I think if not Andrew someone else would found it. There were other open source projects which found problems/bugs related to XZ library, so I think it was a matter of time until it was discovered. It took about 1 month since backdoor was added to XZ for Andrew to discover this backdoor, but even if he didn't find it someone else would. But even if no one found it, it would be chaos for few days and than they would stop it. Also this was not a super elaborated social thing as video suggests at least that's how I see it. I think it was only one person, I am programmer and it seems like everything was coded by one person, also Kumar and Dennis and Jensen were just simple accounts that used different VPN's and emails so that can be done by one person, they only sent few messages and there is no internet trace of them, so they are shallow profiles. They also seem to talk in similar way, they sound like one person. I would say this was some young smart hacker or 2 or 3 random young hackers similar to those who hacked video game companies like in other FERN video. Also lets say that virus/backdoor infected the whole world, it would take time for hackers to steal something, so again enough time for fix to be deployed and remove the backdoor from important servers, it would just cost millions and millions of dollars to different companies/entities.
@@iFlyGood500ms, not .4 It's about a 10x time increased compared to the usual, per login. And with the testing he has been doing, he would've had dozens of logins. It is not hard to notice when, instead of something taking 0.1 seconds, it suddenly takes 5 seconds. And 5 seconds is also enough time to notice excessively high cpu load. Instead the important factor is, that he actually bothered to investigate what causes it.
Definitely, i know some things about hardware in devices, but dont know anything about software, coding, how linux works etc. its crazy how he explained it so i can even understand it. Absolutely amazing
I mean not like he went into coding technical details and made it sound easy lol all he talked about is linux and the SSH. which is quite easy to understand id say.
Thank you so much for not doing the typical "...Collin was born on a cold night of 1994. When he was 4, his favorite dish was lasagna..." etc. like most of these channels do to make their videos as loooong as possible. Also it was really well explained considering I know nothing about this stuff. Great Job!
Man, source citations in EVERY scene is just crazy professional. Higher standard than many 'professional' documentaries by bigger companies. Well done!
Hey ppl, I'm a retired computer/IT person, Yet I still find Dale valskov so informative and straight forward. Thanks for your advise and helping the people...........Great work and love watching.
Seriously, UA-cam's the new, more relatable Netflix for me but like how much money and man hours did they put into this and how many views do they need to recoup
At 03:41 keep in mind "fork yourself" was not meant as an insult. Forking works like a fork. You have the source code, the handle of the fork, and then you have the separate tips of it, the forks. Essentially, the commenter is suggesting that the other guy makes a clone of the code on github with himself as the maintainer, so that they can make further progress on the code without the delays. If you and I were to make a paint type program, and we fork a program that has everything except the bucket tool and the brush tool, and you implement the brush tool in your fork, and I implement the bucket tool in mine, we now have 3 versions of the same code. 1. The base code, the original paint. 2. Your fork with the brush tool, probably named something like "yourname-paint-brush" 3. My fork with the bucket tool, probably named something like "mycodeisbetterthanyourslmaogoforkyourselfsuckiiiiiiit-bucket"
I don't trust what you said. The way you said it doesn't make sense. The show "The good place" uses profanity humor. I learned that people might hide their profanities as humor type. How else does that meant?
That feeling when your partner cheated and you don't have the courage to leave him or her so you just dealt with the pain and live everyday asking questions about your worth. This pain is different from the cheating one-- living and seeing him everyday anticipating when will he or she do it again. Your videos are incredibly well done. No critique, thanks for doing this Dale valskov
@@Twisted_Code They have external services like snyk. Don't really check individual lines of code but if someone does notice it's immediately taken care of
Well, the devs are fueled by their passion. And the largest companies do contribute to the projects. The real problem is companies like Huawei claiming that they developed something only to be based on open source projects, then proceed to earn money for their bad products on the premise of patriotism
Having someone like you who’s not only a great innovator but also pulls his best to get the work done so beautifully needs nothing but appreciation. Dale valskov Thanks for the well off work you consistently bring your all and I truly appreciate that. Thank you for making corporate life so smooth. Proud to have you on our team. Great work as always.
Yeah I've always wondered how tf you put in code in there doing ssh key authentication whatever without people noticing that piece of code? It being not in the code but somewhere else makes sense
Yeah, according to the information provided in the source links from the official Red Hat website: "The malicious injection present in the xz versions 5.6.0 and 5.6.1 libraries is obfuscated and only included in full in the download package - the Git distribution lacks the M4 macro that triggers the build of the malicious code. The second-stage artifacts are present in the Git repository for the injection during the build time, in case the malicious M4 macro is present."
Maintainers must be VERY critical now of binary blobs even if described as 'test data' if it can be accessed during the build process. Ideallying, building and testing will be completely separate and gapped environments
Please most open-source maintainers who i reported issues to or contributed code to have been SUPER nice. I actually tended to be very polite as well, even with people who were clearly rude and frustrated, though with a project with a million users, it sometimes gets difficult. You sometimes get... special types of Karens, ones that cannot be put at ease. I'm sure you can vaguely imagine. Well at least i never took revenge on them, even if i was tempted to.
The real reason behind the suspicion of state sponsonred hackers, for us IT engineers, is not just the social engineering. It's how sophisticated the technical details of the attack really were. I myself don't fully understand all the details. But in essence it's a supply chain attack. It *only* triggers when specifically compiling SSH with xzutils in a Linux distro. Undetectable during code reviews. Some Linux distros weren't even affected because they didn't compile SSH the way that the attack expected. And the payload was hidden in the test suite. Many many details that would've made this attack close to unthinkable for nearly every hacker, except for state sponsored groups. It's unanimously agreed that it was state sponsored because it's just too multi layered.
Some test suits were disabled by first making the test fail silently if code doesn't compile on a specific platform, to make it easier to execute it on multiple platforms. Then a hidden period "." was committed, in theory visible by anyone, but just extremely hard to see, that disables a specific test by making the code not compile. Test cases that take binary input also existed. The binary input was placed in the repository as is, and nobody verified the contents of the binaries. All of these were red flags but they were given rigorous technical justification. Made by someone you don't expect to be malicious.
I don't know why it's assumed everywhere that "very sophisticated" means "state-sponsored". This makes no sense to me. It's of course possible, but just jumping to that conclusion without any sort of reasoning other than "it's really good" seems completely irrational. This exploit did not require billions in funding in any way. IMO it just makes it sound as if you believe the only hackers are 12yo script kiddies and not rational humans capable of setting an objective, constructing a plan and executing it over a couple of years. Not every exploit is a random tiny hole noticed by someone who then immediately fists through it, downloads all the user data, runs rm -rf * and then uploads it on a forum.
