On Good Friday, a Microsoft engineer named Andres Freund noticed something unusual. He uses a software tool called SSH to log securely into remote computers over the Internet, but his interactions with those remote machines were significantly slower than usual. So he did some digging and found malicious code embedded in a software package called XZ Utils that was running on his computer. XZ Utils is a key data compression (and decompression) utility that runs on the Linux operating system, the OS that powers the vast majority of publicly accessible Internet servers around the world. Which means that every such machine runs XZ Utils.
Freund’s digging revealed that the malicious code had reached his machine via two recent XZ Utils updates, and when he alerted the Open Source Security list it emerged that those updates were the result of someone deliberately planting a backdoor in the compression software. This is what is called a “supply chain attack” (like the disastrous SolarWinds attack of 2020) – one in which the malware is not injected directly into the targeted machines, but is instead distributed by infecting the regular software updates that all computer users are wearily accustomed to. If you want to push out malware, infecting the supply chain is a smart way to do it.
So what was the malware discovered by Freund designed to do? Mainly to break the authentication process that makes SSH secure, and thereby create a backdoor that would allow an intruder to gain unauthorised remote access to the entire system. Since SSH is a critical tool for the secure functioning of the networked world, anything that breaks it is really bad news – which is why the cybersecurity world has been on high alert for the past week. Users of the various Linux distributions around the world have been warned of the dangers posed by the two malicious updates.
So the stable door is now bolted and, with luck, the horses have not yet bolted. None of this would be true, however, if Freund were not so stubborn and curious. “The world owes Andres unlimited free beer,” remarked one security expert. “He just saved everyone’s asses in his spare time.”
In some ways, the story of how the malware got into the updates is even more instructive. XZ Utils is open source software, i.e. software whose source code anyone can review, modify and improve. Much open source code is written and maintained by small teams of developers, and in many cases by a single individual. At XZ Utils that person has for years been Lasse Collin, who has been with the project since its inception. Until recently, he was the person who compiled and distributed software updates.
But it seems that in recent years the job of maintaining such a crucial piece of software has become more difficult, and he has reportedly had health problems as well. (We don’t know for sure, because he decided to take a year off from the internet some time ago.) According to the security expert Michał Zalewski, about two years ago a developer with “no previous online track record” who goes by the name of Jia Tan appeared out of the blue and started making useful contributions to the XZ Utils library. “Shortly after the arrival of ‘Jia,’” Zalewski continues, “several supposed sock puppets appeared and began pressuring Lasse to hand over the baton; he appears to have given way at some point in 2023.” The two malware-infected updates appear to have been issued by this character Jia.
Now the plot thickens. Cybersecurity experts are clearly taking the attack seriously. “The backdoor is very unusual in the way it’s implemented, but it’s a really clever thing and very stealthy,” a well-known South African security guru told the Economist. Even more interesting is the existence of a concerted online campaign to persuade Lasse Collin to transfer control of XZ Utils to “Jia Tan”. This guru suspects that the SVR, the Russian foreign intelligence agency behind the SolarWinds intrusion into US government networks, may even have played a role in the attack.
Who knows? But two clear lessons can be drawn from what we know so far. The first is that we have built a whole new world on top of a technology that is intrinsically and fundamentally insecure. The second is that we are critically dependent on open source software that is often maintained by volunteers who do it for love, not money – and generally without industry or government support. We can’t go on like this, but we will. Those whom the gods wish to destroy they first make complacent.
What I read
How tacit
How could Trump actually turn the USA into a fascist state? Robert Reich outlines Trump’s five-phase plan on his Substack.
Consequences of the Conservative government
What did 14 years of Conservative rule do to Britain? You know the answer, but Sam Knight provides some helpful details in this New Yorker essay.
Our priceless planet
Why capitalism cannot solve the climate crisis, as Professor Brett Christophers explains in Time magazine.