The Internet, as anyone who works deep in its trenches will tell you, is not a smooth, well-oiled machine.
It's a messy mosaic that has been pieced together over decades and held together with the digital equivalent of duct tape and chewing gum. Much of it depends on open source software that is thanklessly maintained by a small army of volunteer programmers who fix the bugs, plug the holes and ensure that the whole rickety contraption, which is responsible for trillions of dollars in global GDP, keeps working.
Last week, one of those programmers may have saved the Internet from a big problem.
His name is Andrés Freund. He is a 38-year-old software engineer who lives in San Francisco and works at Microsoft. His job is to develop open source database software known as PostgreSQL, the details of which would probably bore you if I could explain them properly, which I can't.
Recently, while performing some routine maintenance tasks, Mr. Freund inadvertently found a hidden backdoor in software that is part of the Linux operating system. The backdoor was a possible prelude to a major cyberattack that experts say could have caused enormous damage, if successful.
Now, in a Hollywood twist, tech leaders and cybersecurity researchers are hailing Freund as a hero. Microsoft CEO Satya Nadella praised his "curiosity and craftsmanship" (twitter.com/satyanadella/status/1774581166039015641). A fan called him "the silverback gorilla of nerds" (twitter.com/vxunderground/status/1774071339671794134). Engineers have been circulating an old web comic, famous among programmers, about how all modern digital infrastructure rests on a project maintained by some random guy in Nebraska. (By their account, Mr. Freund is that random guy from Nebraska.)
In an interview this week, Freund (who is actually a soft-spoken, German-born coder who declined to have his photo taken for this story) said that becoming an Internet folk hero had been disorienting.
"It seems very strange to me," he said. "I'm a pretty private person who just sits in front of the computer and hacks on code."
The saga began earlier this year, when Freund was returning from a visit to his parents in Germany. While reviewing an automated test log, he noticed some error messages that he did not recognize. He was jet-lagged and the messages didn't seem urgent, so he filed them away in his memory.
But a few weeks later, while doing more testing at home, he noticed that an application called SSH, which is used to log into computers remotely, was using more processing power than normal. He traced the problem to a data compression toolset called xz Utils and wondered if it was related to previous errors he had seen.
(Don't worry if these names sound Greek to you. All you really need to know is that these are all small pieces of the Linux operating system, which is probably the most important piece of open source software in the world. The vast majority of the world's servers, including those used by banks, hospitals, governments and Fortune 500 companies, run on Linux, making its security a matter of global importance.)
Like other popular open source programs, Linux is updated all the time and most bugs are the result of innocent mistakes. But when Freund closely examined the xz Utils source code, he saw clues that it had been intentionally manipulated.
In particular, he discovered that someone had placed malicious code in the latest versions of xz Utils. The code, known as a backdoor, would allow its creator to hijack SSH connections to an affected machine and secretly execute their own code on the machine running that SSH server.
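The practical question for an administrator reading this is whether their own SSH server was exposed the way the article describes: sshd only became reachable by the backdoor on systems where it was dynamically linked against liblzma, the xz Utils shared library, and only with the compromised xz releases. The script below is an added example written for this page; it is not code from the article, from Mr. Freund, or from the xz or OpenSSH projects. It assumes the `xz`, `ldd` and `sshd` binaries are on the path, and the affected release numbers it checks against (5.6.0 and 5.6.1) come from the public advisories, not from this article.

```shell
#!/bin/sh
# Added example: local exposure check for the xz Utils / sshd backdoor
# described in the article. Not from the article or from the xz/OpenSSH
# projects. Assumptions: the affected upstream releases are 5.6.0 and 5.6.1
# (taken from public advisories, not from the article); sshd is reachable
# only when it is dynamically linked against liblzma.

# Pull the version number out of the first line of `xz --version` output,
# e.g. "xz (XZ Utils) 5.6.1" -> "5.6.1". Prints nothing on empty input.
parse_xz_version() {
  printf '%s\n' "$1" | sed -n '1s/.*[ ]\([0-9][0-9.]*\).*/\1/p'
}

# Returns 0 (true) when the given version string is one of the releases
# that shipped the backdoor, 1 otherwise. Distribution packages can carry
# a patched 5.6.x with a backported fix, so treat a hit as "check your
# distro advisory", not as proof of compromise.
xz_version_affected() {
  case "$1" in
    5.6.0|5.6.1) return 0 ;;
    *) return 1 ;;
  esac
}

# Prints the liblzma line from ldd if sshd is dynamically linked against it.
# Returns 0 when linked, 1 when not, 2 when sshd or ldd is unavailable.
sshd_links_liblzma() {
  sshd_path=$(command -v sshd 2>/dev/null || printf '%s' /usr/sbin/sshd)
  [ -x "$sshd_path" ] || return 2
  command -v ldd >/dev/null 2>&1 || return 2
  ldd "$sshd_path" 2>/dev/null | grep -F liblzma
}

main() {
  ver=$(parse_xz_version "$(xz --version 2>/dev/null)")
  printf 'installed xz: %s\n' "${ver:-not found}"
  if xz_version_affected "$ver"; then
    printf 'xz %s is one of the affected releases; consult your distribution advisory\n' "$ver"
  fi
  if lib=$(sshd_links_liblzma); then
    printf 'sshd is linked against liblzma: %s\n' "$lib"
  else
    printf 'sshd does not link liblzma, or sshd/ldd is not available here\n'
  fi
}

main
```

The two conditions are checked separately on purpose: a server with an affected xz but an sshd that never loads liblzma was not reachable through this particular backdoor, while a server whose sshd does load liblzma inherits whatever version of that library the distribution shipped.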
In the world of cybersecurity, a database engineer who inadvertently finds a backdoor in a core Linux feature is a bit like a bakery worker who smells a freshly baked loaf of bread, senses something is wrong, and correctly deduces that someone has tampered with the entire global supply of yeast. It's the kind of intuition that requires years of experience and obsessive attention to detail, plus a healthy dose of luck.
At first, Freund doubted his own findings. Had he really discovered a backdoor in one of the world's most scrutinized open source programs?
“It felt surreal,” he said. “There were times when I thought I must have slept poorly and had some fever dreams.”
But his investigations continued to yield new evidence, and last week, Freund sent his findings to a group of open source software developers. The news set the technology world on fire. Within hours, some researchers credited him with preventing a potentially historic cyberattack.
“This could have been the most widespread and effective backdoor ever placed in any software product,” said Alex Stamos, chief trust officer at SentinelOne, a cybersecurity research firm.
Had it gone undetected, Stamos said, the backdoor would have “given its creators a master key to any of the hundreds of millions of computers around the world running SSH.” That key could have allowed them to steal private information, install crippling malware, or cause major infrastructure disruptions, all without being discovered.
(The New York Times has sued Microsoft and its partner OpenAI over allegations of copyright infringement involving A.I. systems that generate text.)
Nobody knows who planted the backdoor. But the plot appears to have been so elaborate that some researchers believe only a nation with formidable hacking capabilities, such as Russia or China, could have attempted it.
According to researchers who went back and looked at the evidence, the attacker appears to have used a pseudonym, "Jia Tan," to suggest changes to xz Utils as early as 2022. (Many open source software projects are governed by a hierarchy: developers suggest changes to a program's code, and more experienced developers known as "maintainers" then have to review and approve the changes.)
The attacker, using the Jia Tan persona, appears to have spent several years gradually earning the trust of the other xz Utils developers and gaining more control over the project, eventually becoming a maintainer and, at the beginning of this year, pushing code containing the hidden backdoor. (The compromised version of the code had already been released, but was not yet in widespread use.)
Freund declined to guess who might have been behind the attack. But he said whoever it was had been sophisticated enough to try to cover their tracks, even adding code that made the backdoor harder to detect.
“It was very mysterious,” he said. “They clearly went to great lengths to try to hide what they were doing.”
Since his findings became public, Freund said, he has been helping teams who are trying to reverse engineer the attack and identify the culprit. But he's been too busy to rest on his laurels. The next version of PostgreSQL, the database software he works on, is due out later this year, and he's trying to make some last-minute changes before the deadline.
“I don't really have time to go for a celebratory drink,” he said.