Jonathan Blow on the Problem with Open Source

  • Published 25 Nov 2024

COMMENTS • 263

  • @mrpissed
    @mrpissed 7 months ago +79

    Prophetic. Considering the fact that the xz backdoor was found in a completely roundabout way (Microsoft dev with no affiliation to the project investigates the source of a 0.5 s delay), it's very likely that many other exploits slipped through the cracks.

    • @0xsn1pe36
      @0xsn1pe36 7 months ago +7

      He was correct, but his argument is still faulty: the threat actor spent the last 5 years building trust by committing to a largely overlooked repo, but the exploit was found by a user pretty soon.
      If he had encountered such a 500ms delay on Windows he would have had no option to really investigate (ignoring the fact he works at Microsoft).
      If the NSA wanted a backdoor in Windows they would just ring up Microsoft. 😂

    • @ibrahimshehu8677
      @ibrahimshehu8677 7 months ago

      The backdoor was not in the source code, but was injected in the already compiled form by a manager of the repo, and as far as I know it took a couple of years to become one, so I guess this is a different situation than what Scott is talking about

    • @sebastiang7394
      @sebastiang7394 7 months ago +5

      The xz backdoor is also a very high level exploit. It does a lot and is extremely powerful and therefore very dangerous. But that also makes it harder to hide. It was hidden brilliantly, but ultimately once you understand what it does it’s obviously a back door. There could be thousands of smaller exploits that just hide as bugs. Some of them might have already got patched. But everyone just assumed they were normal bugs.

    • @sebastiang7394
      @sebastiang7394 7 months ago +1

      It was in the source. It was hidden in a binary test file. The exploit unpacks when building.

    • @kryzet_official
      @kryzet_official 2 months ago +1

      That's the point. He does mention that it's not something in the source code, but something that has to be combined with other factors to be fruitful or else it is not subtle.

  • @Lircking
    @Lircking 8 months ago +102

    this aged well

    • @enno1162
      @enno1162 7 months ago +13

      didn't even age, it just welled

  • @ryedev
    @ryedev 7 months ago +31

    Aged really well. Jblow truly knows what he is talking about. There is no way in hell that the xz backdoor was done by a single sociopath that spent years of investment into social engineering and technical design of the exploit. It had massive funding for sure

    • @ChristopherGray00
      @ChristopherGray00 1 month ago

      I'm not sure how xz is used as an example of evidence for this claim when it got caught prior to ever even landing on any distribution's repo. It was a highly sophisticated multi-year plan that got foiled before it had even been out in production.
      Why are people using this as an example? Probably because it's been about 30 years and we've yet to see a legitimate backdoor attempt even make it into a commit, and yet we have seen a severe vulnerability exist for 5 years straight, utilized as a backdoor on Windows, with EternalBlue.
      So no, this isn't fuel for this argument lol, if anything this directly contradicts your point.

  • @replikvltyoutube3727
    @replikvltyoutube3727 11 months ago +76

    Another TempleOS W. It's protected by our lord

  • @Elrog3
    @Elrog3 11 months ago +62

    Closed source is more likely to have spyware run by the nation the company is based in but open source software is more vulnerable to international cyber attacks.

    • @dennis.blondell-decker
      @dennis.blondell-decker 10 months ago +3

      Listen to the first 3 minutes again, please.

    • @Elrog3
      @Elrog3 10 months ago +8

      @@dennis.blondell-decker Done. Why did you ask me to do that?

    • @see-sharp
      @see-sharp 7 months ago +1

      @@dennis.blondell-decker You got owned bro

  • @user-gw1sh9qc2s
    @user-gw1sh9qc2s 29 days ago +2

    Jonathan Blow describes SystemD

  • @immanuellitzroth1905
    @immanuellitzroth1905 6 months ago +6

    I love the part where they start calling bullshit at each other.

  • @chrisanderson687
    @chrisanderson687 4 months ago +2

    Years ago I worked in the aerospace industry, on a Flight Management System, and just before I quit I measured how many lines of code I added vs deleted, and I actually deleted far more lines than I added, after about a year. This is something I am still proud of to this day. :)

  • @Burgo361
    @Burgo361 10 months ago +5

    I can see your point. There are people out there who could create something like this that we wouldn't understand even if they explained what they did step by step; there are a lot of insanely smart people out there.

  • @remixisthis
    @remixisthis 11 months ago +16

    A lot of governments can also pay or force maintainers of open/closed source software to allow backdoors or bugs. Also, almost every large company has spies or family/spouses who are spies

  • @friedrichmyers
    @friedrichmyers 7 months ago +5

    This aged like fine wine

  • @dfaultkey
    @dfaultkey 11 months ago +27

    Funny he mentions Heartbleed. OpenSSL patched it really quickly after it was DISCOVERED, and many companies worked together to roll out security updates. Can't say the same for commercial software. There might be a 1993 zero-day lingering around in the legacy codebase of Windows through which someone is logging in and out of our Windows machines silently. Probably not, but we have no means of DISCOVERING it and fixing it. No new engineers will touch the legacy code base. Old engineers who wrote it are either no more (bless their souls) or retired, except for a very few people who cannot possibly maintain such legacy code bases. Open source may not be perfect but is way better than hiding the code and saying "Trust us".