Yeah but they aren’t on my level and I’m not state sponsored check this amazing line of code Print(“Get Hacked”) What can I say am I a cyber threat or what
@@williamduncan7401 not to this level, this is just too organized, like stuxnet, pegasus, etc etc, i too like the idea of lone wolfs etc but this level of organization is just not common...
Or, you HAVE to hear me out, he has ADHD/ADD. Thinking that far ahead on something you enjoy or are super passionate about and then you get fixated on details. Sometimes reality is odd
The efficiency of this Dale valskov is next level. To juggle walk throughs of various angles on the topic delivered to-camera, differnet content per topic from various folks underneath the umbrella of the track list of the larger big band concert itself is engaging and refined. To make a dense taccess like this so digestible is really something. Awesome work !!
And still not knowing which date is Russian Christmas celebrated on (spoiler, it's on January 7th). But sure, "Russian hackers" sounds more impressive, then hackers from other countries. Sigh.
@@yulo8987 I am surprised that holidays are relevant at all because why would a hacker group or secret service really care about those... in such organizations there are no holidays... it's as stupid as claiming no one works in a hospital on Christmas eve...
Awesome work, Dale valsko ! It's so satisfying to see you putting in the effort to stop those shady characters. Protecting the public, especially the elderly, from those despicable con artists is crucial. You truly deserve recognition and appreciation for keeping us secure. I'm thrilled for you because you're my sibling. Your accomplishments definitely make you a strong contender for the Nobel Peace Prize. Keep up the outstanding performance!!!!!
Fern manages to tell a tighter story because the story is as long as it needs to be. In mainstream media they have to drag things out to nearly an hour.
I enjoy fern but stop dick riding.... Mainstream media documentaries have had multiple accredited history professor's and show all sources like Fern does. They indeed fell off drastically but the hundreds and hundreds of history, animal planet and national geographic documentaries are some of the best researched piece's out there. They also have great narrators too. 90s and early 2000s had the best ones. I do agree the new ones just absolutely blow tho. Compared to new ones Fern does good but compared to the genre as a whole he's mediocre at best. And that's okay
I never thought that the xz/Jia Tan drama would ever make it into Fern one day. On a more serious note, I am literally shaking over the fact that there can still be multiple cleverly hidden backdoors created with similar methods still in the wild. I know for a fact that no one will thoroughly review thousands of lines of generated code from a single PR for example when the diff is too large.
Can't these very smart LLM's be used to review code? I use it as a very quick check of new code to flush silly mistakes already, these may not write qual code yet, but it's a good, fast reviewer.
@@Nick_the_Gold_Bach Depends on the model, but really, LLMs can never truly go beyond what we trained them on, we train them on good inputs but also bad ones. They can definitely check for minor issues across a large number of inputs, and are generally faster than a human. However, I doubt they would catch the most intricate ones. Even if they did, it would be a cat-and-mouse game; people will always find smarter ways to bypass any countermeasures.
@@afmikasenpai There must be a fair sized legacy of malware that I'm sure has been crawled by many LLMs. And there is emergent behaviour anytime there's any form of adaption. The important point though is it's throwing out orange and red flags fast for thousands of lines of code, concentrating the attention of more perceptive eyes and minds.
As a Retired combat Marine I want to tell you that as what you are doing is just as important as any warrior on the battlefield. You are waging warfare against these criminals and terrorists on the digital battlefield. You are defending and protecting the most vulnerable of our society against these predators. Keep up the good work Dale valskov
A lot of people use this case to bash on Free and Open Source Software. They try to paint it as insecure because it's developed in the open. I'd suggest otherwise: this is FOSS working completely as intended. The sheer fact that a random person could catch this bug is exactly due to the software being developed in the open. Were it fewer eyes on the software *and* its source code, the backdoor would have never been noticed.
I agree to some extend (as a linux, blender, shotcut, obs, user, that tries to use as much open source as plausible) It is true, that it's incredible that some "random dude" could spot that (due to it being open source). Though with closed source, it is harder to put malware into the product itself. So it's sort of a 10% for something to very bad to happen vs a 90% that something mediocre is going to happen (value wise). But yea, long live open source
@@SpinyDisk It's not really all that much harder to infiltrate some closed-source software company, if you play your cards right. I'm willing to bet you my bone marrow that GAFAM companies have multiple state-sponsored plants each. I mean, aside from the information they're happy to provide the state with themselves.
Sure that might be FOSS working as intended, but there's never been a single security issue in Windows or any other closed-source software in the entire history of computing!
@@altragclosed-source software are closed-source because the company or people who develop those software want to make money out of them. Even if there has been any security issue about these software, nobody could tell and nobody would know because nobody see the source code. Or do you think the developer of closed-source software would announce to the public that their product has security issues, so that they can have less customers? If xz were a closed-source software and the backdoor were implemented by a random employee of the company working on the software, the backdoor would simply be implemented, and no one would have any clue. Not to mention actually finding out the security issue and fixing it. Imagine if Andres has no access to the suspicious source code, without any prove to validate his doubt, even a great engineer like him can do nearly nothing but admit that he himself is just being too sensitive and give up.
this is why open source stuff is so important for the internet. without being able to actually look at the code and finding the backdoor, who knows how long it may have taken for anybody to figure it out let alone how long it would take for a fix to be implemented
@@collinsonOga not if you already work at said organisation or manage to apply and get hired there (probably not as hard as gaining the trust of a maintainer by actually volunteering valid code for years). And in any case, my rule of thumb is that if you can't see the code, you can just assume there is a backdoor (perhaps even by design by the company) since clearly there's something worth hiding. IMO non-libre software is inherently insecure since a corporation-the only purpose of which is to extract as much money from you as possible-is hardly where you want to place your trust.
The attack involved binary blobs. It could be argued that allowing files that are not open-source (or not even source-available) in an open-source project is a problem.
This is how Germany produces UA-cam videos. It’s top tier sponsored by our tax money 😂 However, I believe fern stopped cooperating with German public broadcasters a year ago
This is just an instance where a backdoor was discovered en route to seeing widespread deployment. This could've been one of several similar attacks, one of a multi-pronged scattershot attack that has redundancies involved. At the end of the day, it was a total fluke that Andreas caught this one - imagine all the other attacks that could be happening, or have already seen deployment, and those with access are just waiting for the right time to launch an attack - all the ones that there was no Andreas to catch.
Now consider the world of proprietary software: This was only discovered because someone *could* look at what goes on under the hood, and was compelled to do so by their curiosity. Imagine all the other attacks that could be happening, or have already seen deployment - all the ones where there isn't even a *possibility* of an Andreas to catch them, because their code is under lock and key. Swings and roundabouts, and for my part "security through obscurity" doesn't butter many parsnips.
