- But late last week, security experts uncovered a serious and deliberate flaw that could leave networked Linux computers susceptible to malicious attacks.
- The flaw has since been confirmed as a critical issue that could allow a knowledgeable hacker to gain control over vulnerable Linux systems.
- This system has created huge benefits for the world in the form of free software, but it also carries unique risks.
Open source and XZ Utils
- By contrast, with “open-source” software, the source code is openly available and people are free to do what they like with it.
- One recent study estimated the total value of open source software in use today at US$8.8 trillion.
- Until around two years ago, the XZ Utils project was maintained by a developer called Lasse Collin.
- The latest version of XZ Utils, containing the backdoor, was set to be included in popular Linux distributions and rolled out across the world.
A rapid response
- Well, despite initial appearances, it doesn’t mean open-source software is insecure, unreliable or untrustworthy.
- A response on this scale would not have been possible with closed-source software.
Lessons to be learned
- First, it demonstrates the ease with which online relations between anonymous users and developers can become toxic.
- One user account complained: “You ignore the many patches bit rotting away on this mailing list.”
- “I am sorry about your mental health issues, but it’s important to be aware of your own limits.”
- Even now, that adversary will be learning from how system administrators, Linux distribution producers and codebase maintainers are reacting to the attack.
Where to from here?
- It is not only their code itself they will be worrying about, but also their code distribution mechanisms and software assembly processes.
- My colleague David Lacey, who runs the not-for-profit cybersecurity organisation IDCARE, often reminds me the situation facing cybersecurity professionals is well articulated by a statement from the IRA.
Sigi Goode does not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.