What Happened To The Linux XZ Vulnerability?
- Published: 7 Jun 2024
- A few months back we had the whole XZ vulnerability, but whatever happened to the project? Did the problems get resolved, has the original developer come back, and what sort of state is it in?
==========Support The Channel==========
► Patreon: brodierobertson.xyz/patreon
► Paypal: brodierobertson.xyz/paypal
► Liberapay: brodierobertson.xyz/liberapay
► Amazon USA: brodierobertson.xyz/amazonusa
==========Resources==========
Github Issue: github.com/tukaani-project/xz...
XZ Commit: github.com/tukaani-project/xz...
XZ Update: www.mail-archive.com/xz-devel...
Original Video: • The XZ Linux Backdoor ...
=========Video Platforms==========
🎥 Odysee: brodierobertson.xyz/odysee
🎥 Podcast: techovertea.xyz/youtube
🎮 Gaming: brodierobertson.xyz/gaming
==========Social Media==========
🎤 Discord: brodierobertson.xyz/discord
🐦 Twitter: brodierobertson.xyz/twitter
🌐 Mastodon: brodierobertson.xyz/mastodon
🖥️ GitHub: brodierobertson.xyz/github
==========Credits==========
🎨 Channel Art:
Profile Picture:
/ supercozman_draws
#Linux #OpenSource #FOSS #XZ #LinuxDesktop #CVE #Vulnerability
🎵 Ending music
Track: Debris & Jonth - Game Time [NCS Release]
Music provided by NoCopyrightSounds.
Watch: • Debris & Jonth - Game ...
Free Download / Stream: ncs.io/GameTime
DISCLOSURE: Wherever possible I use referral links, which means if you click one of the links in this video or description and make a purchase I may receive a small commission or other compensation.
Still can't believe this was found because some dev didn't like that ssh took longer to connect than usual.
So that means there are other exploits, but with good performance.
some *Microsoft dev
@@davidyoder5890 Odd, given what Microsoft software is often like. Still amazed that the Visual Studio team seem to consider ten seconds a good amount of time to load a relatively small project given how ludicrously fast modern hardware is...
@@davidyoder5890 *some dev
Microsoft had nothing to do with this, Microsoft didn't notice this - the dev did
Don't give the conglomerate any more credit than they deserve
It's important to note that said developer took issue with 0.4 seconds of delay.
We got awfully lucky that the exploit was just a bit slow and that someone was pedantic enough to take issue with just that bit.
Recall made me forget about XZ
Kind of ironic isn't it?
I'd rather not have any open front-doors on my system either
Total Recall Quaid getting memory wiped moment.
This is important! Recall, now Adobe policy update, etc. You forget about something like this no matter how important because of the continuous news of new enshitification actions.
recall is like having a secure door but no walls.
Linux backdoor: Bigger scandal than Chernobyl.
Windows backdoor: A feature.
The backdoor has been detected by a Microsoft employee. LOL LOL
@@bertnijhof5413 Ironic how even Microsoft uses Linux
@@user-ks1oh2wx6o Because their biggest cash cow is no longer their operating system. These days I think they are more about cloud services and as of lately AI. Still ironic considering how they were back in the 90s...
Windows Backdoor?, more like a frontdoor
@@Unsyncable223 Or simply a door
Massive props to Lasse for going through years of code to ensure it was all safe to rely on going forward. That must've been really tedious and difficult. I hope he gets some proper support going forward
The problem is that the backdoor was buggy so it could be discovered "easily". Maybe it wouldn't be discovered if it didn't cause problems. This fact scares me a lot.
Well, the next layer of protection was: I am nobody, the hackers aren't interested in my PC
@@Henry-sv3wv Your computer could still be used as a botnet
@@gljames24 Well, a botnet can be detected easily
Not buggy. Just unoptimized. And it wasn't slow enough to detect from the users perspective. It was caught because some guy was running benchmarks and saw a substantial change in the time for a particular step.
@@Henry-sv3wv Hackers are interested in your PC because a trustworthy noncriminal identity is very valuable. There's always demand for (potentially unwilling) money mules! 😉
Props to Lasse for his handling of the mess.
