nope. my distro was affected but me. i only trust the kernel and its updates but any packages. i always ether review package updates manually or when lazy wait a couple of weeks for the public to maybe report issues, well if its not a security update at least. so i was lucky tbh.
Well one thing is for sure: With the code being open source it seams many problems are found before any major damage occurs, and also fixed in an "all hands on deck" fashion, unlike having to wait who knows how long for some major tech company to admit they caused it, and then finally get to work on a solution.
No, I think that's going to far. I think it's more reasonable to say that open source guarantees that problems _can_ be found, while proprietary source makes it all but impossible to find it. In this case, it's really a matter of infiltration and if the Manhattan Project could be infiltrated, you know that Microsoft can be. An important aspect here is that open source guarantees that whistleblowers can't be identified by the code that they have access to. If someone plants a logical bomb in some obscure piece of Windows, then the whistleblower will be instantly identified. But if it happens in Linux, then it might be an external researcher. I think that's very important.
@@jeschinstad All but impossible? So there are no security bulletins published regarding closed source applications like... ever? But overall there is no guarantee that problems can be found whether you're talking about open or closed source. Open source at least allows for anyone to analyze the source code to look for potential issues. But that analysis is only as good as the tools being used or the people reviewing the code. Meaning if there is no static code analysis or code reviews occurring, vulnerabilities will slip by. Leading to this question: what other vulnerabilities exist *today* that aren't being detected because the tools aren't good enough, if any are being run at all, code isn't being reviewed or reviewed properly, or the right conditions for exploit have yet to be found? Generally a vulnerability needs to occur to know what code patterns to look for, just as antivirus tools can only detect viruses known to those who prepare the signatures. Plus the XZ vulnerability was a process exploit, not a code exploit, that just happened to occur in plain sight because no one was paying attention. The exploit didn't exist in the source code and the person responsible was taking advantage of the fact there was... no actual review happening on what was being checked in. And the downstream distros merely accepted that binary release archive as-is rather than pulling and building the source code - which would've prevented the exploit from going anywhere. And the only reason it was caught "quickly" was due to someone running some kind of automated process that relied on XZ behaving a specific way. "If someone plants a logical bomb in some obscure piece of Windows, then the whistleblower will be instantly identified. But if it happens in Linux, then it might be an external researcher. I think that's very important." Instantly identified? Not even with the best audit tools would that be possible. It would probably still take months to identify an anonymous whistleblower unless the whistleblower was being very sloppy since there are likely a LOT of people at Microsoft with read access to the Windows source code repository.
Honestly Linus said it the best, it doesn't matter if it is open source or propitiatory software. It can happen to anything. It comes down to having trust and bad actors taking advantage of said trust. I think their should be a few vetted people to look over code before said code can even be implemented, as well as better background checks of contributors.
@@gzoechi tf their isn't, tons of developers do this with no issue. Otherwise anybody's code would be getting into everywhere. Instead of relying on one person like they did with xz, it should be spread amongst a few people to make sure shit doesn't go AWOL because of one rotten tomato.
@@Derpingtonshere For how many OS projects are you willing to voluntarily do this? "Others should do that so that I can have flawless free software" - that won't fly.
fun fact: I'm _exactly_ 18 years younger than Linus, +- some hours. ...That was very much more fun to discover back when I was 18, then writing it in a random comment when I'm 37 and he's 55.
No way you can read it faster than 5 seconds. I just set up a timer and tried to break my own 7.4s record. Best I did was 6.6s Let's see you try, Mr. Verac the Fast Reader!!!!
0:00 🔍 Linus Torvalds discusses trust issues in the open-source community, especially after the XZ utilities backdoor vulnerability. 1:18 🔐 Open-source projects rely on trust among developers and maintainers, similar to trust in proprietary software. 2:12 🧪 Past experiments and attacks, like the XZ vulnerability, highlight the challenge of maintaining trust and detecting malicious activity. 3:30 🔍 Despite the lack of explicit security rules, malicious activities in open-source projects are often detected relatively quickly. 5:10 🔄 The Linux kernel uses a network of trust, including face-to-face meetings and ID verification, to strengthen security. 7:03 🌐 Unlike many open-source projects run by a few people, the Linux kernel benefits from a large, deeply connected community. 8:27 🤝 Torvalds urges more support for smaller, underutilized open-source projects through active participation and moral support. 9:36 ⚠ The ongoing challenge in open-source is not just malicious actors but also managing bugs and improving infrastructure security.
