I think if not Andrew someone else would found it. There were other open source projects which found problems/bugs related to XZ library, so I think it was a matter of time until it was discovered. It took about 1 month since backdoor was added to XZ for Andrew to discover this backdoor, but even if he didn't find it someone else would. But even if no one found it, it would be chaos for few days and than they would stop it. Also this was not a super elaborated social thing as video suggests at least that's how I see it. I think it was only one person, I am programmer and it seems like everything was coded by one person, also Kumar and Dennis and Jensen were just simple accounts that used different VPN's and emails so that can be done by one person, they only sent few messages and there is no internet trace of them, so they are shallow profiles. They also seem to talk in similar way, they sound like one person. I would say this was some young smart hacker or 2 or 3 random young hackers similar to those who hacked video game companies like in other FERN video. Also lets say that virus/backdoor infected the whole world, it would take time for hackers to steal something, so again enough time for fix to be deployed and remove the backdoor from important servers, it would just cost millions and millions of dollars to different companies/entities.
@@iFlyGood500ms, not .4 It's about a 10x time increased compared to the usual, per login. And with the testing he has been doing, he would've had dozens of logins. It is not hard to notice when, instead of something taking 0.1 seconds, it suddenly takes 5 seconds. And 5 seconds is also enough time to notice excessively high cpu load. Instead the important factor is, that he actually bothered to investigate what causes it.
At 03:41 keep in mind "fork yourself" was not meant as an insult. Forking works like a fork. You have the source code, the handle of the fork, and then you have the separate tips of it, the forks. Essentially, the commenter is suggesting that the other guy makes a clone of the code on github with himself as the maintainer, so that they can make further progress on the code without the delays. If you and I were to make a paint type program, and we fork a program that has everything except the bucket tool and the brush tool, and you implement the brush tool in your fork, and I implement the bucket tool in mine, we now have 3 versions of the same code. 1. The base code, the original paint. 2. Your fork with the brush tool, probably named something like "yourname-paint-brush" 3. My fork with the bucket tool, probably named something like "mycodeisbetterthanyourslmaogoforkyourselfsuckiiiiiiit-bucket"
I don't trust what you said. The way you said it doesn't make sense. The show "The good place" uses profanity humor. I learned that people might hide their profanities as humor type. How else does that meant?
Seriously, RUclips's the new, more relatable Netflix for me but like how much money and man hours did they put into this and how many views do they need to recoup
Man, source citations in EVERY scene is just crazy professional. Higher standard than many 'professional' documentaries by bigger companies. Well done!
Having someone like you who’s not only a great innovator but also pulls his best to get the work done so beautifully needs nothing but appreciation. Dale valskov Thanks for the well off work you consistently bring your all and I truly appreciate that. Thank you for making corporate life so smooth. Proud to have you on our team. Great work as always.
Please most open-source maintainers who i reported issues to or contributed code to have been SUPER nice. I actually tended to be very polite as well, even with people who were clearly rude and frustrated, though with a project with a million users, it sometimes gets difficult. You sometimes get... special types of Karens, ones that cannot be put at ease. I'm sure you can vaguely imagine. Well at least i never took revenge on them, even if i was tempted to.
@@Twisted_Code They have external services like snyk. Don't really check individual lines of code but if someone does notice it's immediately taken care of
Well, the devs are fueled by their passion. And the largest companies do contribute to the projects. The real problem is companies like Huawei claiming that they developed something only to be based on open source projects, then proceed to earn money for their bad products on the premise of patriotism
The efficiency of this Dale valskov is next level. To juggle walk throughs of various angles on the topic delivered to-camera, differnet content per topic from various folks underneath the umbrella of the track list of the larger big band concert itself is engaging and refined. To make a dense taccess like this so digestible is really something. Awesome work !!
That feeling when your partner cheated and you don't have the courage to leave him or her so you just dealt with the pain and live everyday asking questions about your worth. This pain is different from the cheating one-- living and seeing him everyday anticipating when will he or she do it again. Your videos are incredibly well done. No critique, thanks for doing this Dale valskov
Yeah I've always wondered how tf you put in code in there doing ssh key authentication whatever without people noticing that piece of code? It being not in the code but somewhere else makes sense
Yeah, according to the information provided in the source links from the official Red Hat website: "The malicious injection present in the xz versions 5.6.0 and 5.6.1 libraries is obfuscated and only included in full in the download package - the Git distribution lacks the M4 macro that triggers the build of the malicious code. The second-stage artifacts are present in the Git repository for the injection during the build time, in case the malicious M4 macro is present."
Maintainers must be VERY critical now of binary blobs even if described as 'test data' if it can be accessed during the build process. Ideallying, building and testing will be completely separate and gapped environments
The real reason behind the suspicion of state sponsonred hackers, for us IT engineers, is not just the social engineering. It's how sophisticated the technical details of the attack really were. I myself don't fully understand all the details. But in essence it's a supply chain attack. It *only* triggers when specifically compiling SSH with xzutils in a Linux distro. Undetectable during code reviews. Some Linux distros weren't even affected because they didn't compile SSH the way that the attack expected. And the payload was hidden in the test suite. Many many details that would've made this attack close to unthinkable for nearly every hacker, except for state sponsored groups. It's unanimously agreed that it was state sponsored because it's just too multi layered.
Some test suits were disabled by first making the test fail silently if code doesn't compile on a specific platform, to make it easier to execute it on multiple platforms. Then a hidden period "." was committed, in theory visible by anyone, but just extremely hard to see, that disables a specific test by making the code not compile. Test cases that take binary input also existed. The binary input was placed in the repository as is, and nobody verified the contents of the binaries. All of these were red flags but they were given rigorous technical justification. Made by someone you don't expect to be malicious.
I don't know why it's assumed everywhere that "very sophisticated" means "state-sponsored". This makes no sense to me. It's of course possible, but just jumping to that conclusion without any sort of reasoning other than "it's really good" seems completely irrational. This exploit did not require billions in funding in any way. IMO it just makes it sound as if you believe the only hackers are 12yo script kiddies and not rational humans capable of setting an objective, constructing a plan and executing it over a couple of years. Not every exploit is a random tiny hole noticed by someone who then immediately fists through it, downloads all the user data, runs rm -rf * and then uploads it on a forum.
Yeah but they aren’t on my level and I’m not state sponsored check this amazing line of code Print(“Get Hacked”) What can I say am I a cyber threat or what
@@williamduncan7401 not to this level, this is just too organized, like stuxnet, pegasus, etc etc, i too like the idea of lone wolfs etc but this level of organization is just not common...