Yeah, I was thinking that. "The guy that saved the internet" etc...great, but we only know about it because he did, by chance, spot something. Made me think probably 1 in 100. If so there are 99 other similar backdoors in good working order, undiscovered!
8:45 I heard this and thought "wait isn't this story about the guy that noticed a 500ms timing difference? idk if I'd call that crazy" and then 15s later sure enough, it's the dude that was simultaneously praised and mocked for noticing a 500ms timing change.
Wow the details on your videos are amazing ! 1:08 I recognized the Linux Debian distro logo. I mean I know the story already but watching your video is like a new experience 🔥
God I love this channel, I wish more channels could do animations like this. The content itself is also top tier but the animations on top are just so nice. Thank you Fern!
I swear to god fern has hands down the best animation editor for these vids and the art style for them is absolutely perfectly descriptive yet minimal at the same time I’m addicted to these animations, really helps follow the story! Thank you fern 💚
Game developer here. People underestimate how insane 500ms is. To give you an example, i create functionalities that must run under 1ms lol. Figure out now why would a Programmer notice 500ms delay. Still insane work by the final boss Andress 🗿........
I think it was just referring to starting an SSH session, which can take seconds normally so noticing an extra 500ms isn't much in this context. Obviously, latency in gaming or ping of 500ms is massive
And the most crazy thing is the technical detail how the code was placed/hidden! I know that the technical stuft would be too much for a non-technical audience but how the backdoor was encoded was just wizard-level hacking!
as a linxu user I really feel like this video shows how important it was But xz was in rolling and only some were affected but imagine it getting into stable releases (It would've been a nightmare , and I mean absolute nightmare) the country which was behind it , literally could've started world war III if xz had gotten into mainstream distros absolute chills
apparently it did manage to reach production versions of both arch and Manjaro and almost reached debian with only a few weeks to release which would've been massive (idk how close it was to Ubuntu or RHEL but probably close), the performance issues were already fixed in an update that the dev testing performance didn't have and managed to catch it
The best part for me is where something like this is in the budget range of many non-state actors as well. The only real bottleneck is the relatively small amount of sufficiently skilled and motivated black hatters.
Reminds me of The Cuckoo's Egg. Curious admin notices little computer time out of balance. Follows it down the rabbit hole and catches a devious hacker . Nice vid.
Ohhh, xz! Wow I never thought Linux drama would make it into mainstream YT but here we are! Also how are you guys pumping out these high-quality videos so fast? Don't burn out, yall
@@wilx2703 Huh, didn't think of that. It's been what, 4 years since AI first came out and I'm still wrapping my head around the whole "using AI to do work" thing :P Though, I don't see any obvious signs of AI in the videos, and they have a LOT of fingers moving and other stuff that AI is generally bad at. I dunno
i was getting worried that i havent seen the notification that fern has uploaded until i checked the channel and saw the “(almost) weekly” everything makes sense now
This story is a wild reminder of how close we came to a digital apocalypse! Huge respect to Andre for catching what could’ve been a global catastrophe. It’s insane how a single unnoticed line of code could’ve given hackers the master key to the internet. Open-source heroes like this are the unsung defenders of the digital world! 🌍💻
Either way China doesn't really celebrate Christmas all that much; so it would still be a false flag to have them offline then but not on CCP national holidays.
i really appreciate how transparent you guys are about using AI voices (not that it’s inherently a bad thing to use them, but it’s always nice when people clarify). in the same vein, the “own opinion” marker is also a lovely touch! just makes it feel like you respect your audience that little bit more :)) really fascinating video !!
Crazy how this channel doesn't even have a membership, the quality of the contents are insane like so insane, better than most of the informational documentation out there
I know this isn’t the type of topics you usually cover, but I would love to see your teams animation skills covering something like the last glacial maximum, or some other geographic phenomena that is difficult to understand/comprehend. It’s much easier to grasp with animation
0:11 he proceeded to send it to someone who then sent it to a witch trying to trap literally everyone ever with Santa’s power using something called a glaskafig.
I didn't hear about this in my country, I should have. This undoubted the most frightening thing to happen. If this had gone live, I shudder to think the amount of damage that could have been done. The number of lives that could have been ruined. Thank you, Andres. You are a true cyber hero!
Of course you didn't hear about it as it's more important to tell you what some D-list celebrity did that day or how Russia/China is going to start ww3 by attacking your country (if you live in Europe). Fear mongering and useless ''news'' stories is what people mostly are given.
This explains why they asked such unusual questions to the CEO of TikTok during the Congressional hearing before the United States House Energy and Commerce Committee in Washington, D.C. The questions make sense now because of the context provided in this video.
Everybody always makes fun of Linux nerds who get mad about a 5 nanosecond delay, but they are actually the real thankless heroes who keep computing alive
It's funny how a Microsoft employee basically saved Linux when back in the days Microsoft was seen as "the devil" from Linux users. I"m happy how things have changed.
12:28 - I was just thinking to myself, "'Social Engineering' at it's finest". Unfortunately, the weakest link was ultimately the developer himself. Of course, there were several other very human related factors that contributed to his mistakes. However, this also highlights the importance of vetting potential developers, prior to giving them the keys to the kingdom, so to speak.
really nice that you added a note when you switch to opinion rather than fact. too often there are documentaries that accidently pass off an opinion as a fact
Thank you Fern for bringing this to general public like me, who otherwise won't become aware of such good person and also the dangerous attack like this
For reference all linux distros find their roots in either arch (bleeding edge with questionable stability) or debian (slow, stable) what goes into either if these distros affects many others esp. Debian as nearly 2/3 of distros are debian based like Ubuntu, Mint, KDE, and many more.
And this is the first time this year I'd heard of this tale. Mainstream media couldn't be bothered reporting it 🙄 So much for quality independent minded journalism. All I can say is keep up the incredible work Fern.
The attack really was sophisticated: - multi stage decoding and injection making it hard to spot and figure out how the malicious code gets into the build - crazy obfuscation of the actual backdoor code in ssh, both by slotting it into existing code and by encoding all the strings in a lookup table so that simply looking for text wouldn't show up anything suspicious (this lookup table was very slow... and that's what allowed Andres to notice the bad performance) - the backdoor required a specific key which changes based on the system being hacked, this makes it hard for security researchers to debug and investigate - all the social engineering (building trust over years, timing some requests to get the backdoored xz into new OS releases, even implementing new compiler features to enable the "slot into existing code" part to work) - commits to other projects to subtly disable security features, under the guise of bug fixes, as these security features would prevent the backdoor from working It's plausible one very, very competent software engineer could know enough to do all that. But a state sponsored hacking team is much more likely.