99.9% of those who say that ‘open source code can be reviewed by anyone, so it’s more secure’ likely do not have the skills to review any software. The events of XZ demonstrate that there aren’t enough checks on the identity of those contributing to critical parts of GNU Linux. The mistake made by CrowdStrike had disastrous consequences, but it did not open a backdoor that could be exploited by government hackers from the PRC or RF for months or even years.
Another problem is package maintainers of distros using precompiled files from github releases, which in the case of xz contained the malicious code while the repo itself didn't, if I'm not mistaken. Feel free to correct me
@@cornelisvanlenten5954 depends on distro, in case of debian such is strictly forbidden, people got banned on their ftp servers for uploading precompiled stuff.
1. You don't know when there's a backdoor in your proprietary OS. Period. 2. Just because something is open source doesn't mean it's audited from security prospective, but that it can be examined when needed to, by millions around the world, and some of them can do the job. 3. Once an issue is identified and/or fixed, one can patch their system on their own if they wanted to, without waiting for Microsoft and Crowdstrike to publish an update.
1. You don’t know if there is a backdoor in your free software either. 2. Because it’s open source it doesn’t means it’s monitored, but it sure means that everyone and their mother can attack it, while there is no one to defend it. 3. Patching assume you know what you’re doing, and if that’s the case, it doesn’t matter if you’re on windows or Unix, you can patch or rollback.
I’ve been in the IT world for over 30 years and windows has been a problem since day one. When I was going to college for engineering in 1990 the entire computer lab was shut down because every single computer had a virus on it. I asked the professor why didn’t someone fix it and he said no one knew how. At that moment, I made it my mission in life. I have been calling it a cyber war since 1998. I bought my first computer in 1997. When the warranty expired in 1999 that computer had to go in a dumpster because it was so riddled with viruses. it was a pain in the ass and I enjoyed hearing the clunk of it hitting the bottom of that dumpster as I tossed it in. I then went to CompUSA And bought an iMac that I used till it self-destructed eight years later. Actually, it didn’t self-destruct but the unit had a CMOS battery that wasn’t replaceable. It simply would not work without that CMOS battery so I just bought two more macs. I got into linux 17 years ago so Linus Torvalds is my hero. I have saved so many PCs from a dumpsters fate by installing linux on them when windows has failed. Crowdstrike should go bankrupt.
There are many reasons why someone might dislike Windows, but disliking Windows because of "viruses" and using a Mac instead sounds a lot like someone who has bought into apple propaganda, where they lie to their customers and claim that Macs can't get viruses. The simple truth is that viruses are developed for the platform that has the most market share. Windows gets more viruses because it has the largest market share for desktop PCs. If Macs had the largest market share, they would get the most viruses. If Linux had the most market share, then it would get the most viruses. Additionally, this is a very outdated mindset, as viruses that spread easily are far less common today, in part due to how battle-tested windows is now, as well as the fact that it now includes an anti-virus by default. Most bad actors rely on social engineering attacks now.
@@Johncw87 Not only that, Windows is in a market position for basically every demographic, every budget, every use-case. The barrier to entry into a Mac is pretty high compared to Windows.
@@Johncw87 Firstly, he said he switched to Linux and Torvalds is his hero. I believe you are right about Macs, but Linux is safer by design. Also Microsoft could have created and freely given Microsoft Defender from the start. I mean, if you argue Windows is much safer because it includes an antivirus, why didn't MS do that in 1995??? It put a lot of effort into a free web browser, and frankly that rush is the source of many insecurities today! They put security in the hands of psychopaths like John McAfee. And all this history is "outdated"???
@@michalsvihla1403 but that's totally because of anticompetitive practices, with what amounted to power of a monopoly. And of course Apple is just as bad if not worse. Linux is the answer, why are you making this Mac vs. PC?