  • @shableep
    @shableep 11 months ago +53

    I’ve been listening to a bunch of videos of this guy spitting wisdom about programming. But this hot take makes me a little skeptical of things he said that I agreed with and took at face value. So I guess I now have a healthy skepticism.

    • @solitary200
      @solitary200 11 months ago +14

      He has plenty of bad takes.
      He’s an average game dev with a hot mic.

    • @youtubeenjoyer1743
      @youtubeenjoyer1743 11 months ago +7

      @@solitary200 I'm sure an average game dev has analyzed the industry and concocted their own compiled language to address the problems they have found at least once, or has produced multiple games that sold very well.

    • @solitary200
      @solitary200 11 months ago +1

      @@youtubeenjoyer1743 just because your game sells well doesn’t mean you’re not mid. Point stands. As for Jai, let’s see when it’s released 😂

    • @youtubeenjoyer1743
      @youtubeenjoyer1743 11 months ago +7

      @@solitary200 The point that stands is that you don’t know what an average game dev is.

    • @solitary200
      @solitary200 11 months ago

      @@youtubeenjoyer1743 You're conflating below average game devs and average because you're injecting yourself into the latter.

  • @jfftck
    @jfftck 11 months ago +25

    I can tell you that a lot of closed source software uses open source libraries, so none of the software would be free from this type of exploitation.

  • @dingoDogMan
    @dingoDogMan 7 months ago +15

    They hated him because he told the truth.

  • @CyberDork34
    @CyberDork34 11 months ago +58

    I think this is kind of a bad take. First of all, his take is pretty much similar to the infamous "hypocrite commit" paper from a few years ago that generated all that drama in the Linux community. The idea was that it was hypothetically possible to insert malicious code into the Linux kernel by submitting commits that claim to fix an issue but actually cause a vulnerability. The issue with the study, besides the fact that they ran it without asking people's permission, is that it kind of ignores the amount of trust required to actually put a change through the Linux kernel, as well as the amount of vetting and testing, often backed by companies with an interest in security, the kernel codebase actually goes through.
    If the NSA wants a backdoor in the Windows kernel for "national security reasons", they can literally just... pay Microsoft to install one. They wouldn't need a sleeper agent or something working for Microsoft to secretly add a vulnerability.
    I'm sure the government studies security vulnerabilities in common FOSS to design attacks and vulnerabilities, but that's not actually special or unexpected information

    • @Narblo
      @Narblo 11 months ago +1

      But didn't they actually merge a malicious commit and have to reverse it and vet the paper authors?

    • @CyberDork34
      @CyberDork34 11 months ago +6

      @@Narblo I believe the story goes that the commits that were merged did not contain the bug the researchers meant for it to contain. But yeah the Linux Foundation went back and cherry pick removed every single commit from the university to the Linux kernel, then vetted them all one by one, finding that the vast majority were clean, and the mistakes that were there weren't really malicious. But I could be misremembering

    • @ja31ya
      @ja31ya 10 months ago

      Exactly this... there is more flexibility in buying people than there is in finding some hacker to infiltrate open-source. He's focusing so heavily on one attack vector (open source) rather than realizing a far simpler solution is to just buy or lobby a person to do the dirty work, who is already at a high level within a company/agency. He already admitted that he saw evidence of espionage within large corporations, so I'm not sure why he narrowed his field of vision to open source. In this case, I don't think he's seeing the forest for the trees.

    • @whodis5774
      @whodis5774 10 months ago

      It is a hypothesis worth thinking about.
      The argument of "in Windows it would be worse" is really bad. I don't want to be better than Windows, because that is easy; I want Linux to be GOOD.

    • @viata.
      @viata. 8 months ago +8

      Well, what do you think about this now that the xz utils backdoor thing happened? The guy supposedly released a commit fixing a problem 2 years ago.

  • @GonziHere
    @GonziHere 11 months ago +15

    Ultimately, it's a "trust me, bro" from a corporation or a FOSS which I can audit myself. I agree with what he is saying, and yet I feel like FOSS is a significantly better option. Also note that my stuff might be FOSS without it accepting any PRs at all, so he mixes full community development with FOSS as if it is the same thing...
    Generally love the guy but heavy disagree here.

    • @MAXIMILI
      @MAXIMILI 11 months ago

      Sometimes this man is so full of bullshit. That's just had to be said.

    • @stalwart6100
      @stalwart6100 10 months ago +4

      Sure, go audit 1 mil lines of linux code, give you a week

    • @GonziHere
      @GonziHere 10 months ago

      @@stalwart6100 I can audit more of Linux than of Windows in that week, but my point was elsewhere.

