Near-miss Cyberattack Worries Officials, Tech Industry
2024-04-13
German software developer Andres Freund was running performance tests last month when he noticed strange behavior in a little-known program. He decided to look into it. What he found frightened those in the software world and drew attention from tech executives and government officials.

Freund works for Microsoft in California. He discovered that the latest version of the open-source software program XZ Utils had been sabotaged by one of its developers. The action could have created a secret door to millions of servers across the internet.

Freund noticed the change before the latest version of XZ became widely used. His observation, security experts say, helped save the world from a digital security crisis.

The near-miss has re-centered attention on the safety of open-source software. Open-source software is free. Volunteers often maintain the programs. Their openness means they serve as the foundation for the internet economy.

Many such projects depend on a small number of unpaid volunteers working on fixes and improvements.

XZ is a collection of file compression tools for the Linux operating system. It was long maintained by a single person, Lasse Collin.

But in a message published in June 2022, Collin said he was dealing with mental health issues. He suggested he was working privately with a new developer named Jia Tan.

Update logs available through the open-source software site GitHub show that Tan's role quickly expanded. By 2023, the logs show, Tan was using his code in XZ. It is a sign that he had won a trusted role in the project.

But cybersecurity experts who have studied the logs say that Tan was only acting like a helpful volunteer. Over the next few months, they say, Tan introduced a nearly invisible backdoor into XZ.

Tan did not return messages sent to his email account. Reuters has been unable to find out who Tan is, where he is, or who he was working for. But many people who have examined his updates believe Tan is a pseudonym for an expert hacker or a group of hackers. Experts say Tan was likely working for a powerful intelligence service.

Tan could easily have gotten away with the actions if Freund had not noticed something unusual. He noticed the latest version of XZ sometimes using an unexpected amount of processing power on the system he was testing.

Microsoft did not make Freund available for an interview. But in publicly available emails and posts to social media, Freund said a series of easy-to-miss clues led him to discover the backdoor.

The find "really required a lot of coincidences," Freund said on the social network Mastodon.

Among those in the open-source community, the discovery has been concerning. The volunteers who maintain the software that supports the internet are used to the idea of little pay or recognition. But the idea that they were now being hunted by well-resourced spies pretending to be volunteers was "incredibly intimidating," said Omkhar Arasaratnam. He is with the Open Source Security Foundation.

For government officials, the incident has raised concerns about how to protect open-source software. Assistant National Cyber Director Anjana Rajan told the online news organization Politico that "there's a lot of conversations that we need to have about what we do next" to protect open-source code.

Whatever the solution, almost everyone agrees the XZ incident shows that something must change.

"We got unreasonably lucky here," said Freund in another Mastodon post. "We can't just bank on that going forward."
Dan Novak adapted this story for VOA Learning English based on reporting from Reuters.

_____________________________________________

Words in This Story

sabotage - v. to destroy or damage something deliberately so that it does not work correctly
maintain - v. to keep something working by correcting problems and making improvements
compression - n. the act of reducing the size of something by using special software
role - n. a part that someone or something has in a particular activity or situation
invisible - adj. impossible to see
pseudonym - n. a name that someone uses instead of his or her real name
interview - n. a meeting at which people talk to each other in order to ask questions and get information
coincidence - n. a situation in which events happen at the same time in a way that is not planned or expected
pretend - v. to act as if something is true when it is not true
intimidate - v. to make afraid
conversation - n. an informal talk involving two people or a small group of people
bank on - phrasal v. to feel confident or sure about