Near-miss Cyberattack Worries Officials, Tech Industry

2024-04-13

German software developer Andres Freund was running performance tests last month when he noticed strange behavior in a little-known program. He decided to look into it. What he found frightened those in the software world and drew attention from tech executives and government officials.

Freund works for Microsoft in California. He discovered that the latest version of the open-source software program XZ Utils had been sabotaged by one of its developers. The action could have created a secret door to millions of servers across the internet.

Freund noticed the change before the latest version of XZ became widely used. His observation, security experts say, helped save the world from a digital security crisis.

The near-miss has re-centered attention on the safety of open-source software. Open-source software is free. Volunteers often maintain the programs. Their openness means they serve as the foundation for the internet economy.

Many such projects depend on a small number of unpaid volunteers working on fixes and improvements.

XZ is a collection of file compression tools for the Linux operating system. It was long maintained by a single person, Lasse Collin.

But in a message published in June 2022, Collin said he was dealing with mental health issues. He suggested he was working privately with a new developer named Jia Tan.

Update logs available through the open-source software site GitHub show that Tan's role quickly expanded. By 2023 the logs show Tan was using his code in XZ. It is a sign that he had won a trusted role in the project.

But cybersecurity experts who have studied the logs say that Tan was only acting like a helpful volunteer. Over the next few months, they say, Tan introduced a nearly invisible backdoor into XZ.

Tan did not return messages sent to his email account. Reuters has been unable to find out who Tan is, where he is, or who he was working for. But many people who have examined his updates believe Tan is a pseudonym for an expert hacker or a group of hackers. Experts say Tan was likely working for a powerful intelligence service.

Tan could easily have gotten away with the actions if Freund had not noticed something unusual. He noticed the latest version of XZ sometimes using an unexpected amount of processing power on the system he was testing.

Microsoft did not make Freund available for an interview. But in publicly available emails and posts to social media, Freund said a series of easy-to-miss clues led him to discover the backdoor.

The find "really required a lot of coincidences," Freund said on the social network Mastodon.

Among those in the open-source community, the discovery has been concerning. The volunteers who maintain the software that supports the internet are used to the idea of little pay or recognition. But the idea that they were now being hunted by well-resourced spies pretending to be volunteers was "incredibly intimidating," said Omkhar Arasaratnam. He is with the Open Source Security Foundation.

For government officials, the incident has raised concerns about how to protect open-source software. Assistant National Cyber Director Anjana Rajan told the online news organization Politico that "there's a lot of conversations that we need to have about what we do next" to protect open-source code.

Whatever the solution, almost everyone agrees the XZ incident shows that something must change.

"We got unreasonably lucky here," said Freund in another Mastodon post. "We can't just bank on that going forward."

Dan Novak adapted this story for VOA Learning English based on reporting from Reuters.
_____________________________________________

Words in This Story

  • sabotage - v. to destroy or damage something deliberately so that it does not work correctly
  • maintain - v. to keep something in good working condition; to keep a program updated and fixed
  • compression - n. the act of reducing the size of a file by using special software
  • role - n. a part that someone or something has in a particular activity or situation
  • invisible - adj. impossible to see
  • pseudonym - n. a name that someone uses instead of his or her real name
  • interview - n. a meeting at which people talk to each other in order to ask questions and get information
  • coincidence - n. a situation in which events happen at the same time in a way that is not planned or expected
  • pretend - v. to act as if something is true when it is not true
  • intimidate - v. to make afraid
  • conversation - n. an informal talk involving two people or a small group of people
  • bank on - phrasal v. to feel confident or sure about