How a Hacker Saved The Internet

Поделиться
HTML-код
  • Опубликовано: 23 ноя 2024

Комментарии • 2,8 тыс.

  • @kibergo885
    @kibergo885 Месяц назад +19917

    fern vids feel like real youtube premium

  • @hibuddy1473
    @hibuddy1473 Месяц назад +9435

    Imagine working for 4 years on what could have been the biggest cyber attack in history just to get caught by some dude testing on his free time

    • @iFlyGood
      @iFlyGood Месяц назад +1596

      He's not just some dude. Hes a dude whose programs are so optimized he will notice .4 ms of delay 😂

    • @miso1995srb
      @miso1995srb Месяц назад

      I think if not Andrew someone else would found it. There were other open source projects which found problems/bugs related to XZ library, so I think it was a matter of time until it was discovered. It took about 1 month since backdoor was added to XZ for Andrew to discover this backdoor, but even if he didn't find it someone else would. But even if no one found it, it would be chaos for few days and than they would stop it.
      Also this was not a super elaborated social thing as video suggests at least that's how I see it. I think it was only one person, I am programmer and it seems like everything was coded by one person, also Kumar and Dennis and Jensen were just simple accounts that used different VPN's and emails so that can be done by one person, they only sent few messages and there is no internet trace of them, so they are shallow profiles. They also seem to talk in similar way, they sound like one person. I would say this was some young smart hacker or 2 or 3 random young hackers similar to those who hacked video game companies like in other FERN video.
      Also lets say that virus/backdoor infected the whole world, it would take time for hackers to steal something, so again enough time for fix to be deployed and remove the backdoor from important servers, it would just cost millions and millions of dollars to different companies/entities.

    • @DedmenMiller
      @DedmenMiller Месяц назад

      ​​​@@iFlyGood500ms, not .4
      It's about a 10x time increased compared to the usual, per login. And with the testing he has been doing, he would've had dozens of logins.
      It is not hard to notice when, instead of something taking 0.1 seconds, it suddenly takes 5 seconds. And 5 seconds is also enough time to notice excessively high cpu load.
      Instead the important factor is, that he actually bothered to investigate what causes it.

    • @turb00o
      @turb00o Месяц назад +512

      Nerds save the world.

    • @silvestersape
      @silvestersape Месяц назад

      ​@@turb00oAcoustic*

  • @ryanbrownie4634
    @ryanbrownie4634 Месяц назад +2682

    fun fact Andres Freund's , last name translates to friend in German . He is truly a friend the internet needed

    • @PunkDogCreations
      @PunkDogCreations Месяц назад +16

      Vriend in Afrikaans

    • @nk__
      @nk__ Месяц назад +53

      Even funnier
      The narrator is German

    • @oscargreat
      @oscargreat Месяц назад +6

      Last name. *

    • @Mmmmmmmmmmmnm
      @Mmmmmmmmmmmnm Месяц назад +4

      @@oscargreat. Last name*

    • @oscargreat
      @oscargreat Месяц назад +4

      @@Mmmmmmmmmmmnm Right. Without the period before "Last". 😃

  • @liveen
    @liveen Месяц назад +1186

    At 03:41 keep in mind "fork yourself" was not meant as an insult. Forking works like a fork. You have the source code, the handle of the fork, and then you have the separate tips of it, the forks. Essentially, the commenter is suggesting that the other guy makes a clone of the code on github with himself as the maintainer, so that they can make further progress on the code without the delays.
    If you and I were to make a paint type program, and we fork a program that has everything except the bucket tool and the brush tool, and you implement the brush tool in your fork, and I implement the bucket tool in mine, we now have 3 versions of the same code.
    1. The base code, the original paint.
    2. Your fork with the brush tool, probably named something like "yourname-paint-brush"
    3. My fork with the bucket tool, probably named something like "mycodeisbetterthanyourslmaogoforkyourselfsuckiiiiiiit-bucket"

    • @AT_AV_EDITZ
      @AT_AV_EDITZ Месяц назад +18

      Thanks

    • @bluerie._.3021
      @bluerie._.3021 Месяц назад +41

      Good clarification.

    • @zealousgoat
      @zealousgoat Месяц назад +11

      damn rlly didn't know that thx

    • @TheGoldNinja101
      @TheGoldNinja101 Месяц назад +3

      I don't trust what you said. The way you said it doesn't make sense. The show "The good place" uses profanity humor. I learned that people might hide their profanities as humor type. How else does that meant?

    • @epicXtrollface
      @epicXtrollface Месяц назад +31

      I didn't know people didn't know this. "Forking" isn't exclusive to coding, and I thought the context made enough sense lol.

  • @ismailosman5048
    @ismailosman5048 Месяц назад +848

    The fact that you explained it in a way that someone with no technical background would understand speaks volumes, thank you for another great video

    • @Doghuntdou
      @Doghuntdou Месяц назад

      I think it's an attack on the internet from Russia to get the U.S. nuclear bomb codes.

  • @P4INKiller
    @P4INKiller Месяц назад +2310

    A developer being polite and helpful?
    Major red flag right there.

    • @banditapattanaik3179
      @banditapattanaik3179 Месяц назад +25

      FR

    • @DavidJCobb
      @DavidJCobb Месяц назад +112

      if they're not either unspeakably rude or nice but constantly swearing then be careful tbh

    • @Twisted_Code
      @Twisted_Code Месяц назад +17

      Hey, I object that! Well, at least to the polite part. I haven't published a lot of code so helpfulness is still kind of in the air 🤣

    • @NCLDMR
      @NCLDMR Месяц назад +11

      Also the Chinese name. Usual suspect Lol.

    • @vaisakh_km
      @vaisakh_km Месяц назад +5

      i am a fking nice developer..

  • @wowoking2
    @wowoking2 Месяц назад +7028

    The production of some of these youtube videos nowadays is crazy

    • @s.4155
      @s.4155 Месяц назад +21

      Indeed!

    • @Myrdrrr
      @Myrdrrr Месяц назад +16

      What he said! AND just SOME? 😭

    • @kopiedes
      @kopiedes Месяц назад +63

      German efficiency

    • @Natak222
      @Natak222 Месяц назад +40

      Seriously, RUclips's the new, more relatable Netflix for me but like how much money and man hours did they put into this and how many views do they need to recoup

    • @just_mdd4
      @just_mdd4 Месяц назад +19

      @@Myrdrrr Fern isn't the only high-tier RUclipsr, lol. There's others like Melodysheep and LEMMiNO.