Man, jia works so hard on open source software, definitely my favorite FOSS person of the year
Jia tan wanted to open source so many servers! Or actually he just wanted to open them
Yes, Jia really embodies the work ethic; he (or the team) was working tirelessly to get what they wanted.
@@no_name4796 free, open, FOSS... Ya know, maybe Jia had a point, maybe we should just skip forward and remotely install Linux into every computer in the planet. Must be why that MICROSOFT shill stopped our hero.
Software wants to be freeeee!
Put "backdoors are bad for security" on my tombstone because that shit killed me xD
And just to add my two cents, I think keeping the code in the git history could do more good than harm in that it keeps a record of what happened directly at the source. If the commits get purged and the backdoor gets re-added in a fork or down the line, I imagine it'd be easier to detect than if we had to rely on third-party accounts of "what really happened during the XZ backdoor of '24," y'know. If, as cybik says and I agree, people don't depend on the commit directly to reintroduce a backdoor / craft a similar one, then all we'd be doing is burning the records, leaving them lost to time. Again, that's just my personal perspective on things and I'm not directly involved in the project, so ¯\_(ツ)_/¯
The whole "what if somebody reintroduces the backdoor" comment was really inane to me. If you wanted to introduce a new backdoored xz, the very last thing you'd do would be to introduce the old backdoor!
Yeah, the reason brought up in the repo discussion is kinda ridiculous and made no sense, but someone packaging and maliciously picking the 'wrong' commit to build and deploy would be very easy. Purging the entirety of the code from the official repo would at least ensure there is no way to get that malicious code back into action in any simple way other than "look away while my packaging/build script adds these piles of files for no reason".
I'm hoping for a backdoor from my tomb...
@@TurtleKwitty @thenayancat8802
My thinking was more along the lines of someone being a jerk and reactivating the exploit while still grabbing the code from the official upstream, giving their build a veneer of legitimacy because "hey, it comes from the official sources".
I'll take fair criticism, but calling it inane is a bit much.
While a lot of people put this as a "downside" for open source code, it's kinda open source working as intended. Some bad actor put malicious code in the upstream. It was found out by a random person. It didn't have time to get into the stable branches. The bad actor was banned and the development continues.
Let's not forget that the bad actor was an agent of the dictatorship of West Taiwan
Any credible source for that?
and what evidence is there for that?
@@bazdarinothebizier9085
@@bazdarinothebizier9085 ☠️
XZ and now Recall, how many more dramas can we expect to see?
Nvm, we have Wayland
Most Wayland drama is just Gnome being asshats though.
@@MechanicaMenace And Nvidia.
@@thingsiplay I *have* to use nVidia for work so I'm well aware. Even on X11 they were arseholes. I'm pretty certain a lot of Xorg working with nVidia is still just because of workarounds in Xorg and not because NV finally added support for a 20 year old standard. Even back on XFree86 they were total cockwombles, and I was using Linux professionally then. Oh I get that nVidia hate more than most. But when it comes from "within" it's somehow more annoying.
As long as West Taiwan is allowed to persist, it will require the due diligence of decent human beings in the FOSS community.
What do I think? Poor Lasse, that's what I think! Dude's had to do some serious rummaging... Legend. Cheers Lasse
And don't forget, XKCD 2347. All of those amazing FOSS developers are not, for the most part, a part of **ANY** supply chain. As you correctly said back then, no contract means no supply chain.
define contract
@@schwingedeshaehers Go search for business 101
I think Tarballs by Jia would make an incredibly good metal song title. Might work on this later, IDK.
"you probably shouldn't be using arch and gentoo for production"
but what if I did?
I personally would call you a masochist
I think gentoo is actually sometimes used in embedded systems.
@@efremkGTFO I mean, who doesn't use Arch on the work station?
I only use Arch because I don't use my computer for actual work.
Steam Decks
Remember guys, the backdoor only got caught because the code was open
That and the perpetrator was Chinese. Shoddy work gets noticed very quickly by people with actual intelligence.
The past few months have truly been a rollercoaster.
I saw Lasse's comments on his site, and assumed it would take _much_ longer to do a full code review.