Or, you HAVE to hear me out, he has ADHD/ADD. Thinking that far ahead on something you enjoy or are super passionate about and then you get fixated on details. Sometimes reality is odd
As a Retired combat Marine I want to tell you that as what you are doing is just as important as any warrior on the battlefield. You are waging warfare against these criminals and terrorists on the digital battlefield. You are defending and protecting the most vulnerable of our society against these predators. Keep up the good work Dale valskov
A lot of people use this case to bash on Free and Open Source Software. They try to paint it as insecure because it's developed in the open. I'd suggest otherwise: this is FOSS working completely as intended. The sheer fact that a random person could catch this bug is exactly due to the software being developed in the open. Were it fewer eyes on the software *and* its source code, the backdoor would have never been noticed.
I agree to some extend (as a linux, blender, shotcut, obs, user, that tries to use as much open source as plausible) It is true, that it's incredible that some "random dude" could spot that (due to it being open source). Though with closed source, it is harder to put malware into the product itself. So it's sort of a 10% for something to very bad to happen vs a 90% that something mediocre is going to happen (value wise). But yea, long live open source
@@SpinyDisk It's not really all that much harder to infiltrate some closed-source software company, if you play your cards right. I'm willing to bet you my bone marrow that GAFAM companies have multiple state-sponsored plants each. I mean, aside from the information they're happy to provide the state with themselves.
Sure that might be FOSS working as intended, but there's never been a single security issue in Windows or any other closed-source software in the entire history of computing!
@@altragclosed-source software are closed-source because the company or people who develop those software want to make money out of them. Even if there has been any security issue about these software, nobody could tell and nobody would know because nobody see the source code. Or do you think the developer of closed-source software would announce to the public that their product has security issues, so that they can have less customers? If xz were a closed-source software and the backdoor were implemented by a random employee of the company working on the software, the backdoor would simply be implemented, and no one would have any clue. Not to mention actually finding out the security issue and fixing it. Imagine if Andres has no access to the suspicious source code, without any prove to validate his doubt, even a great engineer like him can do nearly nothing but admit that he himself is just being too sensitive and give up.
And still not knowing which date is Russian Christmas celebrated on (spoiler, it's on January 7th). But sure, "Russian hackers" sounds more impressive, then hackers from other countries. Sigh.
@@yulo8987 I am surprised that holidays are relevant at all because why would a hacker group or secret service really care about those... in such organizations there are no holidays... it's as stupid as claiming no one works in a hospital on Christmas eve...
Hey ppl, I'm a retired computer/IT person, Yet I still find Dale valskov so informative and straight forward. Thanks for your advise and helping the people...........Great work and love watching.
Awesome work, Dale valsko ! It's so satisfying to see you putting in the effort to stop those shady characters. Protecting the public, especially the elderly, from those despicable con artists is crucial. You truly deserve recognition and appreciation for keeping us secure. I'm thrilled for you because you're my sibling. Your accomplishments definitely make you a strong contender for the Nobel Peace Prize. Keep up the outstanding performance!!!!!
I never thought that the xz/Jia Tan drama would ever make it into Fern one day. On a more serious note, I am literally shaking over the fact that there can still be multiple cleverly hidden backdoors created with similar methods still in the wild. I know for a fact that no one will thoroughly review thousands of lines of generated code from a single PR for example when the diff is too large.
Can't these very smart LLM's be used to review code? I use it as a very quick check of new code to flush silly mistakes already, these may not write qual code yet, but it's a good, fast reviewer.
@@Nick_Sandman Depends on the model, but really, LLMs can never truly go beyond what we trained them on, we train them on good inputs but also bad ones. They can definitely check for minor issues across a large number of inputs, and are generally faster than a human. However, I doubt they would catch the most intricate ones. Even if they did, it would be a cat-and-mouse game; people will always find smarter ways to bypass any countermeasures.
@@afmikasenpai There must be a fair sized legacy of malware that I'm sure has been crawled by many LLMs. And there is emergent behaviour anytime there's any form of adaption. The important point though is it's throwing out orange and red flags fast for thousands of lines of code, concentrating the attention of more perceptive eyes and minds.
Fern manages to tell a tighter story because the story is as long as it needs to be. In mainstream media they have to drag things out to nearly an hour.
I enjoy fern but stop dick riding.... Mainstream media documentaries have had multiple accredited history professor's and show all sources like Fern does. They indeed fell off drastically but the hundreds and hundreds of history, animal planet and national geographic documentaries are some of the best researched piece's out there. They also have great narrators too. 90s and early 2000s had the best ones. I do agree the new ones just absolutely blow tho. Compared to new ones Fern does good but compared to the genre as a whole he's mediocre at best. And that's okay
this is why open source stuff is so important for the internet. without being able to actually look at the code and finding the backdoor, who knows how long it may have taken for anybody to figure it out let alone how long it would take for a fix to be implemented
@@collinsonOga not if you already work at said organisation or manage to apply and get hired there (probably not as hard as gaining the trust of a maintainer by actually volunteering valid code for years). And in any case, my rule of thumb is that if you can't see the code, you can just assume there is a backdoor (perhaps even by design by the company) since clearly there's something worth hiding. IMO non-libre software is inherently insecure since a corporation-the only purpose of which is to extract as much money from you as possible-is hardly where you want to place your trust.
The attack involved binary blobs. It could be argued that allowing files that are not open-source (or not even source-available) in an open-source project is a problem.
Thank you so much for not doing the typical "...Collin was born on a cold night of 1994. When he was 4, his favorite dish was lasagna..." etc. like most of these channels do to make their videos as loooong as possible. Also it was really well explained considering I know nothing about this stuff. Great Job!
as a linxu user I really feel like this video shows how important it was But xz was in rolling and only some were affected but imagine it getting into stable releases (It would've been a nightmare , and I mean absolute nightmare) the country which was behind it , literally could've started world war III if xz had gotten into mainstream distros absolute chills
apparently it did manage to reach production versions of both arch and Manjaro and almost reached debian with only a few weeks to release which would've been massive (idk how close it was to Ubuntu or RHEL but probably close), the performance issues were already fixed in an update that the dev testing performance didn't have and managed to catch it
The best part for me is where something like this is in the budget range of many non-state actors as well. The only real bottleneck is the relatively small amount of sufficiently skilled and motivated black hatters.
This is just an instance where a backdoor was discovered en route to seeing widespread deployment. This could've been one of several similar attacks, one of a multi-pronged scattershot attack that has redundancies involved. At the end of the day, it was a total fluke that Andreas caught this one - imagine all the other attacks that could be happening, or have already seen deployment, and those with access are just waiting for the right time to launch an attack - all the ones that there was no Andreas to catch.
Now consider the world of proprietary software: This was only discovered because someone *could* look at what goes on under the hood, and was compelled to do so by their curiosity. Imagine all the other attacks that could be happening, or have already seen deployment - all the ones where there isn't even a *possibility* of an Andreas to catch them, because their code is under lock and key. Swings and roundabouts, and for my part "security through obscurity" doesn't butter many parsnips.
