Recently, the Linux world was shocked by this exploit that was found in XZ. XZ is this compression utility that's kind of a standard on Linux and really all Unix-like operating systems, really all operating systems, period. And you know, people wanted to know my thoughts on it. You know, I really don't comment on the latest news events, especially security news. That's not the kind of stuff I like covering on my channel. Plenty of people have already covered that and, to be honest, it's kind of old news. You know, this kind of breaking news, after a couple of days it's already patched and, you know, nobody really is interested in learning the details of the exploit anymore. So I'm not going to talk about XZ in those terms. What I wanted to talk about, since people did want to know my thoughts, is let's have a little bit of a conversation about how this exploit and exploits like it really highlight just how wonderful the Linux community is, the free and open source software community is. And in some cases, how vulnerable we are. Now to me, what I found most fascinating about the XZ exploit was it really highlighted that the people that are trying to add this malicious code into our free and open source software, many times it's not an individual. It's not just one guy that's got an axe to grind or, you know, he's trying to put a crypto miner on your system or something like that. This was a really interesting attack because it was a very coordinated attack by a group of individuals that really spent some time to infiltrate this GitHub, this project for XZ on their GitHub. What they did is they all joined gradually and then they started submitting patches and submitting code to the project. Very complicated code that the maintainer, the lead dev, he didn't understand a lot of the code and it was a lot of headache, a lot of work for him to dive into because he was already overworked like many devs in free and open source software, right?
It's a whole lot of work for not a lot of pay, and basically what this group did, they submitted all this code and they got this guy frustrated. They burned him out and then once he realized he was burnt out, they basically asked him to turn over the reins for the project. Hey, if you can't maintain this, if you're not up to the task, hey, just give us the keys to the project and you get out. And it kind of almost seems like this group has to have some kind of money behind it, right? This is too good of an attack to be, you know, just a couple of teenagers in their garage or something. I think this could have been the work of organized crime. It could have been the work of a terrorist organization. It could have been the work of some nefarious corporations somewhere around the world. It could even be the work of a nation, right? Some nation around the world could have wanted this exploit in XZ so they could have, you know, hacked all these machines that are running OpenSSH and systemd, because it wasn't really just an XZ exploit. You had to have XZ. You also had to have SSH enabled. You also had to have systemd. And naturally what they were really targeting was the tens of millions, hundreds of millions of Linux servers around the world. It was going to end up on those countless millions of Debian servers and Red Hat servers, Ubuntu LTS servers. Ubuntu was just about a couple of weeks away from releasing the next version of Ubuntu LTS and Ubuntu LTS server, and the XZ exploit, this group was really wanting this exploit to find its way into the next Ubuntu that's about to drop. They also wanted it in the next Fedora, which is about to drop. And what's crazy, it was really through sheer luck that a developer working for Microsoft found this backdoor, this malicious code. He wasn't really looking for it. He's not into security himself. He wasn't auditing the code. That's not his job. He just found something weird going on with the code.
He was working with Microsoft Postgres and eventually something weird was going on with the latest version of XZ and he started investigating it further, and thankfully he did because many people wouldn't even investigate the problem. They'd find something weird and, hey, whatever, but this guy took the time to investigate it further, document it, let people know about it, and again it was kind of lucky that this thing got caught. This thing could have very easily slipped through and then the next major versions of Ubuntu, Fedora and Debian would all have this built-in backdoor. For those of you that hadn't been following the news, I will say very few Linux distributions were actually affected by this. It's already been patched anyways. You really don't have to worry about it if you've updated your system, but there were very, very few systems that would have ever had this version of XZ, this exploited version of XZ, on the system. For one thing, unless you were running a rolling release distribution, you didn't have to worry about it, right? So really you're talking about distributions like Arch, but even Arch really wasn't affected by this. They sort of were. That version of XZ did end up on Arch, but because exploiting XZ also used OpenSSH and systemd and required some other libraries, Arch for whatever reason didn't link systemd to a certain library that was needed to actually exploit that backdoor, right? So Arch was kind of affected but not really. You were never really going to have that backdoor in Arch. Also NixOS, I think the latest version of XZ didn't make its way into the Nix repositories, but because Nix is kind of weird, I don't think that exploit would have worked on Nix either. So that's a little bit of the backstory about the exploit, how it was discovered luckily and, you know, it's already been fixed.
I'm not going to go into greater detail on the exploit itself as far as the code and what it was possibly going to do to these systems that would have been affected. But I do want to highlight some things that we need to be concerned about with free and open source software. For one thing, burnout. Burnout is a real thing and many free and open source software developers are burnt out. Thousands of hours working on a project, donating their time, freely donating their time in many cases, not earning a dime working on this software, and it's a lot of work, right? It's a lot of pressure, especially once the project becomes big, once it becomes a standard piece of software like the XZ Utils, right? It's very easy for the lead maintainer of a project like that to get burnt out. These hackers, this group, they knew this guy was burnt out. I don't think it was an accident that they picked this particular project with this particular developer who they could already see was overworked. He was frustrated and then they added a whole bunch of extra work. I don't think that was just happenstance. I think they targeted him for that reason. They knew he was burnt out and then they tried to burn him out more, and then once he got frustrated, then they tried to turn the tables on him. Well, hey, man, if you're just not up to the task, you need to go. You know, this is something we're probably going to see more of as Linux grows in popularity. We're going to see these groups target open source projects based on these developers, in many cases, that are just overworked and underpaid. And because of that, these lead maintainers of these open source projects, they themselves are in many cases the exploit, the backdoor, right? That's how these groups are going to get in. In my opinion, this story is more of a human story than a tech story or a code story, right?
It's more about a human being's emotional state, you know, and people preying on that rather than people hacking the code or, you know, like in the movies, you know, finding some kind of backdoor in the code, right? This was much more of the human being being the backdoor. Now, many people want to use this story to highlight the reason why proprietary closed source software is more secure than free and open source software. There's actually people on the Internet. I've seen these people making that claim, right? Especially the people that live in the proprietary software world, right? They want to, you know, stick it to free and open source software. Hey, all of you open source guys that are always saying that open source software is more secure than closed source software. Look at this, F.U. Right. And is there any validity to their argument? Is closed source software as secure as open source software? No, absolutely not. Right. We all know that free and open source software is more secure. It just is because of the nature of it, the community aspect of it. More people work on it. More eyeballs are actually looking at the code, whereas in proprietary closed source software, nobody's looking at the code. At least the only people that can look at the code are the people that work for that company, the proprietor of that software. So does this exploit prove that open source is not as secure as what we thought? No, in my opinion, I think this exploit proves that free and open source software is vastly superior to proprietary software. I mean, think about it. The reason that we were lucky enough to catch this thing is because someone could look at the code. This developer that was working for Microsoft, of all companies, right? He was actually able to look at the code. He was able to inspect this thing. And you couldn't do that if this was proprietary software. And if this was a piece of proprietary software, if this was a proprietary compression tool, right?
Then you wouldn't be allowed to look at the code. You wouldn't even know what the hell was in the code. And he would have known something funny was going on on his computer, but he really couldn't have investigated the problem. So in my opinion, this is a victory for the free and open source model. And I think the fact that these things get patched so quickly in Linux, right, every time we get one of these major exploits, it is patched before the news story is even out, before the articles about it are written, before people are making YouTube videos and audio podcasts about this exploit. It is already patched every single time because it's free and open source software. And because nobody has to wait, you know, there's thousands of people out there that, you know, are part of the free and open source community. And as soon as this stuff crops up, they work to immediately patch that piece of software, to patch all the distributions that were affected by this. Like as soon as this happened, you know, teams at Ubuntu and Red Hat and Debian and Arch, they're already on it. They're already on it. It's patched, again, before most people ever knew this was a real thing. This story was already done. And that really is also a victory for free and open source software. The fact that we're able to patch our exploits so quickly, to the point that really no one, or very rarely anyone, is affected by these things, because these things get patched before the exploits really have a chance to really make their way into the Linux ecosystem, especially the broader Linux ecosystem, where typically these things, like in this case, they exploit the rolling release distributions first and then they work their way into stable release distributions, particularly those that are very heavily focused on the server market. Right. They never got to that point. And this is something that a substantial majority of the Linux community doesn't like to admit, but we need to admit it.
There is a very real use case for the rolling release model, especially on desktop Linux, because without those of us like me and like many of you guys watching this video that choose to run rolling release distributions, especially on our desktops. Right. If we weren't that way, if we weren't the guinea pigs that are testing out this latest and greatest software that gets pushed to us before it gets pushed to things like Debian stable, Ubuntu LTS, Red Hat. If we weren't the guinea pigs, then this malicious software oftentimes wouldn't get found nearly as early and it would make its way into those tens of millions, hundreds of millions of Linux servers out there. And then we would really be facing a serious problem. I've seen way too many people in the Linux community and chat rooms, subreddits, forums, whatever it happens to be, you know, Linux related communities, where this debate comes up all the time between stable release distributions and rolling release distributions. You know, should I run which? And you know what? At the end of the day, run what you want. But I see too many people tell others that they shouldn't run a rolling release or that rolling release is unstable. It's unsafe, yada, yada, yada. You know what? Don't do that. We should be encouraging more people to run rolling release distributions if they want to, if they want to test out new software and experience some breakage. You're right, rolling release has breakage, right? But we need people to test software. We need beta testers, right? So don't discourage people that want to run things like Arch Linux or Gentoo or Debian Sid or whatever it happens to be. Tumbleweed, you know, other rolling release distributions, because we need those people testing the software that eventually makes its way into these, and this might be controversial, much more important Linux distributions.
And let's be fair, the much more important ones are those big enterprise server distributions because those things run the world. And if any of these exploits ever make their way onto those machines, then that's a big deal. I've also seen some Windows fanboys and macOS fanboys come out recently as far as, hey, you Linux guys always talked about the proprietary operating systems like Windows and Mac. They got built-in spyware, built-in keyloggers, built-in backdoors. And look at Linux, you know, we just found a backdoor in Linux. So, you know, how do you know that Linux isn't riddled with backdoors? Well, I don't know. It might be. How do you know Microsoft Windows is not riddled with backdoors? You can't even audit the code of Windows. You can't look at the code because it's proprietary closed source code. At least I can go investigate all of the code with my Linux distribution. I can look at every single line of code if I want to, if I had the knowledge, but here's the thing. I don't have to do that individually. There are millions of other people around the world that are also looking at that code. Who's looking at the code for Microsoft Windows? Unless you're a very privileged person that works for Microsoft, you can't look at the code. You have no idea about what backdoors are built into Microsoft. The same thing with Apple and macOS and iOS and Google with Chrome OS. You have no idea what those operating systems are doing to you. So, you know, it's very disingenuous when you ask a Linux user, hey, are there any backdoors left in Linux? Is there anything you don't know about? Well, there's probably some stuff we don't know about. But here's the thing. We have the chance to find it. We have that possibility. You don't. And as much as I appreciate some of the work that Microsoft has been doing with free and open source software.
And as a matter of fact, this story and the developer that discovered the XZ bug, right, he was actually working for Microsoft on a Microsoft project at the time. And yeah, but still Microsoft, especially with its proprietary software in particular, its proprietary operating system like Windows. Do I trust it? No, we can be 99.9 percent sure that Microsoft Windows has built-in spyware, built-in keyloggers, built-in backdoors that can be exploited not just by Microsoft, but also by other bad actors. And I think this XZ story, what also we should focus on is the fact that the project was hosted on GitHub, which is also owned by Microsoft. It's also a proprietary piece of software, GitHub is. And, you know, if anybody wants to go investigate this group of hackers that infiltrated the XZ project and look through their history and really investigate deeply the GitHub history for these people and try to investigate it in a serious way. Well, who can do that? Well, the only people that can do that are the people that own GitHub. It's Microsoft. They're the only people that can really deep dive into that. Do you trust Microsoft to do a good job with investigating that? Well, honestly, Microsoft is a trillion dollar corporation and they take security seriously, but wouldn't it be better if that was a situation where the community could investigate it? And basically what I'm trying to say is, you know, I left GitHub as soon as Microsoft bought it. Actually, I left GitHub a couple of weeks before it was announced Microsoft bought it. But the rumors were already out there that Microsoft planned on purchasing GitHub. So a couple of weeks before the purchase was final, I moved to GitLab because GitLab is free and open source software. And I think this issue, you know, these kinds of issues are going to keep cropping up, these serious exploits on some of these projects on GitHub.
And wouldn't it be nice if, you know, you were hosting your project on GitLab, which is decentralized free and open source software? I don't know. This is, I don't know if that really solves the problem. I don't even know if that's going to move the needle, but I'm going to talk about it just because I know it's going to be a little bit controversial, but I think more of us in the free and open source software community really need to start pushing GitLab much more so than we've been doing. One last thing I want to mention is one of the biggest complaints with free and open source software and Linux is choice and variety and all the forks of things. There's just too much software. Too many people are working on different things. And, you know, this exploit proves why not having enough choices or having one de facto standard, right? Because honestly, XZ is a standard, SSH, OpenSSH, is a standard, systemd is a standard. And this exploit, you know, preyed on that, that pretty much all these Linux boxes are going to have all of this stuff installed. Even systemd, even though there are non-systemd distributions out there, there's not that many, right, especially in the server world where, you know, Debian and Ubuntu and Red Hat are king. It's all systemd all the time. And as far as systemd goes, I like systemd as an init system. I have no problem with it. But I don't mind there being choices out there. I don't think that people forking software is a problem. You know, I always think more choice is better. And I always rail against people that say that Linux should have standards. There should be a standard this and a standard that, we should all agree on this standard, whatever. No, because the minute you standardize, the minute this sort of thing happens. In closing, I will say that I think this XZ exploit was a good thing.
I think it's a positive thing as far as it's going to get the free and open source software community to start focusing on some things that they need to focus on a little more. I also think it's a positive in that it highlights to everybody why free and open source software is vastly superior to proprietary software, because this exploit, this kind of exploit, could have very well happened in Microsoft Windows or macOS. The only difference is you'd never know about it. Peace, guys.
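The transcript points out that the backdoor only mattered on systems where sshd was linked against systemd's library and, through it, the XZ library, which is why Arch's unlinked sshd was not exposed. As an added example that is not part of the video, here is a small POSIX shell check for that linkage on your own host; the `ldd` listings embedded below are constructed samples, not captured from a real machine.

```shell
#!/bin/sh
# Added example: does this sshd pull liblzma into its process via libsystemd?
# classify_ldd reads `ldd` output on stdin and reports the linkage state.
# Returns 0 when both libsystemd and liblzma appear (the exposed chain the
# transcript describes), 1 otherwise.
classify_ldd() {
    systemd=0
    lzma=0
    while IFS= read -r line; do
        case "$line" in
            *libsystemd.so*) systemd=1 ;;
            *liblzma.so*)    lzma=1 ;;
        esac
    done
    if [ "$systemd" -eq 1 ] && [ "$lzma" -eq 1 ]; then
        echo "exposed: sshd loads libsystemd and liblzma"
        return 0
    elif [ "$systemd" -eq 1 ]; then
        echo "partial: sshd loads libsystemd but liblzma is not in the list"
        return 1
    else
        echo "not linked: sshd does not load libsystemd (the Arch-style case)"
        return 1
    fi
}

# Run the check against the sshd actually installed on this host (needs ldd).
# Returns 2 when no sshd binary is present.
check_installed_sshd() {
    bin=$(command -v sshd 2>/dev/null) || bin=/usr/sbin/sshd
    [ -x "$bin" ] || { echo "no sshd binary found"; return 2; }
    ldd "$bin" | classify_ldd
}

# Constructed sample: a build whose sshd links libsystemd, which in turn
# brings liblzma along, i.e. the chain the transcript says the exploit needed.
SAMPLE_LINKED='	linux-vdso.so.1 (0x00007ffd00000000)
	libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f0000000000)
	liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f0000100000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0000200000)'

# Constructed sample: a build like the Arch case, no libsystemd at all.
SAMPLE_UNLINKED='	linux-vdso.so.1 (0x00007ffd00000000)
	libcrypto.so.3 => /usr/lib/libcrypto.so.3 (0x00007f0000000000)
	libc.so.6 => /usr/lib/libc.so.6 (0x00007f0000200000)'

# Usage on a live host: sh thisfile.sh && check_installed_sshd
printf '%s\n' "$SAMPLE_LINKED" | classify_ldd
printf '%s\n' "$SAMPLE_UNLINKED" | classify_ldd
```

The check only tells you whether the linkage the transcript describes exists on your host; it says nothing about which XZ version is installed, so pair it with your distribution's package update.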