The mention of “cozy bear” reminded me of your German-language documentary “Putins Bären”, is there an English-language version of it coming for this channel? I think our fellow Europeans and allies across the pond might also be interested in this.
This documentary was produced in cooperation with the German Funk network, which is paid for by most Germans through the "Rundfunkbeitrag" (broadcasting license fee). Since Simplicissimus no longer works with Funk, the documentary will probably not be available in English for other compatriots (at least that's what I assume, knowing Funk).
And they even showed two short clips from it. I wish they could figure out a deal for it to be translated into english and published. I would love to watch it with my fiance but she doesnt speak german well enough yet :(
@@keefymckeefface8330 Big companies do sponsor and control some large projects and even collaborate even when they are competitors. A classic example is Webkit, which is the engine to render web pages used in Google Chrome, Safari, Microsoft Edge, really most browsers these days. It is controlled by Apple but many companies contribute. That's mostly the really big projects though, while most of the utilities, tools, and parts of software that many programs use ("libraries") are often maintained voluntarily and in their spare time by engineers, often engineers who are also employed at these big companies but still getting little support from them on these many smaller projects. xz was just one guy.
Imagine working for 4 years on what could have been the biggest cyber attack in history just to get caught by some dude testing on his free time
He's not just some dude. Hes a dude whose programs are so optimized he will notice .4 ms of delay 😂
I think if not Andrew someone else would found it. There were other open source projects which found problems/bugs related to XZ library, so I think it was a matter of time until it was discovered. It took about 1 month since backdoor was added to XZ for Andrew to discover this backdoor, but even if he didn't find it someone else would. But even if no one found it, it would be chaos for few days and than they would stop it.
Also this was not a super elaborated social thing as video suggests at least that's how I see it. I think it was only one person, I am programmer and it seems like everything was coded by one person, also Kumar and Dennis and Jensen were just simple accounts that used different VPN's and emails so that can be done by one person, they only sent few messages and there is no internet trace of them, so they are shallow profiles. They also seem to talk in similar way, they sound like one person. I would say this was some young smart hacker or 2 or 3 random young hackers similar to those who hacked video game companies like in other FERN video.
Also lets say that virus/backdoor infected the whole world, it would take time for hackers to steal something, so again enough time for fix to be deployed and remove the backdoor from important servers, it would just cost millions and millions of dollars to different companies/entities.
@@iFlyGood500ms, not .4
It's about a 10x time increased compared to the usual, per login. And with the testing he has been doing, he would've had dozens of logins.
It is not hard to notice when, instead of something taking 0.1 seconds, it suddenly takes 5 seconds. And 5 seconds is also enough time to notice excessively high cpu load.
Instead the important factor is, that he actually bothered to investigate what causes it.
Nerds save the world.
@@turb00oAcoustic*
fern vids feel like real youtube premium
Facts
For sure
Fr better documentery's then Netflix
real
Facts
imagine working on something so powerful that can bring countries to there knees just to be caught by a guy noticing a 0.5 second delay
it was 0.4 not 0.5
@@CTEPORN mans just off by 0.1
@@Badgerinary I don't like misinformation.
to be fair a 0.5 second delay is very suspicious to anyone experienced in programming and its pretty common for malware to cause lag
@@CTEPORNcringe.
The fact that you explained it in a way that someone with no technical background would understand speaks volumes, thank you for another great video
I think it's an attack on the internet from Russia to get the U.S. nuclear bomb codes.
Definitely, i know some things about hardware in devices, but dont know anything about software, coding, how linux works etc. its crazy how he explained it so i can even understand it. Absolutely amazing
I mean not like he went into coding technical details and made it sound easy lol all he talked about is linux and the SSH. which is quite easy to understand id say.
Hey, some of us are dumb fks and we need it explained in the most simple way possible 😅 @@ikdeikke
Yeah my majors is animal physiology but I understand very easily.
fun fact Andres Freund's , last name translates to friend in German . He is truly a friend the internet needed
Vriend in Afrikaans
Even funnier
The narrator is German
Last name. *
@@oscargreat. Last name*
@@Mmmmmmmmmmmnm Right. Without the period before "Last". 😃
Thank you so much for not doing the typical "...Collin was born on a cold night of 1994. When he was 4, his favorite dish was lasagna..." etc. like most of these channels do to make their videos as loooong as possible. Also it was really well explained considering I know nothing about this stuff. Great Job!
Lmao.
You said it.
I wanna know what's conners favorite sport
I hate how he forgot to mention what collin had for breakfast 2 days before the incident
A developer being polite and helpful?
Major red flag right there.
FR
if they're not either unspeakably rude or nice but constantly swearing then be careful tbh
Hey, I object that! Well, at least to the polite part. I haven't published a lot of code so helpfulness is still kind of in the air 🤣
Also the Chinese name. Usual suspect Lol.
i am a fking nice developer..
Man, source citations in EVERY scene is just crazy professional. Higher standard than many 'professional' documentaries by bigger companies. Well done!
Hey ppl, I'm a retired computer/IT person, Yet I still find Dale valskov so informative and straight forward. Thanks for your advise and helping the people...........Great work and love watching.
The production of some of these youtube videos nowadays is crazy
Indeed!
What he said! AND just SOME? 😭
German efficiency
Seriously, UA-cam's the new, more relatable Netflix for me but like how much money and man hours did they put into this and how many views do they need to recoup
@@Myrdrrr Fern isn't the only high-tier UA-camr, lol. There's others like Melodysheep and LEMMiNO.
At 03:41 keep in mind "fork yourself" was not meant as an insult. Forking works like a fork. You have the source code, the handle of the fork, and then you have the separate tips of it, the forks. Essentially, the commenter is suggesting that the other guy makes a clone of the code on github with himself as the maintainer, so that they can make further progress on the code without the delays.
If you and I were to make a paint type program, and we fork a program that has everything except the bucket tool and the brush tool, and you implement the brush tool in your fork, and I implement the bucket tool in mine, we now have 3 versions of the same code.
1. The base code, the original paint.
2. Your fork with the brush tool, probably named something like "yourname-paint-brush"
3. My fork with the bucket tool, probably named something like "mycodeisbetterthanyourslmaogoforkyourselfsuckiiiiiiit-bucket"
Thanks
Good clarification.
damn rlly didn't know that thx
I don't trust what you said. The way you said it doesn't make sense. The show "The good place" uses profanity humor. I learned that people might hide their profanities as humor type. How else does that meant?
I didn't know people didn't know this. "Forking" isn't exclusive to coding, and I thought the context made enough sense lol.