@@squirlmy I don't know why you are asking me why Microsoft didn't create an antivirus in 1995. I'm not a mind reader. Maybe they put their focus into what they thought was the most profitable? Like most companies? The threats that people have to deal with today are nothing like how it was back in the late 90s and early 2000s. The attitude toward security most companies had at the time was very poor. The internet as a whole had yet to transition to using HTTPS everywhere. It has improved quite a bit over time, as more software companies were forced to become more security conscious. This dramatic improvement in security across the board is why the perception that "windows machines are full of viruses" is outdated. I don't recall exactly when this happened, but a hacker was charged with the task of obtaining privilege escalation on a Windows machine and on a Mac. They managed to achieve it on both, but it was much easier to do on the Mac. They only needed a single exploit that was easy to find. They needed multiple exploits chained together to do the same on Windows, and it took much longer to find them. This is because the easy exploits have been found and patched already on Windows. Macs don't have that battle-hardening experience that Windows does, simply because not very many hackers targeted it.
yes, but to get oneself in the position of being an important host, and interviewer really has to be a bit aggressive. This is a problem in all interview media. Charlie Rose is a good example. The people who are good listeners, are rarely in positions where they can interview important people. And honestly, Linus isn't the most exciting orator. lol
A well funded effort by a nation state willing to invest years, if not decades, with the mission to inject vulnerabilities into the open source universe is a real threat; and not one that was addressed in a meaningful way in this clip.
@@stargazer7644 And Windows is a Microsoft product!!! In blame for this specific, particular, "crash", MS has only tangential responsibility, another word that comes to mind is circumstantial, BUT it shows the world depends too much on Microsoft Windows! Also MS has a history of being an anticompetitive force in the marketplace, even if you don't think it a monopoly (maybe not technically a monopoly), and the ecosystem where security patches need to be rushed out is faulty, even if nothing can be done at this point.
right. and in the rush to diminish Microsoft's responsibility, many people are overlooking the fact that the world economy is overly dependent on Windows, and they've developed a faulty security ecosystem, that depends on rushing out patches from third-parties like Crowdstrike. If this happened to Linux, it would be limited to specific distros. Even if it was Red Hat, the damage would be less. BSD, even less. It didn't just "happen" to be with Windows. As much as the specific problem might have been one Crowdstrike goof, the larger problem is that too many computers are running Windows!
@@squirlmy This exact thing has also happened to Linux. Crowdstrike runs on Linux too. This particular problem was in a config file for Windows named pipes. If it had been in a file that goes out to all sensors it wouldn't have just been Windows related.
When you install a Linux distro on your system, you're placing an awful lot of trust on people that a) you know nothing about, b) are often not under a work contract and not salaried to maintain their piece(s) or software that are included in the distro, c) haven't been screened before they are allowed to contribute to the distro you just installed, d) are assumed to be one of the "good guys" by their contributions alone.
I have no idea what the exact ratio is but I'd say most people contribute to FOSS or similar projects with good intentions. But bad actors draw most attention despite being relatively small in comparison.
We are social animals. And trust is the magic word. As in our physical relationships so in digital ones. Trust is a human property we can not avoid in whatever we do. Be it throwing a bone to a wild wolf or being overwhelmed with overwork, no time and sinister "friends". Any human property can be misused. I don't think we can write a magic recipy to avoid that. Trust has given us way more than what we could achieve by being loners.
the attack was found at random. "random is good, if we put rules in place, bad actors don't play by the rules".. so.. let's continue to yolo security and keep our Trust me bro® model :)
Why is that important in this instance? We are discussing bad actors in the open source community and your response is "WeLl microsOFT dId ThiS hUrbYDeRbY" You just come off as an asshat. Need I say more?
Tons of company are allowed to send patches through windows update. What is the most shocking is how many large companies have zero process for staging the deployment of Windows Update patches to critical systems.
@@alan5506That applies to any sufficiently complex software program whether open source or proprietary. The difference is that with open source _anybody_ can look at it (though realistically it’s anybody with software development skills), while for proprietary software only the owning company’s software developers can look at it … and that only if the company allocates the budget for them to do so.
Mr Torvalds,,,,another super system i use is Chromebook/ChromeOS BY GOOGLE,,,All people tell me is based on Linux!!!...Mr Torvalds this Google system is so much polished on SPEED and SECURITY...Never seen anything like it in my entire LIFE!!!
"Lean-us"? Really? There's nothing that irks me more than someone who doesn't know how to pronounce words. I don't know ANYONE who pronounces his name like that.
Did XZ affect you?
nope. my distro was affected but me. i only trust the kernel and its updates but any packages. i always ether review package updates manually or when lazy wait a couple of weeks for the public to maybe report issues, well if its not a security update at least. so i was lucky tbh.
