The fragility of open source

How a lone coder uncovered a Linux backdoor that could have sent shockwaves through the open source supply chain.

04 June 2024

Alistair Fairweather

On Good Friday, while most of the world was on holiday, a Microsoft software engineer named Andres Freund was fiddling with a problem only a dedicated craftsman would even notice. The tool he (and millions of other engineers) used to access remote computers, called SSH, was using more computing power than usual. He dug a bit deeper and stumbled onto a "back door", a piece of code that would allow hackers to directly control countless computers worldwide.

Over the next few days, it emerged that the backdoor in question had been painstakingly smuggled into XZ Utils – an open source compression utility – over a period of two years. But wasn't Freund debugging SSH? Yes, and that neatly encapsulates both the power and the challenge of open source software – SSH relies on XZ Utils to function, a relationship that computer scientists call a "dependency".