Dude's a boss
It's great that it got caught in testing but we really shouldn't be patting ourselves on the back too much. The testing wasn't specifically looking for an issue like this; it got caught because one guy was on the ball and had the time to go digging when they noticed something they didn't like. The underlying problems that led to this issue haven't been resolved and won't be anytime soon. Great job by Lasse going through all the code making sure it's clean, though.
Y? Are we allowed to ask Y? Y not? As noted, purging the exploit from the repo doesn't mean it's gone - people have it. There might be reasons to remove it from the repo (citing AV programs for one), but keeping people from getting it isn't one of them. Very cool that this project has now been extremely carefully examined and all the maintained versions have been re-released cleanly.
Well, the good news is that xz is now the most robust, scrutinized and secure compression tool available anywhere.
Has there been any support funding towards XZ?
And I would like to know what state similar packages are in regarding financial support, developer mental status and possible backdooring risks.
The malicious actor failed this time, but I doubt they won't try again.
Perhaps it's time to take a closer look at what's included in your system and by whom it's actually maintained.
Lasse said in the FAQ that per Finnish law private people and most companies can't ask for money without giving something in return - so donations don't seem to be a legal way to support xz right now
@@suncat530 Wait WHAT?
What if the "in return" is the year long maintenance and delivery of the XZ package?
@@suncat530 I imagine that's just relating to asking for money in the sense of public donations, instead of personal gifts or favors? It would be completely insane if it applied to the latter as well.
The tried attack vector with the package should also be patched soon, a reason why they had to time it so "prematurely"
@@blinking_dodo Specifically not. In order to donate to a cause like that, the recipient must be a registered non-profit with a fund-raising permit.
I suppose there could be legal grey area there. Maybe they can sell... commercial licenses to xz :D And they're absolutely allowed to sell stickers mugs t-shirts and the like.
The XZ saga got me thinking about security regarding my not so important open source gaming project. I made changes so the binaries would report what source they were built from and link back to our repo; my thoughts were to make it easier to identify unofficial builds that could have who knows what changes in them. As well as setting things up so my git commits are signed, because it seemed like a good idea.
11:23 ⚠️ flashbang warning ⚠️
Another interesting thing is how distros handle XZ now.
Intel's Clear Linux for example removed everything in their already small repos that relies on XZ and put a massive warning on the liblzma package name.
They didn't remove XZ itself because they specifically asked if people install Google Chrome via rpm2cpio in their forum.
Not to hold it against them, but just weeks before XZorcist, a bug removed people's entire user data and they suggested disabling auto-updates which is enabled by default.
Afaik I don't think they ever prominently warned people before or after that. At least it can be disabled before installing the distro and with a simple command.
Arch LTS (long term support) is stable enough for critical deployments. My Eth nodes run Arch LTS, just because even a _simpler_ distro feels harder to use when you aren't used to it. But they can't go down and they don't.
There is a storage server company in the US that uses Gentoo, but it doesn't update. There are thousands of these in TV/cinema production facilities around the world. Not going to name names, but I had one in my facility for about 7 years.
wow
The biggest Linux backdoor would not be technically discovered. It's probably already been in operation undiscovered for many years. :)
Like the twenty biggest Windows backdoors (inserted by US insecurity agencies) and the dozen biggest equivalents in Apple code, and the alleged backdoors in Huawei products (this time the PRC being responsible).
Was there a bigger Linux vulnerability than XZ that actually managed to slip through?
The ones we don't know about.
Ask the NSA
Ask your local terror group or FBI office.
It wasn't malicious intent, but the Heartbleed Bug was a huge effing mess with millions of machines affected.
@@andersjjensen considering bugs as well yeah that was far worse, but I don't know of another malicious attack this big
For my company, I'm running production workloads on VPS with the SSH port open because I consider it secure. This exploit would have definitely hit me - when we got into the OS refresh season around August or September.
That being said - the Jia Tan exploit is very limited in scope and well protected - it would have only been accessible to wielders of a specific private key, which makes the whole thing smell like a terribly long game of spearphishing, which just for its cost means I'm not a target - I'm just too small.
Note: The 'e' in 'Lasse' is not silent. The name is a colloquial form or derivative of Lars (and similar names).
What's that Lasse? XZ has fallen down the well?!
