BIG security issue, Redis ditches FOSS, future of Linux is bright: Linux & Open Source News
Вставка
- Опубліковано 6 чер 2024
- Use SquareX to protect your browsing, email and OS with a suite of disposable tools: sqrx.io/tle_yt_v2
Grab a brand new laptop or desktop running Linux: www.tuxedocomputers.com/en#
👏 SUPPORT THE CHANNEL:
Get access to:
- a Daily Linux News show
- a weekly patroncast for more personal thoughts
- polls on the next topics I cover,
- your name in the credits
UA-cam: / @thelinuxexp
Patreon: / thelinuxexperiment
Or, you can donate whatever you want:
paypal.me/thelinuxexp
Liberapay: liberapay.com/TheLinuxExperim...
👕 GET TLE MERCH
Support the channel AND get cool new gear: the-linux-experiment.creator-...
🎙️ LINUX AND OPEN SOURCE NEWS PODCAST:
Listen to the latest Linux and open source news, with more in depth coverage, and ad-free! podcast.thelinuxexp.com
🏆 FOLLOW ME ELSEWHERE:
Website: thelinuxexp.com
Mastodon: mastodon.social/web/@thelinuxEXP
Pixelfed: pixelfed.social/TLENick
PeerTube: tilvids.com/c/thelinuxexperim...
Discord: / discord
#linux #opensource #linuxdesktop #technews
Timecodes:
00:00 Intro
00:32 Sponsor: SquareX
02:26 Big security flaw in a common package
04:07 Redis is forked after licence change
06:40 The future of the Linux desktop is looking good
08:26 Ubuntu 24.04 will be better for gaming
10:06 Canonical addresses the scam snap problem
11:26 Flathub improvements and adoption
13:03 Gaming: new Nvidia driver, EA anticheat
16:31 Sponsor: Tuxedo Computers
17:51 Support the channel
Big security flaw in a common package
www.phoronix.com/news/GitHub-...
www.redhat.com/en/blog/urgent...
www.phoronix.com/news/XZ-CVE-...
Redis is forked after licence change
www.linuxfoundation.org/press...
redis.com/blog/redis-adopts-d...
www.computerworld.com/article...
The future of the Linux desktop is looking good
blogs.gnome.org/uraeus/2024/0...
Ubuntu 24.04 will be better for gaming
www.omgubuntu.co.uk/2024/03/u...
Canonical addresses the scam snap problem
forum.snapcraft.io/t/manual-r...
Flathub improvements and adoption
mastodon.social/@flathub@flos...
Gaming: new Nvidia driver, EA anticheat
9to5linux.com/red-hat-announc...
www.gamingonlinux.com/2024/03... - Наука та технологія
Use SquareX to protect your browsing, email and OS with a suite of disposable tools: sqrx.io/tle_yt_v2
Sorry, that is bs, and its sad that you spread fud, you should check your facts before pumping a video in the wild. ❤
I don't like the change of the redis license but of course every developer can use, borrow, export and touch the code. The thing i can now not do anymore is take the code of redis and sell it to other people to make a shitload of money without doing any work 😅.
Redis is harming the open source community with this step, sure, but much harder do big cloud companies hurt it with taking other peoples work for free and sell it for money.
Andres Freund, who found and reported the xz backdoor, should be called "The XZorcist".
i saw this comment on brodies video lmao
As Linux gets more and more popular, hackers will find the beautiful platform more attractive as hacking fodder! Simple! But it's OpenSource, thus we WILL survive!🐧🐧🐧🐧
Tbh, Linux is super popular in the server market. So hackers have been very interested in it for a long time now.
Desktop Linux is the one gaining popularity, servers are already!
The xz back door was added by a core maintainer. Not some random hacker.
@@tablettablete186 My bad. I overlooked that. My vision was blurred with penguin feathers, while trying to save their eggs over this Easter egg-hunting seasonal fiasco. But that solidifies that fact of LINUX's power, even more! The majority of super-servers out there is LINUX based. Desktop users will always be less careful. The hackers KNOW that!
@@brandonw1604 listen to YOUR answer, "a core maintainer, not a RANDOM hacker". Oh by the way social engineering comes in more flavors than all of Linux's distros added.
WHAT THE FUCK IS A USERBASEEEEEEE 🐧🐧🐧🐧🐧🐧🐧🐧🐧🐧🐃🐃🐃🐃🐃
Hi Nick.
(maybe you already know) The increase of vm_map_max_count on Ubuntu is the first initiative from Gaming Linux Fr community to make Linux distributions better for gaming.
Don't know what they will try next, but that's nice, and easy to participate.
Nice!!
the thing with Redis is that even their justification doesn't make any sense, if they wanted to prevent corporations from taking advantage of them they could have dual licensed with AGPLv3 and a custom commercial license, so much software does this (like Qt for instance) and it does the same thing as they wanted while still keeping it fully FOSS.
