Linus Torvalds: Speaks on XZ Hack in Linux and Trust in Open Source Dev

nope. my distro was affected but me. i only trust the kernel and its updates but any packages. i always ether review package updates manually or when lazy wait a couple of weeks for the public to maybe report issues, well if its not a security update at least. so i was lucky tbh.

Nope not me. I always look into it first before installing anything new, and updates.

I was dumbly trying Opensuse tumbleweed

technically, but I had sshd disabled on tumbleweed

No,antix Linux was fine.

No, I think that's going to far. I think it's more reasonable to say that open source guarantees that problems _can_ be found, while proprietary source makes it all but impossible to find it. In this case, it's really a matter of infiltration and if the Manhattan Project could be infiltrated, you know that Microsoft can be. An important aspect here is that open source guarantees that whistleblowers can't be identified by the code that they have access to. If someone plants a logical bomb in some obscure piece of Windows, then the whistleblower will be instantly identified. But if it happens in Linux, then it might be an external researcher. I think that's very important.

@@jeschinstad All but impossible? So there are no security bulletins published regarding closed source applications like... ever?
But overall there is no guarantee that problems can be found whether you're talking about open or closed source. Open source at least allows for anyone to analyze the source code to look for potential issues. But that analysis is only as good as the tools being used or the people reviewing the code. Meaning if there is no static code analysis or code reviews occurring, vulnerabilities will slip by.
Leading to this question: what other vulnerabilities exist *today* that aren't being detected because the tools aren't good enough, if any are being run at all, code isn't being reviewed or reviewed properly, or the right conditions for exploit have yet to be found? Generally a vulnerability needs to occur to know what code patterns to look for, just as antivirus tools can only detect viruses known to those who prepare the signatures.
Plus the XZ vulnerability was a process exploit, not a code exploit, that just happened to occur in plain sight because no one was paying attention. The exploit didn't exist in the source code and the person responsible was taking advantage of the fact there was... no actual review happening on what was being checked in. And the downstream distros merely accepted that binary release archive as-is rather than pulling and building the source code - which would've prevented the exploit from going anywhere.
And the only reason it was caught "quickly" was due to someone running some kind of automated process that relied on XZ behaving a specific way.
"If someone plants a logical bomb in some obscure piece of Windows, then the whistleblower will be instantly identified. But if it happens in Linux, then it might be an external researcher. I think that's very important."
Instantly identified? Not even with the best audit tools would that be possible. It would probably still take months to identify an anonymous whistleblower unless the whistleblower was being very sloppy since there are likely a LOT of people at Microsoft with read access to the Windows source code repository.

Another thing is for sure, this wouldn’t have happened if it was closed source.

@@andyvirus2300 How so? The Russians were able to infiltrate the Manhattan Project, which is the most closed source project of all time.

@@jeschinstad I think/hope that @andyvirus2300 was referring to the backdoor being found, not the backdoor being rolled out.

Wishful thinking doesn't solve problems. Nobody is willing to pay for such work and there are just not enough volunteers with the required skills.

​@@gzoechi 100% correct. Also, with proprietary software, there's more reasons not to try this because you're not anonymous and can be prosecuted.

@@gzoechi tf their isn't, tons of developers do this with no issue. Otherwise anybody's code would be getting into everywhere. Instead of relying on one person like they did with xz, it should be spread amongst a few people to make sure shit doesn't go AWOL because of one rotten tomato.

​@@Derpingtonsherethe issue with xz was that nobody stepped up to help despite the maintainer asking for help.

@@Derpingtonshere For how many OS projects are you willing to voluntarily do this?
"Others should do that so that I can have flawless free software" - that won't fly.

What's with gnome

@@saadhabashneh5587 They fired their only shaman. They don't have a shaman now. :(

@@unstable-horse what 😂😂

@@saadhabashneh5587 They fired a member of the board and didn't tell anyone for two months.

KDE superiority

It's not a fun fact...
Maybe it's fun for you, but I want my 7.4 seconds back. Or I just wanna erase the memory of your comment.