  • @adoSrelliK
    @adoSrelliK Месяц назад +219

    Man, source citations in EVERY scene is just crazy professional. Higher standard than many 'professional' documentaries by bigger companies. Well done!

  • @amit_crickets_08
    @amit_crickets_08 10 дней назад +327

    Having someone like you who’s not only a great innovator but also pulls his best to get the work done so beautifully needs nothing but appreciation. Dale valskov Thanks for the well off work you consistently bring your all and I truly appreciate that. Thank you for making corporate life so smooth. Proud to have you on our team. Great work as always.

  • @bhaskarjyotideka9243
    @bhaskarjyotideka9243 Месяц назад +5855

    04:46 devs/ maintainers being polite, the biggest red flag. 🚩

    • @The_Endless_Now
      @The_Endless_Now Месяц назад +95

      fr

    • @sam08g16
      @sam08g16 Месяц назад +720

      Also, displaying social skills 🚩

    • @FCoFix
      @FCoFix Месяц назад +176

      See: Linus Torvalds mailing list rants

    • @williamduncan7401
      @williamduncan7401 Месяц назад +85

      @@FCoFix that's how you know he's legit lol

    • @SianaGearz
      @SianaGearz Месяц назад +68

      Please most open-source maintainers who i reported issues to or contributed code to have been SUPER nice.
      I actually tended to be very polite as well, even with people who were clearly rude and frustrated, though with a project with a million users, it sometimes gets difficult. You sometimes get... special types of Karens, ones that cannot be put at ease. I'm sure you can vaguely imagine. Well at least i never took revenge on them, even if i was tempted to.

  • @lj1643
    @lj1643 Месяц назад +1069

    Millions of modules are maintained by developers with little reward, yet power the largest companies.

    • @overdev1993
      @overdev1993 Месяц назад +48

      which is critizied at the end of the video

    • @Twisted_Code
      @Twisted_Code Месяц назад +22

      Yup, and you have to wonder... dhow many of these companies do their due diligence, checking the code produced by the thankless masses?

    • @texastalent3300
      @texastalent3300 Месяц назад

      @@Twisted_Code They have external services like snyk. Don't really check individual lines of code but if someone does notice it's immediately taken care of

    • @Derekcreeperer
      @Derekcreeperer 27 дней назад +7

      Well, the devs are fueled by their passion. And the largest companies do contribute to the projects. The real problem is companies like Huawei claiming that they developed something only to be based on open source projects, then proceed to earn money for their bad products on the premise of patriotism

  • @JoeriBlomberg
    @JoeriBlomberg Месяц назад +5302

    Everyone, please repeat after me: "Thank you for saving the internet, Andres"

    • @Christophe_derBerge-op9zh
      @Christophe_derBerge-op9zh Месяц назад +55

      I would like to say thanks. But since the internet is destroying our governments, societies, and people’s sanity. Thanks????

    • @gratisgratos
      @gratisgratos Месяц назад

      ​@@Christophe_derBerge-op9zh All of these things we're caused by human activity. We're responsible for it not the web

    • @zephh_sk
      @zephh_sk Месяц назад +71

      Everyone reoeat after me 🤓🤓🤓

    • @illlllllllllllllkkkkkkkkkkkkkk
      @illlllllllllllllkkkkkkkkkkkkkk Месяц назад +42

      ur not him bro

    • @_SpinnySpiwal
      @_SpinnySpiwal Месяц назад +23

      Thank you for saving the internet, Andres

  • @desibalakup86
    @desibalakup86 10 дней назад +343

    The efficiency of this Dale valskov is next level. To juggle walk throughs of various angles on the topic delivered to-camera, differnet content per topic from various folks underneath the umbrella of the track list of the larger big band concert itself is engaging and refined. To make a dense taccess like this so digestible is really something. Awesome work !!

  • @ravindramalche2831
    @ravindramalche2831 10 дней назад +345

    That feeling when your partner cheated and you don't have the courage to leave him or her so you just dealt with the pain and live everyday asking questions about your worth. This pain is different from the cheating one-- living and seeing him everyday anticipating when will he or she do it again. Your videos are incredibly well done. No critique, thanks for doing this Dale valskov

  • @devrim-oguz
    @devrim-oguz Месяц назад +379

    The crazy thing is that backdoor wasn’t even inside the code itself. But was attached while the code was being deployed.

    • @halcyonramirez6469
      @halcyonramirez6469 Месяц назад +19

      Yeah I've always wondered how tf you put in code in there doing ssh key authentication whatever without people noticing that piece of code?
      It being not in the code but somewhere else makes sense

    • @kobonodziongo9951
      @kobonodziongo9951 Месяц назад +28

      Yeah, according to the information provided in the source links from the official Red Hat website: "The malicious injection present in the xz versions 5.6.0 and 5.6.1 libraries is obfuscated and only included in full in the download package - the Git distribution lacks the M4 macro that triggers the build of the malicious code. The second-stage artifacts are present in the Git repository for the injection during the build time, in case the malicious M4 macro is present."

    • @isbestlizard
      @isbestlizard 28 дней назад +5

      Maintainers must be VERY critical now of binary blobs even if described as 'test data' if it can be accessed during the build process. Ideallying, building and testing will be completely separate and gapped environments

  • @HappyGick
    @HappyGick Месяц назад +1494

    The real reason behind the suspicion of state sponsonred hackers, for us IT engineers, is not just the social engineering. It's how sophisticated the technical details of the attack really were. I myself don't fully understand all the details. But in essence it's a supply chain attack. It *only* triggers when specifically compiling SSH with xzutils in a Linux distro. Undetectable during code reviews. Some Linux distros weren't even affected because they didn't compile SSH the way that the attack expected. And the payload was hidden in the test suite. Many many details that would've made this attack close to unthinkable for nearly every hacker, except for state sponsored groups.
    It's unanimously agreed that it was state sponsored because it's just too multi layered.

    • @Merthalophor
      @Merthalophor Месяц назад +73

      Some test suits were disabled by first making the test fail silently if code doesn't compile on a specific platform, to make it easier to execute it on multiple platforms. Then a hidden period "." was committed, in theory visible by anyone, but just extremely hard to see, that disables a specific test by making the code not compile.
      Test cases that take binary input also existed. The binary input was placed in the repository as is, and nobody verified the contents of the binaries.
      All of these were red flags but they were given rigorous technical justification. Made by someone you don't expect to be malicious.