Nope not me. I always look into it first before installing anything new, and updates.
I was dumbly trying Opensuse tumbleweed
technically, but I had sshd disabled on tumbleweed
No,antix Linux was fine.
Well one thing is for sure: With the code being open source it seams many problems are found before any major damage occurs, and also fixed in an "all hands on deck" fashion, unlike having to wait who knows how long for some major tech company to admit they caused it, and then finally get to work on a solution.
No, I think that's going to far. I think it's more reasonable to say that open source guarantees that problems _can_ be found, while proprietary source makes it all but impossible to find it. In this case, it's really a matter of infiltration and if the Manhattan Project could be infiltrated, you know that Microsoft can be. An important aspect here is that open source guarantees that whistleblowers can't be identified by the code that they have access to. If someone plants a logical bomb in some obscure piece of Windows, then the whistleblower will be instantly identified. But if it happens in Linux, then it might be an external researcher. I think that's very important.
@@jeschinstad All but impossible? So there are no security bulletins published regarding closed source applications like... ever?
But overall there is no guarantee that problems can be found whether you're talking about open or closed source. Open source at least allows for anyone to analyze the source code to look for potential issues. But that analysis is only as good as the tools being used or the people reviewing the code. Meaning if there is no static code analysis or code reviews occurring, vulnerabilities will slip by.
Leading to this question: what other vulnerabilities exist *today* that aren't being detected because the tools aren't good enough, if any are being run at all, code isn't being reviewed or reviewed properly, or the right conditions for exploit have yet to be found? Generally a vulnerability needs to occur to know what code patterns to look for, just as antivirus tools can only detect viruses known to those who prepare the signatures.
Plus the XZ vulnerability was a process exploit, not a code exploit, that just happened to occur in plain sight because no one was paying attention. The exploit didn't exist in the source code and the person responsible was taking advantage of the fact there was... no actual review happening on what was being checked in. And the downstream distros merely accepted that binary release archive as-is rather than pulling and building the source code - which would've prevented the exploit from going anywhere.
And the only reason it was caught "quickly" was due to someone running some kind of automated process that relied on XZ behaving a specific way.
"If someone plants a logical bomb in some obscure piece of Windows, then the whistleblower will be instantly identified. But if it happens in Linux, then it might be an external researcher. I think that's very important."
Instantly identified? Not even with the best audit tools would that be possible. It would probably still take months to identify an anonymous whistleblower unless the whistleblower was being very sloppy since there are likely a LOT of people at Microsoft with read access to the Windows source code repository.
Another thing is for sure, this wouldn’t have happened if it was closed source.
@@andyvirus2300 How so? The Russians were able to infiltrate the Manhattan Project, which is the most closed source project of all time.
@@jeschinstad I think/hope that @andyvirus2300 was referring to the backdoor being found, not the backdoor being rolled out.
Honestly Linus said it the best, it doesn't matter if it is open source or propitiatory software. It can happen to anything. It comes down to having trust and bad actors taking advantage of said trust. I think their should be a few vetted people to look over code before said code can even be implemented, as well as better background checks of contributors.
Wishful thinking doesn't solve problems. Nobody is willing to pay for such work and there are just not enough volunteers with the required skills.
@@gzoechi 100% correct. Also, with proprietary software, there's more reasons not to try this because you're not anonymous and can be prosecuted.
@@gzoechi tf their isn't, tons of developers do this with no issue. Otherwise anybody's code would be getting into everywhere. Instead of relying on one person like they did with xz, it should be spread amongst a few people to make sure shit doesn't go AWOL because of one rotten tomato.
@@Derpingtonsherethe issue with xz was that nobody stepped up to help despite the maintainer asking for help.
@@Derpingtonshere For how many OS projects are you willing to voluntarily do this?
"Others should do that so that I can have flawless free software" - that won't fly.
More trust issues these recent days:
* GNOME (foundation)
* CrowdStrike (QA)
* Intel (13th&14th gen Issues)
....
What else?
What's with gnome
@@saadhabashneh5587 They fired their only shaman. They don't have a shaman now. :(
@@unstable-horse what 😂😂
@@saadhabashneh5587 They fired a member of the board and didn't tell anyone for two months.