​@@AJ5 it took you 7+ seconds to read a couple of sentences?

No way you can read it faster than 5 seconds. I just set up a timer and tried to break my own 7.4s record. Best I did was 6.6s
Let's see you try, Mr. Verac the Fast Reader!!!!

You and millions of other people.

​@@AJ5 +time to write your comment

Exactly, maintainers of critical parts should have to be IDed. GitHub could do it, distros would have to look after it..

Another problem is package maintainers of distros using precompiled files from github releases, which in the case of xz contained the malicious code while the repo itself didn't, if I'm not mistaken. Feel free to correct me

@@cornelisvanlenten5954 depends on distro, in case of debian such is strictly forbidden, people got banned on their ftp servers for uploading precompiled stuff.

1. You don't know when there's a backdoor in your proprietary OS. Period.
2. Just because something is open source doesn't mean it's audited from security prospective, but that it can be examined when needed to, by millions around the world, and some of them can do the job.
3. Once an issue is identified and/or fixed, one can patch their system on their own if they wanted to, without waiting for Microsoft and Crowdstrike to publish an update.

⁠​​⁠​​⁠
1. You don’t know if there is a backdoor in your free software either.
2. Because it’s open source it doesn’t means it’s monitored, but it sure means that everyone and their mother can attack it, while there is no one to defend it.
3. Patching assume you know what you’re doing, and if that’s the case, it doesn’t matter if you’re on windows or Unix, you can patch or rollback.

There are many reasons why someone might dislike Windows, but disliking Windows because of "viruses" and using a Mac instead sounds a lot like someone who has bought into apple propaganda, where they lie to their customers and claim that Macs can't get viruses. The simple truth is that viruses are developed for the platform that has the most market share. Windows gets more viruses because it has the largest market share for desktop PCs. If Macs had the largest market share, they would get the most viruses. If Linux had the most market share, then it would get the most viruses. Additionally, this is a very outdated mindset, as viruses that spread easily are far less common today, in part due to how battle-tested windows is now, as well as the fact that it now includes an anti-virus by default. Most bad actors rely on social engineering attacks now.

@@Johncw87 Not only that, Windows is in a market position for basically every demographic, every budget, every use-case. The barrier to entry into a Mac is pretty high compared to Windows.

@@Johncw87 Firstly, he said he switched to Linux and Torvalds is his hero. I believe you are right about Macs, but Linux is safer by design. Also Microsoft could have created and freely given Microsoft Defender from the start. I mean, if you argue Windows is much safer because it includes an antivirus, why didn't MS do that in 1995??? It put a lot of effort into a free web browser, and frankly that rush is the source of many insecurities today! They put security in the hands of psychopaths like John McAfee. And all this history is "outdated"???

@@michalsvihla1403 but that's totally because of anticompetitive practices, with what amounted to power of a monopoly. And of course Apple is just as bad if not worse. Linux is the answer, why are you making this Mac vs. PC?

@@squirlmy I don't know why you are asking me why Microsoft didn't create an antivirus in 1995. I'm not a mind reader. Maybe they put their focus into what they thought was the most profitable? Like most companies?
The threats that people have to deal with today are nothing like how it was back in the late 90s and early 2000s. The attitude toward security most companies had at the time was very poor. The internet as a whole had yet to transition to using HTTPS everywhere. It has improved quite a bit over time, as more software companies were forced to become more security conscious. This dramatic improvement in security across the board is why the perception that "windows machines are full of viruses" is outdated.
I don't recall exactly when this happened, but a hacker was charged with the task of obtaining privilege escalation on a Windows machine and on a Mac. They managed to achieve it on both, but it was much easier to do on the Mac. They only needed a single exploit that was easy to find. They needed multiple exploits chained together to do the same on Windows, and it took much longer to find them. This is because the easy exploits have been found and patched already on Windows. Macs don't have that battle-hardening experience that Windows does, simply because not very many hackers targeted it.