They shot themselves in the foot for no reason.
same case for mongodb, but unlike mongodb which is ahead of time that forks and clones still aren't up to standard, redis had several alternatives (keyDB and dragonflyDB) that outperformed redis by orders of magnitude, while being 100% compatible with redis clients. This time with redis isn't just a tradeoff, it's total loss for them
Note: dragonfly is still not fully FOSS yet, but it will by 2028
That isn't actually accurate - AGPL doesn't require cloud providers that provide "Redis as a service" to get a commercial license, while small companies - some of which pay Redis consulting fees - would need to expose all the data on their servers. AGPL is not the correct license to fight AWS taking your code, making it commodity and drying up your support and consultancy work.
The same old problem with BSD type licenses. Somebody else will monetise your code and get to screw you over.
@@MattVickers You're not screwed over since you agreed to letting them monetize your code before contributing code, and you can monetize it also.
@@fakecubedyeah? you can found a cloud company with nearly monopolistic advantages like aws, azure and google cloud? well, they should have hired you for consultancy work! 😂
I was a developer for one of the largest Minecraft multiplayer server networks and Minecraft has a notorious issue with cheaters. We developed a pretty sophisticated platform to detect an ban cheaters, which was a combination of heuristics that would calculate a score as to how likely each player was cheating and with what tools. Over a specific threshold they would just be banned automatically but below that, it would alert the moderators to go and watch their behavior live. However, the heuristics never encompassed anything machine learning related afaik, but I played with the thought back then. Glad that I am not the only one who wants to see AI being used for this :D
Training that AI would have been pretty easy, because each time someone was banned, an automatic replay of the entire round with each players actions was saved for evidence and dispute purposes (that replay system was an insane achievement all by itself)
Funny, nowadays people would be claiming you're close to AGI with that heuristic analysis 🙄
One of the most worrying things about the whole xz situation is that the only reason they found out about the possible backdoor was that it slowed down some systems, which prompted certain people to investigate the cause of the slowdown, going down a deep rabbit hole.
This means that if the programmer of the possible backdoor had been more competent and wrote faster code, then it might have never been detected at all.
That first sentence describes my life right now - finding a slight performance bug, figuring out why it's happening - and then not having a clue as to what can really be done...
For instance, running WINE [or proton] and then loading up the browser after connecting to the internet leads to some strange behavior when the browser is closed and the network disconnected again: the CPU has an extra load on it that comes in pulses lasting for 15 seconds, before going quiet for about the same amount of time - though Iv'e seen pulsing as short as 1 second and as long as 2 minutes...
I HOPE it's just a windows-ey thing that's happening as a result of 'svchost' getting a network connection, and NOT something strange packed into the casks these days!
SOLUTION: Sanitize the session before and after using wine, when network traffic will be involved. Do this by resetting the shell, and the window manager - the method for which is distro and desktop dependent - and probably does not work in Wayland (I saw similar issues on Debian - but traced the excess undulating CPU usage to a "worker" process which was root protected.)
you open an issue for this? @@Vilvaran
Not only that. The delay was merely 500ms. Unnoticeable to most of us muggles
@@borg-dx1st Not yet, as it's got to be tested under more conditions.
I can't blame wine or firefox or anything else in the chain, until I eliminate hardware / drivers as possible causes.
And then there's distro, as I mentioned it happened under Debian, and I'm seeing it under Arch / Manjaro - but I don't see it on Kali.
Though installing wine and anything under it is a tedious process on Kali...
So yeah - one of many things to do after I rebuild my distro that i recently made - that has the back door in it x_x
@@asgacc8789 Ahaha indeed. But yeah kudos to the person who figured it out. Certainly takes some wit and patience to dig up stuff like that
There is a lot of speculation around xz and how much CVEs could be waiting to pop up from the project, even before 5.6.x. The developer has been around for a while and have basically been confirmed to have been making dangerous commits before they all combined into this CVE. This backdoor specifically targets deb and rpm building, but we don't know if there is anything more that we need to be cautious about. For now, I'd advise reverting back to xz-5.4.6, then avoid downloading xz tarballs, unpacking those tarballs, and creating xz compressed tarballs. gz, bz2, and zst are suitable replacements. Stay safe, people.
What command you used to detect your xz version?
@@Subh8081 `xz --version`
@@scyth2 No, it's better to use the package manager from your distro to detect xz version than the app itself, since it is compromised. For example using apt: apt list --installed | grep xz
@@arthurcastro9741 Yes, better still.
Damn, is it bad that I dont know the majority of ehat you just said? How can someone using Linux Mint woth very little knowledge protect themselves if possible
Man, IG EA decided to completely pass on millions of dollars, I honestly was not expecting a company to actively break comparability for Linux gamers when market share is going up like this
EA Games
Piss off everyone!