Yeah, I was thinking that. "The guy that saved the internet" etc...great, but we only know about it because he did, by chance, spot something. Made me think probably 1 in 100. If so there are 99 other similar backdoors in good working order, undiscovered!
Game developer here. People underestimate how insane 500ms is. To give you an example, i create functionalities that must run under 1ms lol. Figure out now why would a Programmer notice 500ms delay. Still insane work by the final boss Andress 🗿........
I know this isn’t the type of topics you usually cover, but I would love to see your teams animation skills covering something like the last glacial maximum, or some other geographic phenomena that is difficult to understand/comprehend. It’s much easier to grasp with animation
This is how Germany produces RUclips videos. It’s top tier sponsored by our tax money 😂 However, I believe fern stopped cooperating with German public broadcasters a year ago
And the most crazy thing is the technical detail how the code was placed/hidden! I know that the technical stuft would be too much for a non-technical audience but how the backdoor was encoded was just wizard-level hacking!
Ohhh, xz! Wow I never thought Linux drama would make it into mainstream YT but here we are! Also how are you guys pumping out these high-quality videos so fast? Don't burn out, yall
@@wilx2703 Huh, didn't think of that. It's been what, 4 years since AI first came out and I'm still wrapping my head around the whole "using AI to do work" thing :P Though, I don't see any obvious signs of AI in the videos, and they have a LOT of fingers moving and other stuff that AI is generally bad at. I dunno
Either way China doesn't really celebrate Christmas all that much; so it would still be a false flag to have them offline then but not on CCP national holidays.
Everybody always makes fun of Linux nerds who get mad about a 5 nanosecond delay, but they are actually the real thankless heroes who keep computing alive
I swear to god fern has hands down the best animation editor for these vids and the art style for them is absolutely perfectly descriptive yet minimal at the same time I’m addicted to these animations, really helps follow the story! Thank you fern 💚
God I love this channel, I wish more channels could do animations like this. The content itself is also top tier but the animations on top are just so nice. Thank you Fern!
FACT: We don't have any idea what our software is doing behind our back! Imagine that these guys were bit more sophisticated programmers, like no CPU spikes or lagging. Chances are high that we would never figure that out. There were news in the past that some vulnerabilities are fixed after 20+ years!
i really appreciate how transparent you guys are about using AI voices (not that it’s inherently a bad thing to use them, but it’s always nice when people clarify). in the same vein, the “own opinion” marker is also a lovely touch! just makes it feel like you respect your audience that little bit more :)) really fascinating video !!
i was getting worried that i havent seen the notification that fern has uploaded until i checked the channel and saw the “(almost) weekly” everything makes sense now
And this is the first time this year I'd heard of this tale. Mainstream media couldn't be bothered reporting it 🙄 So much for quality independent minded journalism. All I can say is keep up the incredible work Fern.
Wow the details on your videos are amazing ! 1:08 I recognized the Linux Debian distro logo. I mean I know the story already but watching your video is like a new experience 🔥
I didn't hear about this in my country, I should have. This undoubted the most frightening thing to happen. If this had gone live, I shudder to think the amount of damage that could have been done. The number of lives that could have been ruined. Thank you, Andres. You are a true cyber hero!
Of course you didn't hear about it as it's more important to tell you what some D-list celebrity did that day or how Russia/China is going to start ww3 by attacking your country (if you live in Europe). Fear mongering and useless ''news'' stories is what people mostly are given.
Crazy how this channel doesn't even have a membership, the quality of the contents are insane like so insane, better than most of the informational documentation out there
Thank you Fern for bringing this to general public like me, who otherwise won't become aware of such good person and also the dangerous attack like this
It's funny how a Microsoft employee basically saved Linux when back in the days Microsoft was seen as "the devil" from Linux users. I"m happy how things have changed.
For reference all linux distros find their roots in either arch (bleeding edge with questionable stability) or debian (slow, stable) what goes into either if these distros affects many others esp. Debian as nearly 2/3 of distros are debian based like Ubuntu, Mint, KDE, and many more.
it's pretty damn impressive how you can sneak in backdoors like that, in open source projects where other skilled programmers are reviewing your contributions
Not to mention that Russia hasn't used DST since 2011, meaning that the time zone switch between UTC +2 and +3 doesn't match Russia either. Sheep although will automatically paint Russia as the evil no matter what. Unsurprisingly an actual evil nation in middle-east fits the time zones and uses DST, as well as has religious holidays at those times... The same nation that is now bombing several different countries and committing geno****... But hey, they are allied to the west so the sheep will be told they are not the bad guys.
Not to mention that Russia hasn't used DST since 2011, meaning that the time zone switch between UTC +2 and +3 doesn't match Russia either. Sheep although will automatically paint Russia as the evil no matter what. Unsurprisingly an actual evil nation in middle-east fits the time zones and uses DST, as well as has religious holidays at those times... The same nation that is now bombing several different countries and committing ge... n0**c!de... But hey, they are allied to the west so the sheep will trust them.
Not to mention that Russia hasn't used DST since 2011, meaning that the time zone switch between UTC +2 and +3 doesn't match Russia either. Sheep although will automatically paint Russia as the evil no matter what.
Not to mention that Russia hasn't used DST since 2011, meaning that the time zone switch between UTC +2 and +3 doesn't match Russia either. Sheep will altho still paint Russia as bad no matter what. Unsurprisingly an actual bad nation in middle-east fits the time zones and uses DST, as well as has religious holidays at those times... The same nation that is now bombing several different countries and committing ge... n0**c!de... But hey, they are allied to the west so the sheep will trust them.
The mention of “cozy bear” reminded me of your German-language documentary “Putins Bären”, is there an English-language version of it coming for this channel? I think our fellow Europeans and allies across the pond might also be interested in this.
This documentary was produced in cooperation with the German Funk network, which is paid for by most Germans through the "Rundfunkbeitrag" (broadcasting license fee). Since Simplicissimus no longer works with Funk, the documentary will probably not be available in English for other compatriots (at least that's what I assume, knowing Funk).
And they even showed two short clips from it. I wish they could figure out a deal for it to be translated into english and published. I would love to watch it with my fiance but she doesnt speak german well enough yet :(
tbf, great patience is one of the steps in gaining power and control. you need to let things take their time, exactly like if you were never doing smth bad in the first place
A nice theory but Russians don't celebrate Christmas in December, the Russian Christmas is on 7th of January (the Russian Orthodox church uses a different calendar). Also Russians DO work on 31st of December but don't work in the first dayS of January, not only the first of January.
Russia doesn't use DST either, haven't used it since 2011. Jews altho do, and they have their holidays from 25th of Dec onwards and are known to be doing this kind of things.