    • @xeoneraldo1254
      @xeoneraldo1254 7 months ago +1

      Now you know he's definitely correct. The many-eyeballs approach just doesn't work.

    • @GonziHere
      @GonziHere 7 months ago

      @@xeoneraldo1254 It was caught pretty fast. And again, I'm not saying that it's perfect, only that the same thing could happen in closed source but without the catching part...

  • @an_imminence
    @an_imminence 10 months ago +4

    In open source, people who introduce vulns are paid 200k+; people who find them are frequently not paid at all. There's no competition here. Why are they paid so much? Because buying an existing vuln would be orders of magnitude more expensive and (because you bought it from someone) by definition known by others / exploited by others. Whereas your own vuln added by you is known only to you until patched. Exclusivity built in for 1% of the price. It's a no-brainer from just a financial perspective. The Linux code police does not have the funding of a state actor, much less the funding of 10.

    • @c4llv07e
      @c4llv07e 15 days ago

      >people who introduce vulns are paid 200k+
      Source, please
      >people who find them are frequently not paid at all
      Bug bounty
      >The Linux code police does not have the funding of a state actor, much less the funding of 10.
      Yep, and because of this, there were a lot of audits by the state actors themselves.

  • @redetrigan
    @redetrigan 10 months ago +22

    Is there any clip where Jonathan Blow talks about something he likes or thinks is good?

    • @davidspagnolo4870
      @davidspagnolo4870 9 months ago +25

      Yes, the ones where he talks about himself.

    • @jackbotman
      @jackbotman 8 months ago +1

      @@davidspagnolo4870 HAH

  • @aziz9488
    @aziz9488 8 months ago +14

    This aged well hahaha

  • @peterkovacs8445
    @peterkovacs8445 5 months ago +1

    With the xz attack we now had a security breach on Linux that went public. If you see the amount of effort that has been put into this, it is not cheap. And the attack was in an underfunded section that has been popular to use.
    The same attack can be done on the closed source side. The effort is complex in a different way. For the American government it is even easier since there are laws. We saw the tries in the past.
    There are fundamental design gaps in today's BIOS setups, also a closed source production, which makes it possible for skilled malicious actors to add something there.
    The main issue is money. Money dictates speed. Speed means errors, errors mean security breaches. That's simple. Open source is equally affected, depending. My 2 cents.

  • @mav45678
    @mav45678 10 months ago +3

    Interestingly, the Russia-Ukraine war so far has shown that (AFAIK) such exploits are NOT a factor. Russia was not able to perform any major cyberattack during the war. And if they can't, then the number of actors developing such exploits must be vanishingly small.

    • @sergeysmyshlyaev9716
      @sergeysmyshlyaev9716 8 months ago

      Not by Russia and not AGAINST Russia. Turns out the best cyber attack the USA/NATO could coordinate was cutting off SWIFT, blocking apps on the Apple and Google stores and some DDoS attacks during elections.

  • @mlv60
    @mlv60 7 months ago +1

    "fly a dude" I'm dead 😂 I can binge these forever, thank you for uploading them ❤

  • @TurntableTV
    @TurntableTV 11 months ago +5

    I mean, he's kinda right. I'm a regular Andy that checks for open source alternatives to proprietary stuff, but I'm not competent enough to check if the software I download and run for free is safe or not. I just rely on other people's expertise. That is a risk I'm personally willing to take. Saying that open source software is 100% safe is just silly.

  • @user-gw1sh9qc2s
    @user-gw1sh9qc2s 29 days ago

    Jonathan Blow also describes the plot to Battlestar Galactica 2004

  • @bhbr-xb6po
    @bhbr-xb6po 2 months ago

    2:50 "companies still have some degree of QA" made me laugh

  • @theonlybrian
    @theonlybrian 11 months ago +58

    Really don't understand his and Casey's hate for Open Source and Linux.
    What the hell does open source have to do with package managers?
    And the argument that injecting bugs or such for espionage purposes while running windows is a level of tragedy only Shakespeare could write.
    It's the same argument against Wikipedia.
    "Well anybody can just edit it."

    • @badpotato
      @badpotato 11 months ago +1

      because....

    • @stendeter623
      @stendeter623 11 months ago +4

      Nice argument about windows. Checking in bad code is a lot harder than writing bs on wiki though

    • @ProtossOP
      @ProtossOP 11 months ago +11

      I mean for general purpose Wikipedia is fine, but if you wanna go deeper it’s garbage.
      But yeah I’m with you on back doors in OS. Thinking Windows doesn’t have any takes quite a leap of faith.

    • @wisnoskij
      @wisnoskij 11 months ago +7

      Package managers, while they have some intrinsic benefits, exist because open source software does not work. The idea of an OS was originally an abstraction layer between hardware and software such that someone else with a different sound card could run the same program. Linux has somehow made it such that someone with the same hardware and the same software still cannot run the same binary. You almost need to build software individually on every computer. So they create these compatibility packs of software all built so that they work together.