This still highlights a huge problem with Linux: packages and applications from third parties that modern distros rely on to work. (You can't even download the Linux source code without XZ.) Linux needs to become a proper operating system without all the tinker toy hobby projects being shoved down the users' throats. It needs to have an actual userland outside of GNU and systemd (lol) like FreeBSD, OpenBSD, NetBSD, macOS, and Windows have been doing.
These FOSS libraries and tools are used all over Windows and macOS too, maybe not as much in the core userland but definitely by applications
@@olnnn Just want to add, the XZ library was added by MS to File Explorer last year.
Yes, the default File Explorer, so it was able to open tar.gz files.
IMO test data should have annotated "source code" form.
I'm not convinced the original maintainer's health problems weren't a result of poisoning.
Now you're thinking like a Chinese does. It's hard for humans to think like dirty rats but you might be on to something here ...
Glad to hear they caught one Jia Tan masterpiece. Wonder if that was the only one?
Masterpiece? Not quite. Poor Chinese craftsmanship? Absolutely!
The root cause is not checking PRs with test changes closely enough.
I disagree this was caught via normal processes. This was caught because someone happened to notice something was taking longer than normal.
minizip now has a critical vulnerability
2024 - Apparently the state is "let's just remove all the doors":
Linux had xz,
Microsoft introduced Recall,
and Mac had the side channel vulnerability (probably minor for most users).
Could be that I have just been following it more this year.
I think Lasse handled the situation very well.
0:12 the biggest backdoor to be discovered.
"You probably shouldn't be using Arch and Gentoo for production"
Uh.... It's a two edged sword.
While Arch can be a stable "unstable" mess, it also fixes holes rather quickly.
For changing the distro on my server it's too late already, because I did so much extra work under the hood in terms of hardening.
It's scary that this happened but it could also happen in closed source software. To me this just highlights the importance of real monetary support for open source projects so we can get more eyes on the code and even more robust testing. And so this developer can take a fucking holiday without everything turning to shit :)
For comparison: xz is even used in the Linux kernel - often twice! (once as a kernel module & once to decompress the kernel itself).
But as far as I know, these are unrelated to the xz-utils repo & maintained differently.
6:09 "You can't stop the signal"
The only question I have is why something like xz exists in the first place, when there is software like tar, gzip and bzip2. Is there something xz brings that the other software, which btw has existed for ages and is nearly always present in most Linux and UNIX distributions, doesn't?
I realize I may sound like a broken record for saying this, but it feels to me that xz is a solution to a non-existent problem, much like wayland or systemd are.
Tar is not a compression algo, it's an archive format. It does not compress, it assembles multiple files into one. You can then use XZ, Gzip, BZip2, etc. to compress the tar archive after creation. The reason why XZ is so popular is because it's the best at what it does. It compresses/decompresses far faster than GZip and does a much better job than BZip2. The others do not even come close to its performance and result.
@@danielberglv259 how about zstd?
@@triffid0hunter What about it? The mention was GZip and BZip2. That is why I compared those. But sure we also have Zstandard as a great contender:
It's faster than XZ, but does not compress as much. It also uses much more memory during compression. But like XZ it's a great algo, but since they are not 1/1 the use case will determine which is better. For a normal desktop use case it will not make much of a difference and you may be more interested in native support. But if you are compressing, decompressing and/or sending millions of data packages, size vs. speed vs. memory will be a huge factor and whichever requirement is most important will determine XZ vs. Zstandard
The reason to use xz is it has a better compression ratio in many cases than gzip, bzip2, or zstd. If I understand correctly, it is also faster/less CPU intensive to compress than bzip2. It is, however, slower to compress and decompress than gzip.
TLDR: It's a better alternative to bzip2, in terms of compression performance and ratio.
@@danielberglv259 I know what tar is, I was merely pointing out that there is already a good and proven way to assemble multiple files into an archive and then compress it. Why reinvent the wheel, other than to pack as much content onto a CD or DVD as possible?
Tools such as tar, gzip and bzip2 are ubiquitous and have literally been around for decades and while there may still be bugs lurking around in them, you can pretty much be sure that these bugs are few and far in between. Compared to that, the .xz format is like, 15 years old or so? Granted the compression used, lzma, is about as old as bzip2, but even then tar as a container format would be far superior to any other container format used for archiving.