Regarding checking the version of xz, do not use xz to print the version itself, but check it using your package manager. You don’t want to run the malware to check itself
Note on redis, there are 2 licenses available, one is clearly source available and doesn't let you redistribute, the other does let you redistribute, but with the restriction that should you host the code as a service, you are required to also provide all tools used in combination to host said service.
The Anti-Cheat that Helldiver 2 uses is quite good, from what I have experienced so far. It works on Linux when running through Proton and I haven't seen a single Hacker yet, even though I've been playing Helldivers for multiple hours a day since release.
Yeah I’ve been having a great time as well !
Arch seems not affected since the script in the malware only runs if the package is a deb or rpm... so there is "distro" intent, implicit in the code
Arch was not affected because it does not directly link liblzma to openssh. It still pulled the contaminated source tarballs that affected debs and rpms, complete with the entire back door, although there’s no way to trigger it unless you had compiled your own version of openssh that links liblzma. It’s why arch now uses git directly. Arch got lucky, as did everyone else.
Actually, both are true. The exploit specifically checks for .deb or .rpm based x86_64 distros, including Debian, Ubuntu, Fedora, and RHEL.
Arch got lucky in that it doesn't link openssh to liblzma via systemd, unlike Debian, but it also wasn't specifically targeted.
Thank you very much for keeping us up to date
The second that xz issue came up yesterday I rebooted out of 40 back to my 39 install and fdisk-ed that drive. Talk about a reaction 😆
Sounds like when a fake web site suddenly pops up in a tab, then your heart sinks and then wipe the drives and change passwords, just like my early-February, 2024 incident. :( It was with Windows 11, but it doesn't matter, I still wiped the SSD, because of a suspected drive-by-malware-installation attempt.
shoulda called the fork Freedis
New number who freedis?
We have already Redict
Freedis and Freedat, it's like advertising free software. thumbs up 👍
Thanks for the heads up! got some updates to run
Could someone explain to me why would an anti-cheat be installed on a user's computer?
Shouldn't the anti-cheat be on the SERVER side instead of the client side?
Feels useless in client side, because it's a downloaded binary, meaning the client can remove the protection, while the server one is... impossible without literal access to the server
Totally agree
yeah this already the way built in minecraft anti cheat works (yes there is a built in one.) And minecraft plugins also do it this way.
cheating is usually done with the aid of a computer program on the gamer's pc. the server has no visibility into the gamer's pc. the anticheat software is looking for things that won't be happening by a human (buttons being pressed faster than humanly possible, programs running other than the game, etc).
@@SteveHazel If pressing buttons (or emulating/ automating them) too quickly is the problem, then couldn't the game client just ignore the inputs instead of needing to monitor kernel level events globally? I'm not sure all client side cheat exploits have as simple a solution, but I would like to think that the game servers should be able to identify invalid states reported by the (potentially modified or manipulated) game client for other cheats that aren't related to input automation. The problem of preventing user access to locally cached information about other players that should not be visible is kind of a hard problem, though.
As somebody who's never cheated at multiplayer games in his entire life, but has been accused of cheating in said games many times, it's actually quite difficult to tell the difference between a game being modified to play itself at a high level, and a human player who's actually that good or that lucky, based simply on input and results. I do think software, server-side, could be used to detect statistically implausible strings of luck and/or performance. Statistical analysis is how they catch cheaters at online chess, and even some cheaters at chess in in-person chess tournaments.
The thing about cheaters is they don't cheat just a little bit, get a few good results, and then stop. And if they did do that, they aren't a serious problem anyway. Such anomalies don't really impact other players that much, and things work out as they should in the end. The cheaters that cause problems are the cheaters who keep cheating all the time. This can be detected statistically, using a variety of metrics. It wouldn't catch the cheater instantly, but it would catch them after a while with a high degree of confidence. The exact metrics used could be preprogrammed, or be determined based on some kind of self-trained AI model. Then it wouldn't matter the specific methods by which cheaters cheat.
It might also be interesting not to ban cheaters, but put them into a sort of ladder, where they end up only playing against tougher and tougher opponents, and if they keep beating those, they will end up playing against just the other cheaters. Personally, I'd be very curious to see how far things could get, as cheaters try to out-cheat each other. Just as it would be interesting to see how effectively humans could play chess against each other, if the humans were assisted by their own chess computer engine. We know that computers can already play chess at a much higher level than humans can, but humans assisted by chess engines can actually be much better at choosing from the chess engine suggested moves, based on their experience.
So I say, let the cyborgs fight each other, just put them in their own league by themselves where they won't bother anyone.
We still lack a good sdk for flatpaks. I don't really like the idea to compile a package for a native system and trick it to run on flatpak. A flatpak runtime that I import just like Android libs would be better.
For anyone on Arch or -based the package names you want are "xz" and "lib32-xz" as those include liblzma, version 5.6.1-2(latest) is safe, versions between that and 5.6.0 are not.