    • @Fabian-pt4wy
      @Fabian-pt4wy 11 months ago +7

      I think many programs don't run out of the box on Linux. You sometimes have to fight the distribution for basic things that just work on Windows. I had several experiences fighting with Debian about installed packages / non-installed packages and was looking all over the internet for solutions, but couldn't find any. Outside of the realm of package managers, hardware compatibility was also a huge problem for me. You don't want to go down the rabbit hole. I've been a software engineer and security consultant for several years so I wouldn't call it a skill issue :D

  • @wilsonwilson137
    @wilsonwilson137 7 months ago +3

    Welp....

  • @shahabgohar3350
    @shahabgohar3350 7 months ago +5

    OOO boy

  • @MrLordFireDragon
    @MrLordFireDragon 11 months ago +4

    Interested to know how many big closed source projects are genuinely better than open source ones. I think a lot of Jon's arguments held better before all the other problems he has with software started accruing. There simply aren't many software companies out there with professionals making cutting-edge bugless software these days; most are full of entry-level programmers filling software with more bugs than they remove.
    The best closed source projects at the moment seem to be stuff like the Designer Affinity suite - stuff put out by smaller companies that haven't been bought and forced to have an absurd profit incentive yet.

  • @emmettmcdow9916
    @emmettmcdow9916 1 month ago

    Chat looks so dumb in this video. Jon is straight up describing the XZ exploit...

  • @amardeep.sahota
    @amardeep.sahota 7 months ago +3

    Nostradamus

  • @sub-harmonik
    @sub-harmonik 11 months ago +3

    Of course it's possible especially in a 'memory-unsafe' language like c, but I'll believe it when I see it.
    Most of the exploits previously used have been based on microsoft or other proprietary vulnerabilities afaik. (e.g. the solarwinds attack)
    Also if they're 'using vpns' you could just shut down the vpn's servers, you don't have to turn off the entire internet..

  • @tubeincompetence
    @tubeincompetence 11 months ago +20

    Blaming others for guessing, while guessing. 😀

    • @jewelsbypodcasterganesh
      @jewelsbypodcasterganesh 10 months ago

      Well it's a fact that many governments direct resources on spying, particularly via technology. Robert Maxwell (Ghislaine Maxwell's father) being one example.

  • @oraz.
    @oraz. 10 months ago +1

    Linux was Twitter guilt tripped by a weeb into adding rust to the codebase so it's safe now.

  • @jfftck
    @jfftck 11 months ago +5

    The only issue with this take is that the number of instances of Linux running in the real world would also make it easier to find the exploits as there are people, also not every patch is applied to every distribution.

  • @DanielMircea
    @DanielMircea 11 months ago +50

    Is his point to use Windows because it's less likely to have a government backdoor? Somebody tell him about Snowden.

    • @danboid
      @danboid 11 months ago +27

      @TheIncredibleAverage He doesn't suggest a valid alternative (to Linux) because there isn't one.

    • @tiranito2834
      @tiranito2834 11 months ago +9

      He himself says that Windows has more backdoors lol, we all know that M$ is a company known for their close cooperation with govs to insert backdoors... it's just that it's more expensive to get a backdoor if M$ does not want you to have a backdoor. I know English can be hard and all, but, like, listening to the video for more than 2 nanoseconds would have answered your questions.

    • @DanielMircea
      @DanielMircea 11 months ago +5

      @TheIncredibleAverage I watched the entire thing mate, don't go with an ad hominem. He clearly thinks open source is less secure because anyone can contribute.

    • @anthonyewell3470
      @anthonyewell3470 11 months ago +5

      @DanielMircea then you also heard him not suggest using Windows over Linux

    • @DanielMircea
      @DanielMircea 11 months ago +5

      I never said he did, and that's why I phrased my comment as a rhetorical question. The idea is that by his own logic a closed source program will be more secure, just by the virtue that they're not taking external contributions alone. If we apply this train of thought, windows would be preferred over linux in his hypothetical attack against a country's computers by a foreign government. Even if everything sucks, you would still want the solution that sucks the least.

  • @gus2603
    @gus2603 11 months ago +10

    My man talking about hacking Windows as if they didn't offer backdoors as a service. They already harvest all of your data by default 😂😂

    • @youtubeenjoyer1743
      @youtubeenjoyer1743 11 months ago +2

      Except these intended backdoors each have multiple unintended backdoors injected by multiple agents sent by different governments.

  • @yasin_karaaslan
    @yasin_karaaslan 2 months ago

    Well, it seems like there is an RCE vulnerability in Linux which has been present for more than a decade and it's going to be announced in < 2 weeks. He indeed was right

  • @Summersault666
    @Summersault666 11 months ago +7

    The bug is in the hardware!

    • @youtubeenjoyer1743
      @youtubeenjoyer1743 11 months ago

      Always has been.