15:09 yes but it also shows how this was caught. It was the community, as in Jia Tan, who did this, but it was also the community, Andre, that caught it. It goes both ways. And it’s a risk, don’t get me wrong on that, but you can’t blame the open community for causing the problems without also crediting the open community for why it was caught. I work with someone like Andre, and plan to share this video with him tomorrow. Wouldn’t be surprised if he knew Andre personally. There are dedicated people on both sides.
Just want to say I really appreciate how well annotated and researched your videos are. A breath of fresh air in the current internet to see opinion, AI content and sources clearly marked and referenced
@@keefymckeefface8330 Big companies do sponsor and control some large projects and even collaborate even when they are competitors. A classic example is Webkit, which is the engine to render web pages used in Google Chrome, Safari, Microsoft Edge, really most browsers these days. It is controlled by Apple but many companies contribute. That's mostly the really big projects though, while most of the utilities, tools, and parts of software that many programs use ("libraries") are often maintained voluntarily and in their spare time by engineers, often engineers who are also employed at these big companies but still getting little support from them on these many smaller projects. xz was just one guy.
really nice that you added a note when you switch to opinion rather than fact. too often there are documentaries that accidently pass off an opinion as a fact
fern vids feel like real youtube premium
Facts
For sure
Fr better documentery's then Netflix
real
Facts
Imagine working for 4 years on what could have been the biggest cyber attack in history just to get caught by some dude testing on his free time
He's not just some dude. Hes a dude whose programs are so optimized he will notice .4 ms of delay 😂
I think if not Andrew someone else would found it. There were other open source projects which found problems/bugs related to XZ library, so I think it was a matter of time until it was discovered. It took about 1 month since backdoor was added to XZ for Andrew to discover this backdoor, but even if he didn't find it someone else would. But even if no one found it, it would be chaos for few days and than they would stop it.
Also this was not a super elaborated social thing as video suggests at least that's how I see it. I think it was only one person, I am programmer and it seems like everything was coded by one person, also Kumar and Dennis and Jensen were just simple accounts that used different VPN's and emails so that can be done by one person, they only sent few messages and there is no internet trace of them, so they are shallow profiles. They also seem to talk in similar way, they sound like one person. I would say this was some young smart hacker or 2 or 3 random young hackers similar to those who hacked video game companies like in other FERN video.
Also lets say that virus/backdoor infected the whole world, it would take time for hackers to steal something, so again enough time for fix to be deployed and remove the backdoor from important servers, it would just cost millions and millions of dollars to different companies/entities.
@@iFlyGood500ms, not .4
It's about a 10x time increased compared to the usual, per login. And with the testing he has been doing, he would've had dozens of logins.
It is not hard to notice when, instead of something taking 0.1 seconds, it suddenly takes 5 seconds. And 5 seconds is also enough time to notice excessively high cpu load.
Instead the important factor is, that he actually bothered to investigate what causes it.
Nerds save the world.
@@turb00oAcoustic*
fun fact Andres Freund's , last name translates to friend in German . He is truly a friend the internet needed
Vriend in Afrikaans
Even funnier
The narrator is German
Last name. *
@@oscargreat. Last name*
@@Mmmmmmmmmmmnm Right. Without the period before "Last". 😃
At 03:41 keep in mind "fork yourself" was not meant as an insult. Forking works like a fork. You have the source code, the handle of the fork, and then you have the separate tips of it, the forks. Essentially, the commenter is suggesting that the other guy makes a clone of the code on github with himself as the maintainer, so that they can make further progress on the code without the delays.
If you and I were to make a paint type program, and we fork a program that has everything except the bucket tool and the brush tool, and you implement the brush tool in your fork, and I implement the bucket tool in mine, we now have 3 versions of the same code.
1. The base code, the original paint.
2. Your fork with the brush tool, probably named something like "yourname-paint-brush"
3. My fork with the bucket tool, probably named something like "mycodeisbetterthanyourslmaogoforkyourselfsuckiiiiiiit-bucket"
Thanks
Good clarification.
damn rlly didn't know that thx
I don't trust what you said. The way you said it doesn't make sense. The show "The good place" uses profanity humor. I learned that people might hide their profanities as humor type. How else does that meant?
I didn't know people didn't know this. "Forking" isn't exclusive to coding, and I thought the context made enough sense lol.
The fact that you explained it in a way that someone with no technical background would understand speaks volumes, thank you for another great video
I think it's an attack on the internet from Russia to get the U.S. nuclear bomb codes.
A developer being polite and helpful?
Major red flag right there.
FR
if they're not either unspeakably rude or nice but constantly swearing then be careful tbh
Hey, I object that! Well, at least to the polite part. I haven't published a lot of code so helpfulness is still kind of in the air 🤣
Also the Chinese name. Usual suspect Lol.
i am a fking nice developer..
The production of some of these youtube videos nowadays is crazy
Indeed!
What he said! AND just SOME? 😭
German efficiency
Seriously, RUclips's the new, more relatable Netflix for me but like how much money and man hours did they put into this and how many views do they need to recoup
@@Myrdrrr Fern isn't the only high-tier RUclipsr, lol. There's others like Melodysheep and LEMMiNO.
Man, source citations in EVERY scene is just crazy professional. Higher standard than many 'professional' documentaries by bigger companies. Well done!
Having someone like you who’s not only a great innovator but also pulls his best to get the work done so beautifully needs nothing but appreciation. Dale valskov Thanks for the well off work you consistently bring your all and I truly appreciate that. Thank you for making corporate life so smooth. Proud to have you on our team. Great work as always.
04:46 devs/ maintainers being polite, the biggest red flag. 🚩
fr
Also, displaying social skills 🚩
See: Linus Torvalds mailing list rants
@@FCoFix that's how you know he's legit lol
Please most open-source maintainers who i reported issues to or contributed code to have been SUPER nice.
I actually tended to be very polite as well, even with people who were clearly rude and frustrated, though with a project with a million users, it sometimes gets difficult. You sometimes get... special types of Karens, ones that cannot be put at ease. I'm sure you can vaguely imagine. Well at least i never took revenge on them, even if i was tempted to.
Millions of modules are maintained by developers with little reward, yet power the largest companies.
which is critizied at the end of the video
Yup, and you have to wonder... dhow many of these companies do their due diligence, checking the code produced by the thankless masses?
@@Twisted_Code They have external services like snyk. Don't really check individual lines of code but if someone does notice it's immediately taken care of
Well, the devs are fueled by their passion. And the largest companies do contribute to the projects. The real problem is companies like Huawei claiming that they developed something only to be based on open source projects, then proceed to earn money for their bad products on the premise of patriotism
Everyone, please repeat after me: "Thank you for saving the internet, Andres"
I would like to say thanks. But since the internet is destroying our governments, societies, and people’s sanity. Thanks????