That's only safe from the recently discovered backdoor. The perpetrator had been maintaining xz for at least 2 years, probably more. Can't be sure that he hadn't put in more holes during those two years.
Gentoo Linux had taken the extreme measure of masking everything after 5.4.2.
@@PanduPoluan maybe there's more, I was just relaying from the arch security advisory
Thanks!
That SSH vulnerability is scary. I'm luckily unaffected and I expect it to not be a problem for release Fedora.
As for EA anti-cheat: kernel level anti-cheats like EAC do work on Linux (it even has a native Linux version). However, kernel level access on Linux means something completely different than it does on Windows. When running on Linux the anti-cheat runs in userspace, heavily containerized. Same story with the anti-cheat in Helldivers 2. EA not considering Steam Deck is entirely by choice. It can be done, it isn't super hard and I'm pretty sure the folks at Valve will happily sit down and work with any dev/publisher to get it working. After all, a game running well on the Deck is a nice selling point for everyone.
kernel level anti cheat such as ea anti cheat uses in bf2042 does not work on linux. It's developed in house by EA
EAC is licensed to ea games and ea does not develop EAC. It's now owned by Epic
The xz attack should be a wakeup call. We need companies that benefit from free software to start paying some money into supporting it, especially into securing supply chains. I also think the days of semi-anonymous contributors contributing to important open-source projects are numbered. We will need strong forms of identification to know who is contributing and to track what they do.
I feel like the increase in Linux market share is having the same effects as the increase in Mac market share in the early 2000s. As market share increases, more things like this will happen.
Lol no. We need improved quality assurance of contributions , not reduced privacy of contributors.
I think it is unrealistic to expect the open source ecosystem to change - RedHat and friends have made a lot of money from reusing code written by unpaid volunteers all around the globe. When the next best compression algorithm is created by some girl in an African jungle, they'll grab that and not pay her a dime - not because she's a woman or African but because that's what they do.
But maybe next time they'll know better than to disable the valgrind static compiler checks...
What about people using the software. But most important don't fork, don't port the same shit into 100 different language, stick with C and C++ for libraries.
No, why reduce privacy? That's never the answer
squareX looks very interesting and helpful! thanks for another awesome tip!
Just to confirm, the SSH security issue only applies to distros that patch the base OpenSSH with liblzma. Arch, for example, does not patch OpenSSH and as such is not susceptible. However, Debian and some other distros do, so any and all Debian or Debian based installs should make sure they are not compromised, and fix it if they are.
More info on the issue from Low Level Learning: ua-cam.com/video/jqjtNDtbDNI/v-deo.html
Unfortunately, deb and rpm-based distros are what run most servers. No one's running Arch in prod unless they're very brave and have no compliance requirements.
@@zacanger yeah, just wanted to state this as it is mentioned in the video that rolling release like Arch and arch based distros should be wary.
Hopefully this was caught before anyone really switched to the latest version though, and hopefully no one was compromised.
@@pranavbadrinathan6693For sure. I'm actually very concerned about people doing things like shipping an Alpine image but with glibc and libsystemd, or building random packages from tarballs they found because a Stackoverflow answer somewhere said to. Everyone should check all their systems and images, just in case.
@@zacanger the good thing about arch is that it teaches you how to fix it if anything breaks. So there is not a lot of bravery involved in running it in production, it's just the compliance thing and also people sticking to what they know, and most know the debian variants. In the almost 10 years of running arch on several PCs and servers, I had maybe 2 breakages that weren't my fault (systemd-boot changing syntax being one, a btrfs bug preventing mounting the system being another) and those I could have prevented if I read the news before updating. Still, reverting to a working system was easy and came without data loss.
@@AzureSoukyuuI think we're talking about different levels of "prod." Right now my company's environments probably have somewhere around 1500 pods running (mostly in prod; too lazy to check the exact number but I haven't seen any notifications telling me stuff's down). At moderate to large scale, everything build/deploy-related is automated, sometimes including package updates, so it's important to be able to just trust that it works. You can't just do that with Arch, if it breaks something even 1% of the time that's a huge issue.
Arch is a great learning experience though; when I ran it on my PC, I managed to break glibc somehow, then had to figure out how to fix that (pacman-static is handy!). I might try it out again for serving a side project, next time I have a brilliant idea for a side project (that I'll probably abandon two months later).
To be fair A.I. is being used for early detection of diseases and in other scientific applications such as searching through huge amounts of data to find patterns or specific targets of interest, it just doesn't get as widely publicised.
Fedora 41 barely exists. Current version is 39 and beta version of 40 publicly available.
That was my question when I read 41
Linus Torvalds said that GPL3 violates everything GPL2 stood for. He was right.
As the software ecosystem on Linux matures, even at a slow pace, more people will flock to the Linux world. Both the developers and the users should collaborate for steady improvements.
Gracias por la noticias 👍
Hey Nick, thank you for being the best Linux news channel on the 'tube, you rock!
