Free beer is not OK

The phrase “free, as in beer” is often used in connection with Open Source software, to indicate that the software is being given to users without any expectation of payment. This distinguishes it from “free, as in speech” which might erroneously suggest that the software could do whatever it liked.

Actually, were it not for Andres Freund’s recent discovery, a certain piece of software called xz utils might have actually become free to do whatever it liked (or more correctly, whatever its evil master desired). NIST gives it a criticality of 10/10. Freund announced his discovery a month after the tainted xz had been released, though thankfully before it had worked its way into production systems.

The xz utilities provide various data compression features that are widely used by many other software packages and notably sshd, the software responsible for providing secure access to a server by administrators. By compromising sshd, an attacker armed with a suitable digital key (matching the one injected into the poisoned xz utilities) could easily access the server and do absolutely anything. Steal data. Initiate fraudulent transactions. Forge identities. Plant additional malware. Encrypt or destroy everything on the server, and anything securely connected to the server. The ramifications are terrifying.

This was no ordinary attack. The attacker(s) created a number of personas as far back as 2022, notably one named Jia Tan, to gradually pressure the XZ Utils principal maintainer Lasse Collin into trusting the malicious contributors. Once trust had been established, a complex set of well-hidden modifications were made, and Tan released version 5.6.0 to the unsuspecting world. An attack so sophisticated suggests nation-state involvement, and fingers are pointing in many directions.

There is currently no universally accepted mechanism to determine the bona fides of open source contributors. Pressuring a lone project maintainer to let you into the inner circle, especially one who is exhausted/poor/vulnerable, is therefore a viable attack vector. Given the number of “one person” open source projects out there, many of which have roles in critical infrastructure, it would surprise nobody if it were to be revealed that other projects have also been subject to similar long-term attacks.

For now, the best we can hope for is increased vigilance, more lucky breaks like that of Andres Freund and perhaps better support/funding for the open source developers.

Categorised as: Coding, Operating Systems, Security, Technology

Comment Free Zone

Comments are closed.