Written by Raphael Satter
WASHINGTON (Reuters) – German software developer Andres Freund was conducting detailed performance testing last month when he noticed strange behavior in a little-known program. What he discovered in his research shocked the entire software industry and garnered attention from technology executives and government officials.
Freund, who works for Redmond, Washington-based Microsoft, discovered that the latest version of the open source program XZ Utils had been intentionally sabotaged by one of its developers, a change that could have opened a backdoor into millions of servers across the internet.
Security experts say the world was spared a digital security crisis only because Freund discovered the changes before the latest version of XZ was widely rolled out.
“We really dodged a bullet,” said Satnam Narang, a security researcher at Tenable who has been tracking the impact of the discovery. “It's one of those moments where you have to raise your eyebrows and say, 'We were really lucky this time.'”
The near miss has brought renewed attention to the security of open source software: free, often volunteer-maintained programs that, because of their transparency and flexibility, serve as the foundation of the internet economy.
Many such projects rely on a small circle of unpaid volunteers who work through a mountain of requests for fixes and upgrades.
XZ is a suite of file compression tools packaged with Linux operating system distributions and long maintained by a single author, Lasse Collin.
In recent years, he appeared to be under strain.
In a message posted to a public mailing list in June 2022, Collin said he was dealing with “long-term mental health issues” and was working with a new developer named Jia Tan. “Maybe he'll play a bigger role in the future,” he said.
Commit logs on the code-hosting site GitHub show that Tan's role expanded rapidly. By 2023, the logs show, Tan was merging code into XZ, indicating that he had earned a trusted role on the project.
But cybersecurity experts who reviewed the logs said the person using the name Tan was only posing as a volunteer. Over the following months, they say, Tan introduced a nearly invisible backdoor into XZ.
Collin did not respond to messages seeking comment and said on his website that he would not respond to reporters until he fully understood the situation.
Tan did not reply to messages sent to the Gmail account used for the project. Reuters has not been able to confirm who Tan is, where Tan is located, or for whom Tan worked, but many who have examined the recent activity believe Tan is either a professional hacker or a pseudonym for a hacking group, working on behalf of a powerful intelligence agency.
“This is not a kindergarten story,” said Omkar Arasaratnam, general manager of the Open Source Security Foundation, which advocates for projects like XZ. “This is incredibly sophisticated.”
“We were lucky.”
Had it not been for Freund, Tan could easily have gotten away with it. Freund became curious when he noticed that the latest version of XZ was intermittently using an unexpected amount of processing power on the system he was testing.
Microsoft declined to make Freund available for an interview, but in publicly available emails and social media posts, Freund said a series of easily overlooked clues led him to the backdoor.
The discovery “really required a lot of serendipity,” Freund said on the social network Mastodon.
Microsoft CEO Satya Nadella praised Freund over the weekend, writing on the social network X that he loved seeing how Freund “was able to help us all with his curiosity and craftsmanship.”
In the open source community, the discovery was sobering. The volunteers who maintain the software that powers the internet, accustomed to little pay and little recognition, now had to reckon with the fact that a well-resourced spy had been among them, posing as a Good Samaritan. That realization was “incredibly frightening,” said Arasaratnam of the Open Source Security Foundation.
Government officials are also weighing the implications of the near miss, which has highlighted concerns about how to protect open source software. Anjana Rajan, an assistant national cyber director in the White House Office of the National Cyber Director, told Politico that “we need to have a lot of conversations about what we do next” to protect open source code.
The Cybersecurity and Infrastructure Security Agency (CISA) said U.S. companies that depend on open source software should pour resources into the communities that build and maintain it. Jack Cable, a CISA advisor, told Reuters that technology companies have a responsibility not only to scrutinize the open source software they use but also to “contribute and help build sustainable open source ecosystems from which we derive tremendous value.”
It is not clear whether software companies are sufficiently incentivized to do so. Open source mailing lists are full of complaints about big technology companies asking volunteers to troubleshoot problems in open source software that those companies use to make billions of dollars.
Whatever the solution, almost everyone agrees that the XZ episode shows that something needs to change.
“We got undeservedly lucky here,” Freund said in another Mastodon post. “We can’t count on that going forward.”
(Reporting by Raphael Satter; Editing by Chris Sanders and Nick Zieminski)