The internet is really scary place nowadays!! I like it when I first started many years ago, call me old fashioned I like dial up better.
Ah yes, the good old times of dialers and scary-focused malware destroying all data left and right. Can’t get malware if browsing 4 sites takes 20 minutes! 😅
Call me new fashioned, but I find the internet (if one isn’t a moron and wildly clicks everything) much safer to navigate today - especially with all the backup and protective tools broadly and often built-in available!
Although - as everything - hackers have become more boring and greedy. Everything‘s ransomware these days… 😒
Stay safe!
@@TomJacobW When I first started there was no internet just terminals, and bulletin boards. Not that I used them that much. 😀
That’s a wild take.
@@trevorford8332bulletin boards and terminals are the internet. The internet existed for years before the Web.
I saw a diagrammatic explanation by a professional reverse-software engineer, of how the hackers compromised the Linux kernel. It was NOT FKIN easy. Just goes to prove how much of a stalwart this Linux thingy is. We are strong. Have faith. We are COMMUNITY!
Is there somewhere we can find this?
@@resultingrun5928low level learning
It was probably point of Low-Level Learning's latest videos
@@resultingrun5928 Dude, the algorithm keeps deleting my answer to you!
@@savagepro9060 Damn
Arch has the bad version, and they issued an update for the xz library. However, since Arch does not patch openssh to need liblzma, seems to not be affected.
OMG I was so worried.
Additionally the malicious code seems to search for deb and rpm packages specifically. There's an interesting discussion about it in Gentoo's bugzilla.
Literally no one was affected, unless they were doing really stupid things with unstable versions of Debian or Fedora. And even then the "effect" was just a backdoor existing. There's no evidence anyone was using that backdoor on any systems anywhere. It was very likely the creators of it (probably a state actor) were waiting on release versions to ship, and then some particular target or target updating to that new release version. This got caught almost immediately, before any real production systems could possibly use the malicious xz version.
Redis: We want big cloud to start paying for Redis' development
Big cloud: start foundation to pay for Redis fork development
Truly a galaxy 5d chess with multidimensional time travel brain moment from Redis team
This BF V situation sucks because I have friends that I play Battlefield with and they have no clue what Linux is, and they just think I play on pc so it will be awkward to explain to them on why I can’t play with them anymore 😅
EA should actually start with Apex, and give me an excuse to never go back to that trashfire. Skipping the last few seasons has felt really good.
Thanks Nick.
It also affects Opensuse Tumbleweed but not leap or entreprise.
I think the xz vulnerability only affects ssh under systemd as far as people know, and I heard it doesn't affect arch. there are a very specific set of circumstances that trigger it.
@TheLinuxEXP, how about a video about linux specific 2-in-1 laptops situation? Like support for stylus, handwritten notetaking software, pdf annotation, drawing, etc.?
the backdoor only affects debian and rpm packages. There is literally s check in the backdoor for thst.
Obligatory I use Arch btw ... but that's kinda hilarious ... although I wouldn't wish exploits even on the savages that use shitty RPM distros.
There are already enough reasons not to play any EA games,, so it's amusing to see the company itself giving a helping foot-in-mouth hand.
Yeah, most EA games are trash and garbage. They ran their company into the ground by making repetitive games over and over again and using the same engine for years. Last good EA games were command and conquer games and those style of games.
Impressed by SquareX
That does it for me. I have been generally happy with arch based Garuda linux but it was bitten by the recent xz issue. Been thinking about going back to Fedora for a while anyway.
For Ubuntu fix, this is thanks to Gaming Linux France (GLF), and specifically to Chevek.
It wasn't a random attacker it was the maintainer that forced control over the repo.
The code was only looking for Deb or rpm so Arch and Gentoo was not affected.
I have that in helldivers 2, will try it cheers
in my opinion, instead of "registrate" use register; or "devaluate" use devalue.
Valve already use AI/ML in VAC for Counter-Strike. John McDonald gave a pretty good talk on it at GDC 2018. They use match replay data and cheater-like heuristics to detect and deal with cheaters with almost perfect accuracy.
That malicious code being added is quite concerning, although I guess the benefit of open source is that is it caught quicker.
The benefit of open source is that it's caught at all. Closed source, for anything that's security-critical, has assets from government agencies working for them, whether known to the companies or not, and if somebody notices something, very often somebody higher up is also an asset, reassures the noticer, and covers it all up, so it doesn't get fixed and the public is unaware.