    • @igrewold
      @igrewold 11 months ago

      yeah almost everything hardware, firmware & software is backdoored
      the movie CITIZEN FOUR tells a lot

    • @eugenkeller
      @eugenkeller 9 months ago

      @@igrewold a movie, LOL

  • @timothyjohnson1511
    @timothyjohnson1511 21 days ago +1

    OpenBSD

    • @gx1tar1er
      @gx1tar1er 19 days ago

      BSD is what Linux should've been

  • @s4uss
    @s4uss 10 months ago

    Because of donations to FOSS, they can just hire 2 people to review the same code all the time as their full time job. Code is reviewed by many others too of course. So this is a very solvable issue.

    • @mettemafiamutter5384
      @mettemafiamutter5384 10 months ago +6

      What donations? Most FOSS is criminally underfunded.

    • @s4uss
      @s4uss 10 months ago

      @@mettemafiamutter5384 Well, at least the major ones can afford this, like Linux, Blender and Godot. At least hire 1 full-time dev that does this (but having to really be sure about his background). Anyway, this doesn't actually affect users of this software, not in very harmful ways as some virus would. It's more targeted on creating chaos somehow, disrupting an enemy government, not just stealing user data (which is useless for enemy governments, especially since they can already buy all kinds of user data). And to this day, after decades with FOSS, there has still not been any major incident like this, done by an enemy government or just bad actors that want to steal data/blackmail.

    • @s4uss
      @s4uss 10 months ago

      @@mettemafiamutter5384 additionally, soon you can just have AI analyze all code really fast, and also constantly analyze new added code.

  • @c4llv07e
    @c4llv07e 15 days ago

    Boys say: "give me evidence",
    Men say: "I guarantee", "I have been around for a long time", "100%", "how is that not true" and "how do you think that's not a thing".
    I think it's called conspiracism, but how can I disagree with the best game developer -who has been around since the beginning of the universe- ? /s

  • @thedeester100
    @thedeester100 11 months ago +5

    so there are a lot of people also monitoring and editing the FOSS every minute of every day. More than the threat actors. As fast as weakness is exploited by the few it is patched by the many.

    • @OpenGL4ever
      @OpenGL4ever 8 months ago

      Heartbleed is the best example.

    • @noop9k
      @noop9k 22 days ago

      It is much easier to insert a bug than to fix a bug that was not detected.

  • @RichardBronosky
    @RichardBronosky 7 months ago +1

    11:18 THIS!

  • @potato9832
    @potato9832 10 months ago

    The problem with the backdoor argument against Linux and Linux apps is that foreign governments have an extremely vested interest in rooting out any backdoors surreptitiously inserted by a US government agency. You're assuming government agency developers are always smarter than developers in other fields or other nations. The US military also has a strong vested interest in making sure there are no backdoors in Linux and Linux apps.

  • @zeus000.00
    @zeus000.00 10 months ago +3

    How can someone as smart as JB not understand the difference between open source (anyone can read) and publicly sourced (anyone can write)...

    • @lunabob-ie5qx
      @lunabob-ie5qx 10 months ago +1

      i've never heard anyone use the term publicly sourced before

  • @SnakeEngine
    @SnakeEngine 11 months ago +5

    His criticism about open source doesn't match the success and quality of Linux.

  • @Doomsdayparade
    @Doomsdayparade 9 months ago

    The pirate software guy admits to being one of those people. Targeted foreign power plants

    • @an_imminence
      @an_imminence 7 months ago

      I think he targeted their own power plants to make them more secure. Don't take "hacking power plants" to mean "hacking foreign power plants maliciously". It's just a shorthand job description.

  • @fastflame200
    @fastflame200 7 months ago +1

    With outsourcing, dispersed teams, near-shoring and off-shoring, it is even easier for a malicious (state) actor to inject a team of malicious players.

  • @freedoompictures6839
    @freedoompictures6839 9 months ago

    I can see why his doom and gloom sermons appeal to a majority of people. People prefer easy to consume arguments over in depth ones.

    • @musashi542
      @musashi542 7 months ago +3

      what do you think now ? take the L kid

    • @DoubleJumpPunch
      @DoubleJumpPunch 7 months ago

      What's not in-depth about what he said? Where was his explanation lacking?

  • @SimGunther
    @SimGunther 11 months ago +2

    We deal with state every day, why not have every software written as a series of state machines so we can automatically check what state will break the program?
    Oh no, we need a new feature, but we want it done like yesterday, so will you rush through this and not care about reducing code size or testing beyond what is required to pass those "pesky" audits?
    That's software in a nutshell.

  • @etiennez0r846
    @etiennez0r846 6 months ago +1

    now we know who is behind xz backdoor

  • @illegalsmirf
    @illegalsmirf 10 months ago +1

    As a programmer you get paid far too much, a lot of what you do can be simplified and/or automated and I look forward to the day you lose your priest caste status

    • @fk3239
      @fk3239 9 months ago

      If this is a jab at programmers, this is a strange take. If this is a jab at Blow, sure, sorry.

