Intelligence agencies vs VLC: "No. We'll never do that" - Lead developer responds | Lex Fridman

Lex Clips

VLC's lead developer discusses how he has refused intelligence agency requests for backdoors, explaining that VLC's offline, open-source nature makes surveillance technically impossible. He also shares stories of legitimate government interactions, like helping US troops play videos in Afghanistan, and describes his philosophical approach to stress management.

Summary

The conversation covers several key dimensions of running VLC, an open-source media player used by millions worldwide. The developer draws a contrast between VLC's situation and that of Pavel Durov (Telegram), explaining that because VLC is a purely client-side tool with no platform infrastructure or telemetry, it cannot be held responsible for content users watch, and no government can compel it to censor or surveil users.

On the topic of government and intelligence agency pressure, the developer confirms that two intelligence agencies asked for backdoors to be placed in VLC, and he refused — emphatically. He describes an extreme level of security consciousness in their build process: compiling on air-gapped machines, compiling the compiler itself from scratch, and using double signatures. He also reveals that a non-Western government agency apparently attempted to push a fake binary onto VLC's servers, which alarmed the team greatly.

The developer explains that legal costs, while a concern, are manageable in Europe — less than $10,000 per year — unlike in the US where legal battles can be bankrupting. He also notes that VLC's open-source and internationally distributed nature makes it nearly impossible to kill: if pressured, he could simply move jurisdiction and restart under a new domain, since the code is already publicly available.

On more positive government interactions, he shares two stories: US police asking for help recovering a damaged video file in a murder case (purely a technical support matter), and a US Army soldier during the Afghan war asking for a fix to VLC's RTSP support because troops were using it to watch movies for morale. The developer patched the issue specifically for them.

Finally, the developer discusses his mental approach to the stress of running a small team (six to eight core contributors, with all legal responsibility falling on him alone). He uses a 'worst case scenario' mental model — always asking whether the outcome leads to death or harm to others — and concludes that since the answer is almost always no, the stakes feel manageable. He views VLC as a tool that, like all tools, will be used for both good and bad purposes, and believes that cannot and should not be the tool's responsibility.

Key Insights

  • The VLC developer confirms that two intelligence agencies requested backdoors into VLC, and he refused in terms he describes as 'a lot less polite' than a simple no, stating clearly that if they had to compromise the software, they would shut it down entirely.
  • VLC's build process is deliberately paranoid for security reasons: binaries are compiled on air-gapped machines that have never been connected to the internet, the compiler itself is compiled from scratch, and a double-signature process is used — motivated in part by a suspected non-Western government agency attempting to push a fake binary onto VLC's own servers.
  • The developer argues that VLC is structurally immune to surveillance demands because it has no telemetry, no platform infrastructure, and no visibility into how users use the software — so when authorities asked whether a specific person watched a specific type of video, his honest answer was 'no idea.'
  • During the Afghan war, a US Army soldier emailed VLC's developer because an RTSP bug was breaking movie playback for troops using VLC for morale — the developer built and delivered a custom patched version specifically for them, noting VLC was likely approved for US Army laptops because it is fully open source and auditable.
  • The developer manages stress by always mentally tracing the worst-case scenario to its endpoint — asking 'am I dead?' or 'am I hurting someone?' — and since the answer for VideoLAN's situation is almost always no, he treats adverse outcomes like lawyer threats or financial losses as trivially acceptable, noting that VLC's total assets are around $50,000 and the source code is already public and unstoppable.

Topics

  • Government backdoor requests and refusals
  • VLC's offline and open-source architecture as a privacy guarantee
  • Legal and regulatory pressures on open-source software
  • Supply chain security and air-gapped build processes
  • Stress management philosophy for high-stakes technical leadership