    • @williamduncan7401
      @williamduncan7401 Месяц назад +31

      I don't know why it's assumed everywhere that "very sophisticated" means "state-sponsored". This makes no sense to me. It's of course possible, but just jumping to that conclusion without any sort of reasoning other than "it's really good" seems completely irrational. This exploit did not require billions in funding in any way. IMO it just makes it sound as if you believe the only hackers are 12yo script kiddies and not rational humans capable of setting an objective, constructing a plan and executing it over a couple of years.
      Not every exploit is a random tiny hole noticed by someone who then immediately fists through it, downloads all the user data, runs rm -rf * and then uploads it on a forum.

    • @waterable5908
      @waterable5908 Месяц назад

      Yeah but they aren’t on my level and I’m not state sponsored check this amazing line of code
      Print(“Get Hacked”)
      What can I say am I a cyber threat or what

    • @BatteryProductions
      @BatteryProductions Месяц назад +58

      ​​@@williamduncan7401 not to this level, this is just too organized, like stuxnet, pegasus, etc etc, i too like the idea of lone wolfs etc but this level of organization is just not common...

    • @232salsa
      @232salsa Месяц назад +4

      Or, you HAVE to hear me out, he has ADHD/ADD. Thinking that far ahead on something you enjoy or are super passionate about and then you get fixated on details. Sometimes reality is odd

  • @rir-s8n
    @rir-s8n Месяц назад +3921

    Andres the Goat

    • @Sirbozo
      @Sirbozo Месяц назад +7

      daa

    • @Mattipedersen
      @Mattipedersen Месяц назад +9

      @@Sirbozo I believe you meant to say, "baa" 😉

    • @scamhunter2346
      @scamhunter2346 Месяц назад

      @@MattipedersenBÆÆÆHH!

    • @soda24612
      @soda24612 Месяц назад +7

      @@Mattipedersen da is yes in croatian, slovenian, serbian, basically all balkan languages, so maybe he meant it🤣

    • @Raphael-pt7rx
      @Raphael-pt7rx Месяц назад +4

      @@soda24612 you forgot the biggest language, russian

  • @KhushiKumari-jg3or
    @KhushiKumari-jg3or 10 дней назад +282

    As a Retired combat Marine I want to tell you that as what you are doing is just as important as any warrior on the battlefield. You are waging warfare against these criminals and terrorists on the digital battlefield. You are defending and protecting the most vulnerable of our society against these predators. Keep up the good work Dale valskov

  • @EQuivalentTube2
    @EQuivalentTube2 Месяц назад +430

    A lot of people use this case to bash on Free and Open Source Software. They try to paint it as insecure because it's developed in the open. I'd suggest otherwise: this is FOSS working completely as intended. The sheer fact that a random person could catch this bug is exactly due to the software being developed in the open. Were it fewer eyes on the software *and* its source code, the backdoor would have never been noticed.

    • @SpinyDisk
      @SpinyDisk Месяц назад +12

      I agree to some extend (as a linux, blender, shotcut, obs, user, that tries to use as much open source as plausible)
      It is true, that it's incredible that some "random dude" could spot that (due to it being open source). Though with closed source, it is harder to put malware into the product itself. So it's sort of a 10% for something to very bad to happen vs a 90% that something mediocre is going to happen (value wise). But yea, long live open source

    • @EQuivalentTube2
      @EQuivalentTube2 Месяц назад +33

      @@SpinyDisk It's not really all that much harder to infiltrate some closed-source software company, if you play your cards right. I'm willing to bet you my bone marrow that GAFAM companies have multiple state-sponsored plants each.
      I mean, aside from the information they're happy to provide the state with themselves.

    • @altrag
      @altrag Месяц назад +2

      Sure that might be FOSS working as intended, but there's never been a single security issue in Windows or any other closed-source software in the entire history of computing!

    • @Tony15246
      @Tony15246 Месяц назад

      ⁠​⁠@@altragclosed-source software are closed-source because the company or people who develop those software want to make money out of them. Even if there has been any security issue about these software, nobody could tell and nobody would know because nobody see the source code. Or do you think the developer of closed-source software would announce to the public that their product has security issues, so that they can have less customers? If xz were a closed-source software and the backdoor were implemented by a random employee of the company working on the software, the backdoor would simply be implemented, and no one would have any clue. Not to mention actually finding out the security issue and fixing it. Imagine if Andres has no access to the suspicious source code, without any prove to validate his doubt, even a great engineer like him can do nearly nothing but admit that he himself is just being too sensitive and give up.

    • @KidMorbid
      @KidMorbid Месяц назад +16

      @@altragif you were baiting, you did a very good job

  • @ceoofgambling
    @ceoofgambling Месяц назад +2997

    fern just dropping banger after banger

    • @chaosthug7
      @chaosthug7 Месяц назад +5

      bot

    • @ceoofgambling
      @ceoofgambling Месяц назад

      @@chaosthug7 Ur mother is a bot

    • @ceoofgambling
      @ceoofgambling Месяц назад +22

      @@chaosthug7 ur father!

    • @BartholomeusAnčjo
      @BartholomeusAnčjo Месяц назад +15

      @@ceoofgambling yep, not a bot.

    • @DAGGER-2
      @DAGGER-2 Месяц назад +4

      After banger after banger after banger after banger after banger after banger after banger after banger after banger after banger after banger

  • @superen123
    @superen123 Месяц назад +1885

    52 sources! Thats a lot of research into just one video!

    • @Gh0sTx85
      @Gh0sTx85 Месяц назад +107

      These guys spit facts, awesome research all around in all of their vids

    • @yulo8987
      @yulo8987 Месяц назад +38

      And still not knowing which date is Russian Christmas celebrated on (spoiler, it's on January 7th). But sure, "Russian hackers" sounds more impressive, then hackers from other countries. Sigh.

    • @markuswunsch
      @markuswunsch Месяц назад

      @@yulo8987 I am surprised that holidays are relevant at all because why would a hacker group or secret service really care about those... in such organizations there are no holidays... it's as stupid as claiming no one works in a hospital on Christmas eve...