If you look at XZ and its history, most of it was hype, and still is. People analyzed the format and wrote entire articles about it and why it was fundamentally flawed by design.
Required reading, Thompson's "Reflections on Trusting Trust".
The obvious question is: how many back-doors are there in the ecosystem that haven't been identified? I'm hoping zero, but state-actors have had the time, money and inclination to do this for quite some time now.
This is one of the reasons I've wanted to switch to OpenBSD (but damn you, drivers) - the entire OS has been audited and is set up to lessen the impact of attack from unknown user-land programs. Linux, on the other hand, has tools from all over the place, with their use being distro-dependent. This makes it extremely hard for a group to audit the entire OS stack (OS being kernel + tool chain + operating environment).
Perhaps a good use-case for AI? the correlation of course being that creating just this kind of backdoor is *also* a good use-case for AI.
I don't see how AI would help tbh.
XZ is amateurism in front of the Recall keylogger
12:45 and more specifically 12:50 remind me of:
Steve Rogers: "Word is, you can find the cube"
Bruce Banner: "Is that the only word on me?"
Steve Rogers: "[The] only word I care about"
(from the first Avengers film)
As another sign that Lasse shows humour, he retroactively updated the NEWS file with changes to the backdoor.
By the way, I'm pretty sure the Finnish name Lasse is pronounced /LAHS-seh/ and not /LASS/.
I didn't know that you have to insert a trigger code into the build system to activate the backdoor. Still, it was a scary event.
The cleverness of the attack really is quite high. They targeted ssh through a library ssh doesn't even depend on, and it wasn't even in the code, but rather a binary blob that got smuggled into the executable by the build system. The chance of a code security audit ever catching this was very low.
We got ridiculously lucky here, which makes me worried about the ones we haven't caught. Those small important libraries that, as XKCD put it, "are thanklessly maintained by a single person for 20 years", make quite a target for motivated actors with long term goals.
@@klti0815 Why was the chance of catching this low?
@@klti0815 But if XZ was a high-budget project, wouldn't linking a random binary blob be suspicious? It seems reasonable that committing binary files would put a lot of eyes on the commit that includes it and that an explanation for its use would be demanded. I'm not a professional developer though.
@kacperfilipek8461 an explanation was provided. It was smuggled in through decompression test cases. Having binary blobs as known-working or known-broken test assets for a compression tool isn't unreasonable, which is why they made a good cover.
It's astounding how a failed backdoor gets spun as a downside for open source
Meanwhile closed source has so many backdoors, they're running out of space and adding frontdoors instead
Another offtopic but: You all thought NVK reaching Vulkan 1.3 conformance within like a year or two was impressive? Asahi Linux gets there within a month!
(yes Brodie, you have to do a video now)
and they did a lot of it by relying on the work done in NVK
@@kuhluhOG And their earlier OpenGL stuff. And the kernel driver.
Still, if you look at the timeline it's just crazy. It goes something like this:
middle of February - full OpenGL driver for Asahi Linux is released
end of February - NVK reaches Vulkan 1.3 and is officially declared conformant
beginning of March - Honeykrisp is started
end of March - Honeykrisp reaches Vulkan 1.3 and is submitted to Khronos
beginning of June - Honeykrisp is officially conformant and we learn about it
lmao the alphabet at the end... although I think you're missing a Y in there.
That's on purpose
Well, Y not?
Makes you wonder how many contributors of other projects are part of similar schemes just waiting for the right time to strike.
"You shouldn't use Arch or Gentoo in a production setting" - I would even take it much further and say "You shouldn't use distros that unnecessarily modify packages, like Debian or Ubuntu".
I really think this video is below the belt in many aspects; in no way can the developer be blamed.
He was and is incredibly underappreciated, he is underfunded and was unknown until people had issues with something he provides for free, as I understand it.
If people are so dependent on him then fund him and give him the team he clearly needs.
We got so epically lucky with this one. This could have been **BAD**
We got lucky the creator was Chinese. Had it been made by someone with competence, we could have been in real trouble.
A rolling release is not a security problem, but not well tested software will be sooner or later a disaster.
We’re not even half way through 2024 and this year already gave us too much drama.
5:41 a new attack vector with old files in git history.