@@Christophe_derBerge-op9zh All of these things we're caused by human activity. We're responsible for it not the web
Everyone reoeat after me 🤓🤓🤓
ur not him bro
Thank you for saving the internet, Andres
The efficiency of this Dale valskov is next level. To juggle walk throughs of various angles on the topic delivered to-camera, differnet content per topic from various folks underneath the umbrella of the track list of the larger big band concert itself is engaging and refined. To make a dense taccess like this so digestible is really something. Awesome work !!
That feeling when your partner cheated and you don't have the courage to leave him or her so you just dealt with the pain and live everyday asking questions about your worth. This pain is different from the cheating one-- living and seeing him everyday anticipating when will he or she do it again. Your videos are incredibly well done. No critique, thanks for doing this Dale valskov
The crazy thing is that backdoor wasn’t even inside the code itself. But was attached while the code was being deployed.
Yeah I've always wondered how tf you put in code in there doing ssh key authentication whatever without people noticing that piece of code?
It being not in the code but somewhere else makes sense
Yeah, according to the information provided in the source links from the official Red Hat website: "The malicious injection present in the xz versions 5.6.0 and 5.6.1 libraries is obfuscated and only included in full in the download package - the Git distribution lacks the M4 macro that triggers the build of the malicious code. The second-stage artifacts are present in the Git repository for the injection during the build time, in case the malicious M4 macro is present."
Maintainers must be VERY critical now of binary blobs even if described as 'test data' if it can be accessed during the build process. Ideallying, building and testing will be completely separate and gapped environments
The real reason behind the suspicion of state sponsonred hackers, for us IT engineers, is not just the social engineering. It's how sophisticated the technical details of the attack really were. I myself don't fully understand all the details. But in essence it's a supply chain attack. It *only* triggers when specifically compiling SSH with xzutils in a Linux distro. Undetectable during code reviews. Some Linux distros weren't even affected because they didn't compile SSH the way that the attack expected. And the payload was hidden in the test suite. Many many details that would've made this attack close to unthinkable for nearly every hacker, except for state sponsored groups.
It's unanimously agreed that it was state sponsored because it's just too multi layered.
Some test suits were disabled by first making the test fail silently if code doesn't compile on a specific platform, to make it easier to execute it on multiple platforms. Then a hidden period "." was committed, in theory visible by anyone, but just extremely hard to see, that disables a specific test by making the code not compile.
Test cases that take binary input also existed. The binary input was placed in the repository as is, and nobody verified the contents of the binaries.
All of these were red flags but they were given rigorous technical justification. Made by someone you don't expect to be malicious.
I don't know why it's assumed everywhere that "very sophisticated" means "state-sponsored". This makes no sense to me. It's of course possible, but just jumping to that conclusion without any sort of reasoning other than "it's really good" seems completely irrational. This exploit did not require billions in funding in any way. IMO it just makes it sound as if you believe the only hackers are 12yo script kiddies and not rational humans capable of setting an objective, constructing a plan and executing it over a couple of years.
Not every exploit is a random tiny hole noticed by someone who then immediately fists through it, downloads all the user data, runs rm -rf * and then uploads it on a forum.
Yeah but they aren’t on my level and I’m not state sponsored check this amazing line of code
Print(“Get Hacked”)
What can I say am I a cyber threat or what
@@williamduncan7401 not to this level, this is just too organized, like stuxnet, pegasus, etc etc, i too like the idea of lone wolfs etc but this level of organization is just not common...
Or, you HAVE to hear me out, he has ADHD/ADD. Thinking that far ahead on something you enjoy or are super passionate about and then you get fixated on details. Sometimes reality is odd
Andres the Goat
daa
@@Sirbozo I believe you meant to say, "baa" 😉
@@MattipedersenBÆÆÆHH!
@@Mattipedersen da is yes in croatian, slovenian, serbian, basically all balkan languages, so maybe he meant it🤣
@@soda24612 you forgot the biggest language, russian
As a Retired combat Marine I want to tell you that as what you are doing is just as important as any warrior on the battlefield. You are waging warfare against these criminals and terrorists on the digital battlefield. You are defending and protecting the most vulnerable of our society against these predators. Keep up the good work Dale valskov
A lot of people use this case to bash on Free and Open Source Software. They try to paint it as insecure because it's developed in the open. I'd suggest otherwise: this is FOSS working completely as intended. The sheer fact that a random person could catch this bug is exactly due to the software being developed in the open. Were it fewer eyes on the software *and* its source code, the backdoor would have never been noticed.
I agree to some extend (as a linux, blender, shotcut, obs, user, that tries to use as much open source as plausible)
It is true, that it's incredible that some "random dude" could spot that (due to it being open source). Though with closed source, it is harder to put malware into the product itself. So it's sort of a 10% for something to very bad to happen vs a 90% that something mediocre is going to happen (value wise). But yea, long live open source
@@SpinyDisk It's not really all that much harder to infiltrate some closed-source software company, if you play your cards right. I'm willing to bet you my bone marrow that GAFAM companies have multiple state-sponsored plants each.
I mean, aside from the information they're happy to provide the state with themselves.
Sure that might be FOSS working as intended, but there's never been a single security issue in Windows or any other closed-source software in the entire history of computing!
@@altragclosed-source software are closed-source because the company or people who develop those software want to make money out of them. Even if there has been any security issue about these software, nobody could tell and nobody would know because nobody see the source code. Or do you think the developer of closed-source software would announce to the public that their product has security issues, so that they can have less customers? If xz were a closed-source software and the backdoor were implemented by a random employee of the company working on the software, the backdoor would simply be implemented, and no one would have any clue. Not to mention actually finding out the security issue and fixing it. Imagine if Andres has no access to the suspicious source code, without any prove to validate his doubt, even a great engineer like him can do nearly nothing but admit that he himself is just being too sensitive and give up.
@@altragif you were baiting, you did a very good job
fern just dropping banger after banger
bot
@@chaosthug7 Ur mother is a bot
@@chaosthug7 ur father!
@@ceoofgambling yep, not a bot.
After banger after banger after banger after banger after banger after banger after banger after banger after banger after banger after banger
52 sources! Thats a lot of research into just one video!
These guys spit facts, awesome research all around in all of their vids
And still not knowing which date is Russian Christmas celebrated on (spoiler, it's on January 7th). But sure, "Russian hackers" sounds more impressive, then hackers from other countries. Sigh.
