- The United States is grappling with serious cybersecurity concerns after a developer discovered sabotage inside the open source program XZ Utils.
- The program could have been intentionally sabotaged by one of its developers, opening a secret door to millions of servers on the Internet.
- Government officials are alarmed by the incident, raising concerns about how to protect open source software.
German software developer Andres Freund noticed strange behavior in a little-known program last month while running detailed performance tests. What he discovered in his research shocked the entire software industry and garnered attention from technology executives and government officials.
Freund, who works for Microsoft from San Francisco, discovered that the latest version of the open source software program XZ Utils had been intentionally sabotaged by one of its developers, opening a secret back door to millions of servers on the internet around the world.
Security experts say the world was spared a digital security crisis only because Freund discovered the changes before the latest version of XZ was widely rolled out.
“We really dodged a bullet,” said Satnam Narang, a security researcher at Tenable who has been tracking the impact of the discovery. “It’s one of those moments where you have to raise your eyebrows and say, ‘We were really lucky this time.’”
A software developer was running detailed performance tests last month when he noticed strange behavior in a little-known program. His findings shocked the entire software industry and attracted the attention of technology company executives and government officials. (Reuters/Dado Ruvik/Illustration/File photo)
This near-miss incident has brought renewed attention to the safety of open source software. Open source software consists of free, often volunteer-maintained programs that form the foundation of the internet economy because of their transparency and flexibility.
Many such projects rely on a small circle of unpaid volunteers who fight their way through a mountain of requests for fixes and upgrades.
XZ is a suite of file compression tools packaged with Linux operating system distributions, long maintained by a single author, Lasse Collin.
In recent years, he seemed nervous.
In a message posted to a public mailing list in June 2022, Collin said he was dealing with “long-term mental health issues” and said he was personally working with a new developer named Jia Tan. “Maybe he’ll play a bigger role in the future,” he said.
Update logs available on the open source software site GitHub show that Tan’s role expanded rapidly. By 2023, the logs show Tan merging his own code into XZ, indicating that he had earned a trusted role on the project.
But cybersecurity experts who reviewed the logs said Tan was only posing as a volunteer. Over the next several months, they say, Tan introduced a nearly invisible backdoor into XZ.
Collin did not respond to messages seeking comment and said on his website that he would not respond to reporters until he fully understood the situation.
Tan did not reply to messages sent to his Gmail account. Reuters has not been able to confirm who Tan is, where he is or who he worked for, but many who have examined his recent activity believe he is a professional hacker, or a pseudonym for a group of hackers, working on behalf of a powerful intelligence agency.
“This is not a kindergarten story,” said Omkar Arasaratnam, general manager of the Open Source Security Foundation, which advocates for projects like XZ. “This is incredibly sophisticated.”
If it wasn’t for Microsoft developer Freund, Tan might easily have gotten away with it. Freund became curious when he noticed that the latest version of XZ was intermittently using an unexpected amount of processing power on the system he was testing.
Microsoft declined to interview Freund, but in publicly available emails and social media posts, Freund said a series of overlooked clues led to the discovery of the backdoor.
The discovery “really required a lot of serendipity,” Freund said on the social network Mastodon.
Microsoft CEO Satya Nadella congratulated Freund over the weekend, saying in a post on the social network X that Freund “was able to help us all with his curiosity and craftsmanship.” Nadella added that he loved to see it.
In the open source community, the discovery was sobering. The volunteers who maintain the software that powers the internet, accustomed to little pay and recognition, now find themselves being hunted by well-funded spies posing as Good Samaritans. That realization is “incredibly frightening,” said Arasaratnam of the Open Source Security Foundation.
Government officials are also weighing the impact of the near miss, which highlights concerns about how to protect open source software. Anjana Rajan, assistant national cyber director, told Politico that “we need to have a lot of conversations about what we do next” to protect open source code.
The Cybersecurity and Infrastructure Security Agency (CISA) said it is relying on U.S. companies that use open source software to pour resources into the communities that build and maintain it. Jack Cable, a CISA advisor, told Reuters that tech companies bear a burden not only to scrutinize the open source software they use but also to “contribute and help build sustainable open source ecosystems from which we derive tremendous value.”
It is not clear whether software companies are properly incentivized to do so. Online open source mailing lists are filled with complaints about big tech companies asking volunteers to troubleshoot problems with the open source software those companies use to make billions of dollars.
Whatever the solution, almost everyone agrees that the XZ episode shows that something needs to change.
“We got undeservedly lucky here,” Freund said in another Mastodon post. “We can’t count on that going forward.”