Yes this is plausible. A build script could be added that fishes the binaries out of the git history. Since it wouldn't be adding new blobs, and since it wouldn't say download anything from the wider net, it would stand a better chance of flying under the radar than if it did those things. The original maintainer is so sharp that he would spot it, but what if there's a fork somewhere...
Antivirus concern - hey people build XZ on Windows too. Including on machines at premises of large companies which have a mandatory antivirus with no exceptions and no disabling allowed. If you drive, and your vehicle is from 2010s, it has XZ in it. And the dashboard and headunit applications exist both for the target hardware/OS, as well as a debugging version that just runs on Windows.
I don't know if it's plausible for the project, but ideally yes one would purge that from git history.
> yes, it is paranoia
Hey, fair enough XD
(Yes, I'm the cybik in there :P)
I was talking with my dad about this and came to the conclusion that this was likely caught and fixed before causing great harm because it was open source. So many come to the conclusion from this that open source is inherently compromised as a system. I think that’s untrue
Actual content starts at 4:20.
Actually, maybe it is a good reason to create antivirus for Linux. Antivirus would detect this binary blob and other similar blobs and alert the user.
I would think it's an advantage for a virus scanner to be able to look through the source code itself directly
@@Aeroxima Maybe, but you can't believe that the app you're running is built from the current git tree of some repository. Anybody could change the source code before compiling.
@@elzabethtatcher9570 I'm more thinking checking the source, then just using means already in place to run stuff built from it properly. At least knowing the source is good would be a start even if nothing else, but if you really want you could compile everything (I just don't see the point compared to using checksums)
THIS! 👆 I'm not a programmer and can't audit code. I would totally like a real time scanner for checking code on demand and in the background to save me from a bad day or a distraction. "Check the source", "the best AV is common sense" wouldn't save you from situations like this one, and not all people that would like to use Linux know how to audit code (and shouldn't need to if we really want Linux to be a real alternative to M$).
Don't add systemd dependencies to openssh. Simple as that.
Um, actually ;) I have it on good authority it's not paranoia if they are really out to get you.
Zif this was the only attempt.
So how is that original Finnish dev then? OK, and did he get money from all of those 3rd-party vendors, or what exactly?
I think there is an argument that git bisect should be instructed to skip these.
And that is a good argument because it's reasonably plausible that someone might do that by accident. That said, the odds of them also getting the spiked build files, that were only shipped with the tarball, which are prerequisite for the exploit to work, is fairly low.
Gentoo actually has excellent tooling for production use for binary packages and distributed compilation and binary hosts etc. But this isn't the point of your video so I'll let it go and move on 😉
"It was caught during testing stage, as it should"
You make it sound like it was caught by Debian people or Debian devs during testing. Remember, this backdoor was caught by a Microsoft employee during Postgres benchmarking, and it was caught solely because the backdoor was buggy and was degrading performance for that user.
This backdoor could very easily not be caught at all, and there is no reason to praise Debian testers here. In fact, catching such a backdoor is not a job for testers, because a good backdoor would have no bugs and so would be undetectable. It is a policy issue, one of big projects using small projects and giving them no help or oversight in return. To my current knowledge, there is no action to fix this issue atm.
Garuda Dragonized has the malicious xz files 5.6.1
I figured it had already been fully resolved, but it's shit like this why so many people push RIFS. Don't get me wrong, it's sometimes necessary, but more often than not, you can just refactor.
is the missing Y in the alphabet on the board in the background on purpose?
probably, as it makes a xz at the end.
@@progCan to me it looks more like an accident where he forgot about the y and thought xz were next to each other in the alphabet 🤔
Why is he still seemingly doing all of this on his own? Why is there not an absolute Army of programmers stepping up to help? Maybe there is and I just don't see it. But it seems like the issue began because everything was on one guy's shoulders. And now there's a massive undertaking of code review and a bunch of fixing that needs to be done and it's still being done by the same guy that was burned out originally? Am I missing something? Is somebody at least paying him a buttload of money?
Reality is often disappointing
This is why I'm scared to start open source projects. It looks like you either abandon it and let down people using it, or grind away at it forever till you burn out, unless maybe you can pass the curse onto some unlucky chap who would then be in the same position
Maybe some like maintaining more than the equivalent of doing a startup, but maybe not everyone
@@Aeroxima "let down people using it" - if they are not paying you, they are being let down only by their own unrealistic expectations.
