Washington: German software developer Andres Freund was running some detailed performance tests last month when he noticed strange behavior in a little-known program. What he found when he investigated caused a stir throughout the software world and attracted the attention of technology executives and government officials. Freund, who works for Microsoft in San Francisco, found that a back door had been planted in XZ, an open source program widely used across the Internet. Security experts say it is only because Freund spotted the change before the latest version of XZ was widely deployed that the world was saved from a digital security crisis. Satnam Narang, a security researcher at Tenable who has been following the investigation, said, “We really dodged a bullet.”
“It’s one of those moments where we have to wipe our brow and say, ‘We really got lucky with this.’” The near-miss has refocused attention on the security of open source software — free, often volunteer-maintained programs whose transparency and flexibility mean that they serve as the foundation of the Internet economy. Many such projects rely on a small group of unpaid volunteers to wade through the pile of requests for improvements and upgrades.
In a message posted to XZ’s public mailing list in June 2022, Collin, the program’s maintainer, said he was dealing with “long-term mental health issues” and indicated he was working privately with a new developer named Jia Tan. Update logs available through the open source software site GitHub show that Tan’s role grew rapidly. By 2023, the logs show, Tan was merging his own code into XZ. Over the next few months, Tan introduced a nearly invisible back door into XZ, he says.
Collin did not respond to messages seeking comment and said on his website that he would not respond to journalists until he thoroughly understood the situation. Tan did not respond to messages sent to his Gmail account. Reuters has been unable to find out who Tan is, where he is, or who he was working for, but many of those who have reviewed his updates believe Tan is a pseudonym for an expert hacker or group of hackers, presumably working on behalf of a powerful intelligence service. “This is not kindergarten stuff,” said Omkhar Arasaratnam, general manager of the Open Source Security Foundation, which works to protect projects like XZ. “It’s incredibly sophisticated.”
Tan could easily have avoided discovery had it not been for Microsoft developer Freund, whose curiosity was piqued when he noticed odd behavior in the latest version of XZ that he was testing. Microsoft declined to make Freund available for an interview, but in publicly available emails and posts on social media, Freund said there was a series of easy-to-miss clues that led him to discover the back door. “This discovery really required a lot of coincidences,” Freund said on the social network Mastodon. Microsoft CEO Satya Nadella addressed Freund over the weekend in a post on a social network.
The volunteers who maintain the software that governs the Internet are no strangers to low pay or scant recognition, Arasaratnam of the Open Source Security Foundation said, but the feeling that they are being preyed upon by well-resourced spies posing as Good Samaritans was “incredibly scary.” Government officials are also assessing the implications of the near-miss, which has highlighted concerns about the security of open source software. Anjana Rajan, assistant national cyber director, told POLITICO that “we need to have a lot of conversations about what to do next to protect open source code.”
The Cybersecurity and Infrastructure Security Agency (CISA) says it has been relying on US companies that use open source software to funnel resources back into the communities that build and maintain it. Jack Cable, a CISA adviser, told Reuters the burden was on tech companies not only to scrutinize open source software but also to “contribute and help build the sustainable open source ecosystem that gives us so much value.” “It is not clear that software companies are appropriately incentivized to do this.”
Online open source mailing lists are filled with complaints about tech giants demanding that volunteers troubleshoot issues with the open source software that those companies use to earn billions of dollars. Whatever the solution, almost everyone agrees that the XZ episode shows that something has to change. “We got unreasonably lucky here,” Freund said in another Mastodon post. “We can’t rely solely on that to move forward.”
2024-04-07 05:17:33