That feeling when your partner cheated and you don't have the courage to leave him or her so you just dealt with the pain and live everyday asking questions about your worth. This pain is different from the cheating one-- living and seeing him everyday anticipating when will he or she do it again. Your videos are incredibly well done. No critique, thanks for doing this Dale valskov
Millions of modules are maintained by developers with little reward, yet power the largest companies.
which is critizied at the end of the video
Yup, and you have to wonder... dhow many of these companies do their due diligence, checking the code produced by the thankless masses?
@@Twisted_Code They have external services like snyk. Don't really check individual lines of code but if someone does notice it's immediately taken care of
Well, the devs are fueled by their passion. And the largest companies do contribute to the projects. The real problem is companies like Huawei claiming that they developed something only to be based on open source projects, then proceed to earn money for their bad products on the premise of patriotism
Everyone, please repeat after me: "Thank you for saving the internet, Andres"
I would like to say thanks. But since the internet is destroying our governments, societies, and people’s sanity. Thanks????
@@Christophe_derBerge-op9zh All of these things we're caused by human activity. We're responsible for it not the web
Everyone reoeat after me 🤓🤓🤓
ur not him bro
Thank you for saving the internet, Andres!
Having someone like you who’s not only a great innovator but also pulls his best to get the work done so beautifully needs nothing but appreciation. Dale valskov Thanks for the well off work you consistently bring your all and I truly appreciate that. Thank you for making corporate life so smooth. Proud to have you on our team. Great work as always.
The crazy thing is that backdoor wasn’t even inside the code itself. But was attached while the code was being deployed.
Yeah I've always wondered how tf you put in code in there doing ssh key authentication whatever without people noticing that piece of code?
It being not in the code but somewhere else makes sense
Yeah, according to the information provided in the source links from the official Red Hat website: "The malicious injection present in the xz versions 5.6.0 and 5.6.1 libraries is obfuscated and only included in full in the download package - the Git distribution lacks the M4 macro that triggers the build of the malicious code. The second-stage artifacts are present in the Git repository for the injection during the build time, in case the malicious M4 macro is present."
Maintainers must be VERY critical now of binary blobs even if described as 'test data' if it can be accessed during the build process. Ideallying, building and testing will be completely separate and gapped environments
04:46 devs/ maintainers being polite, the biggest red flag. 🚩
fr
Also, displaying social skills 🚩
See: Linus Torvalds mailing list rants
@@FCoFix that's how you know he's legit lol
Please most open-source maintainers who i reported issues to or contributed code to have been SUPER nice.
I actually tended to be very polite as well, even with people who were clearly rude and frustrated, though with a project with a million users, it sometimes gets difficult. You sometimes get... special types of Karens, ones that cannot be put at ease. I'm sure you can vaguely imagine. Well at least i never took revenge on them, even if i was tempted to.
There’s nothing I love more than getting a UA-cam recommendation in my feed that changed my perspective of everything
fern just dropping banger after banger
bot
@@chaosthug7 Ur mother is a bot
@@chaosthug7 ur father!
@@ceoofgambling yep, not a bot.
After banger after banger after banger after banger after banger after banger after banger after banger after banger after banger after banger
The real reason behind the suspicion of state sponsonred hackers, for us IT engineers, is not just the social engineering. It's how sophisticated the technical details of the attack really were. I myself don't fully understand all the details. But in essence it's a supply chain attack. It *only* triggers when specifically compiling SSH with xzutils in a Linux distro. Undetectable during code reviews. Some Linux distros weren't even affected because they didn't compile SSH the way that the attack expected. And the payload was hidden in the test suite. Many many details that would've made this attack close to unthinkable for nearly every hacker, except for state sponsored groups.
It's unanimously agreed that it was state sponsored because it's just too multi layered.
Some test suits were disabled by first making the test fail silently if code doesn't compile on a specific platform, to make it easier to execute it on multiple platforms. Then a hidden period "." was committed, in theory visible by anyone, but just extremely hard to see, that disables a specific test by making the code not compile.
Test cases that take binary input also existed. The binary input was placed in the repository as is, and nobody verified the contents of the binaries.
All of these were red flags but they were given rigorous technical justification. Made by someone you don't expect to be malicious.
I don't know why it's assumed everywhere that "very sophisticated" means "state-sponsored". This makes no sense to me. It's of course possible, but just jumping to that conclusion without any sort of reasoning other than "it's really good" seems completely irrational. This exploit did not require billions in funding in any way. IMO it just makes it sound as if you believe the only hackers are 12yo script kiddies and not rational humans capable of setting an objective, constructing a plan and executing it over a couple of years.
Not every exploit is a random tiny hole noticed by someone who then immediately fists through it, downloads all the user data, runs rm -rf * and then uploads it on a forum.
Yeah but they aren’t on my level and I’m not state sponsored check this amazing line of code
Print(“Get Hacked”)
What can I say am I a cyber threat or what
@@williamduncan7401 not to this level, this is just too organized, like stuxnet, pegasus, etc etc, i too like the idea of lone wolfs etc but this level of organization is just not common...
Or, you HAVE to hear me out, he has ADHD/ADD. Thinking that far ahead on something you enjoy or are super passionate about and then you get fixated on details. Sometimes reality is odd
The efficiency of this Dale valskov is next level. To juggle walk throughs of various angles on the topic delivered to-camera, differnet content per topic from various folks underneath the umbrella of the track list of the larger big band concert itself is engaging and refined. To make a dense taccess like this so digestible is really something. Awesome work !!
Andres the Goat
daa
@@Sirbozo I believe you meant to say, "baa" 😉
@@MattipedersenBÆÆÆHH!
@@Mattipedersen da is yes in croatian, slovenian, serbian, basically all balkan languages, so maybe he meant it🤣
@@soda24612 you forgot the biggest language, russian
52 sources! Thats a lot of research into just one video!
These guys spit facts, awesome research all around in all of their vids
And still not knowing which date is Russian Christmas celebrated on (spoiler, it's on January 7th). But sure, "Russian hackers" sounds more impressive, then hackers from other countries. Sigh.
@@yulo8987 I am surprised that holidays are relevant at all because why would a hacker group or secret service really care about those... in such organizations there are no holidays... it's as stupid as claiming no one works in a hospital on Christmas eve...
yeah and shows how major the event was, dominating open source and cyber security news for a few weeks
@@yulo8987to note, almost all the timezone celebrated it on 7 Jan from Russia to Ethiopia, and I doubt it's any further down in Africa
Awesome work, Dale valsko ! It's so satisfying to see you putting in the effort to stop those shady characters. Protecting the public, especially the elderly, from those despicable con artists is crucial. You truly deserve recognition and appreciation for keeping us secure. I'm thrilled for you because you're my sibling. Your accomplishments definitely make you a strong contender for the Nobel Peace Prize. Keep up the outstanding performance!!!!!
