US averted ‘digital security crisis’ after software sabotage discovered by developer

  • The US is grappling with significant cybersecurity questions after a developer discovered an act of sabotage within the open source compression program XZ Utils.
  • The program, which was deliberately sabotaged by one of its developers, could have opened a secret door to millions of servers across the Internet.
  • Government officials are weighing the incident, which has raised concerns about how to protect open source software.

German developer Andres Freund was running some detailed performance tests last month when he noticed some strange behavior in a little-known program. What he discovered during his research sent shivers through the software world and caught the attention of tech executives and government officials.

Freund, who works for Microsoft in San Francisco, discovered that the latest version of the open source software program XZ Utils had been deliberately sabotaged by one of its developers, a move that could have opened a secret door to millions of servers across the Internet.

Security experts say the world was spared a digital security crisis only because Freund spotted the change before the latest version of XZ was widely distributed.

“We really dodged a bullet,” said Satnam Narang, a security researcher at Tenable who followed the fallout from the discovery. “It’s one of those moments where we have to wipe our foreheads and say, ‘We really got lucky with this.’”

Illustration caption: A developer was running some detailed performance tests last month when he noticed strange behavior in a little-known program. What he discovered during his research sent shivers through the software world and caught the attention of technical executives and government officials. (REUTERS/Dado Ruvić/Illustration/File Photo)

The near miss has refocused attention on the security of open source software – free programs often maintained by volunteers whose transparency and flexibility mean they serve as the bedrock of the Internet economy.

Many such projects depend on a small circle of unpaid volunteers who struggle to get out from under the pile of requests for repairs and upgrades.

XZ, a set of file compression tools packaged in Linux distributions, has long been maintained by a single author, Lasse Collin.

In recent years, Collin appeared to be under pressure.

In a message posted to a public mailing list in June 2022, Collin said he was dealing with “long-term mental health issues” and hinted that he was working privately with a new developer named Jia Tan and that he “may have a bigger role in the future.”

Update logs available through the open source software site GitHub show that Tan’s role expanded rapidly. By 2023, the logs show, Tan was merging his code into XZ, a sign that he had won a trusted role in the project.

But cybersecurity experts who have examined the records say Tan was only pretending to be a willing volunteer. Over the following months, they say, Tan introduced an almost invisible backdoor into XZ.

Collin did not return messages seeking comment and said on his website that he would not respond to reporters until he understood the situation well enough to do so.

Tan did not respond to messages sent to his Gmail account. Reuters has been unable to determine who Tan is, where he is or who he worked for, but many who have reviewed his updates believe Tan is a pseudonym for a professional hacker or group of hackers — possibly those working on behalf of a powerful intelligence agency.

“This is not a kindergarten,” said Omkhar Arasaratnam, managing director of the Open Source Security Foundation, which works to defend projects like XZ. “This is incredibly sophisticated.”

Tan could have easily gotten away with it if it weren’t for Freund, a Microsoft developer whose curiosity was piqued when he noticed that the latest version of XZ was occasionally using an unexpected amount of processing power on the system he was testing.

Microsoft declined to make Freund available for an interview, but in publicly available emails and social media posts, Freund said a series of easy-to-miss clues led him to uncover the backdoor.

The find “really required a lot of serendipity,” Freund said on the Mastodon social network.

Microsoft CEO Satya Nadella congratulated Freund over the weekend, saying in a post on social network X that he loved seeing how the developer, “with his curiosity and skill, was able to help us all.”

In the open source community, the revelation was sobering. The volunteers who maintain the software that powers the Internet are no strangers to little pay or recognition, but learning they were now being hunted by well-equipped spies posing as good Samaritans was “incredibly terrifying,” Arasaratnam said.

Government officials are also weighing the implications of the near miss, which has highlighted concerns about how to protect open source software. Assistant National Cyber Director Anjana Rajan told Politico that “we need to have a lot of conversations about what we’re going to do next” to protect open source code.

The Cybersecurity and Infrastructure Security Agency (CISA) says it is counting on US companies that use open source software to return resources to the communities that build and maintain it. CISA adviser Jack Cable told Reuters the onus is on tech companies not only to examine open source software, but also to “contribute and help build the sustainable open source ecosystem that we get so much value from.”

It’s not clear whether software companies are properly incentivized to do so. Internet open-source mailing lists are abuzz with complaints about tech giants demanding that volunteers fix problems with the open-source software those companies use to make billions of dollars.

Regardless of the solution, almost everyone agrees that the XZ episode shows that something has to change.

“We got unreasonably lucky here,” Freund said in another Mastodon post. “We can’t just count on it in the future.”