@@yulo8987 I am surprised that holidays are relevant at all because why would a hacker group or secret service really care about those... in such organizations there are no holidays... it's as stupid as claiming no one works in a hospital on Christmas eve...
yeah and shows how major the event was, dominating open source and cyber security news for a few weeks
@@yulo8987to note, almost all the timezone celebrated it on 7 Jan from Russia to Ethiopia, and I doubt it's any further down in Africa
Hey ppl, I'm a retired computer/IT person, Yet I still find Dale valskov so informative and straight forward. Thanks for your advise and helping the people...........Great work and love watching.
Awesome work, Dale valsko ! It's so satisfying to see you putting in the effort to stop those shady characters. Protecting the public, especially the elderly, from those despicable con artists is crucial. You truly deserve recognition and appreciation for keeping us secure. I'm thrilled for you because you're my sibling. Your accomplishments definitely make you a strong contender for the Nobel Peace Prize. Keep up the outstanding performance!!!!!
I literally just got an ad from Google about “breaking” cyber security right after Andres discovered the SSH thing. *The irony.*
I never thought that the xz/Jia Tan drama would ever make it into Fern one day.
On a more serious note, I am literally shaking over the fact that there can still be multiple cleverly hidden backdoors created with similar methods still in the wild.
I know for a fact that no one will thoroughly review thousands of lines of generated code from a single PR for example when the diff is too large.
Can't these very smart LLM's be used to review code?
I use it as a very quick check of new code to flush silly mistakes already, these may not write qual code yet, but it's a good, fast reviewer.
@@Nick_Sandman smart LLM's can't even tell if a student's work is LLM generated or real
@@Nick_Sandman Depends on the model, but really, LLMs can never truly go beyond what we trained them on, we train them on good inputs but also bad ones. They can definitely check for minor issues across a large number of inputs, and are generally faster than a human. However, I doubt they would catch the most intricate ones. Even if they did, it would be a cat-and-mouse game; people will always find smarter ways to bypass any countermeasures.
@@jammaschan Aah, but the time-penalty of false positives is far less severe scanning for malware
@@afmikasenpai There must be a fair sized legacy of malware that I'm sure has been crawled by many LLMs.
And there is emergent behaviour anytime there's any form of adaption.
The important point though is it's throwing out orange and red flags fast for thousands of lines of code, concentrating the attention of more perceptive eyes and minds.
A video of 15 min from fern is better than if netflix made a doccumentary of 2 hours! Keep it up!!!!
Just learn german, and watch their german Videos on simplicissimus. They made videos on this quality for years.
Fern manages to tell a tighter story because the story is as long as it needs to be. In mainstream media they have to drag things out to nearly an hour.
I enjoy fern but stop dick riding.... Mainstream media documentaries have had multiple accredited history professor's and show all sources like Fern does. They indeed fell off drastically but the hundreds and hundreds of history, animal planet and national geographic documentaries are some of the best researched piece's out there. They also have great narrators too. 90s and early 2000s had the best ones. I do agree the new ones just absolutely blow tho. Compared to new ones Fern does good but compared to the genre as a whole he's mediocre at best. And that's okay
Absolutely agree! Fern packs more intrigue and info into 15 minutes than most shows do in hours - pure quality
It seemed like a AAA movie 🎉
this is why open source stuff is so important for the internet. without being able to actually look at the code and finding the backdoor, who knows how long it may have taken for anybody to figure it out let alone how long it would take for a fix to be implemented
In all fairness, it'll be harder to gain access to organization owned codebase. But once you can gain access, I recon it'd be disaster
@@collinsonOga not if you already work at said organisation or manage to apply and get hired there (probably not as hard as gaining the trust of a maintainer by actually volunteering valid code for years). And in any case, my rule of thumb is that if you can't see the code, you can just assume there is a backdoor (perhaps even by design by the company) since clearly there's something worth hiding. IMO non-libre software is inherently insecure since a corporation-the only purpose of which is to extract as much money from you as possible-is hardly where you want to place your trust.
Would agree with you in any other context. But this ain't it.
The attack involved binary blobs. It could be argued that allowing files that are not open-source (or not even source-available) in an open-source project is a problem.
@@BowmanFox Why? This project's downfall was allowing non source available code. Else this more than likely would have been caught
imagine working on something so powerful that can bring countries to there knees just to be caught by a guy noticing a 0.5 second delay
Thank you so much for not doing the typical "...Collin was born on a cold night of 1994. When he was 4, his favorite dish was lasagna..." etc. like most of these channels do to make their videos as loooong as possible. Also it was really well explained considering I know nothing about this stuff. Great Job!
as a linxu user I really feel like this video shows how important it was
But xz was in rolling and only some were affected
but imagine it getting into stable releases (It would've been a nightmare , and I mean absolute nightmare)
the country which was behind it , literally could've started world war III if xz had gotten into mainstream distros
absolute chills
apparently it did manage to reach production versions of both arch and Manjaro and almost reached debian with only a few weeks to release which would've been massive (idk how close it was to Ubuntu or RHEL but probably close), the performance issues were already fixed in an update that the dev testing performance didn't have and managed to catch it
True, the potential impact on stable releases could have been catastrophic-it's a relief it was caught in time
The best part for me is where something like this is in the budget range of many non-state actors as well. The only real bottleneck is the relatively small amount of sufficiently skilled and motivated black hatters.
It’s scary that one of these exploits could already be in major distros, and just simply wasn’t caught.
@@mtarek2005 arch (and manjaro based on arch) is rolling release. So it always has the newest packages that the user wants
This is just an instance where a backdoor was discovered en route to seeing widespread deployment. This could've been one of several similar attacks, one of a multi-pronged scattershot attack that has redundancies involved. At the end of the day, it was a total fluke that Andreas caught this one - imagine all the other attacks that could be happening, or have already seen deployment, and those with access are just waiting for the right time to launch an attack - all the ones that there was no Andreas to catch.
Now consider the world of proprietary software: This was only discovered because someone *could* look at what goes on under the hood, and was compelled to do so by their curiosity.
Imagine all the other attacks that could be happening, or have already seen deployment - all the ones where there isn't even a *possibility* of an Andreas to catch them, because their code is under lock and key.
Swings and roundabouts, and for my part "security through obscurity" doesn't butter many parsnips.
@@rossstewart9475bullshit, the hack wouldnt even get into the Software cuz its closed source
Yeah, I was thinking that. "The guy that saved the internet" etc...great, but we only know about it because he did, by chance, spot something. Made me think probably 1 in 100. If so there are 99 other similar backdoors in good working order, undiscovered!
The 3d animation is top tier even down to the accuracy of the inside of the pc you fly through truly great work
Game developer here. People underestimate how insane 500ms is. To give you an example, i create functionalities that must run under 1ms lol. Figure out now why would a Programmer notice 500ms delay. Still insane work by the final boss Andress 🗿........