A video of 15 min from fern is better than if netflix made a doccumentary of 2 hours! Keep it up!!!!
Just learn german, and watch their german Videos on simplicissimus. They made videos on this quality for years.
Fern manages to tell a tighter story because the story is as long as it needs to be. In mainstream media they have to drag things out to nearly an hour.
I enjoy fern but stop dick riding.... Mainstream media documentaries have had multiple accredited history professor's and show all sources like Fern does. They indeed fell off drastically but the hundreds and hundreds of history, animal planet and national geographic documentaries are some of the best researched piece's out there. They also have great narrators too. 90s and early 2000s had the best ones. I do agree the new ones just absolutely blow tho. Compared to new ones Fern does good but compared to the genre as a whole he's mediocre at best. And that's okay
Absolutely agree! Fern packs more intrigue and info into 15 minutes than most shows do in hours - pure quality
It seemed like a AAA movie 🎉
I never thought that the xz/Jia Tan drama would ever make it into Fern one day.
On a more serious note, I am literally shaking over the fact that there can still be multiple cleverly hidden backdoors created with similar methods still in the wild.
I know for a fact that no one will thoroughly review thousands of lines of generated code from a single PR for example when the diff is too large.
Can't these very smart LLM's be used to review code?
I use it as a very quick check of new code to flush silly mistakes already, these may not write qual code yet, but it's a good, fast reviewer.
@@Nick_the_Gold_Bach smart LLM's can't even tell if a student's work is LLM generated or real
@@Nick_the_Gold_Bach Depends on the model, but really, LLMs can never truly go beyond what we trained them on, we train them on good inputs but also bad ones. They can definitely check for minor issues across a large number of inputs, and are generally faster than a human. However, I doubt they would catch the most intricate ones. Even if they did, it would be a cat-and-mouse game; people will always find smarter ways to bypass any countermeasures.
@@jammaschan Aah, but the time-penalty of false positives is far less severe scanning for malware
@@afmikasenpai There must be a fair sized legacy of malware that I'm sure has been crawled by many LLMs.
And there is emergent behaviour anytime there's any form of adaption.
The important point though is it's throwing out orange and red flags fast for thousands of lines of code, concentrating the attention of more perceptive eyes and minds.
As a Retired combat Marine I want to tell you that as what you are doing is just as important as any warrior on the battlefield. You are waging warfare against these criminals and terrorists on the digital battlefield. You are defending and protecting the most vulnerable of our society against these predators. Keep up the good work Dale valskov
You are not a "Retired combat Marine".
A lot of people use this case to bash on Free and Open Source Software. They try to paint it as insecure because it's developed in the open. I'd suggest otherwise: this is FOSS working completely as intended. The sheer fact that a random person could catch this bug is exactly due to the software being developed in the open. Were it fewer eyes on the software *and* its source code, the backdoor would have never been noticed.
I agree to some extend (as a linux, blender, shotcut, obs, user, that tries to use as much open source as plausible)
It is true, that it's incredible that some "random dude" could spot that (due to it being open source). Though with closed source, it is harder to put malware into the product itself. So it's sort of a 10% for something to very bad to happen vs a 90% that something mediocre is going to happen (value wise). But yea, long live open source
@@SpinyDisk It's not really all that much harder to infiltrate some closed-source software company, if you play your cards right. I'm willing to bet you my bone marrow that GAFAM companies have multiple state-sponsored plants each.
I mean, aside from the information they're happy to provide the state with themselves.
Sure that might be FOSS working as intended, but there's never been a single security issue in Windows or any other closed-source software in the entire history of computing!
@@altragclosed-source software are closed-source because the company or people who develop those software want to make money out of them. Even if there has been any security issue about these software, nobody could tell and nobody would know because nobody see the source code. Or do you think the developer of closed-source software would announce to the public that their product has security issues, so that they can have less customers? If xz were a closed-source software and the backdoor were implemented by a random employee of the company working on the software, the backdoor would simply be implemented, and no one would have any clue. Not to mention actually finding out the security issue and fixing it. Imagine if Andres has no access to the suspicious source code, without any prove to validate his doubt, even a great engineer like him can do nearly nothing but admit that he himself is just being too sensitive and give up.
@@altragif you were baiting, you did a very good job
this is why open source stuff is so important for the internet. without being able to actually look at the code and finding the backdoor, who knows how long it may have taken for anybody to figure it out let alone how long it would take for a fix to be implemented
In all fairness, it'll be harder to gain access to organization owned codebase. But once you can gain access, I recon it'd be disaster
@@collinsonOga not if you already work at said organisation or manage to apply and get hired there (probably not as hard as gaining the trust of a maintainer by actually volunteering valid code for years). And in any case, my rule of thumb is that if you can't see the code, you can just assume there is a backdoor (perhaps even by design by the company) since clearly there's something worth hiding. IMO non-libre software is inherently insecure since a corporation-the only purpose of which is to extract as much money from you as possible-is hardly where you want to place your trust.
Would agree with you in any other context. But this ain't it.
The attack involved binary blobs. It could be argued that allowing files that are not open-source (or not even source-available) in an open-source project is a problem.
@@BowmanFox Why? This project's downfall was allowing non source available code. Else this more than likely would have been caught
I wish you showed how the code was written. THAT BACKDOOR was a stroke of GENIUS!
Boy that was probably the sickest sponsor animation I have ever seen. Fern is just on another level.
This is how Germany produces UA-cam videos. It’s top tier sponsored by our tax money 😂 However, I believe fern stopped cooperating with German public broadcasters a year ago
This is just an instance where a backdoor was discovered en route to seeing widespread deployment. This could've been one of several similar attacks, one of a multi-pronged scattershot attack that has redundancies involved. At the end of the day, it was a total fluke that Andreas caught this one - imagine all the other attacks that could be happening, or have already seen deployment, and those with access are just waiting for the right time to launch an attack - all the ones that there was no Andreas to catch.
Now consider the world of proprietary software: This was only discovered because someone *could* look at what goes on under the hood, and was compelled to do so by their curiosity.
Imagine all the other attacks that could be happening, or have already seen deployment - all the ones where there isn't even a *possibility* of an Andreas to catch them, because their code is under lock and key.
Swings and roundabouts, and for my part "security through obscurity" doesn't butter many parsnips.
@@rossstewart9475bullshit, the hack wouldnt even get into the Software cuz its closed source
Yeah, I was thinking that. "The guy that saved the internet" etc...great, but we only know about it because he did, by chance, spot something. Made me think probably 1 in 100. If so there are 99 other similar backdoors in good working order, undiscovered!