  • @andretheophilo4102
    @andretheophilo4102 7 months ago +1

    Man, what a bad take, huh

  • @krunkle5136
    @krunkle5136 15 days ago

    Unix, which Linux is a clone of, was developed by people with masters degrees under the same roof.

  • @sv_gravity
    @sv_gravity 11 months ago +14

    I think the channel author is doing dishonest low-effort work cutting and pasting these clips on UA-cam, without any added value, by not providing any kind of response or critique, solely relying on the UA-cam comment section, which is one of the worst places on the internet to have meaningful discussion.

    • @josephsmith5110
      @josephsmith5110 11 months ago +11

      The added value is the clip being titled rather than existing in a multi-hour stream archive.

    • @lucasjames8281
      @lucasjames8281 11 months ago +3

      It would detract value if they sat and talked over it. They add value by giving a snippet of a whole subject he’s talked about and titling it. Very few people are gonna sit through a 4 hour stream to find content on a topic that interests them

    • @sergeysmyshlyaev9716
      @sergeysmyshlyaev9716 8 months ago

      That's called a 'highlighter' and this is very common on YT

  • @priapushk996
    @priapushk996 11 months ago +1

    Take several seats. Nothing you do is that important.

  • @zxuiji
    @zxuiji 10 months ago +1

    1:30, the reason you're wrong on that particular point is because of how many companies keep their eyes on the Arch Linux codebase, because they stand to lose so much if malicious code gets in there, not to mention the number of distros and regular users too. Distros on the other hand... depends on the distro, but you may have a point.

    • @OpenGL4ever
      @OpenGL4ever 8 months ago +1

      Heartbleed proved you already wrong. Thousands of companies built their foundation on OpenSSL and used it to run their platform, online shop, customer support, etc. and no one has found this security hole in years.

    • @zxuiji
      @zxuiji 8 months ago

      @@OpenGL4ever a security bug is not the same as malicious code. If you think it is then you need to see a therapist

    • @OpenGL4ever
      @OpenGL4ever 8 months ago +1

      @@zxuiji A security bug allows malicious code to be inserted, that's one major entry point. Your last sentence is kindergarten, grow up!

    • @zxuiji
      @zxuiji 8 months ago

      @@OpenGL4ever And you have just proven you need to see a therapist. Bugs are not intentional, malicious code is. Learn the difference; until then you'll be treated by many (especially myself) as clueless.

    • @OpenGL4ever
      @OpenGL4ever 8 months ago +2

      @@zxuiji
      You're wrong. Intentional security holes are bugs that are intentional. Their task is to look like simple bugs so that they do not allow any conclusions to be drawn about the intention of the perpetrators who installed them. The person responsible can thus deny that they intentionally installed the bug.
      Your insults don't help you, they just force you into the confessional.

  • @pipeliner8969
    @pipeliner8969 8 months ago +1

    What do you think about the Godot Engine?

  • @gmodrules123456789
    @gmodrules123456789 10 months ago +1

    This guy is so full of shit. If it was so easy to break the Linux kernel, then why hasn't anyone done it yet? The incentives to do this are obviously huge. Yet nothing has happened. Not in the decades since Linux was introduced.
    Does this guy ever provide a single source for what he claims? Ever? Like, even once? Because it seems like all he does is run his mouth, end the sentence with "right?" and then assume that he is correct and that his audience agrees with him.
    Has this man ever faced a single ounce of real scrutiny?

    • @trumpetpunk42
      @trumpetpunk42 10 months ago +3

      Come on, man - he made one cool game. That makes him a cyber security expert!

    • @SurrogateActivities
      @SurrogateActivities 10 months ago +3

      It was done, I guess. "On the Feasibility of Stealthily Introducing Vulnerabilities in Open-Source Software via Hypocrite Commits"

    • @xyangst
      @xyangst 10 months ago +1

      @@trumpetpunk42 2! And he'll release a third one before 2050 maybe 🤔

    • @Bramble20322
      @Bramble20322 7 months ago +5

      Come again?

  • @ElPikacupacabra
    @ElPikacupacabra 11 months ago +1

    He's calling out people, but in fact he's also guessing for the most part. Why act like you're intimately familiar with something that has to be top secret by definition?

  • @nikolaiborbe3366
    @nikolaiborbe3366 7 months ago +2

    lol

  • @earthian2777
    @earthian2777 11 months ago +2

    He ALWAYS makes claims without any evidence, and still thinks others need to give their evidence for their claims. You need to read Immanuel Kant.

  • @rihgdb
    @rihgdb 8 months ago +1

    Lots of accusations. No sources.
    But believe him: "I guarantee, ..."

    • @johncombo
      @johncombo 7 months ago +9

      Comment aged like milk. John clearly knows what he's talking about.

    • @babylfsh
      @babylfsh 6 months ago +1

      @@johncombo The xz backdoor was a perfect storm, and it still got caught before going into major distros. People who view this as a failure of open source don't know what they're talking about at all

  • @_start
    @_start 11 months ago +2

    LSP is the greatest thing humanity has ever invented!