KDE superiority
Mentioned that it was a German engineer who found the issue, but not that his working at Microsoft.
fun fact: I'm _exactly_ 18 years younger than Linus, +- some hours. ...That was very much more fun to discover back when I was 18, then writing it in a random comment when I'm 37 and he's 55.
It's not a fun fact...
Maybe it's fun for you, but I want my 7.4 seconds back. Or I just wanna erase the memory of your comment.
@@AJ5 it took you 7+ seconds to read a couple of sentences?
No way you can read it faster than 5 seconds. I just set up a timer and tried to break my own 7.4s record. Best I did was 6.6s
Let's see you try, Mr. Verac the Fast Reader!!!!
You and millions of other people.
@@AJ5 +time to write your comment
leanis torvolds my favorite leaniks developer
0:00 🔍 Linus Torvalds discusses trust issues in the open-source community, especially after the XZ utilities backdoor vulnerability.
1:18 🔐 Open-source projects rely on trust among developers and maintainers, similar to trust in proprietary software.
2:12 🧪 Past experiments and attacks, like the XZ vulnerability, highlight the challenge of maintaining trust and detecting malicious activity.
3:30 🔍 Despite the lack of explicit security rules, malicious activities in open-source projects are often detected relatively quickly.
5:10 🔄 The Linux kernel uses a network of trust, including face-to-face meetings and ID verification, to strengthen security.
7:03 🌐 Unlike many open-source projects run by a few people, the Linux kernel benefits from a large, deeply connected community.
8:27 🤝 Torvalds urges more support for smaller, underutilized open-source projects through active participation and moral support.
9:36 ⚠ The ongoing challenge in open-source is not just malicious actors but also managing bugs and improving infrastructure security.
Leenus is such a good ma.
Starts at 0:36, you’re welcome
99.9% of those who say that ‘open source code can be reviewed by anyone, so it’s more secure’ likely do not have the skills to review any software. The events of XZ demonstrate that there aren’t enough checks on the identity of those contributing to critical parts of GNU Linux. The mistake made by CrowdStrike had disastrous consequences, but it did not open a backdoor that could be exploited by government hackers from the PRC or RF for months or even years.
Exactly, maintainers of critical parts should have to be IDed. GitHub could do it, distros would have to look after it..
Another problem is package maintainers of distros using precompiled files from github releases, which in the case of xz contained the malicious code while the repo itself didn't, if I'm not mistaken. Feel free to correct me
@@cornelisvanlenten5954 depends on distro, in case of debian such is strictly forbidden, people got banned on their ftp servers for uploading precompiled stuff.
1. You don't know when there's a backdoor in your proprietary OS. Period.
2. Just because something is open source doesn't mean it's audited from security prospective, but that it can be examined when needed to, by millions around the world, and some of them can do the job.
3. Once an issue is identified and/or fixed, one can patch their system on their own if they wanted to, without waiting for Microsoft and Crowdstrike to publish an update.
1. You don’t know if there is a backdoor in your free software either.
2. Because it’s open source it doesn’t means it’s monitored, but it sure means that everyone and their mother can attack it, while there is no one to defend it.
3. Patching assume you know what you’re doing, and if that’s the case, it doesn’t matter if you’re on windows or Unix, you can patch or rollback.
Linus, puts the wild and crazy in wild and crazy.
Leenus?
linux 👉 lee-nux
linux 👉 lie-nux
in german language li is only lee, never lie. english has that ambiguity
@@ksheer I never knew. Thanks!
I dunno i didn’t think it rhymes with p*nis
Don’t forget “lih-nux”
It's how you properly pronounce his name
I’ve been in the IT world for over 30 years and windows has been a problem since day one. When I was going to college for engineering in 1990 the entire computer lab was shut down because every single computer had a virus on it. I asked the professor why didn’t someone fix it and he said no one knew how. At that moment, I made it my mission in life. I have been calling it a cyber war since 1998. I bought my first computer in 1997. When the warranty expired in 1999 that computer had to go in a dumpster because it was so riddled with viruses. it was a pain in the ass and I enjoyed hearing the clunk of it hitting the bottom of that dumpster as I tossed it in. I then went to CompUSA And bought an iMac that I used till it self-destructed eight years later. Actually, it didn’t self-destruct but the unit had a CMOS battery that wasn’t replaceable. It simply would not work without that CMOS battery so I just bought two more macs. I got into linux 17 years ago so Linus Torvalds is my hero. I have saved so many PCs from a dumpsters fate by installing linux on them when windows has failed. Crowdstrike should go bankrupt.