8:45 I heard this and thought "wait isn't this story about the guy that noticed a 500ms timing difference? idk if I'd call that crazy" and then 15s later sure enough, it's the dude that was simultaneously praised and mocked for noticing a 500ms timing change.
The 3d animation is top tier even down to the accuracy of the inside of the pc you fly through truly great work
I love it when David or Jonas are speaking, it kinda feels more like simpli that way
But the english pronounciation is annoying. It is really hard to listen through that accent.
@@offtopic9632 I really disagree. I think it's nice with some European accents in storytelling.
@@offtopic9632at least they pronounce every german name correctly. The pronunciation of Freund may sound weird to you but it’s a German name.
@@rinmartell2678 Yeah, but they butcher all other words that aren't german, so that's not a good bargain.
I am german by the way.
@@offtopic9632 it's called having character, turn on subtitles and mute the video
Wow the details on your videos are amazing ! 1:08 I recognized the Linux Debian distro logo. I mean I know the story already but watching your video is like a new experience 🔥
God I love this channel, I wish more channels could do animations like this. The content itself is also top tier but the animations on top are just so nice. Thank you Fern!
I swear to god fern has hands down the best animation editor for these vids and the art style for them is absolutely perfectly descriptive yet minimal at the same time I’m addicted to these animations, really helps follow the story! Thank you fern 💚
Don't swear to God's holy name. It is blasphemous.
I literally just got an ad from Google about “breaking” cyber security right after Andres discovered the SSH thing. *The irony.*
I just found your channel this week, had to binge watch your old videos and I freaking love your contents fern!
For this quality of animation I think fern should have at least 10-15M subs
Game developer here. People underestimate how insane 500ms is. To give you an example, i create functionalities that must run under 1ms lol. Figure out now why would a Programmer notice 500ms delay. Still insane work by the final boss Andress 🗿........
I think it was just referring to starting an SSH session, which can take seconds normally so noticing an extra 500ms isn't much in this context.
Obviously, latency in gaming or ping of 500ms is massive
And the most crazy thing is the technical detail how the code was placed/hidden! I know that the technical stuft would be too much for a non-technical audience but how the backdoor was encoded was just wizard-level hacking!
AlMoSt like MS themselves did it, eh?
as a linxu user I really feel like this video shows how important it was
But xz was in rolling and only some were affected
but imagine it getting into stable releases (It would've been a nightmare , and I mean absolute nightmare)
the country which was behind it , literally could've started world war III if xz had gotten into mainstream distros
absolute chills
apparently it did manage to reach production versions of both arch and Manjaro and almost reached debian with only a few weeks to release which would've been massive (idk how close it was to Ubuntu or RHEL but probably close), the performance issues were already fixed in an update that the dev testing performance didn't have and managed to catch it
True, the potential impact on stable releases could have been catastrophic-it's a relief it was caught in time
The best part for me is where something like this is in the budget range of many non-state actors as well. The only real bottleneck is the relatively small amount of sufficiently skilled and motivated black hatters.
It’s scary that one of these exploits could already be in major distros, and just simply wasn’t caught.
@@artemis.nnnnnbbbbb arch (and manjaro based on arch) is rolling release. So it always has the newest packages that the user wants
Reminds me of The Cuckoo's Egg. Curious admin notices little computer time out of balance. Follows it down the rabbit hole and catches a devious hacker . Nice vid.
Ohhh, xz! Wow I never thought Linux drama would make it into mainstream YT but here we are!
Also how are you guys pumping out these high-quality videos so fast? Don't burn out, yall
a lot of AI probably
@@wilx2703most of ferns content is just reused from the German and Dutch channels. Just look in thier bio and u will find them
@@wilx2703 Huh, didn't think of that. It's been what, 4 years since AI first came out and I'm still wrapping my head around the whole "using AI to do work" thing :P
Though, I don't see any obvious signs of AI in the videos, and they have a LOT of fingers moving and other stuff that AI is generally bad at. I dunno
@@kaz49it is not. It’s just newly translated content from thier German chanal u can see it in thier channel bio
@@wilx2703nah. They already released this video a few months ago on their german channel and they have a huge team.
No intro straight into it much appreciated.
Can't even wait like 10 seconds? Wow
i was getting worried that i havent seen the notification that fern has uploaded until i checked the channel and saw the “(almost) weekly” everything makes sense now
0:20 ah yes the ssh graph we all have on our computers
_SSH intensifies_
Just a way to show something in a simple way
0:38 0:39 @@user-qu1xl3ee1d
You mean Windows Task Manager graphs 📈
😂
This story is a wild reminder of how close we came to a digital apocalypse! Huge respect to Andre for catching what could’ve been a global catastrophe. It’s insane how a single unnoticed line of code could’ve given hackers the master key to the internet. Open-source heroes like this are the unsung defenders of the digital world! 🌍💻
ferns voice is just right for these type of videos.Mysterious but also the type of voice that will keep you wondering for more content
14:01 Russian Christmas is on January 7th, not on December 25th
👀
Either way China doesn't really celebrate Christmas all that much; so it would still be a false flag to have them offline then but not on CCP national holidays.
I think this was an european or USA hacker. The western holidays just give it away.
Who else have UTC+2 & UTC+3 (due to daylight savings) and could plausibly celebrate western holidays/calendar? = Israel
@@rogerkamben389 Christmas is not a public holiday in Israel, so it wouldn't make sense based on that
i really appreciate how transparent you guys are about using AI voices (not that it’s inherently a bad thing to use them, but it’s always nice when people clarify). in the same vein, the “own opinion” marker is also a lovely touch! just makes it feel like you respect your audience that little bit more :)) really fascinating video !!
yeah, I kind of thought that but not sure who else he’d get to speak
@@5DPixel oh i don’t mind the use of AI voices if they don’t have anyone else, it’s just nice to see they clarified it was AI
My guy literally noticed 0.5 sec delay😂
You gotta really love your job to notice these kind of things
Right when lunch is ready, THANKS
Crazy how this channel doesn't even have a membership, the quality of the contents are insane like so insane, better than most of the informational documentation out there
This is hands down one of my favorite videos of all time! AMAZING work on this one and can't thank you enough for putting this out!!
please dont stop this form of content. it is educational and eye opening. Big love from western australia
I know this isn’t the type of topics you usually cover, but I would love to see your teams animation skills covering something like the last glacial maximum, or some other geographic phenomena that is difficult to understand/comprehend. It’s much easier to grasp with animation
Like the most recent video? I’d like to think he read your comment
I’m so glad your vids popped up on my feed one day! I love the animation!
fern uploading is like finding $100 in your pocket
Well, I was supposed to do homework, but this is much more interesting
0:11 he proceeded to send it to someone who then sent it to a witch trying to trap literally everyone ever with Santa’s power using something called a glaskafig.