Open source still has the problem with government agency assets getting into the code and management positions, but if somebody notices, they can and will go public with it, and somebody somewhere who _isn't_ working for some government agency will patch it and everyone can verify it's been patched.
in closed source world, it would be a feature not a bug
Redis: I don't think their decision is really such a scandal. The last BSD release can be forked, so they are not revoking any rights from anybody. The new license is not open source, but it keeps their product auditable. I cannot take issue with that, even if I preferred Redis to remain OSS. The difference between the company behind Redis and say RedHat, Canonical and Docker to name a few is that Redis makes money rather immediately from the development work they do, while the companies I mentioned make money from their market position by capitalizing on the position and not on the products they create. If Redis cannot capitalize on their work, because other companies sell their product (as a service) without having to invest in the maintenance, it seems to be fair to demand a contribution from them. Of course the interest of the OSS community is secondary for all of them, but that's the nature of business.
There are is much worse behavior from companies controlling the Linux foundation - the fact that they can hide behind the term "Linux foundation" really bugs me.
Nobara 39 is at XZ version 5.4.4
Valkey is not a first fork, the first fork is Redict which did much more than Valkey.
I strongly believe having multiplayer games running in a sandbox environment with the anti-cheat only scanning for exploits within the sandbox would be a good solution. Of course this is not exactly easy to implement because it involves implementing a separate anti-cheat tool that can deal with all parts of the sandbox that are exposed to the sandbox runtime. But, it's hell of a lot safer than kernel level anti-cheat and is quite possibly a better solution for all gamers regardless of platform.
I think the issue with that is that it’s too easy to cheat from outside the sandbox.
Actually this is already an issue with external cheating hardware that pretends to be keyboard and mouse, but this would lower that barrier
They should do what chess does. Statistical analysis of results (and sometimes specific chess moves) over a period of a set number of games, which is too implausible as to not be cheating. Every so often, they will catch somebody at an in-person tournament with something in their shoe, or doing something in a bathroom. But most cheaters are caught, online and off, by statistical analysis.
Multiplayer games could do this at the server level, looking at a variety of metrics, and see if somebody is cheating over time with a high confidence level. Then it wouldn't matter what the method is, all that matters is that cheating is suspected and mathematically proven. You could do this with some kind of AI that looks at non-cheating play at a high level of unassisted human play. Or you could have preprogrammed metrics. Either way, you wouldn't catch the cheaters immediately, but you would catch them inevitably. A little occasional cheating wouldn't matter enough to ruin the game for everyone else, but continual cheating would be result in bans.
Or, simply put the cheaters in rooms together, through matchmaking, and have them try to out-cheat each other. When that stops being fun, they'll stop cheating, and eventually get put back into the regular rooms with everyone else, hopefully having learned their lesson.
@@shadowpenguin3482 Depends on the sandbox design. Which is why I think it's difficult to implement. I'm thinking something like a VM with only relevant hardware being exposed to it. Each game will have to come up with its own custom sandbox runtime to support something like this though.
It's just an idea. But, I can see why it could be easier to trick.
About the AI as a anti-cheat thing:
YES!!! THANK YOU! Finally someone who also sees how it should be done!
Is the affected lib xz already in the newest lmde 6 iso? Or am i safe? Only made a boot stick with that iso a month ago and hadnt time to install the os on my pc😅
the last part was very accurate and synonymous to our feelings, its like use it to make behavioral analysis and ai for such purpose rather than morphing people's face, and taking creative jobs like writers, painters etc etc, its liek creating a weapon to destroy rather than a tool to do some good.
I just want somebody to finally use AI for UA-cam comments, to get rid of the same spam bots that always say the same thing every time for months and months.
Manjaro pushed an update of the XZ stuff today.
Good on Redis, tbh. And also, banning blockchain apps seems like a decent stopgap for the snap store malware problem and should be permanent.
How about talk about the lag issue with web browsers where when you load a page there's a 2ish second delay before the page actually starts to load. Internet also runs about half as fast for Steam downloads as windows. This effects every distro I have tried and on multiple systems. Google search indicates these are common issues.
The only reason I used Windows was for League of Legends. Since they are implementing a kernel level anti-cheat, I made the full switch to Linux. Completely done with Windows and invasive anti-cheats.
@dreaper5813 I'm glad I have better things to do and never got into any games.
It wouldn't surprise me if we eventually find out that all of these Windows exclusive anti-cheat decisions were part of a Microsoft campaign to re-secure their Windows gaming monopoly. Some of their marketing material (especially for "Secured Core" and "Pluton") makes a lot of references to the "XBox level security" of Windows 11.
This is why grownups pay for software and maintenance. It’s also why I spend $600/yr on a pro firewall appliance maintenance as a home user and one of the reasons why I use Apple products. A person/entity is responsible for maintenance… not open source. Nothing is 100% safe. Personally, I have nothing against open source except a knowledge of human nature. Fixes will come faster but they may not be thoroughly regression tested.
Lzma is the compression algorithm of 7zip, right?
Yes. Xz utils started as a frontend of the lzma sdk (which still sees new releases today) in 2008.
7zip still exists!?!