    • @mtarek2005
      @mtarek2005 Месяц назад +5

      yeah and shows how major the event was, dominating open source and cyber security news for a few weeks

    • @mtarek2005
      @mtarek2005 Месяц назад +10

      ​@@yulo8987to note, almost all the timezone celebrated it on 7 Jan from Russia to Ethiopia, and I doubt it's any further down in Africa

  • @Rm_bos
    @Rm_bos 10 дней назад +267

    Hey ppl, I'm a retired computer/IT person, Yet I still find Dale valskov so informative and straight forward. Thanks for your advise and helping the people...........Great work and love watching.

  • @SandeepkushwahaKushwaha-kr9co
    @SandeepkushwahaKushwaha-kr9co 10 дней назад +244

    Awesome work, Dale valsko ! It's so satisfying to see you putting in the effort to stop those shady characters. Protecting the public, especially the elderly, from those despicable con artists is crucial. You truly deserve recognition and appreciation for keeping us secure. I'm thrilled for you because you're my sibling. Your accomplishments definitely make you a strong contender for the Nobel Peace Prize. Keep up the outstanding performance!!!!!

  • @Kulkogo
    @Kulkogo Месяц назад +46

    I literally just got an ad from Google about “breaking” cyber security right after Andres discovered the SSH thing. *The irony.*

  • @afmikasenpai
    @afmikasenpai Месяц назад +619

    I never thought that the xz/Jia Tan drama would ever make it into Fern one day.
    On a more serious note, I am literally shaking over the fact that there can still be multiple cleverly hidden backdoors created with similar methods still in the wild.
    I know for a fact that no one will thoroughly review thousands of lines of generated code from a single PR for example when the diff is too large.

    • @Nick_Sandman
      @Nick_Sandman Месяц назад +22

      Can't these very smart LLM's be used to review code?
      I use it as a very quick check of new code to flush silly mistakes already, these may not write qual code yet, but it's a good, fast reviewer.

    • @jammaschan
      @jammaschan Месяц назад +62

      @@Nick_Sandman smart LLM's can't even tell if a student's work is LLM generated or real

    • @afmikasenpai
      @afmikasenpai Месяц назад +13

      ​@@Nick_Sandman Depends on the model, but really, LLMs can never truly go beyond what we trained them on, we train them on good inputs but also bad ones. They can definitely check for minor issues across a large number of inputs, and are generally faster than a human. However, I doubt they would catch the most intricate ones. Even if they did, it would be a cat-and-mouse game; people will always find smarter ways to bypass any countermeasures.

    • @Nick_Sandman
      @Nick_Sandman Месяц назад +2

      @@jammaschan Aah, but the time-penalty of false positives is far less severe scanning for malware

    • @Nick_Sandman
      @Nick_Sandman Месяц назад +8

      @@afmikasenpai There must be a fair sized legacy of malware that I'm sure has been crawled by many LLMs.
      And there is emergent behaviour anytime there's any form of adaption.
      The important point though is it's throwing out orange and red flags fast for thousands of lines of code, concentrating the attention of more perceptive eyes and minds.

  • @Smyxy
    @Smyxy Месяц назад +850

    A video of 15 min from fern is better than if netflix made a doccumentary of 2 hours! Keep it up!!!!

    • @mpk4712
      @mpk4712 Месяц назад

      Just learn german, and watch their german Videos on simplicissimus. They made videos on this quality for years.

    • @KabobHope
      @KabobHope Месяц назад +23

      Fern manages to tell a tighter story because the story is as long as it needs to be. In mainstream media they have to drag things out to nearly an hour.

    • @HFFCANADA
      @HFFCANADA Месяц назад

      I enjoy fern but stop dick riding.... Mainstream media documentaries have had multiple accredited history professor's and show all sources like Fern does. They indeed fell off drastically but the hundreds and hundreds of history, animal planet and national geographic documentaries are some of the best researched piece's out there. They also have great narrators too. 90s and early 2000s had the best ones. I do agree the new ones just absolutely blow tho. Compared to new ones Fern does good but compared to the genre as a whole he's mediocre at best. And that's okay

    • @StarStreetMedia
      @StarStreetMedia Месяц назад +3

      Absolutely agree! Fern packs more intrigue and info into 15 minutes than most shows do in hours - pure quality

    • @levayv
      @levayv Месяц назад +1

      It seemed like a AAA movie 🎉

  • @igniviscos
    @igniviscos Месяц назад +494

    this is why open source stuff is so important for the internet. without being able to actually look at the code and finding the backdoor, who knows how long it may have taken for anybody to figure it out let alone how long it would take for a fix to be implemented

    • @collinsonOga
      @collinsonOga Месяц назад +26

      In all fairness, it'll be harder to gain access to organization owned codebase. But once you can gain access, I recon it'd be disaster

    • @williamduncan7401
      @williamduncan7401 Месяц назад +53

      @@collinsonOga not if you already work at said organisation or manage to apply and get hired there (probably not as hard as gaining the trust of a maintainer by actually volunteering valid code for years). And in any case, my rule of thumb is that if you can't see the code, you can just assume there is a backdoor (perhaps even by design by the company) since clearly there's something worth hiding. IMO non-libre software is inherently insecure since a corporation-the only purpose of which is to extract as much money from you as possible-is hardly where you want to place your trust.

    • @BowmanFox
      @BowmanFox Месяц назад +3

      Would agree with you in any other context. But this ain't it.

    • @bvd0
      @bvd0 Месяц назад +7

      The attack involved binary blobs. It could be argued that allowing files that are not open-source (or not even source-available) in an open-source project is a problem.

    • @Supoxone
      @Supoxone Месяц назад +4

      @@BowmanFox Why? This project's downfall was allowing non source available code. Else this more than likely would have been caught

  • @ZaminTheBest_cr
    @ZaminTheBest_cr Месяц назад +12

    imagine working on something so powerful that can bring countries to there knees just to be caught by a guy noticing a 0.5 second delay

  • @matijastevovic5636
    @matijastevovic5636 6 дней назад +4

    Thank you so much for not doing the typical "...Collin was born on a cold night of 1994. When he was 4, his favorite dish was lasagna..." etc. like most of these channels do to make their videos as loooong as possible. Also it was really well explained considering I know nothing about this stuff. Great Job!