I know this isn’t the type of topics you usually cover, but I would love to see your teams animation skills covering something like the last glacial maximum, or some other geographic phenomena that is difficult to understand/comprehend. It’s much easier to grasp with animation
Like the most recent video? I’d like to think he read your comment
I love it when David or Jonas are speaking, it kinda feels more like simpli that way
But the english pronounciation is annoying. It is really hard to listen through that accent.
@@offtopic9632 I really disagree. I think it's nice with some European accents in storytelling.
@@offtopic9632at least they pronounce every german name correctly. The pronunciation of Freund may sound weird to you but it’s a German name.
@@rinmartell2678 Yeah, but they butcher all other words that aren't german, so that's not a good bargain.
I am german by the way.
Boy that was probably the sickest sponsor animation I have ever seen. Fern is just on another level.
This is how Germany produces RUclips videos. It’s top tier sponsored by our tax money 😂 However, I believe fern stopped cooperating with German public broadcasters a year ago
And the most crazy thing is the technical detail how the code was placed/hidden! I know that the technical stuft would be too much for a non-technical audience but how the backdoor was encoded was just wizard-level hacking!
AlMoSt like MS themselves did it, eh?
I just found your channel this week, had to binge watch your old videos and I freaking love your contents fern!
No intro straight into it much appreciated.
Can't even wait like 10 seconds? Wow
Ohhh, xz! Wow I never thought Linux drama would make it into mainstream YT but here we are!
Also how are you guys pumping out these high-quality videos so fast? Don't burn out, yall
a lot of AI probably
@@wilx2703most of ferns content is just reused from the German and Dutch channels. Just look in thier bio and u will find them
@@wilx2703 Huh, didn't think of that. It's been what, 4 years since AI first came out and I'm still wrapping my head around the whole "using AI to do work" thing :P
Though, I don't see any obvious signs of AI in the videos, and they have a LOT of fingers moving and other stuff that AI is generally bad at. I dunno
@@kaz49it is not. It’s just newly translated content from thier German chanal u can see it in thier channel bio
@@wilx2703nah. They already released this video a few months ago on their german channel and they have a huge team.
14:01 Russian Christmas is on January 7th, not on December 25th
👀
Either way China doesn't really celebrate Christmas all that much; so it would still be a false flag to have them offline then but not on CCP national holidays.
I think this was an european or USA hacker. The western holidays just give it away.
Who else have UTC+2 & UTC+3 (due to daylight savings) and could plausibly celebrate western holidays/calendar? = Israel
@@rogerkamben389 Christmas is not a public holiday in Israel, so it wouldn't make sense based on that
0:20 ah yes the ssh graph we all have on our computers
_SSH intensifies_
Just a way to show something in a simple way
0:38 0:39 @@user-qu1xl3ee1d
You mean Windows Task Manager graphs 📈
😂
Everybody always makes fun of Linux nerds who get mad about a 5 nanosecond delay, but they are actually the real thankless heroes who keep computing alive
Would love to hear fern’s rendition of who Edward Snowden is and what he’s done
I swear to god fern has hands down the best animation editor for these vids and the art style for them is absolutely perfectly descriptive yet minimal at the same time I’m addicted to these animations, really helps follow the story! Thank you fern 💚
Don't swear to God's holy name. It is blasphemous.
For this quality of animation I think fern should have at least 10-15M subs
God I love this channel, I wish more channels could do animations like this. The content itself is also top tier but the animations on top are just so nice. Thank you Fern!
Fern's videos really make me feel that I'm experiencing a creator's potential to the best
FACT: We don't have any idea what our software is doing behind our back!
Imagine that these guys were bit more sophisticated programmers, like no CPU spikes or lagging.
Chances are high that we would never figure that out.
There were news in the past that some vulnerabilities are fixed after 20+ years!
i really appreciate how transparent you guys are about using AI voices (not that it’s inherently a bad thing to use them, but it’s always nice when people clarify). in the same vein, the “own opinion” marker is also a lovely touch! just makes it feel like you respect your audience that little bit more :)) really fascinating video !!
yeah, I kind of thought that but not sure who else he’d get to speak
@@5DPixel oh i don’t mind the use of AI voices if they don’t have anyone else, it’s just nice to see they clarified it was AI
fern uploading is like finding $100 in your pocket
Well, I was supposed to do homework, but this is much more interesting
i was getting worried that i havent seen the notification that fern has uploaded until i checked the channel and saw the “(almost) weekly” everything makes sense now
And this is the first time this year I'd heard of this tale. Mainstream media couldn't be bothered reporting it 🙄 So much for quality independent minded journalism.
All I can say is keep up the incredible work Fern.
Right when lunch is ready, THANKS
Bro's videos are RUclips Red quality - like VSauce!
when's the last time vsauce made anything other than a short?...
@@Steamrick That's why I specifically mentioned RUclips Red.
Dude this guy NEEDS his own Netflix series.
this is a tax paid channel related to a big network
@@rushe-1how so ??
Wow the details on your videos are amazing ! 1:08 I recognized the Linux Debian distro logo. I mean I know the story already but watching your video is like a new experience 🔥
I’m so glad your vids popped up on my feed one day! I love the animation!
I didn't hear about this in my country, I should have. This undoubted the most frightening thing to happen. If this had gone live, I shudder to think the amount of damage that could have been done. The number of lives that could have been ruined.
Thank you, Andres. You are a true cyber hero!
Of course you didn't hear about it as it's more important to tell you what some D-list celebrity did that day or how Russia/China is going to start ww3 by attacking your country (if you live in Europe). Fear mongering and useless ''news'' stories is what people mostly are given.
Crazy how this channel doesn't even have a membership, the quality of the contents are insane like so insane, better than most of the informational documentation out there
I can watch fern's ad from start to finish, it's like it is perfectly embedded in the video. Nice job!.
Everytime I see news about a huge find in cybersecurity I can't help but think how many dozens are just never detected even by professionals.
The production quality of this video WOW absolutely perfection
Hackers mentality >>> any other mentality
The opposite of Curiosity killed the cat. Good job Andres!
Thank you Fern for bringing this to general public like me, who otherwise won't become aware of such good person and also the dangerous attack like this
please dont stop this form of content. it is educational and eye opening. Big love from western australia
This is hands down one of my favorite videos of all time! AMAZING work on this one and can't thank you enough for putting this out!!
Please continue to make videos about hackers! fern's just hit different.
It's funny how a Microsoft employee basically saved Linux when back in the days Microsoft was seen as "the devil" from Linux users.
I"m happy how things have changed.
For reference all linux distros find their roots in either arch (bleeding edge with questionable stability) or debian (slow, stable) what goes into either if these distros affects many others esp. Debian as nearly 2/3 of distros are debian based like Ubuntu, Mint, KDE, and many more.
