Jonathan Blow on the Problem with Open Source

  • Published 26 Dec 2023
  • Support me on Ko-fi: ko-fi.com/jonathanblowclips
    Jonathan Blow on the Problem with Open Source
    Clip from Jonathan Blow
    Twitch: / j_blow
    YouTube: / @jblow888
    #jonathanblow #gamedev #webdevelopment #programming #opensource #foss

Comments • 250

  • @mrpissed
    @mrpissed 3 months ago +58

    Prophetic. Considering the fact that the xz backdoor was found in a completely roundabout way (Microsoft dev with no affiliation to the project investigates the source of a 0.5 s delay), it's very likely that many other exploits slipped through the cracks.

    • @0xsn1pe36
      @0xsn1pe36 3 months ago +5

      He was correct, but his argument is still faulty: the threat actor spent the last 5 years building trust by committing to a largely overlooked repo, but the exploit was found by a user pretty soon.
      If he had encountered such a 500ms delay on Windows he would have had no option to really investigate (ignoring the fact he works at Microsoft).
      If the NSA wanted a backdoor in Windows they would just ring up Microsoft. 😂

    • @ibrahimshehu8677
      @ibrahimshehu8677 3 months ago

      The backdoor was not in the source code, but was injected in the already compiled form by a manager of the repo, and as far as I know, it took a couple of years to become one, so I guess this is a different situation than what Scott is talking about

    • @sebastiang7394
      @sebastiang7394 2 months ago +1

      The xz backdoor is also a very high level exploit. It does a lot and is extremely powerful and therefore very dangerous. But that also makes it harder to hide. It was hidden brilliantly, but ultimately once you understand what it does it’s obviously a back door. There could be thousands of smaller exploits that just hide as bugs. Some of them might have already got patched. But everyone just assumed they were normal bugs.

    • @sebastiang7394
      @sebastiang7394 2 months ago +1

      It was in the source. It was hidden in a binary test file. The exploit unpacks when building.
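The thread above turns on one detail: the payload sat in an opaque binary test fixture and was activated by a build step. A reviewer cannot read a compressed blob in a diff, so the defensive question is "did this commit touch opaque fixtures and the build scripts that could read them at the same time?" The script below is an added example written for this page, not code from any commenter or from the xz project; it runs a review heuristic over a constructed list of changed files in the shape of `git diff --name-status` output (the directory names, file names and thresholds are assumptions).

```python
"""Review heuristic for a commit's changed-file list (added example).

Flags commits that touch opaque binary fixtures under test directories
while also touching build scripts, because a build step is the point at
which such a fixture could be read and acted upon instead of only tested.
"""
import os
import re
from dataclasses import dataclass

# Directory names that usually hold test fixtures (assumed conventions).
TEST_DIR_RE = re.compile(r"(^|/)(tests?|testdata|fixtures)/")
# Files that run during configure/build (assumed, not exhaustive).
BUILD_SCRIPT_RE = re.compile(
    r"(^|/)(configure(\.ac)?|Makefile(\.am|\.in)?|CMakeLists\.txt|meson\.build|[^/]+\.m4)$"
)
# Extensions whose contents a reviewer cannot inspect in a text diff.
OPAQUE_EXT = {".xz", ".gz", ".bz2", ".zst", ".bin", ".dat", ".tar", ".7z", ".zip"}


@dataclass(frozen=True)
class Change:
    path: str
    status: str   # "A" added, "M" modified, "D" deleted (git name-status letters)
    binary: bool  # True when the diff tool reported the file as binary


def is_opaque_fixture(change: Change) -> bool:
    """A binary or compressed blob under a test directory (deletions are harmless here)."""
    if change.status == "D" or not TEST_DIR_RE.search(change.path):
        return False
    ext = os.path.splitext(change.path)[1].lower()
    return change.binary or ext in OPAQUE_EXT


def is_build_script(change: Change) -> bool:
    """A file that executes during the build and could read fixtures."""
    return change.status != "D" and BUILD_SCRIPT_RE.search(change.path) is not None


def assess(changes):
    """Return a review level plus the paths that triggered it."""
    fixtures = sorted(c.path for c in changes if is_opaque_fixture(c))
    scripts = sorted(c.path for c in changes if is_build_script(c))
    if fixtures and scripts:
        level = "review-required"
        reason = ("opaque test fixtures changed together with build scripts; "
                  "confirm no build step reads the fixtures")
    elif fixtures:
        level = "note"
        reason = "opaque test fixtures changed; confirm each is referenced only by a test"
    else:
        level = "ok"
        reason = "no opaque fixtures touched"
    return {"level": level, "fixtures": fixtures, "build_scripts": scripts, "reason": reason}


# Constructed sample commit: paths are invented for illustration.
SAMPLE_COMMIT = [
    Change("tests/fixtures/valid-stream.lzma", "M", True),
    Change("tests/fixtures/corrupt-stream.xz", "A", True),
    Change("m4/host-config.m4", "M", False),
    Change("src/codec/decode.c", "M", False),
    Change("README.md", "M", False),
]

if __name__ == "__main__":
    result = assess(SAMPLE_COMMIT)
    print(result["level"], "-", result["reason"])
    for p in result["fixtures"]:
        print("  fixture:", p)
    for p in result["build_scripts"]:
        print("  build script:", p)
```

Run on the sample commit it reports `review-required`, listing both fixtures and the `.m4` file. The heuristic is deliberately noisy: legitimate commits add fixtures and touch build scripts too, so its job is to route such commits to a human who opens the build script and checks what it does with the fixture, not to block them.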

  • @Lircking
    @Lircking 3 months ago +84

    this aged well

    • @enno1162
      @enno1162 3 months ago +10

      didn't even age, it just welled

  • @Amin-ze2hr
    @Amin-ze2hr 3 months ago +23

    Aged really well. Jblow truly knows what he is talking about. There is no way in hell that the xz backdoor was done by a single sociopath that spent years of investment into social engineering and technical design of the exploit. It had massive funding for sure

  • @replikvltyoutube3727
    @replikvltyoutube3727 6 months ago +60

    Another TempleOS W. It's protected by our lord

  • @Elrog3
    @Elrog3 6 months ago +54

    Closed source is more likely to have spyware run by the nation the company is based in but open source software is more vulnerable to international cyber attacks.

    • @dennis.blondell-decker
      @dennis.blondell-decker 5 months ago +4

      Listen to the first 3 minutes again, please.

    • @Elrog3
      @Elrog3 5 months ago +7

      @@dennis.blondell-decker Done. Why did you ask me to do that?

    • @see-sharp
      @see-sharp 3 months ago

      @@dennis.blondell-decker You got owned bro

  • @friedrichmyers
    @friedrichmyers 2 months ago +3

    This aged like fine wine

  • @immanuellitzroth1905
    @immanuellitzroth1905 2 months ago +3

    I love the part where they start calling bullshit at each other.

  • @sferavel
    @sferavel 3 months ago +17

    Aged like a fine wine

  • @jfftck
    @jfftck 6 months ago +23

    I can tell you that a lot of closed source software uses open source libraries, so none of the software would be free from this type of exploitation.

  • @dfaultkey
    @dfaultkey 6 months ago +25

    Funny he mentions Heartbleed. OpenSSL patched it really quickly after it was DISCOVERED and many companies worked together to roll out security updates. Can't say the same for commercial software. There might be a 1993 zero-day lingering around in the legacy codebase of Windows through which someone is logging in and out of our Windows machines silently. Probably not, but we have no means of DISCOVERING it and fixing it. No new engineers will touch the legacy code base. Old engineers who wrote it are either no more (bless their souls) or retired, except for a very few people who cannot possibly maintain such legacy code bases. Open source may not be perfect but is way better than hiding the code and saying "Trust us".

  • @remixisthis
    @remixisthis 6 months ago +14

    A lot of governments can also pay or force maintainers of open/closed source software to allow backdoors or bugs. Also, almost every large company has spies or family/spouses who are spies

  • @Burgo361
    @Burgo361 5 months ago +3

    I can see your point; there are people out there who could create something like this that we wouldn't understand even if they explained what they did step by step. There are a lot of insanely smart people out there.

  • @aziz9488
    @aziz9488 3 months ago +14

    This aged well hahaha

  • @mlv60
    @mlv60 2 months ago +1

    "fly a dude" I'm dead 😂 I can binge these forever, thank you for uploading them ❤

  • @redetrigan
    @redetrigan 6 months ago +17

    Is there any clip where Jonathan Blow talks about something he likes or thinks is good?

    • @davidspagnolo4870
      @davidspagnolo4870 4 months ago +18

      Yes, the ones where he talks about himself.

    • @jackbotman
      @jackbotman 4 months ago

      @@davidspagnolo4870 HAH

  • @an_imminence
    @an_imminence 6 months ago +3

    In Open Source, people who introduce vulns are paid 200k+, people who find them are frequently not paid at all. There's no competition here. Why are they paid so much? Because buying an existing vuln would be orders of magnitude more expensive and (because you bought it from someone) by definition known by others / exploited by others. Whereas your own vuln added by you is known only to you until patched. Exclusivity built-in for 1% of the price. It's a no-brainer from just a financial perspective. The Linux code police does not have the funding of a state actor, much less the funding of 10.

  • @shableep
    @shableep 6 months ago +53

    I’ve been listening to a bunch of videos of this guy spitting wisdom about programming. But this hot take makes me a little skeptical of things he said that I agreed with and took at face value. So I guess I now have a healthy skepticism.

    • @solitary200
      @solitary200 6 months ago +13

      He has plenty of bad takes.
      He’s an average game dev with a hot mic.

    • @youtubeenjoyer1743
      @youtubeenjoyer1743 6 months ago +6

      @@solitary200 I'm sure an average game dev has analyzed the industry and concocted their own compiled language to address the problems they have found at least once, or has produced multiple games that sold very well.

    • @solitary200
      @solitary200 6 months ago +1

      @@youtubeenjoyer1743 just because your game sells well doesn’t mean you’re not mid. Point stands. As for Jai, let’s see when it’s released 😂

    • @youtubeenjoyer1743
      @youtubeenjoyer1743 6 months ago +6

      @@solitary200 The point that stands is that you don’t know what an average game dev is.

    • @solitary200
      @solitary200 6 months ago

      @@youtubeenjoyer1743 You're conflating below average game devs and average because you're injecting yourself into the latter.

  • @GonziHere
    @GonziHere 6 months ago +15

    Ultimately, it's a "trust me, bro" from a corporation or a FOSS which I can audit myself. I agree with what he is saying, and yet I feel like FOSS is a significantly better option. Also note that my stuff might be FOSS without it accepting any PRs at all, so he mixes full community development with FOSS as if it is the same thing...
    Generally love the guy but heavy disagree here.

    • @MAXIMILI
      @MAXIMILI 6 months ago

      Sometimes this man is so full of bullshit. That's just had to be said.

    • @stalwart6100
      @stalwart6100 6 months ago +3

      Sure, go audit 1 mil lines of Linux code, I'll give you a week

    • @GonziHere
      @GonziHere 6 months ago

      @@stalwart6100 I can audit more of Linux than of Windows in that week, but my point was elsewhere.

    • @xeoneraldo1254
      @xeoneraldo1254 3 months ago +1

      Now you know he's definitely correct. The many-eyeballs approach just doesn't work.

    • @GonziHere
      @GonziHere 3 months ago

      @@xeoneraldo1254 It was caught pretty fast. And again, I'm not saying that it's perfect, only that the same thing could happen in closed source but without the catching part...

  • @CyberDork34
    @CyberDork34 6 months ago +54

    I think this is kind of a bad take. First of all, his take is pretty much similar to the infamous "hypocrite commit" paper from a few years ago that generated all that drama in the Linux community. The idea was that it was hypothetically possible to insert malicious code into the Linux kernel by submitting commits that claim to fix an issue but actually cause a vulnerability. The issue with the study, besides the fact that they ran it without asking people's permission, is that it kind of ignores the amount of trust required to actually put a change through the Linux kernel, as well as the amount of vetting and testing, often backed by companies with an interest in security, the kernel codebase actually goes through.
    If the NSA wants a backdoor in the Windows kernel for "national security reasons", they can literally just... pay Microsoft to install one. They wouldn't need a sleeper agent or something working for Microsoft to secretly add a vulnerability.
    I'm sure the government studies security vulnerabilities in common FOSS to design attacks and vulnerabilities, but that's not actually special or unexpected information

    • @Narblo
      @Narblo 6 months ago +1

      But didn't they actually merge a malicious commit and have to reverse it and vet the paper authors?

    • @CyberDork34
      @CyberDork34 6 months ago +6

      @@Narblo I believe the story goes that the commits that were merged did not contain the bug the researchers meant for it to contain. But yeah the Linux Foundation went back and cherry pick removed every single commit from the university to the Linux kernel, then vetted them all one by one, finding that the vast majority were clean, and the mistakes that were there weren't really malicious. But I could be misremembering

    • @Aedaeum
      @Aedaeum 6 months ago

      Exactly this... there is more flexibility in buying people than there is in finding some hacker to infiltrate open-source. He's focusing so heavily on one attack vector (open source) rather than realizing a far simpler solution is to just buy or lobby a person to do the dirty work, who is already at a high level within a company/agency. He already admitted that he saw evidence of espionage within large corporations, so I'm not sure why he narrowed his field of vision to open source. In this case, I don't think he's seeing the forest for the trees.

    • @whodis5774
      @whodis5774 5 months ago

      It is a hypothesis worth thinking about.
      The argument of "in Windows it would be worse" is really bad. I don't want to be better than Windows, because that is easy; I want Linux to be GOOD.

    • @viata.
      @viata. 3 months ago +8

      Well, what do you think about this now that the xz utils backdoor thing happened? The guy supposedly released a commit fixing a problem 2 years ago.

  • @peterkovacs8445
    @peterkovacs8445 24 days ago +1

    With the XZ attack we now had a security breach on Linux that went public. If you see the amount of effort that has been put into this, it is not cheap. And the attack was in an underfunded section that has been popular to use.
    The same attack can be done on the closed source side. The effort is complex in a different way. For the American government it is even easier since there are laws. We saw the tries in the past.
    There are fundamental design gaps in today's BIOS setups, also a closed source product, which make it possible for skilled malicious actors to add something there.
    The main issue is money. Money dictates speed. Speed means errors, errors mean security breaches. That's simple. Open source is equally affected, depending. My 2 cents.

  • @TurntableTV
    @TurntableTV 6 months ago +5

    I mean, he's kinda right. I'm a regular Andy that checks for open source alternatives to proprietary stuff, but I'm not competent enough to check if the software I download and run for free is safe or not. I just rely on other people's expertise. That is a risk I'm personally willing to take. Saying that open source software is 100% safe is just silly.

  • @shahabgohar3350
    @shahabgohar3350 3 months ago +5

    OOO boy

  • @amardeep.sahota
    @amardeep.sahota 3 months ago +3

    Nostradamus

  • @wilsonwilson137
    @wilsonwilson137 3 months ago +3

    Welp....

  • @mav45678
    @mav45678 5 months ago +3

    Interestingly, the Russia-Ukraine war so far has shown that (AFAIK) such exploits are NOT a factor. Russia was not able to perform any major cyberattack during the war. And if they can't, then the number of actors developing such exploits must be vanishingly small.

    • @sergeysmyshlyaev9716
      @sergeysmyshlyaev9716 3 months ago

      Not by Russia and not AGAINST Russia. Turns out the best cyber attack USA/NATO could coordinate was cutting off SWIFT, blocking apps on the Apple and Google stores and some DDoS attacks during elections.

  • @RichardBronosky
    @RichardBronosky 3 months ago +1

    11:18 THIS!

  • @MrLordFireDragon
    @MrLordFireDragon 6 months ago +4

    Interested to know how many big closed source projects are genuinely better than open source ones. I think a lot of Jon's arguments held better before all the other problems he has with software started accruing. There simply aren't many software companies out there with professionals making cutting edge bugless software these days; most are full of entry-level programmers filling software with more bugs than they remove.
    The best closed source projects at the moment seem to be stuff like the Affinity Designer suite, stuff put out by smaller companies that haven't been bought and forced to have an absurd profit incentive yet.

  • @oraz.
    @oraz. 6 months ago +1

    Linux was Twitter-guilt-tripped by a weeb into adding Rust to the codebase, so it's safe now.

  • @Summersault666
    @Summersault666 6 months ago +7

    The bug is in the hardware!

    • @youtubeenjoyer1743
      @youtubeenjoyer1743 6 months ago

      Always has been.

    • @igrewold
      @igrewold 6 months ago

      Yeah, almost everything (hardware, firmware & software) is backdoored.
      The movie CITIZENFOUR tells a lot.

    • @eugenkeller
      @eugenkeller 4 months ago

      @@igrewold a movie, LOL

  • @potato9832
    @potato9832 6 months ago

    The problem with the backdoor argument against Linux and Linux apps is that foreign governments have an extremely vested interest in rooting out any backdoors surreptitiously inserted by a US government agency. You're assuming government agency developers are always smarter than developers in other fields or other nations. The US military also has a strong vested interest in making sure there are no backdoors in Linux and Linux apps.

  • @dingoDogMan
    @dingoDogMan 3 months ago +13

    They hated him because he told the truth.

  • @sub-harmonik
    @sub-harmonik 6 months ago +3

    Of course it's possible, especially in a 'memory-unsafe' language like C, but I'll believe it when I see it.
    Most of the exploits previously used have been based on Microsoft or other proprietary vulnerabilities AFAIK (e.g. the SolarWinds attack).
    Also, if they're 'using VPNs' you could just shut down the VPN's servers; you don't have to turn off the entire internet.

  • @dimtool4183
    @dimtool4183 6 months ago

    Because of donations to FOSS, they can just hire 2 people to review the same code all the time as their full time job. Code is reviewed by many others too of course. So this is a very solvable issue.

    • @mettemafiamutter5384
      @mettemafiamutter5384 6 months ago +5

      What donations? Most FOSS is criminally underfunded.

    • @dimtool4183
      @dimtool4183 6 months ago

      @@mettemafiamutter5384 Well, at least the major ones can afford this, like Linux, Blender and Godot. At least hire 1 full time dev that does this (but having to really be sure about his background). Anyway, this doesn't actually affect users of this software, not in very harmful ways as some virus would. It's more targeted on creating chaos somehow, disrupting an enemy government, not just stealing user data (which is useless for enemy governments, especially since they can already buy all kinds of user data now). And to this day, after decades with FOSS, there has still not been any major incident like this, done by an enemy government or just bad actors that want to steal data/blackmail.

    • @dimtool4183
      @dimtool4183 6 months ago

      @@mettemafiamutter5384 additionally, soon you can just have AI analyze all code really fast, and also constantly analyze new added code.

  • @jfftck
    @jfftck 6 months ago +5

    The only issue with this take is that the number of instances of Linux running in the real world would also make it easier to find the exploits, as there are people; also, not every patch is applied to every distribution.

  • @thedeester100
    @thedeester100 6 months ago +5

    So there are a lot of people also monitoring and editing the FOSS every minute of every day. More than the threat actors. As fast as a weakness is exploited by the few, it is patched by the many.

    • @OpenGL4ever
      @OpenGL4ever 4 months ago

      Heartbleed is the best example.

  • @Doomsdayparade
    @Doomsdayparade 5 months ago

    The PirateSoftware guy admits to being one of those people. Targeted foreign power plants.

    • @an_imminence
      @an_imminence 3 months ago

      I think he targeted their own power plants to make them more secure. Don't take "hacking power plants" to mean "hacking foreign power plants maliciously". It's just a shorthand job description.

  • @SimGunther
    @SimGunther 6 months ago +2

    We deal with state every day, why not have every software written as a series of state machines so we can automatically check what state will break the program?
    Oh no, we need a new feature, but we want it done like yesterday, so will you rush through this and not care about reducing code size or testing beyond what is required to pass those "pesky" audits?
    That's software in a nutshell.

  • @gus2603
    @gus2603 6 months ago +10

    My man talking on hacking Windows as if they didn't offer backdoors as a service. They already harvest all of your data by default 😂😂

    • @youtubeenjoyer1743
      @youtubeenjoyer1743 6 months ago +2

      Except these intended backdoors each have multiple unintended backdoors injected by multiple agents sent by different governments.

  • @zxuiji
    @zxuiji 6 months ago +1

    1:30, the reason you're wrong on that particular point is because of how many companies keep their eyes on the Arch Linux codebase, because they stand to lose so much if malicious code gets in there, not to mention the number of distros and regular users too. Distros on the other hand... depends on the distro, but you may have a point.

    • @OpenGL4ever
      @OpenGL4ever 4 months ago +1

      Heartbleed already proved you wrong. Thousands of companies built their foundation on OpenSSL and used it to run their platform, online shop, customer support, etc., and no one found this security hole for years.

    • @zxuiji
      @zxuiji 4 months ago

      @@OpenGL4ever A security bug is not the same as malicious code. If you think it is then you need to see a therapist.

    • @OpenGL4ever
      @OpenGL4ever 4 months ago +1

      @@zxuiji A security bug allows inserting malicious code; that's one major entry point. Your last sentence is kindergarten, grow up!

    • @zxuiji
      @zxuiji 4 months ago

      @@OpenGL4ever And you have just proven you need to see a therapist. Bugs are not intentional, malicious code is. Learn the difference; until then you'll be treated by many (especially myself) as clueless.

    • @OpenGL4ever
      @OpenGL4ever 4 months ago +2

      @@zxuiji
      You're wrong. Intentional security holes are bugs that are intentional. Their task is to look like simple bugs so that they do not allow any conclusions to be drawn about the intention of the perpetrators who installed them. The person responsible can thus deny that they intentionally installed the bug.
      Your insults don't help you, they just force you into the confessional.

  • @zeus000.00
    @zeus000.00 6 months ago +3

    How can someone as smart as JB not understand the difference between open source (anyone can read) and publicly sourced (anyone can write)...

    • @lunabob-ie5qx
      @lunabob-ie5qx 5 months ago +1

      I've never heard anyone use the term "publicly sourced" before

  • @theonlybrian
    @theonlybrian 6 months ago +57

    Really don't understand his and Casey's hate for Open Source and Linux.
    What the hell does open source have to do with package managers?
    And the argument that injecting bugs or such for espionage purposes while running windows is a level of tragedy only Shakespeare could write.
    It's the same argument against Wikipedia.
    "Well anybody can just edit it."

    • @badpotato
      @badpotato 6 months ago +1

      because....

    • @stendeter623
      @stendeter623 6 months ago +4

      Nice argument about Windows. Checking in bad code is a lot harder than writing BS on a wiki though.

    • @ProtossOP
      @ProtossOP 6 months ago +11

      I mean for general purpose Wikipedia is fine, but if you wanna go deeper it’s garbage.
      But yeah I’m with you on back doors in OS. Thinking Windows doesn’t have any takes quite a leap of faith.

    • @wisnoskij
      @wisnoskij 6 months ago +7

      Package managers, while they have some intrinsic benefits, exist because open source software does not work. The idea of an OS was originally an abstraction layer between hardware and software such that someone else with a different sound card could run the same program. Linux has somehow made it such that someone with the same hardware and the same software still cannot run the same binary. You almost need to build software individually on every computer. So they create these compatibility packs of software all built so that they work together.

    • @Fabian-pt4wy
      @Fabian-pt4wy 6 months ago +7

      I think many programs don't run out of the box on Linux. You sometimes have to fight the distribution for basic things that just work on Windows. I had several experiences fighting with Debian about installed packages / non-installed packages and was looking all over the internet for solutions, but couldn't find any. Outside of the realm of package managers, hardware compatibility was also a huge problem for me. You don't want to go down the rabbit hole. I've been a software engineer and security consultant for several years so I wouldn't call it a skill issue :D

  • @freedoompictures6839
    @freedoompictures6839 5 months ago

    I can see why his doom and gloom sermons appeal to a majority of people. People prefer easy to consume arguments over in depth ones.

    • @musashi542
      @musashi542 3 months ago +3

      What do you think now? Take the L, kid

    • @DoubleJumpPunch
      @DoubleJumpPunch 3 months ago

      What's not in-depth about what he said? Where was his explanation lacking?

  • @nikolaiborbe3366
    @nikolaiborbe3366 3 months ago +2

    lol

  • @MichaelEpprecht
    @MichaelEpprecht 3 months ago +1

    With outsourcing, dispersed teams, near-shoring and off-shoring, it is even easier for a malicious (state) actor to inject a team of malicious players.

  • @ElPikacupacabra
    @ElPikacupacabra 6 months ago +1

    He's calling out people, but in fact he's also guessing for the most part. Why act like you're intimately familiar with something that has to be top secret by definition?

  • @pipeliner8969
    @pipeliner8969 3 months ago +1

    What do you think about the Godot Engine?

  • @andretheophilo4102
    @andretheophilo4102 2 months ago +1

    Man, what a bad take, huh

  • @priapushk996
    @priapushk996 6 months ago +1

    Take several seats. Nothing you do is that important.

  • @illegalsmirf
    @illegalsmirf 5 months ago +1

    As a programmer you get paid far too much; a lot of what you do can be simplified and/or automated, and I look forward to the day you lose your priest caste status

    • @fk3239
      @fk3239 4 months ago

      If this is a jab at programmers, this is a strange take. If this is a jab at Blow, sure, sorry.

  • @rihgdb
    @rihgdb 4 months ago +1

    Lots of accusations. No sources.
    But believe him: "I guarantee, …"

    • @johncombo
      @johncombo 3 months ago +8

      Comment aged like milk. John clearly knows what he's talking about.

    • @babylfsh
      @babylfsh a month ago

      @@johncombo The xz backdoor was a perfect storm, and it still got caught before going into major distros. People who view this as a failure of open source don't know what they're talking about at all

  • @tubeincompetence
    @tubeincompetence 6 months ago +20

    Blaming others for guessing, while guessing. 😀

    • @jewelsbypodcasterganesh
      @jewelsbypodcasterganesh 5 months ago

      Well it's a fact that many governments direct resources on spying, particularly via technology. Robert Maxwell (Ghislaine Maxwell's father) being one example.

  • @earthian2777
    @earthian2777 6 months ago +2

    He ALWAYS makes claims without any evidence, and still thinks others need to give their evidence for their claims. You need to read Immanuel Kant.

  • @DanielMircea
    @DanielMircea 6 months ago +50

    Is his point to use Windows because it's less likely to have a government backdoor? Somebody tell him about Snowden.

    • @danboid
      @danboid 6 months ago +27

      @TheIncredibleAverage He doesn't suggest a valid alternative (to Linux) because there isn't one.

    • @tiranito2834
      @tiranito2834 6 months ago +9

      He himself says that Windows has more backdoors lol, we all know that M$ is a company known for their close cooperation with govs to insert backdoors... it's just that it's more expensive to get a backdoor if M$ does not want you to have a backdoor. I know English can be hard and all, but like, listening to the video for more than 2 nanoseconds would have answered your questions.

    • @DanielMircea
      @DanielMircea 6 months ago +5

      @TheIncredibleAverage I watched the entire thing mate, don't go with an ad hominem. He clearly thinks open source is less secure because anyone can contribute.

    • @anthonyewell3470
      @anthonyewell3470 6 months ago +5

      @DanielMircea then you also heard him not suggest using Windows over Linux

    • @DanielMircea
      @DanielMircea 6 months ago +5

      I never said he did, and that's why I phrased my comment as a rhetorical question. The idea is that by his own logic a closed source program will be more secure, just by virtue of them not taking external contributions alone. If we apply this train of thought, Windows would be preferred over Linux in his hypothetical attack against a country's computers by a foreign government. Even if everything sucks, you would still want the solution that sucks the least.

  • @quantum_dongle
    @quantum_dongle 6 months ago +5

    Blow calling out every person who hasn't taken a cyber security class or two lol

    • @dave7244
      @dave7244 6 months ago +4

      Supply chain attacks can happen with proprietary software as well. In fact I think it probably has happened more often.

    • @quantum_dongle
      @quantum_dongle 6 months ago +1

      @@dave7244 I think his point is that regardless of the openness of the source code, the total attack surface and the amount of people who stand to gain from planting vulnerabilities outweigh those trying to find them

    • @dave7244
      @dave7244 6 months ago +4

      @@quantum_dongle He is talking about it being an open source specific problem when it isn't.

    • @igrewold
      @igrewold 6 months ago

      There be certs for infosec: CEH, Security+, CISA, CISSP, etc.
      Cyber is just a myth since some people are still stuck with older net connections like DSL, etc.
      See Jeff Geerling donating his satellite net dish to his cousin.

    • @Bramble20322
      @Bramble20322 3 months ago +1

      @@dave7244 Maybe, but the barrier of entry for closed source software is orders of magnitude higher, and the risks for the agents involved are also orders of magnitude higher.

  • @_start
    @_start 6 months ago +2

    LSP is the greatest thing humanity has ever invented!

    • @CrucialFlowResearch
      @CrucialFlowResearch 6 months ago +2

      No, that's bloatware

    • @igrewold
      @igrewold 6 months ago

      What be that?

  • @SnakeEngine
    @SnakeEngine 6 months ago +5

    His criticism about open source doesn't match the success and quality of Linux.

  • @bastiat6865
    @bastiat6865 5 months ago

    Fuck

  • @gmodrules123456789
    @gmodrules123456789 6 months ago +1

    This guy is so full of shit. If it was so easy to break the Linux kernel, then why hasn't anyone done it yet? The incentives to do this are obviously huge. Yet nothing has happened. Not in the decades since Linux was introduced.
    Does this guy ever provide a single source for what he claims? Ever? Like, even once? Because it seems like all he does is run his mouth, end the sentence with "right?" and then assume that he is correct and that his audience agrees with him.
    Has this man ever faced a single ounce of real scrutiny?

    • @trumpetpunk42
      @trumpetpunk42 6 months ago +3

      Come on, man - he made one cool game. That makes him a cyber security expert!

    • @SurrogateActivities
      @SurrogateActivities 5 months ago +3

      It was done, I guess. "On the Feasibility of Stealthily Introducing Vulnerabilities in Open-Source Software via Hypocrite Commits"

    • @xyangst
      @xyangst 5 months ago +1

      @@trumpetpunk42 2! And he'll release a third one before 2050 maybe 🤔

    • @Bramble20322
      @Bramble20322 3 months ago +5

      Come again?

  • @sporefergieboy10
    @sporefergieboy10 6 months ago +1

    This is just a false dichotomy. Good software will have fewer defects than bad software. It has nothing to do with FOSS vs. proprietary. The method of distribution affects some things like the choice of security through obscurity or the ability to perform public audits. The fractal hell of Linux contributors seems like a deficit and there are documented cases of the espionage issue Jon raises. On the other side of the coin, Windows needs to be restarted every 5 days and there have been 0 days since the last discovered CVE.

  • @thirstisr34l
    @thirstisr34l 6 months ago +2

    I think the issue is that he believes something malicious is happening without proof.

    • @igrewold
      @igrewold 6 months ago

      He guaranteed 17 bugs, which means he did some software engineering witchcraft dubbed grey box testing rather than white & black.
      You might wanna read some SWE book.
      There be lots of coding witchcraft tactics on the corporate level.

  • @etiennez0r846
    @etiennez0r846 months ago

    now we know who is behind the xz backdoor

  • @sv_gravity
    @sv_gravity 6 months ago +14

    I think the channel author is doing dishonest low-effort work, cutting and pasting these clips onto YouTube without any added value by not providing any kind of response or critique, solely relying on the YouTube comment section, which is one of the worst places on the internet to have a meaningful discussion.

    • @josephsmith5110
      @josephsmith5110 6 months ago +11

      The added value is the clip being titled rather than existing in a multi-hour stream archive.

    • @lucasjames8281
      @lucasjames8281 6 months ago +3

      It would detract value if they sat and talked over it. They add value by giving a snippet of a whole subject he’s talked about and titling it. Very few people are gonna sit through a 4 hour stream to find content on a topic that interests them

    • @sergeysmyshlyaev9716
      @sergeysmyshlyaev9716 3 months ago

      That's called a 'highlighter' and this is very common on YT

  • @whatever6223
    @whatever6223 6 months ago

    This channel is a bunch of reuploads from another YouTube channel from 3 years ago. There is no original content here.

    • @igrewold
      @igrewold 6 months ago

      Thanks for the info man

  • @bokunogentoo4420
    @bokunogentoo4420 6 months ago +13

    does he not know that pull requests have to be reviewed and approved by the (FOSS) project owners before someone's contributions are added to the codebase?

    • @stendeter623
      @stendeter623 6 months ago +6

      He has no idea how OSS development works.

    • @spectr__
      @spectr__ 6 months ago +16

      You didn't watch the video...

    • @gamedevjoni
      @gamedevjoni 6 months ago +4

      Linux distribution maintainers often add patches and changes to the projects they package. And usually only binaries are distributed; checksum-level reproducibility is often hard. When there are tens of thousands of packages and far fewer maintainers, and hundreds of distros, a few can poison the well and it is difficult to detect.
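
Added example (not code from the page, the video, or any distribution's packaging tooling) showing why "checksum-level reproducibility" is hard and what a packager has to pin down to get it. The source tree, the two build hosts (HOST_A, HOST_B) and the SOURCE_DATE_EPOCH value are constructed assumptions. Two builds of identical inputs produce different archive hashes purely from build-host metadata, while the payload an installer unpacks is the same; metadata_diff() lists the offending fields, and pack_reproducible() shows the normalisation (sorted entries, fixed mtime, owner 0:0) that makes the hashes match.

```python
"""Added example: checksum-level reproducibility of a package archive.
Not from the page or any project it mentions; inputs below are constructed."""
import hashlib
import io
import tarfile

# Constructed sample source tree: path -> file contents.
SOURCE_TREE = {
    "pkg/Makefile": b"all:\n\tcc -o app main.c\n",
    "pkg/main.c": b'#include <stdio.h>\nint main(void) { puts("hi"); return 0; }\n',
    "pkg/README": b"sample package\n",
}

# Assumed epoch for normalised timestamps; real builds read SOURCE_DATE_EPOCH
# from the environment.
SOURCE_DATE_EPOCH = 1700000000

# Constructed build hosts: same inputs, different incidental metadata
# (build time, build user, directory-walk order).
HOST_A = {"now": 1711000000, "uid": 1000, "gid": 1000, "user": "alice",
          "walk_order": ["pkg/main.c", "pkg/Makefile", "pkg/README"]}
HOST_B = {"now": 1711003600, "uid": 1001, "gid": 1001, "user": "bob",
          "walk_order": ["pkg/Makefile", "pkg/README", "pkg/main.c"]}


def _add(tar, path, data, mtime, uid, gid, uname):
    """Append one regular file entry with explicit metadata."""
    info = tarfile.TarInfo(path)
    info.size = len(data)
    info.mtime = mtime
    info.uid, info.gid = uid, gid
    info.uname = info.gname = uname
    tar.addfile(info, io.BytesIO(data))


def pack_naive(tree, host):
    """Package `tree` the way an unhardened build does: walk order, build time
    and build user all leak into the archive bytes and therefore the checksum."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for path in host["walk_order"]:
            _add(tar, path, tree[path], host["now"], host["uid"], host["gid"], host["user"])
    return buf.getvalue()


def pack_reproducible(tree):
    """Same payload with every host-dependent field pinned: sorted entry order,
    mtime = SOURCE_DATE_EPOCH, owner 0:0 with empty names. (A gzip wrapper
    would additionally need its own header mtime pinned, e.g. `gzip -n`.)"""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for path in sorted(tree):
            _add(tar, path, tree[path], SOURCE_DATE_EPOCH, 0, 0, "")
    return buf.getvalue()


def sha256(blob):
    return hashlib.sha256(blob).hexdigest()


def payload(blob):
    """The file contents an installer would actually unpack, ignoring metadata."""
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:") as tar:
        return {m.name: tar.extractfile(m).read() for m in tar.getmembers()}


def metadata_diff(blob_a, blob_b):
    """Report where two archives differ in everything except file contents,
    i.e. the fields that break checksum comparison without changing what is
    installed. Returns (path, field, value_a, value_b); empty means identical."""
    diffs = []
    with tarfile.open(fileobj=io.BytesIO(blob_a), mode="r:") as ta, \
         tarfile.open(fileobj=io.BytesIO(blob_b), mode="r:") as tb:
        names_a = [m.name for m in ta.getmembers()]
        names_b = [m.name for m in tb.getmembers()]
        if names_a != names_b:
            diffs.append(("<archive>", "entry order", names_a, names_b))
        by_a = {m.name: m for m in ta.getmembers()}
        by_b = {m.name: m for m in tb.getmembers()}
        for name in sorted(set(by_a) | set(by_b)):
            if name not in by_a or name not in by_b:
                diffs.append((name, "presence", name in by_a, name in by_b))
                continue
            for field in ("mtime", "uid", "gid", "uname", "gname", "mode"):
                va, vb = getattr(by_a[name], field), getattr(by_b[name], field)
                if va != vb:
                    diffs.append((name, field, va, vb))
    return diffs


if __name__ == "__main__":
    a, b = pack_naive(SOURCE_TREE, HOST_A), pack_naive(SOURCE_TREE, HOST_B)
    print("naive build A :", sha256(a))
    print("naive build B :", sha256(b))
    print("same payload  :", payload(a) == payload(b))
    for d in metadata_diff(a, b):
        print("  differs:", d)
    r1, r2 = pack_reproducible(SOURCE_TREE), pack_reproducible(SOURCE_TREE)
    print("reproducible  :", sha256(r1), sha256(r1) == sha256(r2))
```

The practical consequence for the point above: comparing a distro's binary package against an independent rebuild only works once the packager has normalised these fields, which is why reproducible-builds projects treat timestamps, ownership, entry order and compressor headers as part of the build contract rather than as noise.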

    • @lucastavares3518
      @lucastavares3518 6 months ago +3

      that's exactly his reason why FOSS is bad: even when the software is made in a good way, it is fucked up in the process of requiring packaging and being packaged for a distribution.
      Debian is a great example of fucking with people's projects with patches

  • @hightidesed
    @hightidesed 5 months ago

    god this man is cynical

    • @marksmith2540
      @marksmith2540 3 months ago +8

      And now proven correct...

  • @twenty-fifth420
    @twenty-fifth420 5 months ago +2

    Basically conspiracism. It is no wonder he thinks Linux is 'too complicated'; he conjectured straw men and cherry-picked arguments that are in no way true.
    There are hundreds of Linux 'forks'; the kernel team has a vested interest in not having any backdoors. Unlike, say, closed source, where the trust is entirely one way and implicit. Not with Linux; it is always explicit in what it wants you to do.
    Also, no software is perfectly safe, but closed source is just as unsafe as open source, with the caveat that if there is a bug or security issue, a closed-source team can hide it. Not so with an open-source team.
    I still use Windows, but Linux is far more comfortable and considerate both to me as a dev and as a user. And there is plenty of open-source, high-quality software that matches its proprietary counterparts, if not trading off in either performance, personability, or practicality (like the learning curve or UI/UX).
    Now, that isn't to say the possibility of a back door will never exist, but it should be substantiated with proof. The closest I can think of is a fork that probably built a backdoor into itself, Red Star OS (built by North Korea's Communist Party and Government). Ironically, a Linux-based OS, probably because they cannot afford Windows nor get it due to sanctions. Otherwise, you can safely dismiss this concern.
    The strongest argument he has is 'software quality', but only on a case-by-case basis. And even then, teachers who could somehow grade Open and/or Closed Source will have to decide quality based on some testable metric. System crashes? Bugs? Security exploits? Or just plain code quality? (Does it look pretty?)

    • @johncombo
      @johncombo 3 months ago +6

      Aged like milk.

    • @Bramble20322
      @Bramble20322 3 months ago +3

      As you were babbling in your response, some dude literally put malicious code inside open source software and was only found because another dude from Microsoft investigated it, lmfao.

    • @boris---
      @boris--- 3 months ago +1

      7:17, he's talking to you

    • @abuDA-bt6ei
      @abuDA-bt6ei 7 hours ago

      What’s the difference between a conspiracy theory and reality? A few months.

  • @AviatorXD
    @AviatorXD 6 months ago +16

    This is by far the most delusional take I've heard from him. A university tried this by adding bugs or exploits to the kernel, and they got caught instantly and are now banned from contributing.

    • @AviatorXD
      @AviatorXD 6 months ago +1

      also at the same time, like he says that state actors probably employ people to plant bugs, the same state actors also probably employ people to find bugs from others, so it kinda fights itself out.

    • @tiranito2834
      @tiranito2834 6 months ago +31

      Don't lie, they weren't caught instantly. They were caught AFTER they published a paper about what they did themselves, which means that Jon is 100% correct. How long would it have taken for the kernel devs to realise that the exploit was there if it wasn't for the fact that they themselves confessed in their paper? If it wasn't for that, the bug would have gone unnoticed for far longer. They got banned because they confessed; otherwise nothing would have happened and the exploit would still be there sitting in the repo.

    • @gabriel-ej7jb
      @gabriel-ej7jb 6 months ago +13

      They didn't get caught, they actually confessed. Some researchers of that university published a paper recounting that they successfully slipped in malicious code into their bug fixes. The paper is called "On the Feasibility of Stealthily Introducing Vulnerabilities in Open-Source Software via Hypocrite Commits".

    • @tiranito2834
      @tiranito2834 6 months ago +7

      @@AviatorXD No, it does not fight itself out. Why would it? As a matter of fact, it adds to it.
      He never defends closed source software or Windows as better alternatives to open source software. All he did is say that bad actors will have a harder time getting backdoors or slipping exploits into closed source software. Simple as that.
      I know "it's Jblow so I must hate hurr durr", but like, put in a little bit of effort and fully listen to what he has to say before you criticise him.
      We already know that M$ is known for cooperating with govs to insert backdoors, and adding tons worth of spyware to their (terrible) OS. The point is that if a third party that MS does not want to give that kind of access wants to achieve it, then they will have to do a lot more work to slip by their security than people who want to slip into open source projects. It's possible, but it's harder. Understand the difference between the words "impossible" and "hard"? I hope you do.

    • @baki9191
      @baki9191 6 months ago

      @@AviatorXD fights itself out? You unironically know fuck all about what you're talking about. Just sit on the bench and let people who know things talk.

  • @MenkoDany
    @MenkoDany 6 months ago

    Jon is wrong on this one, big time. I know Linux kernel devs and they're on top of it. Linux's biggest issue is reliance on Linus's guiding hand. He has handed off a lot of responsibilities already, but still there's no replacing Linus.

  • @pipeliner8969
    @pipeliner8969 3 months ago +2

    I don't agree with you here

    • @maximumcockage6503
      @maximumcockage6503 3 months ago +8

      8 hours later and they just found that SSH libraries have backdoors in them submitted by open source devs. This comment aged poorly.

    • @pipeliner8969
      @pipeliner8969 3 months ago

      @@maximumcockage6503

    • @pipeliner8969
      @pipeliner8969 3 months ago

      @@maximumcockage6503 I mean, this is not an open source exclusive thing; see the issue with the Apple M chips that was just discovered

    • @musashi542
      @musashi542 3 months ago +3

      @@pipeliner8969 take the L

    • @jesusmgw
      @jesusmgw 3 months ago

      See 7:17

  • @poggybitz513
    @poggybitz513 6 months ago +3

    it has been researched over and over again, and it has been proven that open source is more secure than closed source. The world literally runs on open source software. The software you use, VS Code and Windows, also uses a bunch of open source software. lmao.

    • @youtubeenjoyer1743
      @youtubeenjoyer1743 6 months ago +1

      @TheIncredibleAverage dude trust me

  • @tototitui2
    @tototitui2 5 months ago +10

    Jon has had ups and downs, but this one is incredibly wrong. It is always easy to build up conspiracy theories, but can you give us ONE example then? A real one: show us code and link it to a state actor. It is so intellectually cheap to theorize bullshit.

    • @qwelias
      @qwelias 4 months ago +3

      there was literally a case of uni students Trojaning a bug into Linux as a case study, and then when they disclosed it the whole university got banned from contributing

    • @tototitui2
      @tototitui2 4 months ago

      @@qwelias ha yes I remember this one.

    • @k.8597
      @k.8597 4 months ago +2

      @@tototitui2 choked on your words there, didn't ya

    • @WhoisTheOtherVindAzz
      @WhoisTheOtherVindAzz 3 months ago

      He didn't question whether it was possible @@k.8597

    • @musashi542
      @musashi542 3 months ago

      what about now? Take the L