I now have some projects that I maintain, essentially tools that I use and need. I maintain, solely because I use them. If that changes, I will update the github and let someone else fork the project.
So don't be afraid to make FOSS software, it is people that have crazy expectations on volunteer work.
This thing really reminds me of Terry Davis and yes the glowies were really after him.
X-Zed,
imagine being bri'ish
Bot oh a wa tuh
@@polinskitom2277 oi bruv
I disagree with Arch and Gentoo not being suitable to be run on a productive server. I know a couple, who run like that for years perfectly fine. Do you have practical experience of the opposite? Rolling distros are perfectly fine for that.
It's surprising Jia Tan's GitHub account isn't nuked, I guess they're hoping to get his IP or something? Do hope they get caught, deserves jail time! Getting discovered so early gotta hurt tho ha! Years down the drain.
It's probably a good idea for an incident as big as this, to just make a new project with a new git history to avoid all of the issues.
With all new untrusted maintainers, great idea
@@luimu Didn't say that
This makes you lose the ability to use git blame. It's fairly useful to know whether some behavior is recent or has been there for 10 years. So that, plus the fact that everyone has to re-clone the project, sounds like too much trouble to be worth it.
Could the FBI work with Microsoft's GitHub and check whether they can identify the bad actor?
The backdoor has been detected by a Microsoft employee. LOL LOL
My tuppence: people (one in particular) should go to jail over this.
I would delete the 5.6.0 and 5.6.1 releases. Problem solved. lol
Not problem solved. That Lasse went over the last 10 years of development with a fine tooth comb and reviewed every single outside patch, one more time, with his "security hat on" is how you declare "problem solved". Because there was more than the backdoor itself to consider here: the project's credibility as a whole came under fire. Intel, among others, did some very stupid and rash things before the situation was fully understood and thus the peanut gallery at large have been out with the torches and pitchforks.
Ironic how Microsoft saved Linux, they could have left it there so that Linux would fall and they could sell Windows Server
An employee. Who once they spotted the issue, would have definitely reported it whether on company time or on their free time. Microsoft can do absolutely NOTHING to stop the employee. Like how, XZ is not a trade secret, it cannot fall under NDAs, the codebase is public knowledge.
Hard to believe they didn't purge the code... the reason given in the discussion is absolutely nonsense BUT someone making a build/packaging script for a distro could very easily use the bad commits and slip in the activation code in the build script. That wouldn't pass any type of review if it wasn't part of the official repo though, hence wanting to purge it
Might be nice to know what happened to person that started this mess. I mean is he back in the business working his craft with his team. I suppose some criminal group is always working to those ends but like........... well you know. This was big, did justice get served?
Anyone is a state actor, don't trust any people, trust is compromised.
"He could be in this very room. It could be you! It could be me!" -Spy
The full name of Jia Tan was Jia Cheong Tan, an anagram for "CIA agent John"
I'm much more inclined to believe this came out of a country with a flag that is mostly red. Not because I believe NSA/CIA/Homeland Security wouldn't do this, but because I believe they already have, and they're hiding in plain view in the source code.
Abcdefg
And this is why we can't trust systemd
you've ruined my favorite t-shirt
You are retelling the story to make it more favorable for open source. This was caught purely by accident... No one was looking at that repo. It was pure luck.
I'm abbreviating the story lol, go look at my early video on the topic. Everybody knows this was found because someone got bothered by a few second performance drop in SSH
Let's not forget that big software projects by big companies also have entire branches that only the people who work on them look at. Sometimes those people are just one person. And in a big company it is not hard for a state actor to get a plant. Don't think for a second that Microsoft doesn't have NSA people covertly working there.
How is it luck
@@VioletRM We got lucky that Jia Tan was bad at malware development
1st
Ya still milking the topic
I was curious about what happened after the issue was found, so the video is useful
@@suncat530 well useful 2 months ago
@@Algeriawindows69 But the full story about how the cleanup phase went didn't materialise until this week when Lasse published his extensive review.
We still milking XZ, champ?