Edit: First victim is my own mother. The Linux spares no one. She just surfs the web. I have installed Linux Mint and have themed it a bit so that it looks like Windows. Let's see if she notices. Victim 2: My dad has an old laptop. No one uses it. I should've installed Linux on it a long time ago, but I'm gonna do it rn. I'm installing Arch on it.
@mzakyr342 8 months ago
Let's go
@nickwatchesyoutube 8 months ago
I will only like if you leave a note on each one telling them how to boot into Linux
@occultsupport 8 months ago
@nickwatchesyoutube I'll be installing something beginner friendly. They won't even notice
@mzakyr342 8 months ago
@occultsupport wubuntu
@t.crow9531 8 months ago
Tell us more after 2 weeks, if she noticed anything lol
@Spootiful 7 months ago
They probably wouldn't have used it for something stupid as a botnet, but probably aimed for system and web access. You'd literally be able to steal whatever files and e-mails you wanted, provided you did it stealthily enough.
@what-about-bob 8 months ago
This attack was sophisticated in its use of social engineering. Ever heard of "good cop, bad cop"? It's an interrogation and manipulation technique where the bad cop applies pressure whilst the (not really) "good" cop offers "help". This was definitely a team and, by use of that technique, most likely state sponsored.
@helloimatapir 8 months ago
Great video DT!
@redname 8 months ago
The most bizarre part of it was that a Microsoft guy discovered the issue.
@ikhlasulkamal5245 8 months ago
Imagine reporting to a proprietary software company that their product has a half-second delay compared to the previous version; would they even consider looking at it? It needs an absolute Giga Chad move to check their own software source code because of a slight delay. If the software is proprietary, then the Giga Chad can't even do anything besides reporting and hoping that the proprietary company is also a Giga Chad company.
@AM-yk5yd 8 months ago
> Imagine reporting to a proprietary software company that their product has a half-second delay compared to the previous version; would they even consider looking at it? Now consider that the exploit was developed by an insider. So even if the company considers it, it will be the author of the exploit fixing the issue.
@jsnjyn 8 months ago
Remember kids, if you don't read and understand the code, you're just shifting the burden of trust from a big corp to "some guy." Be safe out there.
@ottowedel711 7 months ago
Very interesting, man.... I will try to show this to people.... thanks DT
@jamerivedeveloper3257 7 months ago
I've been an Artix user for years now, and as a rolling release user I have found a bunch of things that just don't work as intended, and I found myself contributing in some way although I'm not involved in the development. As you said, discovering bugs is as important as correcting them, because some of them are found just by sheer luck almost always. I know devs really appreciate the feedback when it's mostly done with kindness and enthusiasm.
@Fojony1985 7 months ago
I'm moving to Windows after this. End.
@sekki2554 8 months ago
This happened because the source was open to everyone. Yes, in other scenarios you couldn't even tell if someone submitted this type of code, but in this case it really just happened because push access to an open source maintainer was permitted. This really didn't prove anything.
@justsomeguy8385 8 months ago
I sort of agree, but the open source nature of that package helped to facilitate this backdoor. You had some random person contributing to a project with no accountability and taking advantage of the good will of a burned-out developer working for free. This is not an issue with something like Windows or MacOS. That's not to say that those companies don't intentionally put in backdoors for the CIA and then have their developers sign an NDA or something, but it's very unlikely that something is just going to be snuck in past developers who have real accountability and actually care about their jobs at some big tech company with clout behind their name.
@bakters 8 months ago
" *some random person contributing to a project with no accountability* " That's not correct. They had to *build trust* first, with a lot of concerted effort. Only then they were able to take over. " *not an issue with something like Windows or MacOS* " How do you know? There could be a dude working on the code, who sneaks stuff in. You are not trying to tell me, that employees never cheat on their employers, are you?
@Redmage913 8 months ago
Dave Plummer sneaked Microsoft Bob into WinXP activation. We never knew until he told the story!
@ザウアークラウトマン 8 months ago
Have you ever looked into macOS/iOS security? There have been multiple cases of a vulnerability being submitted to Apple or released to the public with an exploit, and after it was supposedly fixed, the security researchers who found the vulnerability found out that with a few modifications their exploit still works! Even kernel exploits.
@justsomeguy8385 7 months ago
@bakters Building trust and having accountability are different things. There is clearly no accountability here.
@justsomeguy8385 7 months ago
@Redmage913 Assuming they used Git, there would have been accountability had someone found it, because Dave Plummer is a real identity.
@Sim-rh4tj 8 months ago
If they had been attacking Windows by joining MS they may have succeeded, and we'd never know.
@mattlebutter9162 7 months ago
And how exactly do you go about committing code against the Windows code base from your jiatan gmail account over VPN?
@igorgiuseppe1862 7 months ago
No, because the employee didn't report the bug because Microsoft said he should; he reported it because he found it by accident.
@TNO821 7 months ago
lol. We have decades of Windows being the dominant OS for desktop computing and exactly zero backdoors have ever been found, despite being the biggest target by far. At a certain point we all need to keep score and be accountable. Nation states and hacking groups absolutely try to infiltrate Microsoft, yet it has never resulted in a backdoor making its way into Windows.
@mattlebutter9162 7 months ago
@TNO821 The NSA sat on EternalBlue for a while. Kaspersky has recently found a "bugdoor" on iOS using undocumented registers which very much looks like it at least needed Apple insider knowledge. So it is definitely not far-fetched to imagine that the NSA has done so in other places and it is just not public/leaked yet.
@fokthewef 7 months ago
Most stupid thing said. Open source is always a danger. Just look at how this was discovered.. if the person who created the exploit had done proper testing, I doubt this would have been found. The fact that it was found had nothing to do with the open source community. In fact, the Linux community has become so involved in their own bs belief that Linux is super safe that an exploit can exist in Linux without anyone knowing. Grow up.
@RicardoGarciso-f3y 8 months ago
Hi DT, thanks for your video. I do agree with your post. I find open source to be superior to proprietary on the fact that it can be subject to falsification (Popper), same as science; it's open to errors, failures, vulnerabilities... And I find proprietary to be inferior on the fact that it can't be tested and checked by independent observers... Open source can always be changed if proven wrong, so it's right until shown otherwise. Proprietary can't be changed outside their owners, so it can never be proven (objectively, openly) right.
@UltraZelda64 8 months ago
Put simply, they were targeting the Linux/systemd monoculture, which I'm starting to see as no better than the good ol' Windows and Mac monocultures. This news made me less concerned about XZ or SSH and more concerned about the Linux world's increasing reliance on systemd. Years ago people raised the alarm on systemd's sprawling nature, complaining about its overreaching in so many parts of the system far beyond just the init system. Now, it's literally almost everywhere in Linux, almost every Linux distro -is infected with- uses systemd... and it is effectively being used as the glue to open a backdoor from a compression library to SSH. I'll be keeping up with the news over the next several years for any similar exploits and especially be watching the systemd security news like a hawk. If this becomes a common theme, I'll be considering switching over to either a Linux distribution that doesn't use systemd, or some other OS like one of the BSDs. In the end, I agree that this is an overall win on the part of open source software, but it is still disturbing that this attack got as far as it did get.
@TheYehat 8 months ago
The good thing is that the whole situation will be used as a learning point. Yes, human nature is a weak spot in some cases, but the other side is that people learn and adapt. As for the comparison with the "good ol'" MS and Mac one can only wonder how many agencies have their backdoors well crafted and waiting there.
@minementalx 8 months ago
I think that's the best reply I've read in a comment section about that topic. Mostly you see that this is a "W" for FOSS, but people don't want to talk about the root of the problem! And the nature of those comments is my biggest concern with Linux atm.
8 months ago
This isn't a "systemd problem", it's a social engineering attack. The project was created and maintained by a hobbyist, and the attacker exploited the fact that he was having personal problems to be able to "contribute" for at least two years, plenty of time to quietly insert a backdoor. There's no amount of FOSS philosophy and principles that can save you from that.
@MarkusHobelsberger 8 months ago
There are still some non-SystemD distros out there. Heck, Distrowatch's long-time #1 entry MX doesn't use SystemD :) *written from an MX system*
@minementalx 8 months ago
@ Of course every maintainer could be attacked like that. The question is which environment makes it easy to do. Maybe the systemd way is too big and complex and has too many weak spots? But I'm just a noob reading about it. :D
@cenewton3221 7 months ago
I wonder if the individuals responsible have been identified, where they're from, and if they'll be held accountable. The argument for proprietary software is they would never have been able to get the malicious code into the software in the first place. I do think that's true, but I also believe the OSS model works effectively as well.
@tfergo 7 months ago
Even though something is open source doesn't mean people actually check things. The funny thing about XZ is that even if somebody checked the source code they wouldn't have found anything, since it was in the make files.
@htx80nerd 8 months ago
Thanks DT
@wolframio_ 8 months ago
This is a clear case of "EL PUEBLO, UNIDO, JAMÁS SERÁ VENCIDO", which translates to: the people, united, will never be defeated. idk, just sayin' haha :3c.
@laughingvampire7555 8 months ago
The guy works for Microsoft by day and works for Postgres by night, and his ssh connection was taking more resources than usual, so he explored that.
@timothyt.82 8 months ago
The more open a system is, the better, because: 1. It's easier to find exploits and issues, and 2. It's easier to fix the problem.
@raimg1816 7 months ago
Most fascinating is that no one actually praises the people who do all the hard work for projects like THIS, while everyone cares about the NEW release of some distro.
@MichaelWilliams-lr4mb 8 months ago
This technically wasn't even in the source code. Binary code was inserted into the tarball. At least that's the way I understand the situation.
@htx80nerd 8 months ago
Non-systemd distros having a big day in the sun.
@tostadorafuriosa69 8 months ago
Well, I meant the 5 who use them lmao
@htx80nerd 7 months ago
@tostadorafuriosa69 MX Linux uses sysVinit by default.
@tostadorafuriosa69 7 months ago
@htx80nerd How many people use that?
@htx80nerd 7 months ago
@tostadorafuriosa69 You're pretty far out of your element if you don't understand how popular MX Linux is.
@jamerivedeveloper3257 7 months ago
@tostadorafuriosa69 I use it. The speed you gain is ridiculous; also, the robustness that comes with a small chunk of code doing exactly one job is the reason the detractors wanted to keep the UNIX way. The huge attack surface that systemd distros are gaining was proven with this incident. If systemd just focused on only being an init, this would not have happened in the first place! >P
@ReaperX7 7 months ago
What we all should take away from this is this... Nefarious actors will attempt to get into any software project, open source or proprietary. It doesn't mean one is safer than the other, but it does mean we need to be more vigilant about how we treat code, both old code like X11 that is more in maintenance than actual development, as well as newer code like Wayland which has developers poring over it on a daily basis, and be more respectful towards the projects themselves: stop heckling developers about adding this and that feature as if we need it yesterday. We also should be more mindful of using patches that add functions to packages that weren't intended by the developers, such as the systemd dependency for OpenSSH, and take better care to reconsider if these patches are good, or a security risk inherently.
@Batwam0 8 months ago
I’m curious, what is preventing Jia Tan from packaging software with his secret sauce and publish all that on flathub or the snap store? Is it because of the sandboxing?
@Ad3ptwastaken 7 months ago
Hey, when I use your dotfiles with i3, polybar doesn't appear and/or work
@yapdog 7 months ago
Open source is "superior," huh? So...... did an open source coder find the problem?
@arkeynserhayn8370 4 months ago
Implied Faulty causal relationship fallacy.
@rafa6536 8 months ago
I use Debian stable, really like it. Wanted SID but I think I don't have enough knowledge yet, and can't afford breakage. Good that there are custom repos and flatpaks for those just a few apps I need to be at current version. Before I had Windows and on the same hardware those apps are just way faster I noticed.
@joshuamorancy4482 8 months ago
Hey DT, grateful for your videos, brother. For your next video can you do a video on working with cron jobs? I love how you explain thoroughly different things on Linux as opposed to other YouTubers and would appreciate the vid if you could. Love
@laughingvampire7555 8 months ago
1. the details of the exploit are still in research because it was too convoluted. 2. open source isn't vulnerable, people is. 3. people is especially weak when they don't take care of themselves.
@timothyt.82
@timothyt.82 8 months ago
*people are
@mattmill30
@mattmill30 8 months ago
We never found out what happened to The Weavers of The Emperor's New Clothes
@Sunrise-d819i2
@Sunrise-d819i2 8 months ago
We should make a global pay pool to donate to each open source dev for each patch as a way to say thanks.
@djyotta
@djyotta 7 months ago
Contributors: If you want a change upstream, open a PR. Maintainers: If the change is not acceptable, close it (or just comment as such). Contributors bear the burden of showing their work complies with project standards. Maintainers must reject all unsatisfactory change requests. They need not justify their refusal. If the contributor is pushy, the maintainer can remind them that the burden of work lies with the contributor, not the maintainer. Also, try to get independent review. Maintainers probably shouldn't be reviewing code. It's a conflict of interest (i.e., the maintainer may not want the extra work in rolling a release; conversely, they may want the change and so overlook sloppy code).
@laughingvampire7555
@laughingvampire7555 8 months ago
to me this is a plot of Microsoft trying to present themselves as good people for Open Source.
@cheako91155
@cheako91155 8 months ago
This story surprises me... IMHO the ppl most likely to identify an issue like this are also the ppl least likely to be able to communicate effectively. Like this issue I've identified in the radv swapchain and the inability for Intel Arc to run new games like Starfield.
@mattheww797
@mattheww797 7 months ago
Is there a way to scan for the vulnerability?
@exnihilonihilfit6316
@exnihilonihilfit6316 7 months ago
Just check your version: xz --version. Affected are only versions 5.6.0 and 5.6.1 ( _NOT_ 5.6.1-2 and 5.6.1-3, though).
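A defender's check that follows the reply above, written as an added example (not from the video or any commenter): it classifies an xz version string as affected (5.6.0 or 5.6.1), treats a distro rebuild suffix such as -2 or -3 as a patched rebuild as the reply states, and, because the backdoor only mattered where sshd pulled in liblzma, also reports whether the local sshd links liblzma. The sample `xz --version` output in the test is constructed, and the function names are my own.

```shell
#!/bin/sh
# Added example: version triage for the xz backdoor, based on the reply above.
# Function names and the "patched-rebuild" label are assumptions for illustration.

# xz_version_status VERSION -> prints "affected", "patched-rebuild" or "clean".
# A package release suffix (e.g. 5.6.1-3) is stripped before comparing; per the
# reply above, such rebuilds are taken as already patched.
xz_version_status() {
    ver="$1"
    base="${ver%%-*}"          # 5.6.1-3 -> 5.6.1 ; 5.6.1 -> 5.6.1
    case "$base" in
        5.6.0|5.6.1)
            if [ "$base" = "$ver" ]; then
                echo affected            # upstream backdoored release
            else
                echo patched-rebuild     # distro rebuild with a release suffix
            fi
            ;;
        *)
            echo clean
            ;;
    esac
}

# parse_xz_version_line OUTPUT -> the version from the first line of `xz --version`,
# whose first line looks like "xz (XZ Utils) 5.6.1" (constructed sample in the test).
parse_xz_version_line() {
    printf '%s\n' "$1" | sed -n '1s/.* //p'
}

# sshd_links_liblzma SSHD_PATH -> succeeds if liblzma appears in its dynamic deps
# (directly or via libsystemd, as discussed in the comments above).
sshd_links_liblzma() {
    ldd "$1" 2>/dev/null | grep -q 'liblzma'
}

# check_host: run both checks on the machine this script executes on.
check_host() {
    if command -v xz >/dev/null 2>&1; then
        v=$(parse_xz_version_line "$(xz --version)")
        echo "xz $v: $(xz_version_status "$v")"
    else
        echo "xz not installed"
    fi
    sshd=$(command -v sshd || echo /usr/sbin/sshd)
    if [ -x "$sshd" ] && sshd_links_liblzma "$sshd"; then
        echo "$sshd links liblzma (worth reviewing)"
    else
        echo "sshd does not link liblzma, or sshd is absent"
    fi
}

check_host
```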
@tsilb
@tsilb 4 months ago
Everyone needs to re-watch this in the context of CrowdStrike.
@JohnLamontanaro
@JohnLamontanaro 8 months ago
exactly why i prefer grub over systemd
@fullsleevetats
@fullsleevetats 7 months ago
"Group of individuals" is now proving very likely to be the same individual, using multiple personas to try to push the XZ maintainer to hand over maintainership, so they could subvert it and thousands to millions of Linux machines. Can you imagine what would have happened if this wasn't caught for a month? For 6 months? Hundreds of millions of Linux devices could have been compromised.
@igorgiuseppe1862
@igorgiuseppe1862 7 months ago
13:00 there is a big difference between knowing you are a guinea pig and choosing to be a guinea pig, and being used as a guinea pig by others so they don't have to deal with bugs and exploits like this. Should we discourage people from being one? No, we just need to make sure they understand what they are getting themselves into.
@jonw
@jonw 8 months ago
"Nation State" ding ding ding... I wonder which one, hmm.
@theperfectionist1607
@theperfectionist1607 8 months ago
CN
@PaulG.x
@PaulG.x 8 months ago
USA
@Broly_1
@Broly_1 8 months ago
@@theperfectionist1607 Yes, we both figured he was talking about Canada 😂
@exnihilonihilfit6316
@exnihilonihilfit6316 7 months ago
He also asserted it's a group - a statement he can't substantiate. So, because at least a couple of usernames were used in the social engineering attack, it's a group of people? Critical thinking fail. Same situation with the "nation state" claim. Critical thinking fail. Midwit.
@igorgiuseppe1862
@igorgiuseppe1862 7 months ago
9:28 to be fair, in proprietary software the developer would be paid to do this, so the burnout wouldn't be that great... or not, because proprietary software often just grabs some free software on the internet, repacks it with a different skin and pretends it's a different product.
@nsr-ints
@nsr-ints 7 months ago
They really did professional gaslighting to infiltrate XZ. Wow. Just wow.
@djyotta
@djyotta 7 months ago
I refuse to use GitHub because it's not open. I don't want all my code hosted on a "platform" that may dictate to me what content I put on it. I therefore host my own services (e.g. gogs) on my own hardware. Can't even trust cloud infrastructure since what AWS did to Parler.
@exnihilonihilfit6316
@exnihilonihilfit6316 7 months ago
My condolences.
@The1RandomFool
@The1RandomFool 8 months ago
The most interesting part to me is the years of social engineering and development put into this just to get caught immediately. I can't help but think if this were a closed source operating system this could have been hidden for far longer. Or already exists. What's ironic is someone from Microsoft found it, and parts of Windows are notoriously slow. Especially at my place of work.
@gottagowork
@gottagowork 8 months ago
As I saw someone mention elsewhere... Microsoft: xz utils spending 500ms - let's investigate. MS Teams taking 15 minutes to start - works as intended.
@RWBHere
@RWBHere 8 months ago
Hang on. Back up a little: If a researcher at Microsoft found it, then it had to be out there already, likely for weeks. It must be on countless devices already. Sure, it has been patched by now, but how many users update their software daily? Many computers are only turned on occasionally, and updated even less frequently. (I have a number of computers around here which haven't been used for days, weeks, and, in the case of two devices, several months.) It'll be around on some computers for a very long time.
@MaartenT
@MaartenT 8 months ago
The Microsoft dev used Debian SID (the unstable testing branch of Debian) for his testing. He noticed in his benchmarks that logging into SSH took about a second instead of the normal 0.2 seconds, which made him try and find out why that was the case. It was in the normal testing Debian repos as well as in a bunch of other testing repos (Fedora 40 and 41, I am sure others as well), but not on any of the stable releases yet, although it was a close one for Debian I believe, which was supposed to release in a couple of weeks. The main thing is that servers typically don't use those testing releases for obvious reasons. It was also in a couple of rolling releases (Arch, OpenSuse Tumbleweed, ...), but they quickly patched it after it was found out. There are only a handful of rolling release distros that had this in their repos, and people using those or the testing branches tend to update more often (why would you otherwise use a rolling release distro?). But yes, some of those rolling releases had the backdoored xz package for a couple of weeks before it got found out. It's less of an issue on those though, the Arch openssh isn't linked to the correct package (not sure about OpenSuse) and people are less likely to log into ssh on their desktop machines where these rolling releases are generally used. To be clear, I am NOT saying this isn't an issue, it clearly is, but all in all it was dealt with without too many problems. I don't think they could have used their exploit for too many things, it was clearly meant to be rolled out on server machines. But it could have been way worse if that Microsoft dev didn't stumble upon it by accident. Not a lot of people would have actually tried to find the root cause of why logging into SSH took about a second longer than usual.
@snooks5607
@snooks5607 8 months ago
@@MaartenT and even if it had gotten to stable they probably wouldn't have started popping everyone's boxes because they would've been discovered that much quicker, they likely had some specific government/industry targets in mind (and if they had tried to infiltrate everything I wonder how many places could they have actually even reached, most debian/fedora boxes are sitting inside networks that if they even have internet facing ssh it's usually a router or bastion host running a stripped down non-desktop grade OS)
@locatemarbles
@locatemarbles 8 months ago
Too much code for too few maintainers. In the chronically underfunded foss space minimalism is not a choice, it is a necessity. Otherwise it can't grow and scale safely.
@kristofru
@kristofru 7 months ago
I think that some people might think that Linux has become too important to remain free and open source, and they may be right. Linux would have to be forked.
@CTimmerman
@CTimmerman 7 months ago
So you're saying the XZ exploit could happen at the place that discovered the exploit because their devs have enough freedom to develop themselves and the community?
@musashimiyamoto9035
@musashimiyamoto9035 7 months ago
Based DT.
@m.7567
@m.7567 8 months ago
I finally gave up on Manjaro after the window manager just stopped working for the second time in a year. Decades-long Linux user and I couldn't figure out what's wrong. Tried so many distros, none of them work well on a 4090. Probably because Linux devs are poor and can't afford it. Maybe Ubuntu 24.04 will work.
@laughingvampire7555
@laughingvampire7555 8 months ago
Well, as a developer let me tell you, this would never have lasted this long in a closed source project, because in every pull request there are peer reviews that check the code does what the ticket requires, nothing less, nothing more, and if you see those changes in the test you will question it. In closed source the only way to make this happen is if there is intention from the entire team.
@mattlebutter9162
@mattlebutter9162 8 months ago
Sorry but i think you are wrong: it definitely got inserted because of Linux being open-source. However, it got busted NOT because Linux is open-source but because a dev investigated perf issues.
@Cyanwasserstoff
@Cyanwasserstoff 8 months ago
But he could only investigate the problem because the *tar file contained open code. If he had to deal with a binary instead, he would not be able to look into it. He would most likely never have discovered the cause.
@mattlebutter9162
@mattlebutter9162 7 months ago
@@Cyanwasserstoff you are partially right: that made it much easier to pull the thread and see clearly who did what and how. BUT once there is a suspicion that something is dodgy with a library or a binary, it's only a matter of time before someone reverse engineers it, cf. the Apple bugdoor a few months ago, discovered by Kaspersky.
@Cyanwasserstoff
@Cyanwasserstoff 7 months ago
@@mattlebutter9162 Reverse engineering is not simple, and not having the program's base code available makes the process way more time- and human-resource-intensive. We can already make ourselves a picture of how long the nouveau team struggled to reverse engineer the drivers for Nvidia cards. We are talking about years, and without the change from Nvidia to partly open source, the open-source driver would never even come slightly close to the proprietary one, despite the enormous effort of reverse engineering.
@adjbutler
@adjbutler 8 months ago
There are governments that run Linux.... do you think they don't have people reviewing the security of Linux every day?
@adjbutler
@adjbutler 8 months ago
I can confirm it didn't work on NixOS
@dyvel
@dyvel 7 months ago
Any Chinese, Russian or Iranian country would be interested in planting that backdoor. Not to talk about the United States.
@wyfyj
@wyfyj 7 months ago
Gentoo is rolling release and stable
@htx80nerd
@htx80nerd 8 months ago
Obsessed techs make the world go round. Lazy techs make the world the worst place.
@trp225
@trp225 8 months ago
With closed sourced code, maybe you can look at the code but it is not legal to do so. Only open source is legal...
@darknetworld
@darknetworld 8 months ago
Yeah, there is a video about the Windows OS having spyware that links to a third party. Back in the old days that had not happened; only there was change. Same with the VSCode editor. Although it's open source, it's still collecting data. Another thing is the next thing might be AI spyware like those GPTs. As we've seen in the news that leaked from big tech, people are trying it out.
@hiru92
@hiru92 8 months ago
I got the 5.6.1-2 patch in a few hours on Arch.
@MarkusHobelsberger
@MarkusHobelsberger 8 months ago
There should be 5.6.1-3 available already :)
@bikrammahato6528
@bikrammahato6528 8 months ago
Hey DT, make a video about GPU passthrough in qemu.
@snooks5607
@snooks5607 8 months ago
15:15 huh? I'm no corporate fanboy, and yeah, they have telemetry and that dictionary helper thing that sends keyboard input to them, which could be considered a "keylogger", etc., but they admit to all of that. I actually doubt they have surreptitious spyware features, because imagine the shit storm if some reverse engineer actually located a provably malicious built-in feature that's spying on every Windows user including government workers etc.? Especially since MS anyway has a proprietary distribution channel to just push anything on a specific user they or the spooks want to spy on.. could just mask it as a 3rd party driver update for some deniability, why risk ruining everything by hiding spyware in the default install? Automated updates are the future-proof backdoor for any OS.
@robertmaxa6631
@robertmaxa6631 7 months ago
Debian stable wasn't affected.
@MerkDolf
@MerkDolf 8 months ago
The more you challenge people that your house is invasion proof, the more people will try to prove you wrong.
@CEOofGameDev
@CEOofGameDev 8 months ago
exploit takes 2 years to be implemented, gets shut down in about 3 months. That's all you need to know, really...
@lian_drake
@lian_drake 8 months ago
Well, PostgreSQL isn't a Microsoft product, it's an open source database engine
@yeabuddy1610
@yeabuddy1610 8 months ago
Was surprised to hear DT call it Microsoft's product. They already own T-SQL, which is used by default with MS SQL Server.
@lian_drake
@lian_drake 8 months ago
@@yeabuddy1610 Isn't T-SQL just the SQL language implementation for the SQL Server database engine? PostgreSQL isn't that.
@mrcomment6035
@mrcomment6035 8 months ago
This Microsoft employee is the modern Robin Hood. He takes money from the rich and helps the poor (free) 🤭
@progste
@progste 7 months ago
Meanwhile windows users laughing with their personal NSA buddy!
@hamdi-kadri
@hamdi-kadri 8 months ago
The same type of backdoor on a proprietary software would have taken years to be found, if ever!
@steves9250
@steves9250 8 months ago
If it happened in proprietary software it could still have been found, but in this case being open source made it a lot easier to analyse and get more eyeballs onto it
@Danielddiniz
@Danielddiniz 7 months ago
Great point on how many backdoors might exist in closed source software like M$ Windows and MacOS, even some that can be mandated by some government. With open source software, it's like our country's constitutions: "All the power belongs to the people!"
@Mtylgd
@Mtylgd 7 months ago
Thanks Microsoft!
@TomTrval
@TomTrval 7 months ago
open source != community developed
@noam65
@noam65 8 months ago
Linux development is far too fast paced for its own good.
@Paul_I_S
@Paul_I_S 7 months ago
👍
@kristofru
@kristofru 7 months ago
This is not about open vs closed source software. Linux won the OS war a long time ago.
@PaulG.x
@PaulG.x 8 months ago
And that nation could be the USA
@lh8228
@lh8228 8 months ago
It's a backdoor, not an exploit!
@exnihilonihilfit6316
@exnihilonihilfit6316 7 months ago
well, it's a social exploit :D
@arkhikun
@arkhikun 8 months ago
Why are you at an angle
@j03y__
@j03y__ 8 months ago
I vote nation state
@TheYehat
@TheYehat 8 months ago
What are the odds MS employee "found" this by chance? Because it is really a rare pick based on what he published. Strange, strange coincidences.
@Winnetou17
@Winnetou17 8 months ago
From outside, that's a reasonable take to have. If you dig deeper, it seems to be highly unlikely. Most of the people covering the story didn't even mention that the guy was from Microsoft.
@TheYehat
@TheYehat 8 months ago
@@Winnetou17 True, not to mention most "techies" covering the story are blind to the fact that an MS employee found this on MS-owned GitHub. Now everyone's obliged to thank MS for saving the day.
8 months ago
The "Microsoft employee" is a PostgreSQL dev who uses SSH daily. His name is Andres Freund, and the info on him is publicly available, as is the info on how the backdoor works. If you noticed that software you use every single day was suddenly slower for no apparent reason, and in your job security is very important, wouldn't you wonder why it is happening?
@Music-wu5de
@Music-wu5de 8 months ago
Odds better than an open source committer found it you mean? Lol........
@TheYehat
@TheYehat 8 months ago
@@Music-wu5de Enjoy the MS shit dude.
@GhostCoder83
@GhostCoder83 8 months ago
#archlinux RULES