@@SmileyEmoji42 Your point makes no sense. I'm LITERALLY an IT scientist, software and build processes IS my daily job. It doesn't change anything: the guy's storytelling was atrocious.
@@richardclegg8027 Really disappointed that this gem of internet history doesn't seem to ring anyone's bell anymore. What do kids learn in school today? ;D It's still worth looking up though. Just Google "I sit in Siberia and I have only telnet."
This was such an oversimplified explanation, it misses a few critical points. Well, what did I expect, it's like most of computerphile videos, guess I'm not the right audience.
You can speed up YouTube videos with the '>' key. At 1.5x the normal speed the video only takes 10 minutes, but even then I have the idea that the story can be told in 2 minutes, because it is very shallow.
No way is this an individual; imo the question is just which state was behind it, and realistically I think there are only 3 options, and if I had to put money on which of those I would say USA/NSA.
From what I remember reading about it at the time, the times the malicious user was sending emails, as well as other things like commit timestamps, would align with someone working a 9-5 out of eastern europe or western russia. That could, of course, just be another smoke screen.
@ircubic The timezones of their commits were all set to China's timezone, but their activity lined up perfectly with someone working a 9-5 in Eastern Europe. There were a few commits made a minute or two apart where they were in the Russian timezone, then suddenly in China, indicating they forgot to turn on a VPN for the first commit. The language of their computer was set to Russian. They notably took off Russian (not Chinese) holidays. There were small grammatical mistakes in English that would be common for a native Russian speaker to make but not a native Chinese speaker. All signs point to Russia's APT29 being the culprit.
Unlikely to be us/nsa but don't rule out a lone motivated individual who thinks they can steal 50 million in Bitcoin this way or just wants to see what their ex is up to.
Referring to a project which is being utilized in a lot of prominent software as a "wonky leg" is very disheartening to hear. Open source projects are ungrateful to maintain as is, and some proper recognition to the maintainer and person who discovered the backdoor would have been nice.
I think you’re taking it the wrong way. The project is a wonky leg because it doesn’t get the support it should due to its importance and widespread use. It isn’t a comment on the maintainer’s work but on the vulnerability that having only one guy taking care of it in their spare time brings with it.
@@realroadrunnr I understand where you are coming from, but I feel like minimizing somebody's work using a meme without properly explaining the issues and abuse of these projects is just silly. Threat actors are able to plant themselves into these projects precisely because nobody cares to bring attention to how overworked and underappreciated these developers are. But then again this video is just for entertainment.
I love your video, but I find it very sad that the person who found it, Andres Freund, and the developer of XZ (I can't even find the name) are not mentioned by name. This is very important. It's passionate individuals who save the world... and they get nothing in return :(
I name both the developer Lasse Collin and the person who found the hack Andres Freund in the video. I may pronounce them badly but I made sure I did name both as both do an excellent job in different ways in this story.
Lol people talk like AI is somehow a technical genius. Brother, current AIs (if you can call them that) are trained on random internet data produced by random internet users. And as we should all recognise, most internet users are not smart people.
I would guess so. At least with AI you can throw as many resources at it as you want, whereas humans only have so much time and interest in reviewing OSS.
It is incredible that Andres Freund was able to stop this because he noticed a benchmark took 0.807s instead of 0.299s and decided to investigate. I've heard experts say that if not for him, this could have backdoored every major Linux distribution for a long time.
Makes you wonder if it has already happened and we don't know it.
No bounties or reward for that guy either afaik, there's a big gap in funding this kinda thing (I'd say more but NDAs)
Heroic work.
So how do we know there is no other unknown backdoor?
@@mal2ksc Based on how it was discovered, I wonder if it would have been found if the code just had some kind of timeout if too many requests were coming in.
The attack was very, very well thought out. It took years for Jia Tan to get accepted as a maintainer, during which time they submitted quite a lot of real improvements, they clearly knew a lot about compression. Moreover they didn't even put the backdoor in the official repository but only in a release tarball. How many people test that the tarball signed by the maintainers is the same as the open source code that everyone can see? And how it got from the test file into the release binary was also very clever. Also AFAIK they were only focusing on Red Hat Linux and possibly also people who compile from sources (like an intelligence agency may do), it got into Debian by accident, Debian normally builds software from official repositories but in the case of xz, they were unusually building it from the release tarball.
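The tarball-versus-repository gap that the comment above describes can be checked mechanically. The following is an added example (not code from the video, the commenters, or the xz project) that compares a release tarball with a checkout of the tagged source and reports files that exist only in the tarball or differ from it; the fixture it runs on is constructed here, and every file and project name in it is hypothetical.

```python
"""Compare a release tarball with the source tree it claims to come from.

Added example, not the xz project's or the video's code. The idea: the
reviewed code lives in the repository, but what distributions build is the
tarball, so anything present only in the tarball (or different from the
repository copy) was never reviewed and should be inspected before the
tarball is built, signed or packaged.
"""
import filecmp
import os
import tarfile
import tempfile


def compare_tarball_to_tree(tarball_path, tree_dir):
    """Return {"only_in_tarball": [...], "differs": [...]} (sorted, repo-relative).

    tree_dir is a checkout (or `git archive` export) of the tagged commit the
    tarball claims to correspond to. Directories, symlinks and other
    non-regular members are skipped; only regular files are compared.
    """
    only_in_tarball, differs = [], []
    with tempfile.TemporaryDirectory() as work:
        with tarfile.open(tarball_path) as tar:
            members = [m for m in tar.getmembers() if m.isfile()]
            try:
                tar.extractall(work, filter="data")  # refuses path escapes
            except TypeError:  # Python without the extraction filter API
                tar.extractall(work)
        for m in members:
            # Release tarballs wrap everything in one top-level directory
            # (e.g. "project-<version>/"); strip it to get the repo path.
            rel = m.name.split("/", 1)[1] if "/" in m.name else m.name
            extracted = os.path.join(work, m.name)
            in_tree = os.path.join(tree_dir, rel)
            if not os.path.isfile(in_tree):
                only_in_tarball.append(rel)
            elif not filecmp.cmp(extracted, in_tree, shallow=False):
                differs.append(rel)
    return {"only_in_tarball": sorted(only_in_tarball),
            "differs": sorted(differs)}


def make_demo():
    """Build a constructed fixture and return (tarball_path, tree_dir).

    The "repository" and the tarball share src/main.c, the tarball's README
    has been edited, and the tarball ships a generated configure script the
    repository never contained. All names here are hypothetical.
    """
    base = tempfile.mkdtemp()
    tree = os.path.join(base, "tree")
    rel = os.path.join(base, "rel", "demo-1.0")
    for d in (tree, rel):
        os.makedirs(os.path.join(d, "src"))
        with open(os.path.join(d, "src", "main.c"), "w") as f:
            f.write("int main(void) { return 0; }\n")
    with open(os.path.join(tree, "README"), "w") as f:
        f.write("demo project\n")
    with open(os.path.join(rel, "README"), "w") as f:
        f.write("demo project (release)\n")
    with open(os.path.join(rel, "configure"), "w") as f:
        f.write("#!/bin/sh\necho generated\n")  # exists only in the tarball
    tarball = os.path.join(base, "demo-1.0.tar.gz")
    with tarfile.open(tarball, "w:gz") as tar:
        tar.add(rel, arcname="demo-1.0")
    return tarball, tree


def demo_report():
    """Run the comparison on the constructed fixture."""
    tarball, tree = make_demo()
    return compare_tarball_to_tree(tarball, tree)


if __name__ == "__main__":
    print(demo_report())
    # → {'only_in_tarball': ['configure'], 'differs': ['README']}
```

Against a real release you would point tree_dir at a fresh clone checked out at the release tag; generated build files showing up in the first list are expected and are exactly the ones to read before trusting the tarball.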
My "armchair expert analysis" believes this type of dedication is that of a state-sponsored threat level. Would you agree? And even if not, just for fun, which countries are likely contenders?
I was wondering if this was from "new" actors, maybe France, Lebanon, SK maybe?
@@chillphil967 :ahem:... 5eyes...
@@chillphil967 based on the names, it seems like China, but we don't know, it could be a diversion.
Makes you wonder how much stuff is planted out there without getting caught and quietly exploited.
Sadly, nobody is safe. State actors are the most persistent; they don't mind if it takes years to build trust or to pressure someone who already has trust by threatening them or their family or friends. Below that we've also got international criminal organizations who would also pressure people. It doesn't matter if it's closed-source company infiltration or open source.
Snowden documents showed this is what NSA for example does.
It was a Microsoft engineer benchmarking Postgres and saw that the connection times were slower.
xkcd 2347 is one of my favourites - it kind of describes me for the last 30 years too!
What's your project?
Anti spam and phishing detection and reporting.
Kudos to everyone heroically maintaining packages with little thanks.
This highlights to me how dysfunctional the economics of vulnerability research is, open source devs are making some of the most critical code (even Microsoft relies on it for Xbox) but as passion projects while living on baked beans, never seeing fair recompense. Reporting vulnerabilities often a waste of time too, many vendors don't care or don't pay bounties. Vulnerability research is not being funded properly.
Not only are companies not paying bounties for found vulnerabilities, they often perma-ban the user that reports the vulnerability.
OpenSSH is also part of Windows by the way.
And that's if you're lucky! Remember when someone noticed that some local gov't website was leaking the names, addresses, and SSNs of every teacher in the school district, and the governor responded by threatening to throw the people who found it in jail?
Worth noting the gaslighting and social engineering aspect of the attack used to get the maintainer to accept Jia Tan as a team member, which preceded the backdoor for years!
Yes, gaslighting is a manipulation technique. You hit on a great point. It's crazy how they managed to commit to the project.
@user4gent416 talk about weird
Yeah! IIRC, it wasn’t just “Jia Tan” who was an agent of the enemy. Didn’t several other xz community members turn out to be sock puppets that were just there to help boost Jia’s standing in the community and advocate for Jia to be granted more power?
What do you mean by "gaslighting" in this context? Just lying?
@@Mmmm1ch43l no, gaslighting.
If somebody is wondering why this did not show up at code review: they hid the payload in the testing file, and it was only incorporated into the finished binary, which was uploaded to the package servers, so if you had built this package from source you would not have been susceptible to the attack.
Also the libxc was overriding code from the sshd when being loaded as a static library; there were plans to change the sshd to dynamic library loading, which also would have prevented this attack.
Also it's pretty hard to catch something when the attacker has lead developer credentials on a project without many developers.
If it hadn't been this way they could have just hidden it in other ways.
Yes, and finding it was great. It's so important to test every new version compared to others in the same environment. If a "slowdown" occurs, it should be fully examined and understood.
Also, code review is not always thorough. Is the bug fixed? Verified? Yes? Moving on...
Some infrastructure needed to make this exploit work was added with an "optimization" patch that was reverted after the discovery.
@JasonDoege Exactly! Especially in projects where just a "quick fix" is needed to solve the problem.
We went from zero-days to patiently, over a long timespan, intentionally planting vulnerable code to construct a reliable attack vector in another program that relies on this program, to be able to hack into all our computers, and we are none the wiser...
This genuinely scares me...
xz-utils was being loaded only on Linux distros, not in OpenSSH itself. It was relied on by patches applied to ssh to work with systemd, afaik.
Yeah, it was, I understand, linked through systemd. I thought about mentioning it, but the video was getting kind of long, plus of course there are the systemd haters. :)
@@richardclegg8027 f'in SystemdOS...
@@richardclegg8027 To systemd's credit - they were working on a change to only load that type of libraries when needed, which would have mitigated this issue as well...
(And this is purely a case of some distros that integrated with systemd by loading a large library instead of writing a small amount of code to notify systemd.) (And the change is not needed to run OpenSSH, but it does give some nice extra functionality)
OpenSSH is maintained by OpenBSD, which is extremely security aware...
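The "small amount of code to notify systemd" that the comment above contrasts with loading a large library is a single datagram on the socket named by NOTIFY_SOCKET. The following is an added example, not code from OpenSSH, systemd or the video, showing that notification in plain Python with no library dependency; the listening socket it uses for the demonstration is a constructed stand-in for systemd.

```python
"""Notify systemd that a service is ready, without linking libsystemd.

Added example, not code from OpenSSH, systemd or the video. systemd's
readiness protocol is one datagram sent to the Unix socket whose path is in
$NOTIFY_SOCKET; a daemon that speaks it directly never has to map
libsystemd, or the libraries libsystemd pulls in, into its process.
"""
import os
import socket
import tempfile


def sd_notify(state, notify_socket=None):
    """Send one notification (e.g. "READY=1" or "STATUS=...") to systemd.

    notify_socket overrides $NOTIFY_SOCKET (used by the demo below).
    Returns True if a datagram was sent, False if no socket is configured,
    i.e. the daemon is not running under systemd's supervision.
    """
    path = notify_socket if notify_socket is not None else os.environ.get("NOTIFY_SOCKET")
    if not path:
        return False
    if path.startswith("@"):
        # "@name" denotes a Linux abstract-namespace socket: leading NUL byte.
        path = "\0" + path[1:]
    payload = state.encode() if isinstance(state, str) else state
    with socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM) as s:
        s.sendto(payload, path)
    return True


def demo_roundtrip(state="READY=1"):
    """Constructed stand-in for systemd: bind a temporary datagram socket,
    send `state` to it via sd_notify and return what arrived (decoded)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "notify")
        with socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM) as srv:
            srv.bind(path)
            srv.settimeout(2)
            if not sd_notify(state, notify_socket=path):
                return ""
            data = srv.recv(4096)
    return data.decode()


if __name__ == "__main__":
    print(demo_roundtrip())  # → READY=1
```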
This reminds me of Clifford Stoll's story about tracking down an extra $0.75.
This issue is what finally convinced me to put all my personal stuff behind Tailscale and stop opening ports. This could have been so, so bad.
I was hoping for a deep-dive into the obfuscation. Does anyone know if some YouTube channel has done an analysis of this yet?
It is super clever but I did not find any video on it. There is a lot to unpack so it would have been an hour long video that would not really be suitable for computerphile. The best resources I found were blog posts. You can go to the source code but it is hard going.
The YouTube channel Low Level has this video: "Secret backdoor found in open source software (xz situation breakdown)".
fern (documentary-type video) and LowLevelTV (technical) did cover this topic.
Insofar as this affects software projects, this can also affect hardware. Imagine a person dedicating this time measured in years getting embedded in a CPU development team and, say, working on a phone SoC or one of the newest microprocessors, injecting nefarious code into the design description.
Those things are not normally done by distributed, effectively anonymous, private individuals. There would have to be a presence IRL.
I can’t imagine if some infrastructure sites like pip, npm, or docker went down, the world would grind to a halt
Think of the problems if NTP stratum 1 servers are inoperative, after a day there would be growing chaos all over as timed transactions get out of step.
My grocery store owner is truly terrified of npm going down one day.
@@SeanBZA We would have real Y2K catastrophes like planes falling out of the sky or the electric grid losing frequency lock, causing a full blackout.
Look up the npm left-pad incident. It was a tiny package that only did what the name says: add spaces to the left of a string. Easy to code yourself. However, it became an integral part of even npm itself - until the dev deleted it and everything came crashing down.
Wasn't that comic strip inspired by the leftpad 'incident'?
I think so yes.
Thank you for this story time.
He is such a storyteller.
Dr Clegg has such an unusual way of speaking, fascinating story!
A much more important question:
Have you read all of those books on your bookshelf?
Shared office so not all. :)
What concerns me is, is this the first time they have done this? What about other libraries and other platforms? Hmmm.
I feel like this would be way harder to find in Windows.
True, but harder to execute, as well, because employees go through some level of vetting beyond a skill check. Still, definitely not impossible.
Windows is not open source, and the employees are not anonymous, so the methods of attack would need to be quite different. But also, it would be impossible for a member of the public to find the attack.
Wasn't it a Microsoft employee that found this issue and tracked it down?
Everything depends on third party code these days. Nobody wants to pay to reinvent the wheel
Actually, closed source software companies have been attacked like this in the past too. Also hardware companies.
Hiding things in regex can be intentional or by mistyping one character.
Don't know if you watched the whole video
Mistyping one character usually breaks the entire thing, not overwrites the code as it's compiling.
‘One key leg’ or ‘wonky leg’
Well I said "wonky" but both work. :)
Is there any system that would be able to flag this kind of unauthorized access if it happened in the wild? Couldn't you have another process that tries to match successful logins to authorized keys for that login (say you've disabled password login) and goes nuts if they don't match?
The problem with this is that most such systems work based on the logs that report who logged in - and in this case, the sshd is logging in but not (necessarily) reporting it, so you lose that tracking.
Yes, AppArmor and SELinux profiles; not new either, but commercial pressure would get you laughed at for suggesting to use them in any meetings.
In this particular case technically I believe it is not even a login. The key is recognised, the command is run, the results are returned then the ssh continues and the login process fails. So the logger would see a failed access. If you run a server of any size you see a really large number of those.
Does it launch a shell? Hmm, I guess tasks are always spawning those too.
There is no successful login. The malicious code is executed as a side effect of rejecting the login.
Could the backdoor be prohibited by AppArmor or SELinux?
This attack, no. A library is loaded into an application. The things you mentioned are about permissions, what a program can do.
Dependency upon dependency upon dependency makes work easier, software talking and sharing code with each other simpler, and solves a lot of problems with maintenance, at the cost of creating exponential liability, as every dependency tends to have its own set of dependencies.
Partially solved by version-locking dependencies, but then what about when they cause bugs for modern systems that may or may not be fixed in modern versions? Then you have to maintain it yourself at even more cost to your work.
The quality of contributions lions get is usually bad enough that it doesn't get to exploits.
I thought you mistyped Linux or Linus but then I saw your profile picture. Beautiful mane you have there.
Lasse is in most cases the nickname for Lars. I've rarely seen it outside the Nordics!
Lars officially outnumbers Lasse 100 to 1 in Sweden, but I think more Lars-es than not accept the nickname.
Trust and friendship seem to be a very difficult vector to protect, it seems. =D
I remember hearing years ago the adage that you can do more damage with a smile and a handshake than a gun and a ski mask.
The creator of Debian was an animator on Toy Story.
I have found no evidence to support this claim.
[citation needed]
Ian Murdock was *not* at Pixar. Bruce Perens is who you're thinking of, but came a bit after its creation.
This guy gave me motion sickness.
I thought maybe it was the videography, but no, it's how fidgety he was. 😂
Very unlikely that this was a single individual: while the account was trying to appear Chinese, there's been analysis of the dates and times that 'Jia Tan' was and wasn't active, and that and some other clues make it look like they were based in Eastern Europe, so the attack was probably taken out by one of Russia's elite hacking groups in conjunction with the Russian State. I mean, the dates and times could _also_ be a red herring, but from what I understand Russian hacking groups are known for performing attacks like these. The NSA probably wouldn't do an attack like this, cause frankly there are probably easier ways it could go about getting a backdoor in major software, like just asking a major American tech corp to add one in (it's happened before).
Jia is pronounced more like "jar" than like "gee ah" (with a British accent).
I'm mostly surprised someone was running sid on a large server with tons of traffic. That seems irresponsible.
I live in Nebraska and maintain tiny projects!
So you're saying this is all your fault? :P
@@Xeridanus : No, not unless you are using some rather niche russian software :)
absolutely wild!
Just a clarification: OpenSSH itself was never not secure; it was the Linux implementation that was the problem. OpenBSD and others were never impacted, as the infrastructure around it is secure by default, so the exploit could never work even though it was there.
Jia Tan could be a real helper, but then some agency just bought over their account. We Taiwanese, on the first frontline to China, have seen that on fan pages and stuff like that, like A LOT.
Wouldn't matter the origin of the name. I don't think anyone believes it was China/Taiwan
@@BAD_CONSUMER Why not? They have the means and motivation.
I didnt know Ronnie Barker was into computers.
And now with the advent of AI code "helpers", I would wager that the subtlety of similar near-undetectable injections will increase tenfold.
This is false. The amount of bad code will increase but not the quality of it. This requires sophisticated coding skills, which AI does not have, plus social engineering, which AI is really bad at, especially when it is specialists it has to convince.
Well the end is a bit unsettling.
Don't like this format where the subject is told like a nighttime story for children, leaving out so many important and interesting details about what happened.
I think videos like these that highlight that humans are still the biggest weakness in security are perfectly appropriate
Yeah, it's sad that there was more explanation of Debian version names than of how someone got libxz to execute a test file in production without pushing anything blatantly malicious.
Honestly I don't think you're the intended audience. The depth you are referring to couldn't fit in 14 minutes. I like an accessible format for people who don't necessarily watch 1hr+ talks about all intrinsic technical details. This bridge should be there to get more people involved
@@stickydone It is a problem with these videos: what do I assume people know? Some viewers are super technical and know the area really well. Some viewers don't know what ssh is. Hard to judge the level. Honestly I could talk for an hour about this hack but nobody would watch it. :)
@@richardclegg8027 I think people would definitely watch it, perhaps just a different (and probably smaller) audience than the people who watch a summary. It would still be fascinating to people interested in this stuff.
Omg YouTube started to translate the audio 🙉
His voice reminds me a little of the narrator from The Stanley Parable
I haven't seen that kind of paper since the 80s!
When's the feature film adaptation of this story coming? 😅
Jia Tan Mentioned.
How come Computerphile doesn't even know the difference between a backdoor and an exploit 😊-🌴
A story to scare kids sitting near the fireplace at camp.
Just the other day, I read about North Koreans working (remotely and under false names) for US tech companies, trying to eventually steal confidential information, plant backdoors or install ransomware. They've apparently also been quite dedicated, delivering high-quality code for years in order to "gain trust" first. As the problem became more known in the US, they were said to have been shifting towards Germany in the past months.
The level of dedication is similar to that of Jia Tan, but it could ofc still be pretty much anyone behind that.
AND I WOULD'VE GOTTEN AWAY WITH IT, IF IT HADN'T BEEN FOR YOU MEDDLING DEVELOPERS!
Could you please deactivate the automatic ai translations? They are annoying
I think that's through RUclips, and you can disable that on your end on the top right by clicking the CC button.
@danbopes6699 Doesn't work on my phone. The dubbing is annoying
@joshix833 Go to settings > audio
Click the cogwheel, then audio track (6), then English.
yeeeees
This reminds me of the Source Forge incident where somebody pulled his code for removing spaces at the ends of a string and brought half of the internet down.
It was on NPM and the package was called left pad; the author was disgruntled because NPM was forcing him to give his kik repo to the company kik
I was thinking the same!
Oh boy, the OpenBSD devs are gonna be pissed!
social engineering at its finest
when does an echo system become an eco system?
Ok, it doesn't surprise me at all.
Is he a bit pissed? He doesn't act like usual.
Assure you I am sober. This was recorded ten minutes before "the goodbye problem" video if you want to compare even if they are shown the other way round. :)
Got late, thanks for refreshing it 😊
I used to watch computerphile back in the day for detailed explanations of exploits and neat things with computers, now though I feel like they just restate the news but months late and in worse detail, adding nothing new :(
"unstable" 🤣
His narrative is meandering and convoluted. This is a much simpler story.
I agree. I stopped watching before the fifth minute due to how insufferable the storytelling was.
@nicnl255 Same. His talking style and mannerisms are eerily similar to a guy that I used to work with in IT. Both creepy.
Depends how much you understand, or want to understand, software and the build processes
@SmileyEmoji42 Your point makes no sense.
I'm LITERALLY an IT scientist, software and build processes IS my daily job.
It doesn't change anything: the guy's storytelling was atrocious.
Thought it was colorful and entertaining. I would've just googled if I wanted a robotic summary.
No telnet? But what if I sit in Siberia and I have only telnet?
Then you don't get into any computer I run. :)
@richardclegg8027 Really disappointed that this gem of internet history doesn't seem to ring anyone's bell anymore. What do kids learn in school today? ;D It's still worth looking up though. Just Google "I sit in Siberia and I have only telnet."
This was such an oversimplified explanation, it misses a few critical points. Well, what did I expect, it's like most of computerphile videos, guess I'm not the right audience.
👍
PLEASE DEACTIVATE AUTODUBING IT IS SO BAD
Sorry the buildup is far too slow. Got bored and left after 7 minutes of being told nothing.
You can speed up RUclips videos with the '>' key. At 1,5x the normal speed the video only takes 10 minutes, but even then I have the idea that the story can be told in 2 minutes, because it is very shallow.
Not an airport, mate
The KGB deployed sleeper agents that were dormant sometimes for decades. So, for a state actor a period of 2 to 3 years is really just short term...
LOL
nice
No way is this an individual. IMO the question is just which state was behind it, and realistically I think there are only 3 options, and if I had to put money on which of those I would say USA/NSA
Dart*
If you're familiar with this story you'd know that it's almost certainly not the US
From what I remember reading about it at the time, the times the malicious user was sending emails, as well as other things like commit timestamps, would align with someone working a 9-5 out of eastern europe or western russia. That could, of course, just be another smoke screen.
@ircubic The time zones of their commits were all set to China's time zone, but their activity lined up perfectly with someone working a 9-5 in Eastern Europe. There were a few commits made a minute or two apart where they were in the Russian time zone, then suddenly in China, indicating they forgot to turn on a VPN for the first commit.
The language of their computer was set to Russian. They notably took off Russian (not Chinese) holidays.
There were small grammatical mistakes in English that would be common for a native Russian speaker to make but not a native Chinese speaker.
All signs point to Russia's APT29 being the culprit.
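The two timestamp checks the comment above describes (stated UTC offset flipping between commits made minutes apart, and the stated local clock versus the working day implied by real UTC time) can be run mechanically over commit metadata. The script below is an added example, not code from the video or from the xz project, and it operates on a constructed git-log sample with placeholder hashes and author names, not on real xz commits; the 09:00-17:00 working-day window and the 10-minute flip window are assumptions chosen for illustration.

```python
"""Timezone-consistency checks over git commit metadata (constructed sample)."""
from collections import namedtuple
from datetime import datetime, timedelta, timezone

Commit = namedtuple("Commit", "sha author when offset_min")

# Constructed sample in the shape produced by
#   git log --format='%h|%an|%ad' --date=iso-strict
# These are NOT real xz commits; hashes and author names are placeholders.
SAMPLE_LOG = """\
a1b2c3d|contributor|2023-06-27T09:12:40+03:00
b2c3d4e|contributor|2023-06-27T14:12:41+08:00
c3d4e5f|contributor|2023-06-28T16:30:00+08:00
d4e5f6a|contributor|2023-06-28T21:05:00+08:00
e5f6a7b|contributor|2023-06-29T15:40:00+08:00
f6a7b8c|contributor|2023-06-29T22:20:00+08:00
0a1b2c3|maintainer|2023-06-28T20:10:00+03:00
"""


def parse_log(text):
    """Parse 'sha|author|iso-strict date' lines into aware Commit records."""
    commits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        sha, author, stamp = line.split("|", 2)
        when = datetime.fromisoformat(stamp)  # keeps the stated UTC offset
        offset_min = int(when.utcoffset().total_seconds() // 60)
        commits.append(Commit(sha, author, when, offset_min))
    return commits


def offset_flips(commits, window=timedelta(minutes=10)):
    """Consecutive commits by one author that are close in absolute (UTC) time
    but carry different stated UTC offsets. Returns (sha1, sha2, off1, off2)."""
    by_author = {}
    for c in sorted(commits, key=lambda c: c.when.astimezone(timezone.utc)):
        by_author.setdefault(c.author, []).append(c)
    flips = []
    for seq in by_author.values():
        for prev, cur in zip(seq, seq[1:]):
            gap = cur.when - prev.when  # aware datetimes subtract in absolute time
            if gap <= window and prev.offset_min != cur.offset_min:
                flips.append((prev.sha, cur.sha, prev.offset_min, cur.offset_min))
    return flips


def business_hours_fit(commits, author, candidate_offset_min, start=9, end=17):
    """Fraction of an author's commits whose local hour falls within
    [start, end] if the author were really at candidate_offset_min."""
    tz = timezone(timedelta(minutes=candidate_offset_min))
    hours = [c.when.astimezone(tz).hour for c in commits if c.author == author]
    if not hours:
        return 0.0
    return sum(start <= h <= end for h in hours) / len(hours)


def best_offset(commits, author, candidates=range(-12 * 60, 15 * 60, 60)):
    """Whole-hour UTC offset with the best working-day fit (ties: smallest)."""
    return max(candidates, key=lambda off: (business_hours_fit(commits, author, off), -off))


if __name__ == "__main__":
    commits = parse_log(SAMPLE_LOG)
    for sha1, sha2, off1, off2 in offset_flips(commits):
        print(f"offset flip {sha1}->{sha2}: {off1 // 60:+d}h -> {off2 // 60:+d}h")
    for off in (180, 480):
        fit = business_hours_fit(commits, "contributor", off)
        print(f"contributor 9-17 fit at UTC{off // 60:+d}: {fit:.2f}")
    print("best-fitting offset for contributor:", best_offset(commits, "contributor") // 60)
```

The stated offset on each commit is whatever the committer's machine reported, so the check leans on the absolute UTC instant, which is harder to fake consistently than a clock label. A single flip or a good working-day fit is a lead to investigate, not proof of location.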
Unlikely to be US/NSA, but don't rule out a lone motivated individual who thinks they can steal 50 million in Bitcoin this way or just wants to see what their ex is up to.
Referring to a project which is being utilized in a lot of prominent software as a "wonky leg" is very disheartening to hear.
Open source projects are ungrateful to maintain as is, and some proper recognition to the maintainer and person who discovered the backdoor would have been nice.
I think you’re taking it the wrong way. The project is a wonky leg because it doesn’t get the support it should due to its importance and widespread use. It isn’t a comment on the maintainer’s work but on the vulnerability that having only one guy taking care of it in their spare time brings with it.
@realroadrunnr I understand where you are coming from, but I feel like minimizing somebody's work using a meme without properly explaining issues and abuse of these projects is just silly.
Threat actors are able to plant themselves into these projects precisely because nobody cares to bring attention to how overworked and underappreciated these developers are.
But then again this video is just for entertainment.
@ you are right, he could’ve (and should’ve) spent more time on explaining what the actual issue was in terms of “how could this even happen?”.
I am referring to xkcd 2346 if you want to see what I am getting at which is explicitly about how under appreciated that maintainer is.
I love your video, but I find it very sad that the person who found it, Andres Freund, and the developer of XZ (I can't even find the name) are not mentioned by name.
This is very important. It's passionate individuals who save the world... and they get nothing in return :(
12:21
watch again, they are both mentioned
I name both the developer Lasse Collin and the person who found the hack Andres Freund in the video. I may pronounce them badly but I made sure I did name both as both do an excellent job in different ways in this story.
I wonder whether current AI technology and models can review code in terms of security and efficiency.
I think the false-positive rate is quite high at the moment.
It's already been happening for at least 18 months or so
Lol people talk like AI is somehow a technical genius. Brother, current AIs (if you can call them that) are trained on random internet data produced by random internet users. And as we should all recognise, most internet users are not smart people.
I would guess so. At least with AI you can throw as many resources at it as you want, whereas humans only have so much time and interest in reviewing OSS.
But who will be reviewing the AI?
First comment
f.
* "day-mon"