  • @quantum_dongle
    @quantum_dongle 11 months ago +5

    Blow calling out every person who hasn't taken a cyber security class or two lol

    • @dave7244
      @dave7244 11 months ago +4

      Supply chain attacks can happen with proprietary software as well. In fact I think it probably has happened more often.

    • @quantum_dongle
      @quantum_dongle 11 months ago +2

      @@dave7244 I think his point is that regardless of the openness of the source code, the total attack surface and the amount of people who stand to gain from planting vulnerabilities outweigh those trying to find them

    • @dave7244
      @dave7244 11 months ago +4

      @@quantum_dongle he is talking about it being an open source specific problem when it isn't.

    • @igrewold
      @igrewold 11 months ago

      there be certs for infosec; CEH, Security+, CISA, CISSP ...etc.
      cyber is just myth since some people are still stuck with older net connections such as DSL ...etc.
      See Jeff Geerling & donating his Satellite Net Dish to his cousin

    • @Bramble20322
      @Bramble20322 7 months ago +1

      @@dave7244 Maybe, the barrier of entry for closed source software is orders of magnitude higher, though, and the risks for the agents involved are also orders of magnitude higher.

  • @twenty-fifth420
    @twenty-fifth420 10 months ago +2

    Basically conspiracism. It is no wonder he thinks Linux is 'too complicated', he conjectured straw men and cherry picked arguments that are in no way true.
    There are hundreds of Linux 'forks', the Kernel team has a vested interest to not have any backdoors. Unlike say closed source, where the trust is entirely one way and implicit. Not with Linux, it is always explicit in what it wants you to do.
    Also, no software is perfectly safe, but closed source is just as unsafe as open source, with the caveat that if there is a bug or security issue, a closed source team can hide it. Not so with an Open Source team.
    I still use Windows, but Linux is far more comfortable and considerate both to me as a dev and a user. And there is plenty of open source, high quality software that matches their proprietary counterparts, if not trading off in either performance, personability, or practicality (like the learning curve or UI/UX.)
    Now, that isn't to say the possibility of a back door will never exist, but it should be substantiated with proof. The closest I can think of is a fork that probably built a backdoor in itself, Red Star OS (built by North Korea's Communist Party and Government). Ironically, a Linux Based OS probably because they cannot afford Windows nor get it due to sanctions. Otherwise, you can safely dismiss this concern.
    The strongest argument he has is 'software quality', but only in the case by case. And even then, teachers who could somehow grade Open and/or Closed Source will have to decide quality based on some testable metric. System Crashes? Bugs? Security Exploits? Or just plain code quality? (Does it look pretty?).

    • @johncombo
      @johncombo 7 months ago +7

      Aged like milk.

    • @Bramble20322
      @Bramble20322 7 months ago +4

      As you were babbling in your response, some dude literally put malicious code inside open source software and was only found because another dude from Microsoft investigated it, lmfao.

    • @boris---
      @boris--- 7 months ago +1

      7:17 he's talking to you

    • @abuDA-bt6ei
      @abuDA-bt6ei 4 months ago

      What's the difference between a conspiracy theory and reality? A few months.

  • @AviatorXD
    @AviatorXD 11 months ago +16

    This is by far the most delusional take I've heard from him. A university tried this by adding bugs or exploits to the kernel and they got caught instantly and are now banned from contributing.

    • @AviatorXD
      @AviatorXD 11 months ago +1

      also at the same time, like he says that state actors probably employ people to plant bugs, the same state actors also probably employ people to find bugs from others so it kinda fights itself out.

    • @tiranito2834
      @tiranito2834 11 months ago +32

      Don't lie, they weren't caught instantly. They were caught AFTER they published a paper about what they did themselves, which means that Jon is 100% correct. How long would it have taken for the kernel devs to realise that the exploit was there if it wasn't for the fact that they themselves confessed in their paper? If it wasn't for that, the bug would have gone unnoticed for far longer. They got banned because they confessed, otherwise nothing would have happened and the exploit would still be there sitting in the repo.

    • @gabriel-ej7jb
      @gabriel-ej7jb 11 months ago +14

      They didn't get caught, they actually confessed. Some researchers of that university published a paper recounting that they successfully slipped in malicious code into their bug fixes. The paper is called "On the Feasibility of Stealthily Introducing Vulnerabilities in Open-Source Software via Hypocrite Commits".

    • @tiranito2834
      @tiranito2834 11 months ago +7

      @@AviatorXD No, it does not fight itself out. Why would it? As a matter of fact, it adds to it.
      He never defends closed source software or Windows as better alternatives to open source software. All he did is say that bad actors will have a harder time getting backdoors or slipping exploits into closed source software. Simple as that.
      I know "it's Jblow so I must hate hurr durr" but like, put in a little bit of effort and fully listen to what he has to say before you criticise him.
      We already know that M$ is known for cooperating with govs to insert backdoors, and adding tons worth of spyware to their (terrible) OS. The point is that if a third party that MS does not want to give that kind of access wants to achieve it, then they will have to do a lot more work to slip by their security than people who want to slip into open source projects. It's possible, but it's harder. Understand the difference between the words "impossible" and "hard"? I hope you do.