There are many reasons why someone might dislike Windows, but disliking Windows because of "viruses" and using a Mac instead sounds a lot like someone who has bought into apple propaganda, where they lie to their customers and claim that Macs can't get viruses. The simple truth is that viruses are developed for the platform that has the most market share. Windows gets more viruses because it has the largest market share for desktop PCs. If Macs had the largest market share, they would get the most viruses. If Linux had the most market share, then it would get the most viruses. Additionally, this is a very outdated mindset, as viruses that spread easily are far less common today, in part due to how battle-tested windows is now, as well as the fact that it now includes an anti-virus by default. Most bad actors rely on social engineering attacks now.
@@Johncw87 Not only that, Windows is in a market position for basically every demographic, every budget, every use-case. The barrier to entry into a Mac is pretty high compared to Windows.
@@Johncw87 Firstly, he said he switched to Linux and Torvalds is his hero. I believe you are right about Macs, but Linux is safer by design. Also Microsoft could have created and freely given Microsoft Defender from the start. I mean, if you argue Windows is much safer because it includes an antivirus, why didn't MS do that in 1995??? It put a lot of effort into a free web browser, and frankly that rush is the source of many insecurities today! They put security in the hands of psychopaths like John McAfee. And all this history is "outdated"???
@@michalsvihla1403 but that's totally because of anticompetitive practices, with what amounted to power of a monopoly. And of course Apple is just as bad if not worse. Linux is the answer, why are you making this Mac vs. PC?
@@squirlmy I don't know why you are asking me why Microsoft didn't create an antivirus in 1995. I'm not a mind reader. Maybe they put their focus into what they thought was the most profitable? Like most companies?
The threats that people have to deal with today are nothing like how it was back in the late 90s and early 2000s. The attitude toward security most companies had at the time was very poor. The internet as a whole had yet to transition to using HTTPS everywhere. It has improved quite a bit over time, as more software companies were forced to become more security conscious. This dramatic improvement in security across the board is why the perception that "windows machines are full of viruses" is outdated.
I don't recall exactly when this happened, but a hacker was charged with the task of obtaining privilege escalation on a Windows machine and on a Mac. They managed to achieve it on both, but it was much easier to do on the Mac. They only needed a single exploit that was easy to find. They needed multiple exploits chained together to do the same on Windows, and it took much longer to find them. This is because the easy exploits have been found and patched already on Windows. Macs don't have that battle-hardening experience that Windows does, simply because not very many hackers targeted it.
well stated. rules are broken. is harder to escape the unknow scrutiny of an unknow developer in the wild.
A simpler way to put this is that NDA and secrecy is an inherent security risk in software.
*German developers scrutiny
Host wants to talk over Linus. You bring in a guest then you should not want them sitting listening to your own yapstering.
yes, but to get oneself in the position of being an important host, and interviewer really has to be a bit aggressive. This is a problem in all interview media. Charlie Rose is a good example. The people who are good listeners, are rarely in positions where they can interview important people. And honestly, Linus isn't the most exciting orator. lol
A well funded effort by a nation state willing to invest years, if not decades, with the mission to inject vulnerabilities into the open source universe is a real threat; and not one that was addressed in a meaningful way in this clip.
Very interesting to hear, especially after the Microsoft worldwide crash
Sigh. It was not a Microsoft worldwide crash. It was a Crowdstrike worldwide crash that happened (in this case) to only affect Windows.
@@stargazer7644 And Windows is a Microsoft product!!! In blame for this specific, particular, "crash", MS has only tangential responsibility, another word that comes to mind is circumstantial, BUT it shows the world depends too much on Microsoft Windows! Also MS has a history of being an anticompetitive force in the marketplace, even if you don't think it a monopoly (maybe not technically a monopoly), and the ecosystem where security patches need to be rushed out is faulty, even if nothing can be done at this point.
right. and in the rush to diminish Microsoft's responsibility, many people are overlooking the fact that the world economy is overly dependent on Windows, and they've developed a faulty security ecosystem, that depends on rushing out patches from third-parties like Crowdstrike. If this happened to Linux, it would be limited to specific distros. Even if it was Red Hat, the damage would be less. BSD, even less. It didn't just "happen" to be with Windows. As much as the specific problem might have been one Crowdstrike goof, the larger problem is that too many computers are running Windows!
