Last month, while conducting extensive performance testing, German software developer Andres Freund discovered strange behaviour in a little-known programme. What he found during his investigation has alarmed the software industry and caught the interest of government representatives and company leaders.
Freund, a San Francisco-based Microsoft employee, learned that one of the creators of the open-source software programme XZ Utils had deliberately tampered with its most recent version, potentially planting a backdoor into millions of servers on the internet.
The world was spared a digital security crisis, according to security experts, only because Freund discovered the modification before the most recent version of XZ had been widely implemented.
“We really dodged a bullet,” said Satnam Narang, a security researcher with Tenable who has been tracking the fallout from the find. “It is one of those moments where we have to wipe our brow and say, ‘We were really lucky with this one.’”
The near-miss has brought attention back to the security of open source software, which is free and frequently maintained by volunteers. Because of its flexibility and transparency, open source software forms the backbone of the internet economy.
Numerous similar projects rely on a small group of unpaid volunteers battling to emerge from under a mountain of requests for updates and corrections.
For an extended period, XZ, a collection of file compression utilities integrated into Linux OS releases, was overseen by a solitary creator, Lasse Collin.
He seemed to have been under pressure in recent years.
In June 2022, Collin stated he was coping with “longterm mental health issues” in a message sent to a public mailing list. He also hinted that he was working privately with a new developer named Jia Tan and that “perhaps he will have a bigger role in the future.”
GitHub, an open-source software platform, hosts change logs that show how quickly Tan’s involvement grew. By 2023, according to the logs, Tan was merging his own work into XZ, indicating that he had gained a trusted position in the project.
However, after going through the logs, cybersecurity specialists claim that Tan was posing as a helpful volunteer.
They claim that Tan added an almost imperceptible backdoor to XZ over the following few months.
Collin stated on his website that he would not speak with the media until he had a sufficient understanding of the situation, and he did not respond to requests for comment.
Messages sent to Tan’s Gmail account were not answered. While Reuters has not been able to determine Tan’s identity, whereabouts, or employer, many of those who have looked over his updates assume Tan is an alias for a skilled hacker or group of hackers, most likely one operating on behalf of a significant intelligence agency.
Omkhar Arasaratnam, general manager of the Open Source Security Foundation, which supports initiatives like XZ, declared, “This is not kindergarten stuff.” “This is really well-developed.”
If Freund, the Microsoft developer, hadn’t noticed that the most recent version of XZ was occasionally consuming an unusually high amount of processing power on the machine he was testing, Tan could easily have gotten away with it.
Microsoft declined to make Freund available for an interview, but in an email that was made public and in a social media post, Freund said that a sequence of subtle but telling cues led him to the backdoor.
On the social media platform Mastodon, Freund stated that the discovery “really required a lot of coincidences.”
Over the weekend, Freund received congratulations from Microsoft CEO Satya Nadella, who wrote on the social network X that he was thrilled to see how the developer, “with his curiosity and craftsmanship, was able to help us all.”
The news has been depressing for the open source community. The idea of receiving little compensation or recognition is nothing new to the volunteers who maintain the software that powers the internet, but Arasaratnam of the Open Source Security Foundation described the realisation that they were now being pursued by well-funded spies posing as Good Samaritans as “incredibly intimidating.”
Concerns about how to safeguard open source software have been highlighted by the near-miss, and officials are currently considering the ramifications.
In order to defend open source code, “there are a lot of conversations that we need to have about what we do next,” Assistant National Cyber Director Anjana Rajan told Politico.
According to the Cybersecurity and Infrastructure Security Agency (CISA), American businesses that use open source software have been a major source of funding for the communities that create and maintain it. In addition to vetting open source software, CISA adviser Jack Cable told Reuters that IT businesses should also “contribute back and help build the sustainable open source ecosystem that we get so much value from.”
Software companies may not have the right incentives to achieve this. Complaints about tech firms expecting volunteers to debug open source software—which these corporations use to generate billions of dollars in revenue—abound on online mailing groups for open source.
Almost everyone believes that something needs to change after watching the XZ episode, regardless of the answer.
“We got unreasonably lucky here,” said Freund in another Mastodon post. “We can’t just bank on that going forward.”
(Adapted from ChannelNewsAsia.com)