Lessons Learned From the xz Backdoor

  • Published 26 Sep 2024

COMMENTS • 38

  • @JoseEncarnacao 5 months ago +5

    Cheers from Portugal. YouTube recommended this video since I've watched some on the subject, and I loved it.
    Well-put argument, editing and graphics, and having the courage to point out that the solution is to have Conversations about the subject to properly solve issues like this. :)

  • @ZipplyZane 5 months ago +6

    I think "don't talk about your mental health issues" would be better received with some more limitations. It's not that you can't talk about them online. It's that you don't want to link them with your developer account.
    That said, in this case, the reason he mentioned them was that they were bullying him, and he felt the need to explain himself. That's very hard to deal with. I very much think empowering developers by letting them know it's okay to ban people who are mean is a better strategy. Be nice, or be banned.

    • @LiEnby 5 months ago +1

      talking about your mental health issues, with like, good people can be amazing for your mental health.

    • @joseoncrack 5 months ago +2

      @LiEnby If those are close people or professionals and it stays confidential, sure. If it's spread all over the internet for the whole world to see, definitely not.
      Heck, even perfectly mentally sane people, exposed to thousands of people worldwide on social media, can become seriously ill from the amount of bullying there is out there. So if you're any kind of fragile, that's almost suicidal.

    • @LiEnby 5 months ago +1

      @joseoncrack I was talking from experience here. There's lots of bullying, but there's also lots of people being supportive and trying to help. Anyway, I've done it with randoms I barely know and it's helped on occasion. I was talking from experience here.

  • @jamesarthurkimbell 5 months ago +3

    If Lasse is Theoden and Jia is Grima, who's Gandalf? What could shine a light on these situations and heal the harried king?

    • @Trafotin 5 months ago +3

      I wish I knew...

  • @bart2019 5 months ago +6

    It's disgusting how even multibillion dollar companies depend on free software from often single person projects who put in years of work without any form of kudos. Yes at least some of these companies do contribute back to open source, but far too many keystone projects are simply taken for granted, like the ssh libraries.

    • @Trafotin 5 months ago +1

      This is another element of this, but I felt it was out of scope of the video.

    • @joseoncrack 5 months ago +1

      Yes, very true. But that's what comes with open sourcing your code. Single developers should never accept that situation. If your project gets any kind of traction like this, either you manage to set up a whole team with proper funding, or you step down and let other people maintain it if they feel like it. But in this case, you shouldn't do this if being pressured to do so, and you should NOT stay in the loop while naming another maintainer (unless maybe you've known them for a very long time and they're basically a friend). Don't wait until it's too late.
      As to the "consumers" of open source packages that do not bother to either contribute significantly or even analyze what they are depending on, they are the ones at fault in any case.

    • @Henry-sv3wv 5 months ago

      @joseoncrack or you sell your open source code to a scammer company, like Simple Mobile Tools was sold.

    • @GoldenSpike300 5 months ago +1

      Bill Gates felt a similar way before he created Microsoft. During his time in high school it was a very common practice for most software to be free, and it was looked down upon to pay for software if it wasn't for some sort of business service (i.e. the software was not the business, but the business used the software). When he submitted programs and demanded money he was often scoffed at, but his reasoning was that he would put in as much work and time as someone in a regular job, so why should he not expect compensation for it, when businesses are more than happy to profit off programmers' work without even a thank you.

  • @TeleviseGuy 5 months ago +9

    liblzma almost died from ligma

  • @rationalbushcraft 5 months ago +2

    I admit I don't know if those things will work. I think it is a double-edged sword. On one hand, open source is good for the community to look for flaws and improve the project. But at scale it becomes a risk, and it is difficult to keep bad actors from doing this very thing. This one was a two-year operation where confidence was built over a long enough period of time that it was not suspected to be nefarious. And the threat actors will only get better at doing this as they learn what project managers are looking for to stop them.

    • @musicalneptunian 5 months ago

      Yeah and the threat actor next time might not involve a human. It could all be AI threat actors and deep fakes.

  • @mkDaniel 5 months ago

    1:32 understatement of the century..
    To be even possible to.

  • @ttrev007 5 months ago +2

    I don't think that keeping your mental health conditions secret will help. If someone is looking for a weakness, they will probe personally and likely easily find what they need to exploit just by getting to know them personally. Keeping your mental health a secret is not a solution to this issue.

    • @ZipplyZane 5 months ago +3

      It's not a perfect fix, but the idea can help. Don't make it easier on them.
      Though I really think we just need to normalize that aggressive behavior gets you banned. Sure, there may be other social engineering tactics, but being a jerk should not be something that helps you.
      I've long pushed the idea that, if you're a jerk and you want me to do something, I don't do what you want.

  • @RarefiedError 5 months ago

    Luckily I still have a computer or 2 that runs on LhARC compression for the majority of its software (just in case). Quick, everyone switch to Huffman v2. Maybe put AI tools to use to scrape the backend of these code commits and do validation screening on that. Could reduce some of the labor on the human element.

  • @Hofer2304 5 months ago +1

    It's very problematic if only one person works on a project. The source code should be read more systematically. My idea is that an expert asks laymen to work on a file. The layman could tell the expert that something is wrong with the code, for example that a comment is badly written, or a test is missing.
    Make it easier for people to work on open source projects.

  • @cbbcbb6803 5 months ago

    Good suggestions.
    How do you know if you have the bad version of xz?

    • @Trafotin 5 months ago

      Just update.

  • @beckham1872 5 months ago +1

    You're so cute

  • @aa898246 5 months ago +10

    I like your videos

    • @ChaoscelusApollyon 5 months ago +2

      Go marry it then

    • @BunnyKhatri-pd8zm 5 months ago +1

      He's like dt, he gets some shit wrong. He's an avg Linux YouTuber, so yeah, some videos are good while others are bad.

  • @darknetworld 5 months ago

    There are pros and cons. Reason: people live in different areas of the world, which is not easy to standardize. Plus there are people working part time or as a hobby. As well, there are people who work in big tech and low tech. Exposing their ID could lead to attacks by bad apples. Plus, with the history system, making sure of the git access is not an easy task, and there are 10000 users' commits, which is not an easy job for one or many people. Lastly there are many libs which have a lot of core or sub devs.

  • @ustrucx 5 months ago

    Outdated distros for the win!

  • @DaMu24 5 months ago

    Drama 🥱

  • @CaribouDataScience 5 months ago +2

    The real question is, was it the first time?

    • @musicalneptunian 5 months ago +2

      We've been here before, my friend... you got me to channel my inner Phil Collins in the air tonight.

    • @discocat2500 5 months ago

      The last time?