@@halfsourlizard9319barely. it's mostly DITW because the dev refuses to implement recovery records and crc/hash-based deduplication in archives. RAR on linux is unfortunately gaining popularity because it supports that plus more on enterprise machines
Debian Bookworm still has liblzma 5.4.1. So all good.
You know, the snap store verification measures are practically the same used by Apple and Google in their mobile app stores, and those stores are still plagued with malicious apps.
I don't understand why it's not possible to make a signed Steam kernel to be able to insert the anticheat, at least those who want can play without having problems, and those who cry because they put the anticheat in the kernel don't install it and everyone is happy, it doesn't take a genius to understand that it would be enough to finally be the year of Linux. Having to keep Windows installed just for those 3 games doesn't seem right to me but it remains the only way for many online games.
It’s not the newer games are bad per se. It’s that there are greedy corporations that want to make sure that they have complete control over how you play their game so therefore they want to put invasive spyware on your PC called anti-cheat.
Arch should not affected by this as openssh is not related to liblzma. however it is still recommended that you update your system if you run v5.6.0-1 or 5.6.1-1 just in case.
Interestingly this xz backdoor was implemented by some Chinese contributor Jia Tan which kind of puts a lot of their contribution under the microscope.
(Thankfully I'm still on version 5.4.x)
Bit surprised Ubuntu needed a user suggestion to make the gaming experience better. But great to see that they listen of course. Getting more gamers on Ubuntu is good for the stats.
Genuine question, not flamebait: I don't understand the concern around the "source-available" licenses that only prevent selling the software as a service. If you're only using it as part of your stack and the license only restricts you from selling a hosted version of Redis as a service....why the rush to replace Redis? Is there something legal you're concerned about (if so, what specifically?) or is it more of a philosophical stance?
And I think it's absurd to accuse Redis of trying to "monetize the hell out of it" when that's _exactly_ what AWS, Microsoft and the rest are doing by selling it as a service.
I understand Linux is a very different thing, but it would be nice for an O’Neill cylinder design to operate in the same manner.
-with the main basis being that it would be open to all and People would choose who goes up.
Will there be an ARM based tuxedo laptop after Snapdragon x elite is released?
I really want an ARM based system, but don't want windows spyware
Happy about 24.04, because it's an LTS and thus, not a "throwaway" version. I dreaded non-LTS versions of Ubuntu, since Raring Ringtail, where you'll be deleting it sooner than a Windows installation, FFS!
This backdoor is another example that simply being open source does not make software secure. If source code is not audited properly, then the code is no more secure than closed source. Every change needs to be audited by multiple independent groups.
And what you said does not prove that it makes it less secure either. The fact that it's open source means anyone can look at the code and chances are it'll be a group of Lennox has Eggheads as it always is and has been thankfully hopefully will always be who resolve the problem like red on salsa often long before the public even gets wind of it or worst case if it takes him a little longer they still resolve the problem easily 10 to 100 times faster than micro crap even tries to resolve theirs which there's still some that's all this Windows 95 it's a problem and security vulnerability in Windows
So you do the math which one is more secure to you one in which the people are on it like a boss or one in which a centralized hypocritical line corporations on it and drag their feet while making that os LESS and LESS user friendly with each new version that removes more control from the end user
It's no more or less secure. The difference is that with open source, there is transparency so when problems are discovered, everyone gets to know about them and then verify when they are patched. Plus, anyone can offer that patch.
Closed source, if you find out about a vulnerability at all, it's usually after it's already being exploited by various governments and possibly criminal syndicates, and those organizations can potentially keep a vulnerability from ever being patched due to their infiltration of the companies shipping that closed source software. There's no public audit possible.
@fakecubed you apparently having difficulty understanding how to gauge whether or not something is more secure and operating system or not. Again anything can be hacked eventually it doesn't matter the operating system it does not matter the hardware chances are now it's how the support system or team of people respond to such a vulnerability or Hack That Matters and the Linux Eggheads of the Linux world have proven time and time again 99.99% of the time throughout the past two plus tickets straight that they will resolve problems eons faster than Microsoft and still faster than Apple facts don't care about your feelings or anyone else is on this matter. So yes that makes Linux more secure than other two operating system common computer worlds.
Wendell from Level1techs will tell you the same damn thing and of course given that he has eons of Linux experience over me can delve into very thorough reasons why
good video as always i will use ubuntu if remove snap completely
Literally this. It's almost as shit as that time that Canonical injected adware searches in that goofy GUI search thingy.
I don’t think it’s very accurate to say anti-cheat solutions are useless because they’re playing catch-up, as anti-malware and security patches do the same, but an AI anticheat would be definitely more powerful. I also agree that AI is being front-ended as a lazy pass tool way too often when it would be way more useful as a backend product, similar to how radioactive materials can be terrible front end but great backend support.