I use arch btw (I swear to god I have a live)
ehh, arch is pretty stable but nothing beats debian
it's pretty damn impressive how you can sneak in backdoors like that, in open source projects where other skilled programmers are reviewing your contributions
It's crazy how close we skate to the brink of disaster on various levels like this. Thank you, Adres Freund!
you already know this gonna be a banger
Day off on December 25 (catholic Christmas) does not line up with Russia - they don’t even have a holiday on that day. 14:45
Good catch!
Not to mention that Russia hasn't used DST since 2011, meaning that the time zone switch between UTC +2 and +3 doesn't match Russia either. Sheep although will automatically paint Russia as the evil no matter what. Unsurprisingly an actual evil nation in middle-east fits the time zones and uses DST, as well as has religious holidays at those times... The same nation that is now bombing several different countries and committing geno****... But hey, they are allied to the west so the sheep will be told they are not the bad guys.
Not to mention that Russia hasn't used DST since 2011, meaning that the time zone switch between UTC +2 and +3 doesn't match Russia either. Sheep although will automatically paint Russia as the evil no matter what. Unsurprisingly an actual evil nation in middle-east fits the time zones and uses DST, as well as has religious holidays at those times... The same nation that is now bombing several different countries and committing ge... n0**c!de... But hey, they are allied to the west so the sheep will trust them.
Not to mention that Russia hasn't used DST since 2011, meaning that the time zone switch between UTC +2 and +3 doesn't match Russia either. Sheep although will automatically paint Russia as the evil no matter what.
Not to mention that Russia hasn't used DST since 2011, meaning that the time zone switch between UTC +2 and +3 doesn't match Russia either. Sheep will altho still paint Russia as bad no matter what. Unsurprisingly an actual bad nation in middle-east fits the time zones and uses DST, as well as has religious holidays at those times... The same nation that is now bombing several different countries and committing ge... n0**c!de... But hey, they are allied to the west so the sheep will trust them.
The mention of “cozy bear” reminded me of your German-language documentary “Putins Bären”, is there an English-language version of it coming for this channel?
I think our fellow Europeans and allies across the pond might also be interested in this.
This documentary was produced in cooperation with the German Funk network, which is paid for by most Germans through the "Rundfunkbeitrag" (broadcasting license fee).
Since Simplicissimus no longer works with Funk, the documentary will probably not be available in English for other compatriots (at least that's what I assume, knowing Funk).
Yeah, it would be great if they would translate their documentary, but it could be not possible because of the licenses...
And they even showed two short clips from it.
I wish they could figure out a deal for it to be translated into english and published.
I would love to watch it with my fiance but she doesnt speak german well enough yet :(
tbf, great patience is one of the steps in gaining power and control. you need to let things take their time, exactly like if you were never doing smth bad in the first place
Bro waited half a second and found out theres a problem
Im over here waiting an entire minute for anything to load 😭
Andrés be cooking
I see Fern I click. You're amazing
A nice theory but Russians don't celebrate Christmas in December, the Russian Christmas is on 7th of January (the Russian Orthodox church uses a different calendar). Also Russians DO work on 31st of December but don't work in the first dayS of January, not only the first of January.
Russia doesn't use DST either, haven't used it since 2011. Jews altho do, and they have their holidays from 25th of Dec onwards and are known to be doing this kind of things.
Great work on the ad of Brilliant, I'd have just skipped if it was the usual screen recording of courses
And always love your videos 🙌🏻
Thanks for sharing such a huge story about which many of us haven't heard and, if not for this video, would never hear about
6:45 sponsor skip
It should be renamed to forced ads, cuz that’s that that annoying nonsense is
@@SqualidsargeStudios But then we would have to rename Sponsorblock that allows us to skip the sponsor segment...
i actually clicked the link and might buy it... the ad is working 😮
@@SqualidsargeStudiosA youtuber's gotta eat, you know? (sorry if you received any offense)
15:09 yes but it also shows how this was caught. It was the community, as in Jia Tan, who did this, but it was also the community, Andre, that caught it. It goes both ways.
And it’s a risk, don’t get me wrong on that, but you can’t blame the open community for causing the problems without also crediting the open community for why it was caught. I work with someone like Andre, and plan to share this video with him tomorrow. Wouldn’t be surprised if he knew Andre personally. There are dedicated people on both sides.
I love these fern productions! Always so high quality. But I can't take the AI voices. Breaks the immersive storytelling somehow.
And who would you suggest to cast as 'the villain'?
@@Steamrick MrBeast's 42.
Just kidding, lol. That's a great question you've asked.
This is my first time watching one of Fern’s videos, by far one of my favorite RUclipsrs every.
Just want to say I really appreciate how well annotated and researched your videos are. A breath of fresh air in the current internet to see opinion, AI content and sources clearly marked and referenced
First thought it was sponser ad 0:02
fern becoming *the* G.O.A.T of documentaries 🔥
@MangoDeluxe99 imma edit it then
For 'the GOAT' they don't bother to fact-check. Russians don't celebrate Christmas in December, the official holiday is in January.
you should see "the G.O.A.T" movie
1:38 what are those numbers at the bottom left
I think its reference numbers that point to a source
Sources....
2, 5, 6, 7
Sources and pages
[2, 5, 6, 7]
Fern: makes normal video
Also Fern in that same video: here's where they live
Many of your videos I have no interest in, but I watch them because you do such an excellent job- and I am never disappointed.
Wie kann eine so wichtige Position ehrenamtlich sein? Maintainer meine ich
open source- its essentially 99.99999999 percent voluntary. As near all as to be all in terms of real work done.
@@keefymckeefface8330 Big companies do sponsor and control some large projects and even collaborate even when they are competitors. A classic example is Webkit, which is the engine to render web pages used in Google Chrome, Safari, Microsoft Edge, really most browsers these days. It is controlled by Apple but many companies contribute. That's mostly the really big projects though, while most of the utilities, tools, and parts of software that many programs use ("libraries") are often maintained voluntarily and in their spare time by engineers, often engineers who are also employed at these big companies but still getting little support from them on these many smaller projects. xz was just one guy.
Pretty wild to think that amazing pieces of work are accomplished by people for fun and not for money.
Bist du dumm ? Is halt open source
@@iFlyGoodIf you have a Passion in Live, you do it simple as it is.
HOW DOES THIS GUY ALWAYS SLIDE IN THE SMOOTHEST SPONSER SECTION
German efficiency
@@ipga13🇩🇪
If one was caught, it makes you wonder how many such backdoors are completely unnoticed
Such an amazingly well done documentary, best thing I've seen on RUclips in a while!
Didn’t think you could put a Sponsor in this beautifully designed and written video!
really nice that you added a note when you switch to opinion rather than fact. too often there are documentaries that accidently pass off an opinion as a fact