Explain the #xzbackdoor incident to your mom
[Not an April Fool’s Day joke]
#xzbackdoor is a very well-crafted and well-known backdoor insertion incident that has been making waves recently.
It all started with the xz project (a file compression program that is more efficient than zip) that is used in Linux servers all over the world. The project only had 1-2 volunteer maintainers (who worked for free out of passion), so it was not updated very often. Some users even complained that the updates were not timely enough.
A user named Jigar Kumar then pressured the maintainers to let someone named Jia Tan help out. Jia Tan had helped out with other projects in the past, so they seemed like a good candidate.
Jia Tan volunteered to help out with small tasks for 2 years, until the maintainers gave them the authority to approve code into the system.
One day, Jia Tan inserted code that would allow them to hack into the system. However, this code would only work if a special command was run (the code itself did not look dangerous).
Before it could be widely distributed, a developer from Microsoft named Andres Freund noticed that this code was making his SSH logins 0.5 seconds slower. He became suspicious and eventually discovered the cause.
How to explain it to your mother:
Matthew Prince made an interesting post about how to explain this incident to people outside of the tech industry. He compared it to a situation where an old, near-retirement oil pipeline caretaker is working alone for many years. Then, a young man volunteers to help out. After 2 years, the caretaker trusts the young man enough to let them take over.
The young man then secretly adds a special substance to the oil that would cause the city to explode. However, before the oil is sent to the pumps, a researcher at the facility notices that the engines are running 0.5 seconds slower. They then investigate the new ingredients and eventually find the substance.
About the Image:
The image is a long-standing meme in the Open Source world. It shows that behind all the modern systems in the world, there are many Open Source projects that are maintained by volunteers out of passion. They receive no compensation, no attention, and no thanks.
The fact that someone saw this as an opportunity to hack into the system has made people start to ask questions:
- Are there other cases like this?
- Are these Chinese-named developers working alone, or is there someone else behind them?
- How long will these people wait before they can insert malicious code into a project?
Summary:
- The #xzbackdoor incident is a backdoor insertion that was found in the xz program.
- Luckily, it was discovered before it could cause any damage.
- This incident has made people aware of the risks of Open Source.
- There is a need for more checks and support for Open Source projects.