Even after Ubuntu/Canonical reacted, they still had the same issue pop up again. They need to shut down Snaps until the fix the security vulnerabilities. I trust the Arch AUR far more than I just Snaps. But I know you can't help but schill for Snaps that are crap while crapping on the distro repositories that are safer, good, and simply work.
lucky to be on ubuntu 22.04 with that ould version of xz utils... phew
Why no Firefox extension square x? 😭
I don't like the term "unverified", I would use "community packaged" or something. Sometime, the repackaging is open source so it doesn't really matter
thank you for saying for saying what package's version i should check to be safe, but not show me how it's spelled.
What shall we replace Redis with, I wonder if Valkey or even MySQL X plugin.
with nvme drives, there's no point to anything beyond mysql. at least for meeee.
The significance of Redis ditching FOSS (Free and Open Source Software) could potentially impact the future of Linux and the open-source community. This move may lead to the development of alternative solutions or forks of Redis, affecting the ecosystem and community around the platform. It could also raise questions about the balance between commercial interests and open-source principles in the software industry.
I converted my Chromebook to Ubuntu Linux. sound driver not working well. I spent hours and hours to fix but it looks like there is no way to fix it. if someone know the solution then post here please.
To me it sounds like redis tried rto monetize the big cloud providers and those very providers forked it
As far as i've read it wasn't aimed at the regular user
16:05 I couldn't agree with you more on this! That would be a great use of AI, instead of installing super invasive anti-cheats on our computers that don't even work that well.
The problem I see with snap requiring only one manual review for packages is that they can retrieve their ui from the web (like youtube) and change all of their functionality without updating the snap package. A malicious application actually did this on Apple's appstore, it showed a safe application until the app got reviewed and then changed it to be malicious immediately afterwards.
you'll never get away from SOME apps being malicious. virus checkers just don't work. the only thing you can go off of is "is this app famous enough that I can trust it". This is also a big problem for new guys like me with an app that no one has ever heard of sigh.
I would it like if community flatpack repackages could get their own tag (like unofficial repackage), with very clear rules to get such a tag so scams etc. won’t get it but they keep the unverified tag.
What's stopping you from suggesting that to Flathub?
@@RayOfSunlight984 possible they read my comment here lol.
I am not familiar with how official feedback works so I would have to figure that out. If it is very easy and I can basically just write what I wrote here then there is a higher chance than not doing so, lol (even though they are probably already getting plenty of low effort feedback so mine probably wouldn't change much).
It will be interesting if the Redis fork will live on instead of Redis.
Google "Redis vs. KeyDB vs. Dragonfly vs. Skytable"
All of them are better than Redis, no need to fork anything, 2 of those are drop in replacements.
redis is hardly worth even using anymore. nvme drives aaaaaalmost turn mysql into redis. i think redis sees it's end of life a comin' and is tryina cash in on big companies being the only ones interested in it anymore. new tiny companies won't use it any more i bet.
That's usually how it goes.
I find it funny how "open" Oracle has become lately, kind of started this whole "close the source" trend back with Open Solaris. But now they are championing Centos forks and now Reddis.
All this centralization is no good. What if we all move in to Flatpack, and something bad will happen? Hope that at least Debian will still support and update debs packages, because open source charging fast forward.
Going to be the same as it ever was, n+1 package standards.
If you look into Rust, I think you will agree that RHEL/nvidia systems will be some of the most compromised computers for the first couple of years.
Things can go wrong very quickly with rust.
Rather then implementing an Anti-Cheat which only seems to look to see if your running wine, how about a Linux version of the game. The 5 largest game engines have the ability to build for Linux. Considering that it's a growing environment, this could grab market share, in an already crowded market.
Is it possible to improve Linux with Devian?
It's interesting how in the video Microsoft Edge is not a verified Flatpak application.
Because it is not. It is not supported by MicroSoft.
Why on Earth would any Linux user want to run any Chrome / Chromium-based browser?
@@halfsourlizard9319I run edge for Copilot, as it dosen't work well on ff. Maybe there are some workarounds
google docs, sheets, drive, calendar, gmail. if google wants to serve me ads, it can feel free - those are some quality apps. they beat office and anything linux has to offer hands down. does google know way too much about me - hell yes. do i care? kinda but nothing more sinister than ads happen.
@@halfsourlizard9319millions do. Not everyone is a paranoid basement dwelling incel.
How can your system and data being randomly strewn about on someone else's computers (the cloud) make your data not at risk? If anything it opens it up to risk.
if your performance is tanking after an hour into a game and increasing the memory limit 'fixes' it it sounds like the game has a memory leak.
Nick: this video is square-
Me: space
Nick: X!
Me: whu-
2:58 Fedora 41? Did I just time travel?
He meant fedora 40.
@@crossscar-dev no, he meant 41. 41 and rawhide are currently the same thing. 40 wasn’t affected because fedora’s test infrastructure detected something was wrong, and the functionality the back door relies on was disabled. Still, the package was rolled back, just in case.
@@npgoalkeeperoh from my understanding it was fedora 40 but ok