  • @Serizon_
    @Serizon_ Месяц назад +419

    as a linxu user I really feel like this video shows how important it was
    But xz was in rolling and only some were affected
    but imagine it getting into stable releases (It would've been a nightmare , and I mean absolute nightmare)
    the country which was behind it , literally could've started world war III if xz had gotten into mainstream distros
    absolute chills

    • @mtarek2005
      @mtarek2005 Месяц назад +38

      apparently it did manage to reach production versions of both arch and Manjaro and almost reached debian with only a few weeks to release which would've been massive (idk how close it was to Ubuntu or RHEL but probably close), the performance issues were already fixed in an update that the dev testing performance didn't have and managed to catch it

    • @StarStreetMedia
      @StarStreetMedia Месяц назад +2

      True, the potential impact on stable releases could have been catastrophic-it's a relief it was caught in time

    • @Name-ot3xw
      @Name-ot3xw Месяц назад +23

      The best part for me is where something like this is in the budget range of many non-state actors as well. The only real bottleneck is the relatively small amount of sufficiently skilled and motivated black hatters.

    • @Nzombii
      @Nzombii Месяц назад +5

      It’s scary that one of these exploits could already be in major distros, and just simply wasn’t caught.

    • @kelpdock8913
      @kelpdock8913 Месяц назад

      @@mtarek2005 arch (and manjaro based on arch) is rolling release. So it always has the newest packages that the user wants

  • @CharlesVanNoland
    @CharlesVanNoland Месяц назад +245

    This is just an instance where a backdoor was discovered en route to seeing widespread deployment. This could've been one of several similar attacks, one of a multi-pronged scattershot attack that has redundancies involved. At the end of the day, it was a total fluke that Andreas caught this one - imagine all the other attacks that could be happening, or have already seen deployment, and those with access are just waiting for the right time to launch an attack - all the ones that there was no Andreas to catch.

    • @rossstewart9475
      @rossstewart9475 Месяц назад +49

      Now consider the world of proprietary software: This was only discovered because someone *could* look at what goes on under the hood, and was compelled to do so by their curiosity.
      Imagine all the other attacks that could be happening, or have already seen deployment - all the ones where there isn't even a *possibility* of an Andreas to catch them, because their code is under lock and key.
      Swings and roundabouts, and for my part "security through obscurity" doesn't butter many parsnips.

    • @elrymoe
      @elrymoe Месяц назад +1

      ​@@rossstewart9475bullshit, the hack wouldnt even get into the Software cuz its closed source

    • @aquacruisedb
      @aquacruisedb Месяц назад +9

      Yeah, I was thinking that. "The guy that saved the internet" etc...great, but we only know about it because he did, by chance, spot something. Made me think probably 1 in 100. If so there are 99 other similar backdoors in good working order, undiscovered!

  • @DTD-ym5pg
    @DTD-ym5pg Месяц назад +58

    The 3d animation is top tier even down to the accuracy of the inside of the pc you fly through truly great work

  • @justamanofculture12
    @justamanofculture12 3 дня назад +2

    Game developer here. People underestimate how insane 500ms is. To give you an example, i create functionalities that must run under 1ms lol. Figure out now why would a Programmer notice 500ms delay. Still insane work by the final boss Andress 🗿........

  • @gappy10123
    @gappy10123 Месяц назад +27

    I know this isn’t the type of topics you usually cover, but I would love to see your teams animation skills covering something like the last glacial maximum, or some other geographic phenomena that is difficult to understand/comprehend. It’s much easier to grasp with animation

    • @cornfarts
      @cornfarts 26 дней назад

      Like the most recent video? I’d like to think he read your comment

  • @siresa3038
    @siresa3038 Месяц назад +51

    I love it when David or Jonas are speaking, it kinda feels more like simpli that way

    • @offtopic9632
      @offtopic9632 Месяц назад +5

      But the english pronounciation is annoying. It is really hard to listen through that accent.

    • @AQArchive
      @AQArchive Месяц назад +1

      @@offtopic9632 I really disagree. I think it's nice with some European accents in storytelling.

    • @rinmartell2678
      @rinmartell2678 26 дней назад

      @@offtopic9632at least they pronounce every german name correctly. The pronunciation of Freund may sound weird to you but it’s a German name.

    • @offtopic9632
      @offtopic9632 26 дней назад

      @@rinmartell2678 Yeah, but they butcher all other words that aren't german, so that's not a good bargain.
      I am german by the way.

  • @straferxdranzex
    @straferxdranzex Месяц назад +32

    Boy that was probably the sickest sponsor animation I have ever seen. Fern is just on another level.

    • @rinmartell2678
      @rinmartell2678 26 дней назад

      This is how Germany produces RUclips videos. It’s top tier sponsored by our tax money 😂 However, I believe fern stopped cooperating with German public broadcasters a year ago

  • @Psy45Kai
    @Psy45Kai Месяц назад +22

    And the most crazy thing is the technical detail how the code was placed/hidden! I know that the technical stuft would be too much for a non-technical audience but how the backdoor was encoded was just wizard-level hacking!

  • @nmrisrl11
    @nmrisrl11 Месяц назад +28

    I just found your channel this week, had to binge watch your old videos and I freaking love your contents fern!

  • @Ben-l2q9n
    @Ben-l2q9n Месяц назад +4

    No intro straight into it much appreciated.

  • @kaz49
    @kaz49 Месяц назад +364

    Ohhh, xz! Wow I never thought Linux drama would make it into mainstream YT but here we are!
    Also how are you guys pumping out these high-quality videos so fast? Don't burn out, yall

    • @wilx2703
      @wilx2703 Месяц назад +5

      a lot of AI probably

    • @LeonMulr
      @LeonMulr Месяц назад

      @@wilx2703most of ferns content is just reused from the German and Dutch channels. Just look in thier bio and u will find them

    • @kaz49
      @kaz49 Месяц назад +23

      @@wilx2703 Huh, didn't think of that. It's been what, 4 years since AI first came out and I'm still wrapping my head around the whole "using AI to do work" thing :P
      Though, I don't see any obvious signs of AI in the videos, and they have a LOT of fingers moving and other stuff that AI is generally bad at. I dunno

    • @LeonMulr
      @LeonMulr Месяц назад

      @@kaz49it is not. It’s just newly translated content from thier German chanal u can see it in thier channel bio

    • @FlawKills
      @FlawKills Месяц назад

      @@wilx2703nah. They already released this video a few months ago on their german channel and they have a huge team.

