- The United States is grappling with serious cybersecurity questions after a developer discovered deliberate sabotage in XZ Utils, a widely used open source program.
- The program, sabotaged by one of its own developers, could have opened backdoors into millions of servers across the Internet.
- Government officials were alarmed by the incident, which raised concerns about how to protect open source software.
German software developer Andres Freund was running some detailed performance tests last month when he noticed strange behavior in a little-known program. What he found as he investigated shook the software world and captured the attention of technology executives and government officials.
Freund, who works at Microsoft in San Francisco, discovered that the latest version of the open source program XZ Utils had been deliberately sabotaged by one of its developers. The change could have opened backdoors into millions of servers around the world.
Security experts say the world was spared a digital security crisis because Freund discovered this change before the latest version of XZ was widely distributed.
“We really dodged a bullet,” said Satnam Narang, a security researcher at Tenable who has been tracking the fallout from the discovery. “It’s one of those moments where we wipe our brows and say, ‘Wow, we were so lucky with this.’”
The near miss has refocused attention on the security of open source software. Such software is free, transparent and adaptable, and is often maintained by volunteers, which has made it the foundation of the Internet economy.
Many of those projects depend on small groups of unpaid volunteers struggling to keep up with a pile of requests for fixes and upgrades.
XZ Utils, a suite of file compression tools shipped in Linux distributions, has long been maintained by a single author, Lasse Collin.
In recent years he appeared to be under strain.
In a message posted to a public mailing list in June 2022, Collin said he was dealing with “long-term mental health issues,” that he was working privately with a new developer named Jia Tan, and hinted that Tan “might have a bigger role in the future.”
A change log available through the open source software site GitHub shows that Tan’s role expanded rapidly. By 2023, the logs show, Tan was merging his own code into XZ, an indication that he had gained a trusted role in the project.
But cybersecurity experts who have combed through the logs say Tan was only posing as a helpful volunteer. In the months that followed, Tan is said to have introduced a barely noticeable backdoor into XZ.
Collin did not respond to messages seeking comment and said on his website that he would not respond to reporters until he had a full understanding of the situation.
Tan did not reply to messages sent to his Gmail account. Reuters has not been able to confirm who Tan is, where he is or who he works for, but many who have examined his updates believe Tan is a professional hacker or an alias for a group of hackers, likely working on behalf of a powerful intelligence agency.
“This is not kindergarten-level stuff,” said Omkhar Arasaratnam, general manager of the Open Source Security Foundation, which works to protect projects like XZ. “This is incredibly sophisticated.”
Tan might easily have succeeded if not for Freund, a Microsoft developer whose curiosity was piqued when he noticed that the latest version of XZ was intermittently using unexpected amounts of processing power on a system he was testing.
Microsoft declined to make Freund available for an interview, but in publicly available emails and social media posts, Freund said a series of easy-to-miss clues led him to discover the backdoor.
“This discovery really took a lot of serendipity,” Freund said on the social network Mastodon.
Microsoft CEO Satya Nadella congratulated Freund in a post on the social network
The findings raised alarm in the open source community. Volunteers who maintain the software that underpins the Internet are no strangers to receiving little pay or recognition, but finding themselves hounded by well-resourced spies posing as good Samaritans is “incredibly threatening,” said Arasaratnam of the Open Source Security Foundation.
Government officials are also weighing the implications of the near miss, which has highlighted concerns about how to protect open source software. “We need to have a lot of conversations about what we do next to protect open source code,” Anjana Rajan, the assistant national cyber director for technology security, told Politico.
The Cybersecurity and Infrastructure Security Agency (CISA) has called on U.S. companies that use open source software to put resources back into the communities that build and maintain it. CISA adviser Jack Cable told Reuters that the burden is on technology companies not only to vet open source software but “to contribute back and help build a sustainable open source ecosystem that we get so much value from.”
It is unclear whether software companies are adequately incentivized to do so. Open source mailing lists are full of complaints from volunteers being asked to fix problems in software that big technology companies use to make billions of dollars.
Whatever the solution, almost everyone agrees that the XZ episode shows something needs to change.
In another Mastodon post, Freund said, “We've been ridiculously lucky here. We can’t just rely on that going forward.”