What Everyone Missed About The Linux Hack

2024-04-01 Science & Technology
294.9k
13.6k
1.3k
Theo - t3․gg
539.0k subscribers

Description

The xz exploit pushed the limits of social engineering, code obfuscation, package distribution and more. I'm concerned the important parts aren't being covered, so I decided to do a vid.

FOLLOW LOW LEVEL: @LowLevelTV

This blog post carried the video: https://robmensching.com/blog/posts/2024/03/30/a-microcosm-of-the-interactions-in-open-source-projects/

Follow Rob as well: https://twitter.com/robmen

Maintainer's blog post: https://tukaani.org/xz-backdoor/

Diagram: https://twitter.com/fr0gger_/status/1774342248437813525

S/O Ph4se0n3 for the awesome edit 🙏

Top Comments (10)

@meschine 2024-04-01

Thanks for highlighting this topic, Theo. We need to do more to support OSS maintainers. I share your feelings of anger and horror for this maintainer: Lasse Collin. While writing my thoughts down, I tried hard to keep _most_ of the anger out of the text but my keyboard suffered. This is a particularly scary situation but I worry because it's not uncommon. It needs to change.

1.5k 27 replies
@Lucas-gt8en 2024-04-01

Dude this poor original maintainer. Even when you somehow ignore the chaos and felt responsibility there’s also the fact that somebody that he trusted lied about probably pretty much everything. I’d be genuinely surprised if this was not orchestrated by a state agency of a major country (US, Russia, China, Western EU) but I doubt we’ll ever find out

473 20 replies
@DarylMetzler 2024-04-01

This attack hit the entire software exploit playbook. Built trust? Check. Socially engineered a situation? Check. Built an elaborate, difficult to detect exploit? Check. Managed to infiltrate a wide scope of possible downstream systems? CHECK! I hope there is recourse against this (these?!) bad actor(s).

770 24 replies
@planetmarshalluk 2024-04-02

Really interesting video. I do think that the developer who discovered the exploit should be given a bit more respect than just "some random guy at Microsoft". They clearly went to a lot of effort and care about the quality of their work.

613 16 replies
@FabianLopez_lomba 2024-04-02

Imagine finding this exploit only to be called "a random Microsoft engineer"

1.6k 43 replies
@embedyt 2024-04-01

this xz stuff is honestly so interesting, crazy that some guy at Microsoft only found it because he happened to be benchmarking and noticed a 500ms difference in ssh login speed. if he never noticed we'd probably not know about this until it was way too late.

723 17 replies
@Ewan_Valentine 2024-04-01

That maintainer needs the world's biggest hug, support and love from everyone in our industry

414 13 replies
@bobbybyrne1899 2024-04-02

If you work in a company, advocate for time and/or money to be put towards the FOSS tools and libraries the company uses frequently. It's how the open source model is supposed to work. It's also a PR gold mine to show how your company is contributing back in meaningful ways. Helps attract talent as well.

27
@CFSworks 2024-04-02

I fully agree that it's unacceptable to be blaming Lasse or how the XZ Utils project has been run, and even from day one I was not seeing any significant deviation from the standard operating procedure. He was doing everything "the right way." But, human nature being what it is, most people are in denial of the fact that the FOSS ecosystem *itself* is what's vulnerable/targeted here, and they're desperate to fault XZ/Lasse for the attack to maintain that denial: "He screwed up by accepting weird PRs." (He did not, Jia was given full committer access.) "He screwed up by letting the code get overly complex enough for the backdoor's entry point to hide in plain sight." (It wasn't in plain sight, Jia added it manually to the release tarballs.) "The project shouldn't have been releasing curated tarballs, those should come from git-archive automatically." (Perhaps, but this was standard practice, not individual sloppiness.) Don't get me wrong, I think we're going to learn some valuable ways to change the "standard operating procedure" of FOSS to make it more resilient against this kind of thing even in the face of a burned-out maintainer and malicious co-maintainer, but we NEED to have these discussions in the context of the status quo not being good enough, rather than Lasse being not good enough to follow the status quo.

144 7 replies
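The comment above raises the point that the backdoor's entry point lived only in the hand-curated release tarballs, not in the repository, and that release archives derived directly from version control would have been easier to audit. The following is an added example, not code from the video or from the xz project: it compares a "release" tarball against a tarball generated straight from version control (what `git archive` would produce for the tagged commit) and lists files that only exist in the release, files missing from it, and files whose contents differ. Both tarballs, their file names and contents are constructed in memory here so the check runs offline; the project name `demo-1.0` and the file paths are made up for the demonstration.

```python
"""Diff a curated release tarball against a VCS-generated tarball.

Added example (not from the video or the xz project). In practice you would
pass the downloaded release tarball and the output of `git archive` for the
release tag; here both archives are constructed in memory.
"""
import hashlib
import io
import tarfile


def _member_digests(tar_bytes):
    """Map each regular file (top-level directory stripped) to its SHA-256 hex digest."""
    digests = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            # Release and VCS archives usually differ in their top-level prefix
            # (e.g. "demo-1.0/" vs "demo-v1.0/"), so compare paths below it.
            path = member.name.split("/", 1)[1] if "/" in member.name else member.name
            data = tar.extractfile(member).read()
            digests[path] = hashlib.sha256(data).hexdigest()
    return digests


def compare_tarballs(release_tar, vcs_tar):
    """Return which files exist only in the release, only in VCS, or differ in content."""
    release = _member_digests(release_tar)
    vcs = _member_digests(vcs_tar)
    return {
        "only_in_release": sorted(set(release) - set(vcs)),
        "only_in_vcs": sorted(set(vcs) - set(release)),
        "modified": sorted(p for p in release.keys() & vcs.keys() if release[p] != vcs[p]),
    }


def build_tarball(prefix, files):
    """Build an in-memory .tar.gz from {relative_path: bytes}; used for constructed test data."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, data in sorted(files.items()):
            info = tarfile.TarInfo(name=f"{prefix}/{path}")
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed sample data (hypothetical project "demo"): the VCS tree, and a
# "curated" release that carries one edited build file and one extra file.
VCS_FILES = {
    "configure.ac": b"AC_INIT([demo], [1.0])\n",
    "src/main.c": b"int main(void) { return 0; }\n",
}
RELEASE_FILES = dict(VCS_FILES)
RELEASE_FILES["configure.ac"] = b"AC_INIT([demo], [1.0])\n# line present only in the tarball\n"
RELEASE_FILES["build-aux/extra.m4"] = b"dnl file absent from version control\n"


def demo():
    """Run the comparison on the constructed sample archives."""
    return compare_tarballs(build_tarball("demo-1.0", RELEASE_FILES),
                            build_tarball("demo-v1.0", VCS_FILES))


if __name__ == "__main__":
    for key, paths in demo().items():
        print(f"{key}: {paths}")
```

Anything reported under `only_in_release` or `modified` is material that never went through code review in the repository and is exactly where a reviewer should look first; an empty report for all three keys means the release archive is fully reproducible from the tagged source.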
@CodingGimmic 2024-04-01

Social Engineering hack was Kevin Mitnick's #1 skill when he was wanted and still alive.

140 4 replies