A simpler way to put this is that NDA and secrecy is an inherent security risk in software.

*German developers scrutiny

linux 👉 lee-nux
linux 👉 lie-nux
in german language li is only lee, never lie. english has that ambiguity

@@ksheer I never knew. Thanks!

I dunno i didn’t think it rhymes with p*nis

Don’t forget “lih-nux”

It's how you properly pronounce his name

Sigh. It was not a Microsoft worldwide crash. It was a Crowdstrike worldwide crash that happened (in this case) to only affect Windows.

@@stargazer7644 And Windows is a Microsoft product!!! In blame for this specific, particular, "crash", MS has only tangential responsibility, another word that comes to mind is circumstantial, BUT it shows the world depends too much on Microsoft Windows! Also MS has a history of being an anticompetitive force in the marketplace, even if you don't think it a monopoly (maybe not technically a monopoly), and the ecosystem where security patches need to be rushed out is faulty, even if nothing can be done at this point.

right. and in the rush to diminish Microsoft's responsibility, many people are overlooking the fact that the world economy is overly dependent on Windows, and they've developed a faulty security ecosystem, that depends on rushing out patches from third-parties like Crowdstrike. If this happened to Linux, it would be limited to specific distros. Even if it was Red Hat, the damage would be less. BSD, even less. It didn't just "happen" to be with Windows. As much as the specific problem might have been one Crowdstrike goof, the larger problem is that too many computers are running Windows!

@@squirlmy This exact thing has also happened to Linux. Crowdstrike runs on Linux too. This particular problem was in a config file for Windows named pipes. If it had been in a file that goes out to all sensors it wouldn't have just been Windows related.

I have no idea what the exact ratio is but I'd say most people contribute to FOSS or similar projects with good intentions. But bad actors draw most attention despite being relatively small in comparison.

yes, but to get oneself in the position of being an important host, and interviewer really has to be a bit aggressive. This is a problem in all interview media. Charlie Rose is a good example. The people who are good listeners, are rarely in positions where they can interview important people. And honestly, Linus isn't the most exciting orator. lol

Don't know exactly, but this is the full interview from FSF ua-cam.com/video/cPvRIWXNgaM/v-deo.html
It says "open source summit NA" on the title.

@@ema7318 Good link. The first slide says North America. If you search for Open Source Summit 2024 - the stage looks to be the same.

@@ema7318 at 0:43 Dirk says they are in Seattle.

@@Terra101 😂 thanks 🙏 didnt watch from the beginning 😅

@@ema7318 It happens :)

We are humans, not animals buddy.

@@flailofthelord Humans are just a subset of the larger set of all animals.

@@nihorothereal braindead comment

Why is that important in this instance? We are discussing bad actors in the open source community and your response is "WeLl microsOFT dId ThiS hUrbYDeRbY" You just come off as an asshat. Need I say more?

They don't trust them... were forced to allow 3rd party vendors into ring 0 by the Europeen Union regulatory body.

Thats a bit too easy of an awnser

The person who discovered XZ attack, Andres Freund, worked at Microsoft lol

Tons of company are allowed to send patches through windows update.
What is the most shocking is how many large companies have zero process for staging the deployment of Windows Update patches to critical systems.

@@hashtag9990 sorry but I do. I know many others too that would disagree with you as well.

Clearly someone that doesn't contribute anything to anything. No clue.

Always was. Thankfully L4 (in various forms from OKL4 to seL4) is deployed all over the place. Most people just don't realize it.

@@grey5626 - It's the first time I've heard of L4 actually.

Please elaborate

@@Nichiyoobiko I don't know exactly what OP means, but it might be something like:
- Code too hard and too long to read

​@@alan5506That applies to any sufficiently complex software program whether open source or proprietary. The difference is that with open source _anybody_ can look at it (though realistically it’s anybody with software development skills), while for proprietary software only the owning company’s software developers can look at it … and that only if the company allocates the budget for them to do so.