Had it been widely distributed, the backdoor would have been a potential disaster for millions of people.
The project was subsequently commandeered by responsible parties and has since been fixed.
It certainly won't be the last.
Here, for the uninitiated, is our attempt to give you that tour.
The Web Runs on FOSS
Today, the vast majority of codebases rely on open-source code.
It is estimated that 70 to 90 percent of all software stacks are composed of it.
Most people have never even heard of it.
Why Use Open Source?
Open-source projects can start as pretty much anything.
Often, they are small projects for digital tinkerers who simply want to build something new.
Eventually, some projects get popular, and private companies will begin incorporating them into their commercial codebases.
These days, most of those components come from the open-source community.
But with speed and agility comes vulnerability.
Those problems can get pretty hairy pretty quickly, often with disastrous results.
Bugs From Hell
The XZ episode didn't end in disaster, but it easily could have.
One instance where web users weren't so lucky was the notorious Log4Shell incident.
Unfortunately, Log4j's bug, dubbed Log4Shell, was quite bad.
Like the XZ bug, it involved remote code execution.
Due to Log4j's popularity, the scope of the bug was massive.
Major, multi-billion dollar companies were affected.
Hundreds of millions of devices were vulnerable.
The discovery of the bug sent corporate America into a full-blown panic and spooked the highest levels of the federal government.
Some of the biggest companies in the world were at risk, making it a matter of national security.
The federal government, meanwhile, began developing its own strategies to further regulate the tech industry.
Understanding the risks in FOSS, however, isn't easy.
It requires a detour into the unique ecosystem that produces so much of the world's software.
Indeed, security experts and FOSS proponents contend that the opposite is true.
Explaining the role of the maintainer is a little complicated.
Maintainers might aptly be compared to the construction workers who, in the real world, build our roads and bridges.
Or, the engineers who design them.
Maintainers host their open-source projects on public repositories, the most popular of which is GitHub.
These repositories include interactive mechanisms that are ultimately controlled by the maintainer.
It's through this collaborative process that open-source projects continually grow and transform.
Yet, for all of that work, a whole lot of maintainers are not paid particularly well.
Most are not paid at all.
Open source is supposed to be free, remember?
In fact, it was just the opposite.
FOSS grew out of an idealistic hacker movement from the 1980s called the free software movement.
The idea behind the collection was user control.
Stallman balked at the idea that private companies could keep software behind a walled garden.
Reportedly out of boredom, Torvalds created a new operating system kernel, which came to be named Linux, after him.
Today, there are hundreds of Linux distributions (or distros) that use the kernel that Torvalds created.
The hope was that businessmen would forget Stallman's hippy-dippy stuff and buy into the more pragmatic-sounding term.
It turns out that they did buy it.
Today, the world runs on open source, though it's still a term Stallman categorically rejects.
He still prefers the term free software.
A 2020 Linux Foundation survey of contributors similarly found that more than half of respondents, approximately 51.65 percent, said they were unpaid.
Maintainer burnout has been blamed for the XZ incident.
This user ended up being the person who introduced the backdoor into the software component.
On Reddit, you're able to find thread after thread where developers discuss ways to bootstrap FOSS financing.
Some suggest turning to Liberapay, an open-source crowdfunding platform known for doling out money to cash-stressed devs.
Others think Patreon is a good option.
As with most creative endeavors, begging for money ends up being the surest way to make a buck.
As Callas suggests, the problem with OpenSSL seemed inevitably to come back to the maintainers.
"It is a real problem," Callas said of open source's maintenance issues.
"Figuring out how software packages, which are basically [digital] infrastructure, get supported and maintained is a huge issue."
Heartbleed exposed a real problem with what had been the operating paradigm for open-source security until that time.
For years, the FOSS world was guided by a doctrine that said open-source software was more secure than commercial software.
This is what is known as the "more eyes" argument.
There is an elegant logic to this argument, but it also has shortcomings.
The more eyes argument works in an ideal world, one where FOSS projects get everything they need.
More often than not, FOSS projects have fewer eyes than they need, not more.
Or, maybe they might have the wrong eyes looking at them, like those of a cybercriminal.
It's undeniable that a certain number of FOSS projects are incredibly secure.
The Linux kernel is said to have been pored over by some 14,000 different contributors since 2005.
The incident fundamentally pivoted corporate Americas attention to the security issues surrounding open source for the first time.
Yet if Heartbleed was a canary in the digital coal mine, it ultimately wasn't one that everybody heeded.
Today, the problems arent limited to the occasional catastrophic bug.
Indeed, they're a whole lot more complicated than that.
In our modern world, commercial software is everywhere.
Today, so-called software supply chain attacks are relatively common.
More often than not, the components that allow initial access into supply chains are FOSS.
One person who knows this complex threat landscape well is Dan Lorenc.
"You can't necessarily trust everybody writing the code," said Lorenc.
The update enabled the criminal to hack into a certain brand of cryptocurrency wallets and steal their funds.
The malicious code, downloaded some 8 million times, went unnoticed for approximately two months.
Cases of FOSS developers sabotaging their own projects have also been trending upward.
"Actually, this sort of situation pops up all the time," he said.
But, really, it's a complicated problem.
Taking Inventory
So, what to do?
That question has been keeping a lot of people up at night.
Weird as it may sound, a lot of companies don't do that.
Not super appealing, right?
Would you want to live or work in a building like that?
Such tools provide an inventory of a particular piece of software, generated automatically by cataloguing the components it is built from.
The software bill of materials is all about telling you what's in there and where it came from.
SBOMs have been around for years, but they have mostly been used to weed out legal risks.
Now, however, they're seeing adoption to mitigate an entirely different kind of risk.
Mackey said that, since the order went through, his industry has seen an explosion of interest.
"It's been an incredible boost in business," he said.
In fact, they dont do anything to mitigate risks that exist in code.
They just give you a good baseline.
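To make the baseline point concrete, here is an added example (not code from the article, from Mackey's company, or from any SBOM vendor) showing what a consumer of an SBOM actually does with it: read the component inventory out of a CycloneDX-style document and check each name and version against an advisory feed. The SBOM document and the two-entry advisory feed are constructed for this example, modeled on the incidents the article discusses (Log4Shell affected log4j-core 2.x before 2.15.0; the XZ backdoor shipped in xz-utils 5.6.0 and 5.6.1); the version comparison is a deliberately simple dotted-numeric one, so pre-release suffixes such as "beta" are ignored. The SBOM supplies the inventory; the matching step is the separate work that turns it into a risk finding.

```python
import json

# Constructed minimal CycloneDX-style SBOM for a fictional application.
# Only the fields this example reads are included.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "log4j-core", "version": "2.14.1",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
    {"type": "library", "name": "xz-utils", "version": "5.4.6",
     "purl": "pkg:generic/xz-utils@5.4.6"},
    {"type": "library", "name": "openssl", "version": "3.0.13",
     "purl": "pkg:generic/openssl@3.0.13"}
  ]
}
"""

# Constructed advisory feed (assumption: a real feed would be fetched from an
# advisory database). Each entry covers the half-open range
# [introduced, fixed) of a package.
ADVISORIES = [
    {"label": "log4shell", "name": "log4j-core",
     "introduced": "2.0", "fixed": "2.15.0"},
    {"label": "xz-backdoor", "name": "xz-utils",
     "introduced": "5.6.0", "fixed": "5.6.2"},
]


def parse_version(v: str, width: int = 3) -> tuple:
    """Turn '5.6.1' into (5, 6, 1), padding with zeros to `width` parts.

    Non-numeric suffixes are dropped ('2.0-beta9' -> (2, 0, 0)), which is a
    simplification: a production matcher needs the ecosystem's own ordering.
    """
    parts = []
    for piece in v.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    parts += [0] * (width - len(parts))
    return tuple(parts[:width])


def is_affected(version: str, introduced: str, fixed: str) -> bool:
    """True when introduced <= version < fixed under dotted-numeric ordering."""
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


def load_components(sbom_json: str) -> list:
    """Return the component inventory from a CycloneDX JSON document."""
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    # Components without a name and version cannot be matched; skip them.
    return [c for c in doc.get("components", [])
            if "name" in c and "version" in c]


def match_advisories(components: list, advisories: list) -> list:
    """Cross the inventory with the feed; one hit per affected component."""
    hits = []
    for comp in components:
        for adv in advisories:
            if adv["name"] == comp["name"] and is_affected(
                    comp["version"], adv["introduced"], adv["fixed"]):
                hits.append({"component": comp["name"],
                             "version": comp["version"],
                             "purl": comp.get("purl"),
                             "advisory": adv["label"]})
    return hits


if __name__ == "__main__":
    inventory = load_components(SBOM_JSON)
    print("inventory:", ", ".join(f"{c['name']}@{c['version']}" for c in inventory))
    for hit in match_advisories(inventory, ADVISORIES):
        print(f"AFFECTED {hit['component']}@{hit['version']} ({hit['advisory']}) {hit['purl']}")
```

Running the script lists all three components as the baseline and flags only log4j-core 2.14.1; xz-utils 5.4.6 predates the backdoored releases, so it is not reported. Note what the code does not do: nothing here patches, pins, or blocks anything. That is the point the article makes about SBOMs, and it also means the result is only as good as the advisory feed and the version-ordering rules applied to it.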
Some have argued that nothing short of a system-wide overhaul will secure the Internet.
Arasaratnam describes his job as "securing the internet," a task he admits is incredibly difficult.
A better descriptor might be impossible.
"If we get this right, we help 8 billion people," he says.