@@squirlmy This exact thing has also happened to Linux. Crowdstrike runs on Linux too. This particular problem was in a config file for Windows named pipes. If it had been in a file that goes out to all sensors it wouldn't have just been Windows related.
mASS updates r good. no1 should be able 2 track them. we need exponential growth of updates. and AI has to add additional updates ontop.
7:34 150 is the Dunbar Number.
Where did this interview take place?
Don't know exactly, but this is the full interview from FSF th-cam.com/video/cPvRIWXNgaM/w-d-xo.html
It says "open source summit NA" on the title.
@@ema7318 Good link. The first slide says North America. If you search for Open Source Summit 2024 - the stage looks to be the same.
@@ema7318 at 0:43 Dirk says they are in Seattle.
@@Terra101 😂 thanks 🙏 didnt watch from the beginning 😅
@@ema7318 It happens :)
Chinese hacker - what a shock ;)
The high trust culture has vanished, and nobody knows how to replace it. :/
When you install a Linux distro on your system, you're placing an awful lot of trust on people that a) you know nothing about, b) are often not under a work contract and not salaried to maintain their piece(s) or software that are included in the distro, c) haven't been screened before they are allowed to contribute to the distro you just installed, d) are assumed to be one of the "good guys" by their contributions alone.
I have no idea what the exact ratio is but I'd say most people contribute to FOSS or similar projects with good intentions. But bad actors draw most attention despite being relatively small in comparison.
Mr Torvalds Linux is Internet,,,with Linux i have experienced super SPEED and SECURITY!!!....Dont Quit keep the system ALIVE!!!
We are social animals. And trust is the magic word. As in our physical relationships so in digital ones. Trust is a human property we can not avoid in whatever we do. Be it throwing a bone to a wild wolf or being overwhelmed with overwork, no time and sinister "friends". Any human property can be misused. I don't think we can write a magic recipy to avoid that. Trust has given us way more than what we could achieve by being loners.
We are humans, not animals buddy.
@@flailofthelord Humans are just a subset of the larger set of all animals.
@@nihorothereal braindead comment
Why we'll need Top Level trusted maintainers and even Linus himself to really double check everything, before sending it all out. IMHO.
@@hashtag9990 sorry but I do. I know many others too that would disagree with you as well.
Clearly someone that doesn't contribute anything to anything. No clue.
the attack was found at random. "random is good, if we put rules in place, bad actors don't play by the rules".. so.. let's continue to yolo security and keep our Trust me bro® model :)
Claim "we found within weeks", is pure survivor bias...
Leenus
Microsoft trusted Clownstrike... do I need to say more?
Why is that important in this instance? We are discussing bad actors in the open source community and your response is "WeLl microsOFT dId ThiS hUrbYDeRbY" You just come off as an asshat. Need I say more?
They don't trust them... were forced to allow 3rd party vendors into ring 0 by the Europeen Union regulatory body.
Thats a bit too easy of an awnser
The person who discovered XZ attack, Andres Freund, worked at Microsoft lol
Tons of company are allowed to send patches through windows update.
What is the most shocking is how many large companies have zero process for staging the deployment of Windows Update patches to critical systems.
Write in Ada
lines
Trust nobody, clownstrike or xz
time to go microkernel
Always was. Thankfully L4 (in various forms from OKL4 to seL4) is deployed all over the place. Most people just don't realize it.
@@grey5626 - It's the first time I've heard of L4 actually.
The problem with open source is it's not open source.
Please elaborate
@@Nichiyoobiko I don't know exactly what OP means, but it might be something like:
- Code too hard and too long to read
@@alan5506That applies to any sufficiently complex software program whether open source or proprietary. The difference is that with open source _anybody_ can look at it (though realistically it’s anybody with software development skills), while for proprietary software only the owning company’s software developers can look at it … and that only if the company allocates the budget for them to do so.
Mr Torvalds,,,,another super system i use is Chromebook/ChromeOS BY GOOGLE,,,All people tell me is based on Linux!!!...Mr Torvalds this Google system is so much polished on SPEED and SECURITY...Never seen anything like it in my entire LIFE!!!
"Lean-us"? Really? There's nothing that irks me more than someone who doesn't know how to pronounce words. I don't know ANYONE who pronounces his name like that.