    • @baki9191
      @baki9191 11 months ago

      @@AviatorXD fights itself out? You unironically know fuck all about what you're talking about. Just sit on the bench and let people who know things talk.

  • @sporefergieboy10
    @sporefergieboy10 11 months ago +1

    This is just a false dichotomy. Good software will have fewer defects than bad software. It has nothing to do with FOSS vs. proprietary. The method of distribution affects some things like the choice of security through obscurity or the ability to perform public audits. The fractal hell of Linux contributors seems like a deficit and there are documented cases of the espionage issue Jon raises. On the other side of the coin Windows needs to be restarted every 5 days and there has been 0 days since the last discovered CVE.

  • @bokunogentoo4420
    @bokunogentoo4420 11 months ago +13

    does he not know that pull requests have to be reviewed and approved by the (FOSS) project owners before someone's contributions are added to the codebase?

    • @stendeter623
      @stendeter623 11 months ago +6

      He has no idea how OSS development works.

    • @spectr__
      @spectr__ 11 months ago +17

      You didn't watch the video...

    • @gamedevjoni
      @gamedevjoni 11 months ago +4

      Linux distribution maintainers often add patches and changes to the projects they package. And usually only binaries are distributed - checksum level reproducibility is often hard. When there are tens of thousands of packages and far fewer maintainers, hundreds of distros, few can poison the well and it is difficult to detect.

    • @lucastavares3518
      @lucastavares3518 11 months ago +3

      that's exactly his reason why FOSS is bad, even when the software is made in a good way, it is fucked up in the process of requiring packaging and being packaged for a distribution.
      debian is a great example of fucking with ppls projects with patches

    • @c4llv07e
      @c4llv07e 15 days ago

      @@lucastavares3518 What does this have to do with FOSS? Do you think if debian was proprietary, there would be no package managers or what? I don't get it.

  • @tototitui2
    @tototitui2 10 months ago +10

    Jon had ups and downs but this one is incredibly wrong. It is always easy to build up conspiracy theories but can you give us ONE example then? A real one: show us code and link it to a state actor. It is so intellectually cheap to theorize bullshit.

    • @qwelias
      @qwelias 9 months ago +5

      there was literally a case of uni students Trojaning a bug into Linux as a case study and then when they disclosed it the whole university got banned from contributing

    • @tototitui2
      @tototitui2 9 months ago

      @@qwelias ha yes I remember this one.

    • @k.8597
      @k.8597 8 months ago +4

      @@tototitui2 choked on ur words there didn't ya

    • @WhoisTheOtherVindAzz
      @WhoisTheOtherVindAzz 8 months ago

      He didn't question whether it was possible @@k.8597

    • @musashi542
      @musashi542 7 months ago

      what about now? take the L

  • @thirstisr34l
    @thirstisr34l 11 months ago +2

    I think the issue is that he believes something malicious is happening without proof.

    • @igrewold
      @igrewold 11 months ago

      he guaranteed 17 bugs which means he's done some Software Engineering witchcraft dubbed as gray box testing rather than white & black
      you might wanna read some SWE book
      there be lotsa coding witchcraft tactics on the corpie level

  • @bastiat6865
    @bastiat6865 9 months ago

    Fuck

  • @pipeliner8969
    @pipeliner8969 8 months ago +2

    I don't agree with you here

    • @maximumcockage6503
      @maximumcockage6503 8 months ago +8

      8 hours later and they just found that SSH libraries have backdoors in them submitted by open source devs. This comment aged poorly.

    • @pipeliner8969
      @pipeliner8969 8 months ago

      @@maximumcockage6503

    • @pipeliner8969
      @pipeliner8969 8 months ago

      @@maximumcockage6503 I mean this is not an open source exclusive thing, see the issue with the Apple M chips that was just discovered

    • @musashi542
      @musashi542 7 months ago +5

      @@pipeliner8969 take the L

    • @jesusmgw
      @jesusmgw 7 months ago

      See 7:17

  • @hightidesed
    @hightidesed 10 months ago

    god this man is cynical

  • @poggybitz513
    @poggybitz513 11 months ago +3

    it has been researched over and over again, and it has been proven that open source is more secure than closed source. the world literally runs on open source software. the software you use, vscode and windows, also uses a bunch of open source software. lmao.

  • @MenkoDany
    @MenkoDany 11 months ago

    Jon is wrong on this one big time. I know Linux kernel devs and they're on top of it. Linux's biggest issue is reliance on Linus's guiding hand. He has handed off a lot of responsibilities already but still there's no replacing Linus