  • @torrotorrentazos1307
    @torrotorrentazos1307 Месяц назад +153

    14:01 Russian Christmas is on January 7th, not on December 25th

    • @user-Camjja
      @user-Camjja Месяц назад +2

      👀

    • @whohan779
      @whohan779 Месяц назад +29

      Either way China doesn't really celebrate Christmas all that much; so it would still be a false flag to have them offline then but not on CCP national holidays.

    • @HappyGick
      @HappyGick Месяц назад

      I think this was an european or USA hacker. The western holidays just give it away.

    • @rogerkamben389
      @rogerkamben389 Месяц назад +50

      Who else have UTC+2 & UTC+3 (due to daylight savings) and could plausibly celebrate western holidays/calendar? = Israel

    • @jinjunliu2401
      @jinjunliu2401 Месяц назад +31

      @@rogerkamben389 Christmas is not a public holiday in Israel, so it wouldn't make sense based on that

  • @anthonypierson1593
    @anthonypierson1593 Месяц назад +222

    0:20 ah yes the ssh graph we all have on our computers

    • @filthyE
      @filthyE Месяц назад

      _SSH intensifies_

    • @user-qu1xl3ee1d
      @user-qu1xl3ee1d Месяц назад +19

      Just a way to show something in a simple way

    • @tailex7792
      @tailex7792 Месяц назад

      0:38 0:39 ​@@user-qu1xl3ee1d

    • @StarCo11
      @StarCo11 Месяц назад +12

      You mean Windows Task Manager graphs 📈

    • @swefd
      @swefd Месяц назад +1

      😂

  • @alex15095
    @alex15095 Месяц назад +27

    Everybody always makes fun of Linux nerds who get mad about a 5 nanosecond delay, but they are actually the real thankless heroes who keep computing alive

  • @pacesxo
    @pacesxo Месяц назад +6

    Would love to hear fern’s rendition of who Edward Snowden is and what he’s done

  • @LucyDropp
    @LucyDropp Месяц назад +39

    I swear to god fern has hands down the best animation editor for these vids and the art style for them is absolutely perfectly descriptive yet minimal at the same time I’m addicted to these animations, really helps follow the story! Thank you fern 💚

    • @PunkDogCreations
      @PunkDogCreations Месяц назад

      Don't swear to God's holy name. It is blasphemous.

  • @rukitryuki
    @rukitryuki Месяц назад +19

    For this quality of animation I think fern should have at least 10-15M subs

  • @Tejonesss
    @Tejonesss Месяц назад +14

    God I love this channel, I wish more channels could do animations like this. The content itself is also top tier but the animations on top are just so nice. Thank you Fern!

  • @Internet_guy69
    @Internet_guy69 Месяц назад +3

    Fern's videos really make me feel that I'm experiencing a creator's potential to the best

  • @spaceman117X
    @spaceman117X 5 дней назад +1

    FACT: We don't have any idea what our software is doing behind our back!
    Imagine that these guys were bit more sophisticated programmers, like no CPU spikes or lagging.
    Chances are high that we would never figure that out.
    There were news in the past that some vulnerabilities are fixed after 20+ years!

  • @flaursey
    @flaursey Месяц назад +33

    i really appreciate how transparent you guys are about using AI voices (not that it’s inherently a bad thing to use them, but it’s always nice when people clarify). in the same vein, the “own opinion” marker is also a lovely touch! just makes it feel like you respect your audience that little bit more :)) really fascinating video !!

    • @5DPixel
      @5DPixel Месяц назад

      yeah, I kind of thought that but not sure who else he’d get to speak

    • @flaursey
      @flaursey Месяц назад

      @@5DPixel oh i don’t mind the use of AI voices if they don’t have anyone else, it’s just nice to see they clarified it was AI

  • @Solar9391
    @Solar9391 Месяц назад +61

    fern uploading is like finding $100 in your pocket

  • @龱
    @龱 Месяц назад +15

    Well, I was supposed to do homework, but this is much more interesting

  • @kayl.3s33
    @kayl.3s33 Месяц назад +1

    i was getting worried that i havent seen the notification that fern has uploaded until i checked the channel and saw the “(almost) weekly” everything makes sense now

  • @t_albino
    @t_albino 4 дня назад

    And this is the first time this year I'd heard of this tale. Mainstream media couldn't be bothered reporting it 🙄 So much for quality independent minded journalism.
    All I can say is keep up the incredible work Fern.

  • @unknownchristian341
    @unknownchristian341 Месяц назад +18

    Right when lunch is ready, THANKS

  • @just_mdd4
    @just_mdd4 Месяц назад +114

    Bro's videos are RUclips Red quality - like VSauce!

    • @Steamrick
      @Steamrick Месяц назад +3

      when's the last time vsauce made anything other than a short?...

    • @just_mdd4
      @just_mdd4 Месяц назад +2

      @@Steamrick That's why I specifically mentioned RUclips Red.

  • @DisconexionOfficial
    @DisconexionOfficial Месяц назад +19

    Dude this guy NEEDS his own Netflix series.

    • @rushe-1
      @rushe-1 Месяц назад

      this is a tax paid channel related to a big network

    • @wilddannyify
      @wilddannyify Месяц назад

      @@rushe-1how so ??

  • @dheylinantigua
    @dheylinantigua Месяц назад +2

    Wow the details on your videos are amazing ! 1:08 I recognized the Linux Debian distro logo. I mean I know the story already but watching your video is like a new experience 🔥

  • @bob75896
    @bob75896 Месяц назад +1

    I’m so glad your vids popped up on my feed one day! I love the animation!

  • @amphiptered.5355
    @amphiptered.5355 Месяц назад +7

    I didn't hear about this in my country, I should have. This undoubted the most frightening thing to happen. If this had gone live, I shudder to think the amount of damage that could have been done. The number of lives that could have been ruined.
    Thank you, Andres. You are a true cyber hero!

    • @LethalWalou
      @LethalWalou 24 дня назад

      Of course you didn't hear about it as it's more important to tell you what some D-list celebrity did that day or how Russia/China is going to start ww3 by attacking your country (if you live in Europe). Fear mongering and useless ''news'' stories is what people mostly are given.

