BIG security issue, Redis ditches FOSS, future of Linux is bright: Linux & Open Source News

  • Published: 6 Jan 2025

Comments • 374

  • @TheLinuxEXP 9 months ago +18

    Use SquareX to protect your browsing, email and OS with a suite of disposable tools: sqrx.io/tle_yt_v2

    • @mauricetroisville646 9 months ago

      Sorry, that is bs, and it's sad that you spread fud, you should check your facts before pumping a video in the wild. ❤
      I don't like the change of the redis license but of course every developer can use, borrow, export and touch the code. The thing I can now not do anymore is take the code of redis and sell it to other people to make a shitload of money without doing any work 😅.
      Redis is harming the open source community with this step, sure, but much harder do big cloud companies hurt it with taking other people's work for free and sell it for money.

  • @Cobinja 9 months ago +63

    Andres Freund, who found and reported the xz backdoor, should be called "The XZorcist".

    • @sweetsweetkhajoor 9 months ago +2

      i saw this comment on brodies video lmao

  • @pjcpspn670 9 months ago +5

    Thanks!

  • @mat2739 9 months ago +59

    Hi Nick.
    (maybe you already know) The increase of vm_map_max_count on Ubuntu is the first initiative from Gaming Linux Fr community to make Linux distributions better for gaming.
    Don't know what they will try next, but that's nice, and easy to participate.

  • @Dosenwerfer 9 months ago +91

    I was a developer for one of the largest Minecraft multiplayer server networks and Minecraft has a notorious issue with cheaters. We developed a pretty sophisticated platform to detect and ban cheaters, which was a combination of heuristics that would calculate a score as to how likely each player was cheating and with what tools. Over a specific threshold they would just be banned automatically but below that, it would alert the moderators to go and watch their behavior live. However, the heuristics never encompassed anything machine learning related afaik, but I played with the thought back then. Glad that I am not the only one who wants to see AI being used for this :D

    • @Dosenwerfer 9 months ago +15

      Training that AI would have been pretty easy, because each time someone was banned, an automatic replay of the entire round with each player's actions was saved for evidence and dispute purposes (that replay system was an insane achievement all by itself)

    • @borg-dx1st 9 months ago +1

      Funny, nowadays people would be claiming you're close to AGI with that heuristic analysis 🙄

  • @vendetta.02 9 months ago +116

    the thing with Redis is that even their justification doesn't make any sense, if they wanted to prevent corporations from taking advantage of them they could have dual licensed with AGPLv3 and a custom commercial license, so much software does this (like Qt for instance) and it does the same thing as they wanted while still keeping it fully FOSS.
    They shot themselves in the foot for no reason.

    • @MIO9_sh 9 months ago +17

      same case for mongodb, but unlike mongodb which is ahead of time that forks and clones still aren't up to standard, redis had several alternatives (keyDB and dragonflyDB) that outperformed redis by orders of magnitude, while being 100% compatible with redis clients. This time with redis isn't just a tradeoff, it's total loss for them
      Note: dragonfly is still not fully FOSS yet, but it will by 2028

    • @guss77 9 months ago +8

      That isn't actually accurate - AGPL doesn't require cloud providers that provide "Redis as a service" to get a commercial license, while small companies - some of which pay Redis consulting fees - would need to expose all the data on their servers. AGPL is not the correct license to fight AWS taking your code, making it commodity and drying up your support and consultancy work.

    • @MattVickers 9 months ago +6

      The same old problem with BSD type licenses. Somebody else will monetise your code and get to screw you over.

    • @fakecubed 9 months ago +1

      @MattVickers You're not screwed over since you agreed to letting them monetize your code before contributing code, and you can monetize it also.

    • @mauricetroisville646 9 months ago +2

      @fakecubed yeah? you can found a cloud company with nearly monopolistic advantages like aws, azure and google cloud? well, they should have hired you for consultancy work! 😂

  • @---David--- 9 months ago +24

    One of the most worrying things about the whole xz situation is that the only reason they found out about the possible backdoor was that it slowed down some systems, which prompted certain people to investigate the cause of the slowdown, going down a deep rabbit hole.
    This means that if the programmer of the possible backdoor had been more competent and wrote faster code, then it might have never been detected at all.

    • @KomiyanVT 9 months ago +4

      That first sentence describes my life right now - finding a slight performance bug, figuring out why it's happening - and then not having a clue as to what can really be done...
      For instance, running WINE [or proton] and then loading up the browser after connecting to the internet leads to some strange behavior when the browser is closed and the network disconnected again: the CPU has an extra load on it that comes in pulses lasting for 15 seconds, before going quiet for about the same amount of time - though I've seen pulsing as short as 1 second and as long as 2 minutes...
      I HOPE it's just a windows-ey thing that's happening as a result of 'svchost' getting a network connection, and NOT something strange packed into the casks these days!
      SOLUTION: Sanitize the session before and after using wine, when network traffic will be involved. Do this by resetting the shell, and the window manager - the method for which is distro and desktop dependent - and probably does not work in Wayland (I saw similar issues on Debian - but traced the excess undulating CPU usage to a "worker" process which was root protected.)

    • @borg-dx1st 9 months ago +1

      you open an issue for this? @KomiyanVT

    • @asgacc8789 9 months ago +2

      Not only that. The delay was merely 500ms. Unnoticeable to most of us muggles

    • @KomiyanVT 9 months ago

      @borg-dx1st Not yet, as it's got to be tested under more conditions.
      I can't blame wine or firefox or anything else in the chain, until I eliminate hardware / drivers as possible causes.
      And then there's distro, as I mentioned it happened under Debian, and I'm seeing it under Arch / Manjaro - but I don't see it on Kali.
      Though installing wine and anything under it is a tedious process on Kali...
      So yeah - one of many things to do after I rebuild my distro that I recently made - that has the back door in it x_x

    • @hayden.A0 9 months ago

      @asgacc8789 Ahaha indeed. But yeah kudos to the person who figured it out. Certainly takes some wit and patience to dig up stuff like that

  • @savagepro9060 9 months ago +378

    As Linux gets more and more popular, hackers will find the beautiful platform more attractive as hacking fodder! Simple! But it's OpenSource, thus we WILL survive!🐧🐧🐧🐧

    • @tablettablete186 9 months ago +80

      Tbh, Linux is super popular in the server market. So hackers have been very interested in it for a long time now.
      Desktop Linux is the one gaining popularity, servers are already!

    • @brandonw1604 9 months ago +37

      The xz back door was added by a core maintainer. Not some random hacker.

    • @savagepro9060 9 months ago +1

      @tablettablete186 My bad. I overlooked that. My vision was blurred with penguin feathers, while trying to save their eggs over this Easter egg-hunting seasonal fiasco. But that solidifies that fact of LINUX's power, even more! The majority of super-servers out there is LINUX based. Desktop users will always be less careful. The hackers KNOW that!

    • @savagepro9060 9 months ago +20

      @brandonw1604 listen to YOUR answer, "a core maintainer, not a RANDOM hacker". Oh by the way social engineering comes in more flavors than all of Linux's distros added.

    • @mat_max 9 months ago

      WHAT THE FUCK IS A USERBASEEEEEEE 🐧🐧🐧🐧🐧🐧🐧🐧🐧🐧🐃🐃🐃🐃🐃

  • @zeckma 9 months ago +34

    There is a lot of speculation around xz and how many CVEs could be waiting to pop up from the project, even before 5.6.x. The developer has been around for a while and has basically been confirmed to have been making dangerous commits before they all combined into this CVE. This backdoor specifically targets deb and rpm building, but we don't know if there is anything more that we need to be cautious about. For now, I'd advise reverting back to xz-5.4.6, then avoid downloading xz tarballs, unpacking those tarballs, and creating xz compressed tarballs. gz, bz2, and zst are suitable replacements. Stay safe, people.

    • @Subh8081 9 months ago +1

      What command you used to detect your xz version?

    • @scyth2 9 months ago +4

      @Subh8081 `xz --version`

    • @arthurcastro9741 9 months ago +6

      @scyth2 No, it's better to use the package manager from your distro to detect xz version than the app itself, since it is compromised. For example using apt: `apt list --installed | grep xz`

    • @scyth2 9 months ago

      @arthurcastro9741 Yes, better still.

    • @dandiaz19934 9 months ago

      Damn, is it bad that I don't know the majority of what you just said? How can someone using Linux Mint with very little knowledge protect themselves if possible

  • @DashieTM 9 months ago +3

    Note on redis, there are 2 licenses available, one is clearly source available and doesn't let you redistribute, the other does let you redistribute, but with the restriction that should you host the code as a service, you are required to also provide all tools used in combination to host said service.

  • @5jiji 9 months ago +21

    Could someone explain to me why would an anti-cheat be installed on a user's computer?
    Shouldn't the anti-cheat be on the SERVER side instead of the client side?
    Feels useless in client side, because it's a downloaded binary, meaning the client can remove the protection, while the server one is... impossible without literal access to the server

    • @TheLinuxEXP 9 months ago +13

      Totally agree

    • @crossscar-dev 9 months ago +3

      yeah this already the way built in minecraft anti cheat works (yes there is a built in one.) And minecraft plugins also do it this way.

    • @SteveHazel 9 months ago +2

      cheating is usually done with the aid of a computer program on the gamer's pc. the server has no visibility into the gamer's pc. the anticheat software is looking for things that won't be happening by a human (buttons being pressed faster than humanly possible, programs running other than the game, etc).

    • @MNbenMN 9 months ago +2

      @SteveHazel If pressing buttons (or emulating/ automating them) too quickly is the problem, then couldn't the game client just ignore the inputs instead of needing to monitor kernel level events globally? I'm not sure all client side cheat exploits have as simple a solution, but I would like to think that the game servers should be able to identify invalid states reported by the (potentially modified or manipulated) game client for other cheats that aren't related to input automation. The problem of preventing user access to locally cached information about other players that should not be visible is kind of a hard problem, though.

    • @fakecubed 9 months ago +4

      As somebody who's never cheated at multiplayer games in his entire life, but has been accused of cheating in said games many times, it's actually quite difficult to tell the difference between a game being modified to play itself at a high level, and a human player who's actually that good or that lucky, based simply on input and results. I do think software, server-side, could be used to detect statistically implausible strings of luck and/or performance. Statistical analysis is how they catch cheaters at online chess, and even some cheaters at chess in in-person chess tournaments.
      The thing about cheaters is they don't cheat just a little bit, get a few good results, and then stop. And if they did do that, they aren't a serious problem anyway. Such anomalies don't really impact other players that much, and things work out as they should in the end. The cheaters that cause problems are the cheaters who keep cheating all the time. This can be detected statistically, using a variety of metrics. It wouldn't catch the cheater instantly, but it would catch them after a while with a high degree of confidence. The exact metrics used could be preprogrammed, or be determined based on some kind of self-trained AI model. Then it wouldn't matter the specific methods by which cheaters cheat.
      It might also be interesting not to ban cheaters, but put them into a sort of ladder, where they end up only playing against tougher and tougher opponents, and if they keep beating those, they will end up playing against just the other cheaters. Personally, I'd be very curious to see how far things could get, as cheaters try to out-cheat each other. Just as it would be interesting to see how effectively humans could play chess against each other, if the humans were assisted by their own chess computer engine. We know that computers can already play chess at a much higher level than humans can, but humans assisted by chess engines can actually be much better at choosing from the chess engine suggested moves, based on their experience.
      So I say, let the cyborgs fight each other, just put them in their own league by themselves where they won't bother anyone.

  • @BUDA20 9 months ago +20

    Arch seems not affected since the script in the malware only runs if the package is a deb or rpm... so there is "distro" intent, implicit in the code

    • @npgoalkeeper 9 months ago +9

      Arch was not affected because it does not directly link liblzma to openssh. It still pulled the contaminated source tarballs that affected debs and rpms, complete with the entire back door, although there’s no way to trigger it unless you had compiled your own version of openssh that links liblzma. It’s why arch now uses git directly. Arch got lucky, as did everyone else.

    • @louieaaa3818 9 months ago +8

      Actually, both are true. The exploit specifically checks for .deb or .rpm based x86_64 distros, including Debian, Ubuntu, Fedora, and RHEL.
      Arch got lucky in that it doesn't link openssh to liblzma via systemd, unlike Debian, but it also wasn't specifically targeted.

  • @shadowpenguin3482 9 months ago +8

    Regarding checking the version of xz, do not use xz to print the version itself, but check it using your package manager. You don’t want to run the malware to check itself

  • @smallclover 9 months ago +24

    The Anti-Cheat that Helldiver 2 uses is quite good, from what I have experienced so far. It works on Linux when running through Proton and I haven't seen a single Hacker yet, even though I've been playing Helldivers for multiple hours a day since release.

    • @TheLinuxEXP 9 months ago +10

      Yeah I’ve been having a great time as well !

  • @KCKingcollin 9 months ago +22

    Man, IG EA decided to completely pass on millions of dollars, I honestly was not expecting a company to actively break compatibility for Linux gamers when market share is going up like this

    • @kansnex 9 months ago

      EA Games
      Piss off everyone!

  • @RouvenH 9 months ago

    Thank you very much for keeping us up to date

  • @Calajese 9 months ago +15

    For anyone on Arch or -based the package names you want are "xz" and "lib32-xz" as those include liblzma, version 5.6.1-2(latest) is safe, versions between that and 5.6.0 are not.

    • @PanduPoluan 9 months ago +2

      That's only safe from the recently discovered backdoor. The perpetrator had been maintaining xz for at least 2 years, probably more. Can't be sure that he hadn't put in more holes during those two years.
      Gentoo Linux had taken the extreme measure of masking everything after 5.4.2.

    • @Calajese 9 months ago +1

      @PanduPoluan maybe there's more, I was just relaying from the arch security advisory

  • @notjustforhackers4252 9 months ago +14

    The second that xz issue came up yesterday I rebooted out of 40 back to my 39 install and fdisk-ed that drive. Talk about a reaction 😆

    • @RJARRRPCGP 9 months ago

      Sounds like when a fake web site suddenly pops up in a tab, then your heart sinks and then wipe the drives and change passwords, just like my early-February, 2024 incident. :( It was with Windows 11, but it doesn't matter, I still wiped the SSD, because of a suspected drive-by-malware-installation attempt.

  • @pranavbadrinathan6693 9 months ago +12

    Just to confirm, the SSH security issue only applies to distros that patch the base OpenSSH with liblzma. Arch, for example, does not patch OpenSSH and as such is not susceptible. However, Debian and some other distros do, so any and all Debian or Debian based installs should make sure they are not compromised, and fix it if they are.
    More info on the issue from Low Level Learning: ruclips.net/video/jqjtNDtbDNI/видео.html

    • @za_wavbit 9 months ago +1

      Unfortunately, deb and rpm-based distros are what run most servers. No one's running Arch in prod unless they're very brave and have no compliance requirements.

    • @pranavbadrinathan6693 9 months ago

      @za_wavbit yeah, just wanted to state this as it is mentioned in the video that rolling release like Arch and arch based distros should be wary.
      Hopefully this was caught before anyone really switched to the latest version though, and hopefully no one was compromised.

    • @za_wavbit 9 months ago +1

      @pranavbadrinathan6693 For sure. I'm actually very concerned about people doing things like shipping an Alpine image but with glibc and libsystemd, or building random packages from tarballs they found because a Stackoverflow answer somewhere said to. Everyone should check all their systems and images, just in case.

    • @AzureSoukyuu 9 months ago

      @za_wavbit the good thing about arch is that it teaches you how to fix it if anything breaks. So there is not a lot of bravery involved in running it in production, it's just the compliance thing and also people sticking to what they know, and most know the debian variants. In the almost 10 years of running arch on several PCs and servers, I had maybe 2 breakages that weren't my fault (systemd-boot changing syntax being one, a btrfs bug preventing mounting the system being another) and those I could have prevented if I read the news before updating. Still, reverting to a working system was easy and came without data loss.

    • @za_wavbit 9 months ago +1

      @AzureSoukyuu I think we're talking about different levels of "prod." Right now my company's environments probably have somewhere around 1500 pods running (mostly in prod; too lazy to check the exact number but I haven't seen any notifications telling me stuff's down). At moderate to large scale, everything build/deploy-related is automated, sometimes including package updates, so it's important to be able to just trust that it works. You can't just do that with Arch, if it breaks something even 1% of the time that's a huge issue.
      Arch is a great learning experience though; when I ran it on my PC, I managed to break glibc somehow, then had to figure out how to fix that (pacman-static is handy!). I might try it out again for serving a side project, next time I have a brilliant idea for a side project (that I'll probably abandon two months later).
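
Added example (not part of any comment above, and not code from the video or the xz project): a POSIX shell check for the two points raised in these threads, reading the installed xz/liblzma version from the package manager instead of running `xz --version`, and testing whether `sshd` is linked against liblzma. The function names, the `--report` switch and the sample `ldd` text are assumptions made for this illustration; 5.6.0 and 5.6.1 are the upstream releases that shipped the backdoor.

```shell
#!/bin/sh
# Added illustration: function names and the --report switch are hypothetical.

# Print the packaged xz/liblzma version without executing the xz binary.
installed_xz_version() {
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f='${Version}\n' liblzma5 2>/dev/null
    elif command -v rpm >/dev/null 2>&1; then
        rpm -q --qf '%{VERSION}-%{RELEASE}\n' xz-libs 2>/dev/null
    elif command -v pacman >/dev/null 2>&1; then
        pacman -Q xz 2>/dev/null | awk '{print $2}'
    else
        return 1
    fi
}

# Classify a package version string.
#   review = built on upstream 5.6.0 or 5.6.1; compare the package revision
#            with the distro advisory (a distro may ship a fixed rebuild under
#            the same upstream number, as the Arch comment above describes)
#   ok     = any other upstream version
classify_xz_pkg() {
    v=${1#*:}                              # drop an epoch such as "1:"
    case $v in
        *+really*) v=${v#*+really} ;;      # Debian-style revert: the real
    esac                                   # upstream version follows "+really"
    upstream=${v%%-*}                      # cut the distro revision
    case $upstream in
        5.6.0|5.6.0[!0-9.]*|5.6.1|5.6.1[!0-9.]*) echo review ;;
        *) echo ok ;;
    esac
}

# Read `ldd` output on stdin; succeed if liblzma is among the libraries.
# ldd lists indirect dependencies too, so a link through libsystemd shows up.
links_liblzma() {
    grep -q 'liblzma\.so'
}

# Constructed sample of ldd output for an sshd that pulls in liblzma
# through libsystemd (paths and addresses are made up).
SAMPLE_LDD_WITH_LZMA='libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x0)
liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x0)'

report() {
    ver=$(installed_xz_version | head -n 1)
    if [ -n "$ver" ]; then
        echo "xz/liblzma package version: $ver -> $(classify_xz_pkg "$ver")"
    else
        echo "could not read the xz version from dpkg, rpm or pacman"
    fi
    sshd_bin=$(command -v sshd || echo /usr/sbin/sshd)
    if [ -x "$sshd_bin" ] && ldd "$sshd_bin" 2>/dev/null | links_liblzma; then
        echo "sshd is linked against liblzma"
    else
        echo "sshd not found, or not linked against liblzma"
    fi
}

if [ "${1:-}" = "--report" ]; then
    report
fi
```

Run the script with `--report` to check the local machine; a `review` result means the package revision still has to be compared with the distribution's own advisory.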

  • @mrkrud 9 months ago +2

    Thanks for the heads up! got some updates to run

  • @cedricksusername 9 months ago +37

    shoulda called the fork Freedis

    • @joshallen128 9 months ago +1

      New number who freedis?

    • @yuryzhuravlev2312 9 months ago

      We have already Redict

    • @mahmoudsahebi5176 9 months ago

      Freedis and Freedat, it's like advertising free software. thumbs up 👍

  • @dfs-comedy 9 months ago +67

    The xz attack should be a wakeup call. We need companies that benefit from free software to start paying some money into supporting it, especially into securing supply chains. I also think the days of semi-anonymous contributors contributing to important open-source projects are numbered. We will need strong forms of identification to know who is contributing and to track what they do.

    • @vogonp4287 9 months ago +5

      I feel like the increase in Linux market share is having the same effects as the increase in Mac market share in the early 2000s. As market share increases, more things like this will happen.

    • @5h4ndt 9 months ago +28

      Lol no. We need improved quality assurance of contributions , not reduced privacy of contributors.

    • @guss77 9 months ago

      I think it is unrealistic to expect the open source ecosystem to change - RedHat and friends have made a lot of money from reusing code written by unpaid volunteers all around the globe. When the next best compression algorithm is created by some girl in an African jungle, they'll grab that and not pay her a dime - not because she's a woman or African but because that's what they do.
      But maybe next time they'll know better than to disable the valgrind static compiler checks...

    • @llothar68 9 months ago +2

      What about people using the software. But most important don't fork, don't port the same shit into 100 different language, stick with C and C++ for libraries.

    • @NeptuneSega 9 months ago +12

      No, why reduce privacy? That's never the answer

  • @savagepro9060 9 months ago +39

    I saw a diagrammatic explanation by a professional reverse-software engineer, of how the hackers compromised the Linux kernel. It was NOT FKIN easy. Just goes to prove how much of a stalwart this Linux thingy is. We are strong. Have faith. We are COMMUNITY!

    • @resultingrun5928 9 months ago

      Is there somewhere we can find this?

    • @brandonw1604 9 months ago

      @resultingrun5928 low level learning

    • @8bitZetaCourses 9 months ago +5

      It was probably point of Low-Level Learning's latest videos

    • @savagepro9060 9 months ago +6

      @resultingrun5928 Dude, the algorithm keeps deleting my answer to you!

    • @LEo_7 9 months ago

      @savagepro9060 Damn

  • @talkysassis 9 months ago +22

    We still lack a good sdk for flatpaks. I don't really like the idea to compile a package for a native system and trick it to run on flatpak. A flatpak runtime that I import just like Android libs would be better.

  • @mirage809 9 months ago +18

    That SSH vulnerability is scary. I'm luckily unaffected and I expect it to not be a problem for release Fedora.
    As for EA anti-cheat: kernel level anti-cheats like EAC do work on Linux (it even has a native Linux version). However, kernel level access on Linux means something completely different than it does on Windows. When running on Linux the anti-cheat runs in userspace, heavily containerized. Same story with the anti-cheat in Helldivers 2. EA not considering Steam Deck is entirely by choice. It can be done, it isn't super hard and I'm pretty sure the folks at Valve will happily sit down and work with any dev/publisher to get it working. After all, a game running well on the Deck is a nice selling point for everyone.

    • @ibnu7942 9 months ago +2

      kernel level anti cheat such as ea anti cheat uses in bf2042 does not work on linux. It's developed in house by EA
      EAC is licensed to ea games and ea does not develop EAC. It's now owned by Epic

  • @WaterShowsProd 9 months ago +3

    To be fair A.I. is being used for early detection of diseases and in other scientific applications such as searching through huge amounts of data to find patterns or specific targets of interest, it just doesn't get as widely publicised.

  • @PinakiGupta82Appu 9 months ago +3

    As the software ecosystem on Linux matures, even at a slow pace, more people will flock to the Linux world. Both the developers and the users should collaborate for steady improvements.

  • @lellyparker 9 months ago +17

    Fedora 41 barely exists. Current version is 39 and beta version of 40 publicly available.

    • @dc8povi 9 months ago

      That was my question when I read 41

  • @seymourtoa 9 months ago +3

    squareX looks very interesting and helpful! thanks for another awesome tip!

  • @trevorford8332 9 months ago +45

    The internet is really scary place nowadays!! I like it when I first started many years ago, call me old fashioned I like dial up better.

    • @TomJakobW 9 months ago +20

      Ah yes, the good old times of dialers and scary-focused malware destroying all data left and right. Can’t get malware if browsing 4 sites takes 20 minutes! 😅
      Call me new fashioned, but I find the internet (if one isn’t a moron and wildly clicks everything) much safer to navigate today - especially with all the backup and protective tools broadly and often built-in available!
      Although - as everything - hackers have become more boring and greedy. Everything‘s ransomware these days… 😒
      Stay safe!

    • @trevorford8332 9 months ago +4

      @TomJakobW When I first started there was no internet just terminals, and bulletin boards. Not that I used them that much. 😀

    • @JT-mr3db 9 months ago

      That’s a wild take.

    • @MiningForPies 9 months ago

      @trevorford8332 bulletin boards and terminals are the internet. The internet existed for years before the Web.

  • @cavvieira 9 months ago

    Hey Nick, thank you for being the best Linux news channel on the 'tube, you rock!

  • @truko22 9 months ago +2

    Thanks for the news 👍

  • @DocRekd-fi2zk 9 months ago +1

    Redis: We want big cloud to start paying for Redis' development
    Big cloud: start foundation to pay for Redis fork development
    Truly a galaxy 5d chess with multidimensional time travel brain moment from Redis team

  • @sub-harmonik 9 months ago +2

    I think the xz vulnerability only affects ssh under systemd as far as people know, and I heard it doesn't affect arch. there are a very specific set of circumstances that trigger it.

  • @markustieger 9 months ago +3

    the backdoor only affects debian and rpm packages. There is literally a check in the backdoor for that.

    • @halfsourlizard9319 9 months ago

      Obligatory I use Arch btw ... but that's kinda hilarious ... although I wouldn't wish exploits even on the savages that use shitty RPM distros.

  • @RBLTalk 9 months ago

    It wasn't a random attacker it was the maintainer that forced control over the repo.
    The code was only looking for Deb or rpm so Arch and Gentoo was not affected.

  • @joandrade 9 months ago +2

    @TheLinuxEXP, how about a video about linux specific 2-in-1 laptops situation? Like support for stylus, handwritten notetaking software, pdf annotation, drawing, etc.?

  • @PinakiGupta82Appu 9 months ago +2

    Linus Torvalds said that GPL3 violates everything GPL2 stood for. He was right.

  • @andrespelaez5095 9 months ago +25

    Arch has the bad version, and they issued an update for the xz library. However, since Arch does not patch openssh to need liblzma, seems to not be affected.

    • @crossscar-dev 9 months ago

      OMG I was so worried.

    • @Chr0n0s38 9 months ago

      Additionally the malicious code seems to search for deb and rpm packages specifically. There's an interesting discussion about it in Gentoo's bugzilla.

    • @fakecubed 9 months ago +1

      Literally no one was affected, unless they were doing really stupid things with unstable versions of Debian or Fedora. And even then the "effect" was just a backdoor existing. There's no evidence anyone was using that backdoor on any systems anywhere. It was very likely the creators of it (probably a state actor) were waiting on release versions to ship, and then some particular target or target updating to that new release version. This got caught almost immediately, before any real production systems could possibly use the malicious xz version.

  • @DedMem3 9 months ago +8

    This BF V situation sucks because I have friends that I play Battlefield with and they have no clue what Linux is, and they just think I play on pc so it will be awkward to explain to them on why I can’t play with them anymore 😅

    • @youllnevertakemealive2833 9 months ago +6

      EA should actually start with Apex, and give me an excuse to never go back to that trashfire. Skipping the last few seasons has felt really good.

  • @thescrewfly 9 months ago +8

    There are already enough reasons not to play any EA games, so it's amusing to see the company itself giving a helping foot-in-mouth hand.

    • @Dragonborn1178 8 months ago

      Yeah, most EA games are trash and garbage. They ran their company into the ground by making repetitive games over and over again and using the same engine for years. Last good EA games were command and conquer games and those style of games.

  • @balsalmalberto8086 9 months ago +1

    It also affects openSUSE Tumbleweed but not Leap or Enterprise.

  • @in-craig-ible6160 9 months ago +2

    That malicious code being added is quite concerning, although I guess the benefit of open source is that it is caught quicker.

    • @fakecubed
      @fakecubed 9 months ago +3

      The benefit of open source is that it's caught at all. Closed source, for anything that's security-critical, has assets from government agencies working for them, whether known to the companies or not, and if somebody notices something, very often somebody higher up is also an asset, reassures the noticer, and covers it all up, so it doesn't get fixed and the public is unaware.
      Open source still has the problem with government agency assets getting into the code and management positions, but if somebody notices, they can and will go public with it, and somebody somewhere who _isn't_ working for some government agency will patch it and everyone can verify it's been patched.

    • @Quantris
      @Quantris 9 months ago +3

      in closed source world, it would be a feature not a bug

  • @chadmed
    @chadmed 9 months ago +1

    Valve already use AI/ML in VAC for Counter-Strike. John McDonald gave a pretty good talk on it at GDC 2018. They use match replay data and cheater-like heuristics to detect and deal with cheaters with almost perfect accuracy.

  • @yuryzhuravlev2312
    @yuryzhuravlev2312 9 months ago +1

    Valkey is not a first fork, the first fork is Redict which did much more than Valkey.

  • @stephen-collins
    @stephen-collins 9 months ago

    That does it for me. I have been generally happy with arch based Garuda linux but it was bitten by the recent xz issue. Been thinking about going back to Fedora for a while anyway.

  • @michaelutech4786
    @michaelutech4786 9 months ago +1

    Redis: I don't think their decision is really such a scandal. The last BSD release can be forked, so they are not revoking any rights from anybody. The new license is not open source, but it keeps their product auditable. I cannot take issue with that, even if I preferred Redis to remain OSS. The difference between the company behind Redis and say RedHat, Canonical and Docker to name a few is that Redis makes money rather immediately from the development work they do, while the companies I mentioned make money from their market position by capitalizing on the position and not on the products they create. If Redis cannot capitalize on their work, because other companies sell their product (as a service) without having to invest in the maintenance, it seems to be fair to demand a contribution from them. Of course the interest of the OSS community is secondary for all of them, but that's the nature of business.
    There is much worse behavior from companies controlling the Linux foundation - the fact that they can hide behind the term "Linux foundation" really bugs me.

  • @mat_max
    @mat_max 9 months ago +3

    Lzma is the compression algorithm of 7zip, right?

    • @npgoalkeeper
      @npgoalkeeper 9 months ago +1

      Yes. Xz utils started as a frontend of the lzma sdk (which still sees new releases today) in 2008.

    • @halfsourlizard9319
      @halfsourlizard9319 9 months ago

      7zip still exists!?!

    • @JaegermeisterCoomerstein
      @JaegermeisterCoomerstein 9 months ago

      @@halfsourlizard9319 barely. it's mostly DITW because the dev refuses to implement recovery records and crc/hash-based deduplication in archives. RAR on linux is unfortunately gaining popularity because it supports that plus more on enterprise machines

  • @chadmwest
    @chadmwest 9 months ago +1

    Genuine question, not flamebait: I don't understand the concern around the "source-available" licenses that only prevent selling the software as a service. If you're only using it as part of your stack and the license only restricts you from selling a hosted version of Redis as a service....why the rush to replace Redis? Is there something legal you're concerned about (if so, what specifically?) or is it more of a philosophical stance?
    And I think it's absurd to accuse Redis of trying to "monetize the hell out of it" when that's _exactly_ what AWS, Microsoft and the rest are doing by selling it as a service.

  • @AverageNerdTalks
    @AverageNerdTalks 9 months ago +5

    I strongly believe having multiplayer games running in a sandbox environment with the anti-cheat only scanning for exploits within the sandbox would be a good solution. Of course this is not exactly easy to implement because it involves implementing a separate anti-cheat tool that can deal with all parts of the sandbox that are exposed to the sandbox runtime. But, it's a hell of a lot safer than kernel level anti-cheat and is quite possibly a better solution for all gamers regardless of platform.

    • @shadowpenguin3482
      @shadowpenguin3482 9 months ago +1

      I think the issue with that is that it’s too easy to cheat from outside the sandbox.
      Actually this is already an issue with external cheating hardware that pretends to be keyboard and mouse, but this would lower that barrier

    • @fakecubed
      @fakecubed 9 months ago +2

      They should do what chess does. Statistical analysis of results (and sometimes specific chess moves) over a period of a set number of games, which is too implausible as to not be cheating. Every so often, they will catch somebody at an in-person tournament with something in their shoe, or doing something in a bathroom. But most cheaters are caught, online and off, by statistical analysis.
      Multiplayer games could do this at the server level, looking at a variety of metrics, and see if somebody is cheating over time with a high confidence level. Then it wouldn't matter what the method is, all that matters is that cheating is suspected and mathematically proven. You could do this with some kind of AI that looks at non-cheating play at a high level of unassisted human play. Or you could have preprogrammed metrics. Either way, you wouldn't catch the cheaters immediately, but you would catch them inevitably. A little occasional cheating wouldn't matter enough to ruin the game for everyone else, but continual cheating would result in bans.
      Or, simply put the cheaters in rooms together, through matchmaking, and have them try to out-cheat each other. When that stops being fun, they'll stop cheating, and eventually get put back into the regular rooms with everyone else, hopefully having learned their lesson.
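
One way to implement the server-side statistical screening described in the comment above, added here as an example (it is not part of the original comment or of any game's anti-cheat). The hit-rate metric, the baseline, the window size and the threshold are assumed values, and the match histories are constructed.

```python
import math
from dataclasses import dataclass
from typing import Optional

# All numbers below are assumed for illustration, not taken from any real game.
BASELINE_HIT_RATE = 0.30  # hit rate of strong, unassisted human players
WINDOW_GAMES = 20         # the "set number of games" examined together
ALPHA = 1e-6              # flag only when chance is this implausible


def binom_tail(k: int, n: int, p: float) -> float:
    """P(X >= k) for X ~ Binomial(n, p), summed in log space for stability."""
    if k <= 0:
        return 1.0
    if k > n:
        return 0.0
    logs = [
        math.lgamma(n + 1) - math.lgamma(i + 1) - math.lgamma(n - i + 1)
        + i * math.log(p) + (n - i) * math.log1p(-p)
        for i in range(k, n + 1)
    ]
    peak = max(logs)
    return min(1.0, math.exp(peak) * sum(math.exp(v - peak) for v in logs))


@dataclass
class Verdict:
    games_used: int
    hit_rate: Optional[float]
    p_value: Optional[float]  # chance an honest top player does this well
    flagged: bool


def screen_player(games, baseline=BASELINE_HIT_RATE,
                  window=WINDOW_GAMES, alpha=ALPHA) -> Verdict:
    """games: list of (shots, hits) per match, oldest first.

    Only a full window is judged, so one lucky (or one cheated) match
    cannot trigger a ban; sustained implausible results do.
    """
    recent = games[-window:]
    if len(recent) < window:
        # Not enough history: no verdict rather than a noisy one.
        return Verdict(len(recent), None, None, False)
    shots = sum(s for s, _ in recent)
    hits = sum(h for _, h in recent)
    if shots == 0:
        return Verdict(len(recent), None, None, False)
    p_value = binom_tail(hits, shots, baseline)
    return Verdict(len(recent), hits / shots, p_value, p_value < alpha)


# Constructed match histories: (shots, hits) per game.
HONEST = [(100, h) for h in [28, 30, 32, 34] * 5]   # about 31% overall
ONE_HOT_GAME = [(100, 30)] * 19 + [(100, 70)]       # a single outlier match
SUSTAINED = [(100, 45)] * 20                        # 45% in every match
NEW_ACCOUNT = [(100, 60)] * 5                       # too few games to judge

if __name__ == "__main__":
    for name, history in [("honest", HONEST), ("one hot game", ONE_HOT_GAME),
                          ("sustained", SUSTAINED), ("new account", NEW_ACCOUNT)]:
        print(f"{name:13s}", screen_player(history))
```

A real deployment would combine several metrics and account for per-player skill differences, which make honest results more spread out than a plain binomial model assumes.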

    • @AverageNerdTalks
      @AverageNerdTalks 9 months ago

      @@shadowpenguin3482 Depends on the sandbox design. Which is why I think it's difficult to implement. I'm thinking something like a VM with only relevant hardware being exposed to it. Each game will have to come up with its own custom sandbox runtime to support something like this though.
      It's just an idea. But, I can see why it could be easier to trick.

  • @ybcanal21
    @ybcanal21 9 months ago +1

    For Ubuntu fix, this is thanks to Gaming Linux France (GLF), and specifically to Chevek.

  • @bobmcbob4399
    @bobmcbob4399 9 months ago

    in my opinion, instead of "registrate" use register; or "devaluate" use devalue.

  • @neo-vj4zq
    @neo-vj4zq 9 months ago +1

    I have that in helldivers 2, will try it cheers

  • @lastnamefirstname2390
    @lastnamefirstname2390 9 months ago +11

    The only reason I used Windows was for League of Legends. Since they are implementing a kernel level anti-cheat, I made the full switch to Linux. Completely done with Windows and invasive anti-cheats.

    • @halfsourlizard9319
      @halfsourlizard9319 9 months ago +2

      @dreaper5813 I'm glad I have better things to do and never got into any games.

  • @DG-ks5wn
    @DG-ks5wn 9 months ago

    Is the affected lib xz already in the newest lmde 6 iso? Or am I safe? Only made a boot stick with that iso a month ago and hadn't time to install the os on my pc😅

  • @boltsj
    @boltsj 9 months ago

    Good on Redis, tbh. And also, banning blockchain apps seems like a decent stopgap for the snap store malware problem and should be permanent.

  • @faucillon
    @faucillon 9 months ago

    Impressed by SquareX

  • @tsulkalu4589
    @tsulkalu4589 9 months ago +1

    All this centralization is no good. What if we all move in to Flatpak, and something bad will happen? Hope that at least Debian will still support and update debs packages, because open source charging fast forward.

    • @fakecubed
      @fakecubed 9 months ago +1

      Going to be the same as it ever was, n+1 package standards.

  • @arazilsongweaver
    @arazilsongweaver 9 months ago +1

    It wouldn't surprise me if we eventually find out that all of these Windows exclusive anti-cheat decisions were part of a Microsoft campaign to re-secure their Windows gaming monopoly. Some of their marketing material (especially for "Secured Core" and "Pluton") makes a lot of references to the "XBox level security" of Windows 11.

  • @SecretlySeven
    @SecretlySeven 9 months ago

    How about talk about the lag issue with web browsers where when you load a page there's a 2ish second delay before the page actually starts to load. Internet also runs about half as fast for Steam downloads as Windows. This affects every distro I have tried and on multiple systems. Google search indicates these are common issues.

  • @Shabbir-A.
    @Shabbir-A. 9 months ago

    I converted my Chromebook to Ubuntu Linux. Sound driver not working well. I spent hours and hours to fix but it looks like there is no way to fix it. If someone knows the solution then post here please.

  • @ronm6585
    @ronm6585 9 months ago

    Thanks Nick.

  • @finkelmana
    @finkelmana 9 months ago +2

    This backdoor is another example that simply being open source does not make software secure. If source code is not audited properly, then the code is no more secure than closed source. Every change needs to be audited by multiple independent groups.

    • @motoryzen
      @motoryzen 9 months ago +1

      And what you said does not prove that it makes it less secure either. The fact that it's open source means anyone can look at the code and chances are it'll be a group of Linux has Eggheads as it always is and has been thankfully hopefully will always be who resolve the problem like red on salsa often long before the public even gets wind of it or worst case if it takes them a little longer they still resolve the problem easily 10 to 100 times faster than micro crap even tries to resolve theirs which there's still some that's all this Windows 95 it's a problem and security vulnerability in Windows
      So you do the math which one is more secure to you one in which the people are on it like a boss or one in which a centralized hypocritical line corporations on it and drag their feet while making that os LESS and LESS user friendly with each new version that removes more control from the end user

    • @fakecubed
      @fakecubed 9 months ago +1

      It's no more or less secure. The difference is that with open source, there is transparency so when problems are discovered, everyone gets to know about them and then verify when they are patched. Plus, anyone can offer that patch.
      Closed source, if you find out about a vulnerability at all, it's usually after it's already being exploited by various governments and possibly criminal syndicates, and those organizations can potentially keep a vulnerability from ever being patched due to their infiltration of the companies shipping that closed source software. There's no public audit possible.

    • @motoryzen
      @motoryzen 9 months ago

      @fakecubed you apparently having difficulty understanding how to gauge whether or not something is more secure and operating system or not. Again anything can be hacked eventually it doesn't matter the operating system it does not matter the hardware chances are now it's how the support system or team of people respond to such a vulnerability or Hack That Matters and the Linux Eggheads of the Linux world have proven time and time again 99.99% of the time throughout the past two plus tickets straight that they will resolve problems eons faster than Microsoft and still faster than Apple facts don't care about your feelings or anyone else is on this matter. So yes that makes Linux more secure than other two operating system common computer worlds.
      Wendell from Level1techs will tell you the same damn thing and of course given that he has eons of Linux experience over me can delve into very thorough reasons why

  • @fuseteam
    @fuseteam 9 months ago +1

    To me it sounds like redis tried to monetize the big cloud providers and those very providers forked it
    As far as I've read it wasn't aimed at the regular user

  • @bocchitherock-ob2bl
    @bocchitherock-ob2bl 9 months ago

    Arch should not be affected by this as openssh is not related to liblzma. however it is still recommended that you update your system if you run v5.6.0-1 or 5.6.1-1 just in case.

  • @theodoros_1234
    @theodoros_1234 9 months ago

    16:05 I couldn't agree with you more on this! That would be a great use of AI, instead of installing super invasive anti-cheats on our computers that don't even work that well.

  • @IgorEngelen1974
    @IgorEngelen1974 9 months ago

    Bit surprised Ubuntu needed a user suggestion to make the gaming experience better. But great to see that they listen of course. Getting more gamers on Ubuntu is good for the stats.

  • @savagepro9060
    @savagepro9060 9 months ago +8

    🐧Tux should tell his wife and the rest of the Linux community that this is Easter, an 🥚egg-hunting season for humans!

  • @schemage2210
    @schemage2210 9 months ago

    You know, the snap store verification measures are practically the same used by Apple and Google in their mobile app stores, and those stores are still plagued with malicious apps.

  • @iuhere
    @iuhere 9 months ago

    the last part was very accurate and synonymous to our feelings, it's like use it to make behavioral analysis and ai for such purpose rather than morphing people's face, and taking creative jobs like writers, painters etc etc, it's like creating a weapon to destroy rather than a tool to do some good.

    • @fakecubed
      @fakecubed 9 months ago +1

      I just want somebody to finally use AI for RUclips comments, to get rid of the same spam bots that always say the same thing every time for months and months.

  • @Riddim_glitch
    @Riddim_glitch 9 months ago

    About the AI as an anti-cheat thing:
    YES!!! THANK YOU! Finally someone who also sees how it should be done!

  • @herozero777
    @herozero777 9 months ago

    Will there be an ARM based tuxedo laptop after Snapdragon x elite is released?
    I really want an ARM based system, but don't want windows spyware

  • @jbleisem
    @jbleisem 9 months ago

    Nobara 39 is at XZ version 5.4.4

  • @maksimt1
    @maksimt1 9 months ago

    Why no Firefox extension square x? 😭

  • @lua-nya
    @lua-nya 9 months ago

    What shall we replace Redis with, I wonder if Valkey or even MySQL X plugin.

    • @SteveHazel
      @SteveHazel 9 months ago

      with nvme drives, there's no point to anything beyond mysql. at least for meeee.

  • @WilburJaywright
    @WilburJaywright 9 months ago

    I don’t think it’s very accurate to say anti-cheat solutions are useless because they’re playing catch-up, as anti-malware and security patches do the same, but an AI anticheat would be definitely more powerful. I also agree that AI is being front-ended as a lazy pass tool way too often when it would be way more useful as a backend product, similar to how radioactive materials can be terrible front end but great backend support.

  • @ВиталийОвчаренко-и1н
    @ВиталийОвчаренко-и1н 9 months ago

    The significance of Redis ditching FOSS (Free and Open Source Software) could potentially impact the future of Linux and the open-source community. This move may lead to the development of alternative solutions or forks of Redis, affecting the ecosystem and community around the platform. It could also raise questions about the balance between commercial interests and open-source principles in the software industry.

  • @PS_Tube
    @PS_Tube 9 months ago

    Interestingly this xz backdoor was implemented by some Chinese contributor Jia Tan which kind of puts a lot of their contribution under the microscope.
    (Thankfully I'm still on version 5.4.x)

  • @sameyepatch
    @sameyepatch 9 months ago +2

    2:58 Fedora 41? Did I just time travel?

    • @crossscar-dev
      @crossscar-dev 9 months ago

      He meant fedora 40.

    • @npgoalkeeper
      @npgoalkeeper 9 months ago

      @@crossscar-dev no, he meant 41. 41 and rawhide are currently the same thing. 40 wasn’t affected because fedora’s test infrastructure detected something was wrong, and the functionality the back door relies on was disabled. Still, the package was rolled back, just in case.

    • @crossscar-dev
      @crossscar-dev 9 months ago

      @@npgoalkeeper oh from my understanding it was fedora 40 but ok

  • @4Nanook
    @4Nanook 8 months ago

    How can your system and data being randomly strewn about on someone else's computers (the cloud) make your data not at risk? If anything it opens it up to risk.

  • @RJARRRPCGP
    @RJARRRPCGP 9 months ago

    Happy about 24.04, because it's an LTS and thus, not a "throwaway" version. I dreaded non-LTS versions of Ubuntu, since Raring Ringtail, where you'll be deleting it sooner than a Windows installation, FFS!

  • @AndersHass
    @AndersHass 9 months ago +2

    It will be interesting if the Redis fork will live on instead of Redis.

    • @NameUserOf
      @NameUserOf 9 months ago

      Google "Redis vs. KeyDB vs. Dragonfly vs. Skytable"
      All of them are better than Redis, no need to fork anything, 2 of those are drop in replacements.

    • @SteveHazel
      @SteveHazel 9 months ago

      redis is hardly worth even using anymore. nvme drives aaaaaalmost turn mysql into redis. i think redis sees its end of life a comin' and is tryina cash in on big companies being the only ones interested in it anymore. new tiny companies won't use it any more i bet.

    • @fakecubed
      @fakecubed 9 months ago +2

      That's usually how it goes.

  • @muizzsiddique
    @muizzsiddique 9 months ago +3

    It's interesting how in the video Microsoft Edge is not a verified Flatpak application.

    • @xrafter
      @xrafter 9 months ago

      Because it is not. It is not supported by Microsoft.

    • @halfsourlizard9319
      @halfsourlizard9319 9 months ago +1

      Why on Earth would any Linux user want to run any Chrome / Chromium-based browser?

    • @ww4102
      @ww4102 9 months ago

      @@halfsourlizard9319 I run edge for Copilot, as it doesn't work well on ff. Maybe there are some workarounds

    • @SteveHazel
      @SteveHazel 9 months ago

      google docs, sheets, drive, calendar, gmail. if google wants to serve me ads, it can feel free - those are some quality apps. they beat office and anything linux has to offer hands down. does google know way too much about me - hell yes. do i care? kinda but nothing more sinister than ads happen.

    • @MiningForPies
      @MiningForPies 9 months ago +1

      @@halfsourlizard9319 millions do. Not everyone is a paranoid basement dwelling incel.

  • @fuseteam
    @fuseteam 9 months ago +1

    Nick: this video is square-
    Me: space
    Nick: X!
    Me: whu-

  • @InsaneFirebat
    @InsaneFirebat 9 months ago

    11:10 This is why centralized app distribution is dumb and shouldn't be used at all. Get your software from its official source. Anything else is unnecessary risk.

  • @julesoscar8921
    @julesoscar8921 9 months ago

    I don't like the term "unverified", I would use "community packaged" or something. Sometimes, the repackaging is open source so it doesn't really matter

  • @F_Around_and_find_out
    @F_Around_and_find_out 9 months ago +11

    Kernel anti cheat should not be run on any private system anyway, a few modifications here and there and it can do everything on your system for it is at root access. At this point just make competitive live service games server side, instead of letting the live service game be a headache on the user's PC side. Or just release a gaming OS for gamers already, we have a web browser for gamers already.

  • @paulschmidt7473
    @paulschmidt7473 9 months ago

    Rather than implementing an Anti-Cheat which only seems to look to see if you're running Wine, how about a Linux version of the game. The 5 largest game engines have the ability to build for Linux. Considering that it's a growing environment, this could grab market share, in an already crowded market.

  • @minigpracing3068
    @minigpracing3068 9 months ago

    I find it funny how "open" Oracle has become lately, kind of started this whole "close the source" trend back with Open Solaris. But now they are championing Centos forks and now Redis.

  • @0x6a09
    @0x6a09 9 months ago

    thank you for saying what package's version i should check to be safe, but not show me how it's spelled.

  • @StormTrooperOfBohemia
    @StormTrooperOfBohemia 9 months ago +1

    lucky to be on ubuntu 22.04 with that old version of xz utils... phew

  • @AbdullahALSHRIQI
    @AbdullahALSHRIQI 9 months ago +1

    good video as always i will use ubuntu if remove snap completely

    • @halfsourlizard9319
      @halfsourlizard9319 9 months ago

      Literally this. It's almost as shit as that time that Canonical injected adware searches in that goofy GUI search thingy.

  • @JohnCrawford1979
    @JohnCrawford1979 9 months ago

    Even after Ubuntu/Canonical reacted, they still had the same issue pop up again. They need to shut down Snaps until they fix the security vulnerabilities. I trust the Arch AUR far more than I trust Snaps. But I know you can't help but shill for Snaps that are crap while crapping on the distro repositories that are safer, good, and simply work.

  • @guss77
    @guss77 9 months ago +4

    Redis license issue - Nick, your analysis is incorrect: the MongoDB Service Side Public License that Redis has chosen does not prevent people from copying the Redis source code, making changes ("forking") and distributing the resulting work to other people. The difference between the SSPL and the original BSD are mostly the same as the difference between GPL and BSD, including the requirement to deliver source code to third parties, the no sub-licensing (i.e. you can't license your part of software under a license different than the one you received) and the virality ("linking" causes the entire work to be considered derived, but SSPL throws out the term "linking" as too technical and replaces it with "other software components whose purpose is to interface with the original work") - so for all that, if you're OK with the GPL, you should be OK with the SSPL (some people do not consider the GPL as a "free" license, because it does not allow you to restrict the freedom of others, like BSD does, but that's on them).
    The SSPL only makes one more addition - which is the thing that drew the ire of the OSI and makes the SSPL so-called "not open source", and is the one thing that is supposed to force AWS to get a commercial license: if you offer the software "as a service" - i.e. make the software itself available for a fee, not creating a new product that uses the service internally, but just exposes the entire service itself as is, then you need to either get another license (and pay for it) or open source your entire support infrastructure, from UI to system operations.
    I don't like that approach, but I also don't like that AWS (and others) take the support & consult business model that open source companies have thrived on for years, and trashes it. Redis is a commercial company that have made available their main product for free to the community under the support & consult business model - like MySQL and many others before them. They do take code contributions from outside developers but the majority of Redis code was created in Redis Labs and they don't deserve to be painted as people who "make use of open source volunteers and then do a 180 and try to monetize the h*** out of this and ditch open source".
    TL;DR - the fact that OSI labels SSPL as "not opensource" is nothing more than FUD by the major cloud providers, as the only difference between that and the GPL is section 13 that makes life harder for cloud providers.

  • @MichaelSkinner-e9j
    @MichaelSkinner-e9j 9 months ago

    I understand Linux is a very different thing, but it would be nice for an O’Neill cylinder design to operate in the same manner.
    -with the main basis being that it would be open to all and People would choose who goes up.

  • @MrRobot-lm2lo
    @MrRobot-lm2lo 9 months ago

    Is it possible to improve Linux with Devian?

  • @danielberglv259
    @danielberglv259 9 months ago +1

    So to REGISTER a Snap, there will be humans involved? What about snap updates? This has been seen before, someone starting a pretty harmless application and then later makes an update that contains much less harmless behavior. So will they have humans involved for ALL Snap uploads?

  • @dexterman6361
    @dexterman6361 9 months ago

    Flatpak should NOT let apps say they are from the corpo that make them - edge for example. Says MS but is actually not, which is really confusing. Okay sure the app is made by ms, but is it "officially" distributed by them? No right? And I had zero way to find this info, since the links in the description too link to the official website! Like, why is that even a thing??
    Not that I would touch edge with a 10 foot pole, but just to elucidate the point I was trying to make.
    With more malware looking towards linux users, and in general linux users are mostly technical ones, getting to even a single user can be a really successful campaign. It's high time Linux gained kernel level + OS level protections that other OSs have. There are some genuinely good security protections that other OSs deploy (complete driver isolation, unified write filter, etc for example).

  • @Crackalacking_Z
    @Crackalacking_Z 9 months ago

    Manjaro pushed an update of the XZ stuff today.

  • @dieklaue1
    @dieklaue1 9 months ago

    Love your content, thanks for keeping us informed. But I kind of disagree on the Anticheat point you made. Kernel level anti cheat might be the best we have today. AI based anti cheat sounds promising, but we need a solution for cheating right now, the best we can get. Maybe AI based anticheat is not ready yet? Just my 2 cents. Keep up the great work ❤