Do what 😂
@ reference to a movie
@ why you always smiling?
I didn't hear about this in my country, I should have. This undoubted the most frightening thing to happen. If this had gone live, I shudder to think the amount of damage that could have been done. The number of lives that could have been ruined.
Thank you, Andres. You are a true cyber hero!
Of course you didn't hear about it as it's more important to tell you what some D-list celebrity did that day or how Russia/China is going to start ww3 by attacking your country (if you live in Europe). Fear mongering and useless ''news'' stories is what people mostly are given.
The opposite of Curiosity killed the cat. Good job Andres!
This explains why they asked such unusual questions to the CEO of TikTok during the Congressional hearing before the United States House Energy and Commerce Committee in Washington, D.C. The questions make sense now because of the context provided in this video.
I can watch fern's ad from start to finish, it's like it is perfectly embedded in the video. Nice job!.
you already know this gonna be a banger
0:43 didn't know master hand from smash had a pc lol
Or they could be the crazy hand
LMFAO CLEVER ASF
Everybody always makes fun of Linux nerds who get mad about a 5 nanosecond delay, but they are actually the real thankless heroes who keep computing alive
Would love to hear fern’s rendition of who Edward Snowden is and what he’s done
Great work on the ad of Brilliant, I'd have just skipped if it was the usual screen recording of courses
And always love your videos 🙌🏻
It's funny how a Microsoft employee basically saved Linux when back in the days Microsoft was seen as "the devil" from Linux users.
I"m happy how things have changed.
Bro's videos are UA-cam Red quality - like VSauce!
when's the last time vsauce made anything other than a short?...
@@Steamrick That's why I specifically mentioned UA-cam Red.
Fern: makes normal video
Also Fern in that same video: here's where they live
12:28 - I was just thinking to myself, "'Social Engineering' at it's finest". Unfortunately, the weakest link was ultimately the developer himself. Of course, there were several other very human related factors that contributed to his mistakes. However, this also highlights the importance of vetting potential developers, prior to giving them the keys to the kingdom, so to speak.
really nice that you added a note when you switch to opinion rather than fact. too often there are documentaries that accidently pass off an opinion as a fact
The production quality is INSANE
Thank you Fern for bringing this to general public like me, who otherwise won't become aware of such good person and also the dangerous attack like this
It's always a random nerd just randomly thinking, "Hey, maybe I can fix this," who ends up ruining a plan that took a long time to make.
True
Woah! This is such a cool map! I love how the song fits, and the art style is super cool! Good song choice, really ❤
For reference all linux distros find their roots in either arch (bleeding edge with questionable stability) or debian (slow, stable) what goes into either if these distros affects many others esp. Debian as nearly 2/3 of distros are debian based like Ubuntu, Mint, KDE, and many more.
I use arch btw (I swear to god I have a live)
ehh, arch is pretty stable but nothing beats debian
Dude this guy NEEDS his own Netflix series.
this is a tax paid channel related to a big network
@@rushe-1how so ??
And this is the first time this year I'd heard of this tale. Mainstream media couldn't be bothered reporting it 🙄 So much for quality independent minded journalism.
All I can say is keep up the incredible work Fern.
11:40 VX Underground 🤘🏻😄
Yuperdoodles
Hackers mentality >>> any other mentality
2.4M views? Underrated. The production quality of these videos is insane.
I see Fern I click. You're amazing
Please continue to make videos about hackers! fern's just hit different.
Fern has got to be the most underrated UA-camr. He deserves
_AT LEAST_ 20 mil.
Andrés be cooking
Bro waited half a second and found out theres a problem
Im over here waiting an entire minute for anything to load 😭
The attack really was sophisticated:
- multi stage decoding and injection making it hard to spot and figure out how the malicious code gets into the build
- crazy obfuscation of the actual backdoor code in ssh, both by slotting it into existing code and by encoding all the strings in a lookup table so that simply looking for text wouldn't show up anything suspicious (this lookup table was very slow... and that's what allowed Andres to notice the bad performance)
- the backdoor required a specific key which changes based on the system being hacked, this makes it hard for security researchers to debug and investigate
- all the social engineering (building trust over years, timing some requests to get the backdoored xz into new OS releases, even implementing new compiler features to enable the "slot into existing code" part to work)
- commits to other projects to subtly disable security features, under the guise of bug fixes, as these security features would prevent the backdoor from working
It's plausible one very, very competent software engineer could know enough to do all that. But a state sponsored hacking team is much more likely.
The mention of “cozy bear” reminded me of your German-language documentary “Putins Bären”, is there an English-language version of it coming for this channel?
I think our fellow Europeans and allies across the pond might also be interested in this.
This documentary was produced in cooperation with the German Funk network, which is paid for by most Germans through the "Rundfunkbeitrag" (broadcasting license fee).
Since Simplicissimus no longer works with Funk, the documentary will probably not be available in English for other compatriots (at least that's what I assume, knowing Funk).
Yeah, it would be great if they would translate their documentary, but it could be not possible because of the licenses...
And they even showed two short clips from it.
I wish they could figure out a deal for it to be translated into english and published.
I would love to watch it with my fiance but she doesnt speak german well enough yet :(
Average Minecraft server downfall lore:
Fern's content is soooo good it could be state sponsored.
Wie kann eine so wichtige Position ehrenamtlich sein? Maintainer meine ich
open source- its essentially 99.99999999 percent voluntary. As near all as to be all in terms of real work done.
@@keefymckeefface8330 Big companies do sponsor and control some large projects and even collaborate even when they are competitors. A classic example is Webkit, which is the engine to render web pages used in Google Chrome, Safari, Microsoft Edge, really most browsers these days. It is controlled by Apple but many companies contribute. That's mostly the really big projects though, while most of the utilities, tools, and parts of software that many programs use ("libraries") are often maintained voluntarily and in their spare time by engineers, often engineers who are also employed at these big companies but still getting little support from them on these many smaller projects. xz was just one guy.
Pretty wild to think that amazing pieces of work are accomplished by people for fun and not for money.
Bist du dumm ? Is halt open source
@@iFlyGoodIf you have a Passion in Live, you do it simple as it is.
Just imagine backdoors that have gone undetected and laying dormant waiting for the right time to execute💀
Really shows how even the most foolproof plans can be crumbled up by the most minute things.
I love these fern productions! Always so high quality. But I can't take the AI voices. Breaks the immersive storytelling somehow.
And who would you suggest to cast as 'the villain'?
@@Steamrick MrBeast's 42.
Just kidding, lol. That's a great question you've asked.