  • @ComPare_
    @ComPare_ Месяц назад +14

    Crazy how this channel doesn't even have a membership, the quality of the contents are insane like so insane, better than most of the informational documentation out there

  • @jrchmgn.
    @jrchmgn. Месяц назад +8

    I can watch fern's ad from start to finish, it's like it is perfectly embedded in the video. Nice job!.

  • @volbia12
    @volbia12 19 дней назад +1

    Everytime I see news about a huge find in cybersecurity I can't help but think how many dozens are just never detected even by professionals.

  • @wasifalmeem4651
    @wasifalmeem4651 Месяц назад +1

    The production quality of this video WOW absolutely perfection

  • @vq4s
    @vq4s Месяц назад +10

    Hackers mentality >>> any other mentality

  • @A_Random_Hippo
    @A_Random_Hippo Месяц назад +4

    The opposite of Curiosity killed the cat. Good job Andres!

  • @vishvajeetramanuj9450
    @vishvajeetramanuj9450 Месяц назад +4

    Thank you Fern for bringing this to general public like me, who otherwise won't become aware of such good person and also the dangerous attack like this

  • @Mahfeo
    @Mahfeo Месяц назад +9

    please dont stop this form of content. it is educational and eye opening. Big love from western australia

  • @TimStandardRacingSuspension
    @TimStandardRacingSuspension 25 дней назад

    This is hands down one of my favorite videos of all time! AMAZING work on this one and can't thank you enough for putting this out!!

  • @dvlfish6756
    @dvlfish6756 Месяц назад +7

    Please continue to make videos about hackers! fern's just hit different.

  • @plokko1
    @plokko1 Месяц назад +3

    It's funny how a Microsoft employee basically saved Linux when back in the days Microsoft was seen as "the devil" from Linux users.
    I"m happy how things have changed.

  • @wh0_am_152
    @wh0_am_152 Месяц назад +6

    For reference all linux distros find their roots in either arch (bleeding edge with questionable stability) or debian (slow, stable) what goes into either if these distros affects many others esp. Debian as nearly 2/3 of distros are debian based like Ubuntu, Mint, KDE, and many more.

    • @SpinyDisk
      @SpinyDisk Месяц назад

      I use arch btw (I swear to god I have a live)

    • @StanleyRBLX
      @StanleyRBLX 10 дней назад

      ehh, arch is pretty stable but nothing beats debian

  • @enil88
    @enil88 Месяц назад +1

    it's pretty damn impressive how you can sneak in backdoors like that, in open source projects where other skilled programmers are reviewing your contributions

  • @TimG...
    @TimG... 22 дня назад +1

    It's crazy how close we skate to the brink of disaster on various levels like this. Thank you, Adres Freund!

  • @goatknight777
    @goatknight777 Месяц назад +10

    you already know this gonna be a banger

  • @warez_90
    @warez_90 Месяц назад +30

    Day off on December 25 (catholic Christmas) does not line up with Russia - they don’t even have a holiday on that day. 14:45

    • @jozsefk9
      @jozsefk9 27 дней назад

      Good catch!

    • @LethalWalou
      @LethalWalou 24 дня назад

      Not to mention that Russia hasn't used DST since 2011, meaning that the time zone switch between UTC +2 and +3 doesn't match Russia either. Sheep although will automatically paint Russia as the evil no matter what. Unsurprisingly an actual evil nation in middle-east fits the time zones and uses DST, as well as has religious holidays at those times... The same nation that is now bombing several different countries and committing geno****... But hey, they are allied to the west so the sheep will be told they are not the bad guys.

    • @LethalWalou
      @LethalWalou 24 дня назад

      Not to mention that Russia hasn't used DST since 2011, meaning that the time zone switch between UTC +2 and +3 doesn't match Russia either. Sheep although will automatically paint Russia as the evil no matter what. Unsurprisingly an actual evil nation in middle-east fits the time zones and uses DST, as well as has religious holidays at those times... The same nation that is now bombing several different countries and committing ge... n0**c!de... But hey, they are allied to the west so the sheep will trust them.

    • @LethalWalou
      @LethalWalou 24 дня назад

      Not to mention that Russia hasn't used DST since 2011, meaning that the time zone switch between UTC +2 and +3 doesn't match Russia either. Sheep although will automatically paint Russia as the evil no matter what.

    • @LethalWalou
      @LethalWalou 24 дня назад

      Not to mention that Russia hasn't used DST since 2011, meaning that the time zone switch between UTC +2 and +3 doesn't match Russia either. Sheep will altho still paint Russia as bad no matter what. Unsurprisingly an actual bad nation in middle-east fits the time zones and uses DST, as well as has religious holidays at those times... The same nation that is now bombing several different countries and committing ge... n0**c!de... But hey, they are allied to the west so the sheep will trust them.

  • @Sorblex
    @Sorblex Месяц назад +55

    The mention of “cozy bear” reminded me of your German-language documentary “Putins Bären”, is there an English-language version of it coming for this channel?
    I think our fellow Europeans and allies across the pond might also be interested in this.

    • @saschaheldt1131
      @saschaheldt1131 Месяц назад +15

      This documentary was produced in cooperation with the German Funk network, which is paid for by most Germans through the "Rundfunkbeitrag" (broadcasting license fee).
      Since Simplicissimus no longer works with Funk, the documentary will probably not be available in English for other compatriots (at least that's what I assume, knowing Funk).

    • @murmeldin
      @murmeldin Месяц назад +4

      Yeah, it would be great if they would translate their documentary, but it could be not possible because of the licenses...

    • @gfrewqpoiu
      @gfrewqpoiu Месяц назад +1

      And they even showed two short clips from it.
      I wish they could figure out a deal for it to be translated into english and published.
      I would love to watch it with my fiance but she doesnt speak german well enough yet :(

  • @Mutrax4706
    @Mutrax4706 Месяц назад +1

    tbf, great patience is one of the steps in gaining power and control. you need to let things take their time, exactly like if you were never doing smth bad in the first place

  • @electroplayz2141
    @electroplayz2141 28 дней назад +2

    Bro waited half a second and found out theres a problem
    Im over here waiting an entire minute for anything to load 😭

  • @P1xelzMCBE
    @P1xelzMCBE Месяц назад +11

    Andrés be cooking

  • @helloMoto-k2
    @helloMoto-k2 Месяц назад +20

    I see Fern I click. You're amazing

  • @yulo8987
    @yulo8987 Месяц назад +11

    A nice theory but Russians don't celebrate Christmas in December, the Russian Christmas is on 7th of January (the Russian Orthodox church uses a different calendar). Also Russians DO work on 31st of December but don't work in the first dayS of January, not only the first of January.

    • @LethalWalou
      @LethalWalou 24 дня назад

      Russia doesn't use DST either, haven't used it since 2011. Jews altho do, and they have their holidays from 25th of Dec onwards and are known to be doing this kind of things.

  • @ashish11chawda
    @ashish11chawda 20 дней назад

    Great work on the ad of Brilliant, I'd have just skipped if it was the usual screen recording of courses
    And always love your videos 🙌🏻

  • @nik_evdokimov
    @nik_evdokimov Месяц назад

    Thanks for sharing such a huge story about which many of us haven't heard and, if not for this video, would never hear about

  • @danieldavis9359
    @danieldavis9359 Месяц назад +17

    6:45 sponsor skip

    • @SqualidsargeStudios
      @SqualidsargeStudios Месяц назад +2

      It should be renamed to forced ads, cuz that’s that that annoying nonsense is

    • @ProulxS
      @ProulxS Месяц назад +1

      @@SqualidsargeStudios But then we would have to rename Sponsorblock that allows us to skip the sponsor segment...

    • @TommyGee.
      @TommyGee. Месяц назад +2

      i actually clicked the link and might buy it... the ad is working 😮

    • @spongebobpopsicle9397
      @spongebobpopsicle9397 Месяц назад +1

      @@SqualidsargeStudiosA youtuber's gotta eat, you know? (sorry if you received any offense)

  • @triciac.5078
    @triciac.5078 Месяц назад +15

    15:09 yes but it also shows how this was caught. It was the community, as in Jia Tan, who did this, but it was also the community, Andre, that caught it. It goes both ways.
    And it’s a risk, don’t get me wrong on that, but you can’t blame the open community for causing the problems without also crediting the open community for why it was caught. I work with someone like Andre, and plan to share this video with him tomorrow. Wouldn’t be surprised if he knew Andre personally. There are dedicated people on both sides.

  • @SpiritedAlways
    @SpiritedAlways Месяц назад +6

    I love these fern productions! Always so high quality. But I can't take the AI voices. Breaks the immersive storytelling somehow.

    • @Steamrick
      @Steamrick Месяц назад +1

      And who would you suggest to cast as 'the villain'?

    • @just_mdd4
      @just_mdd4 Месяц назад +1

      @@Steamrick MrBeast's 42.
      Just kidding, lol. That's a great question you've asked.

  • @EmperorChaos350
    @EmperorChaos350 Месяц назад

    This is my first time watching one of Fern’s videos, by far one of my favorite RUclipsrs every.

  • @benjaletzke4475
    @benjaletzke4475 Месяц назад

    Just want to say I really appreciate how well annotated and researched your videos are. A breath of fresh air in the current internet to see opinion, AI content and sources clearly marked and referenced

  • @azmirhossin7550
    @azmirhossin7550 Месяц назад +5

    First thought it was sponser ad 0:02

  • @LOLyoujustgotrickrolled
    @LOLyoujustgotrickrolled Месяц назад +7

    fern becoming *the* G.O.A.T of documentaries 🔥

    • @LOLyoujustgotrickrolled
      @LOLyoujustgotrickrolled Месяц назад

      @MangoDeluxe99 imma edit it then

    • @yulo8987
      @yulo8987 Месяц назад

      For 'the GOAT' they don't bother to fact-check. Russians don't celebrate Christmas in December, the official holiday is in January.

    • @Riskw-mk1lo
      @Riskw-mk1lo Месяц назад

      you should see "the G.O.A.T" movie

  • @DarknessIsaGoober
    @DarknessIsaGoober Месяц назад +18

    1:38 what are those numbers at the bottom left

  • @AestusReborn
    @AestusReborn 27 дней назад +1

    Fern: makes normal video
    Also Fern in that same video: here's where they live

  • @JSeriously
    @JSeriously Месяц назад +1

    Many of your videos I have no interest in, but I watch them because you do such an excellent job- and I am never disappointed.

  • @saschaberger3212
    @saschaberger3212 Месяц назад +4

    Wie kann eine so wichtige Position ehrenamtlich sein? Maintainer meine ich

    • @keefymckeefface8330
      @keefymckeefface8330 Месяц назад +5

      open source- its essentially 99.99999999 percent voluntary. As near all as to be all in terms of real work done.

    • @desmond-hawkins
      @desmond-hawkins Месяц назад

      @@keefymckeefface8330 Big companies do sponsor and control some large projects and even collaborate even when they are competitors. A classic example is Webkit, which is the engine to render web pages used in Google Chrome, Safari, Microsoft Edge, really most browsers these days. It is controlled by Apple but many companies contribute. That's mostly the really big projects though, while most of the utilities, tools, and parts of software that many programs use ("libraries") are often maintained voluntarily and in their spare time by engineers, often engineers who are also employed at these big companies but still getting little support from them on these many smaller projects. xz was just one guy.

    • @iFlyGood
      @iFlyGood Месяц назад +3

      Pretty wild to think that amazing pieces of work are accomplished by people for fun and not for money.

    • @elrymoe
      @elrymoe Месяц назад +1

      Bist du dumm ? Is halt open source

    • @cockinyoursis7992
      @cockinyoursis7992 Месяц назад

      ​@@iFlyGoodIf you have a Passion in Live, you do it simple as it is.

  • @EmiratesGaming-lf8nm
    @EmiratesGaming-lf8nm Месяц назад +11

    HOW DOES THIS GUY ALWAYS SLIDE IN THE SMOOTHEST SPONSER SECTION

  • @mocko69
    @mocko69 Месяц назад +6

    If one was caught, it makes you wonder how many such backdoors are completely unnoticed

  • @AwareOCE
    @AwareOCE 23 дня назад

    Such an amazingly well done documentary, best thing I've seen on RUclips in a while!

  • @DylanElmer
    @DylanElmer Месяц назад

    Didn’t think you could put a Sponsor in this beautifully designed and written video!

  • @Gusburg
    @Gusburg Месяц назад +4

    really nice that you added a note when you switch to opinion rather than fact. too often there are documentaries that accidently pass off an opinion as a fact