How was your Easter holiday? Have you made good use of it, for example by preventing a globally destructive cyber attack? No? Then try harder.
This weekend, a tentative, long-standing, and near-successful attempt to put a backdoor in a widely used piece of open-source software was foiled – essentially by accident. From Dan Goodin of Ars Technica:
Researchers have found a malicious backdoor in a compression tool that found its way into widely used Linux distributions, including those from Red Hat and Debian.
Because the backdoor was discovered before the malicious versions of xz Utils were added to production versions of Linux, “it doesn’t really affect anyone in the real world.Will Dormann, a senior vulnerability analyst at security firm Analygence, said in an online interview. “BUT that’s only because it was discovered early due to the sloppiness of bad actors. If it had not been discovered, it would have been catastrophic for the world.”
The hacking attempt is known as a ‘supply chain’ attack. By carefully and slowly pushing updates to a little-known compression tool included with some Linux distributions, a free and open source operating system, the attacker almost gained a backdoor into millions of computers at once. Whether the intention was to bide their time and then use that access for a massive hacking campaign or to carry out a very patient and targeted attack on a single user is unclear at this point, although the patient and methodical nature of the attack is sufficient to Observers speculated that a state actor was behind it.
The backdoor itself was added to the tool by one of the two main developers, who had released three of them year making real and useful contributions and the past two have been one of two official administrators. There’s still a chance the account was compromised, but if it was, it was an extremely cautious takeover: the malicious code was added to the software periodically over a long period of time, with plausible explanations given each time, and then the last backdoor version was completed, the same user went to the developer site for a popular version of Linux to ask if it would use the updated version as soon as possible, because it would supposedly fix critical bugs.
And it came so close to be public. The backdoor version shipped in the beta versions of three different versions of Linux, and for two days in the main release of one distribution, Kali Linux. There, someone with the right private key could start a new encrypted connection and completely hijack the machine.
So how did it get noticed? One Microsoft developer was annoyed that a system was running slowly. That is it. The developer, Andres Freund, was trying to figure out why a system running a beta version of Debian, a Linux distribution, was lagging when making encrypted connections. The delay when logging in was only half a second. That’s it: previously it took Freund 0.3 seconds to log in, and after that it took 0.8 seconds. That annoyance was enough to make him pull out the metaphorical wrench and tear apart his system to find the source of the problem.
Many hands make light work, and many eyes make shallow insects. At least that’s the idea, and sometimes it works. Last month we discussed the ways the open source world can fail to meet expectations:
Giving away software for free is great for a whole host of reasons, but pretty bad at funding the further development of that software. There have been many attempts to solve this, from development models where the software is free but the support is paid, to large companies directly hiring maintainers of important open source projects. Many projects have ended up in a tip- or supporter-oriented model (remember anyone else?), which can work for large, complex tasks, but falls short for some of the simplest – yet most frequently used – pieces of work.
The attack on xz Utils almost became another example of the risks of relying on volunteer work to support some of the world’s most important digital infrastructure. A harried administrator with little time to spare for a side project was suddenly offered help and came under pressure to accept it – likely from the very same group, posting under a few assumed names. Slowly creeping away from his own project, things almost became very unpleasant.
But this case also shows the advantages of the approach. Supply chain attacks are not unique to the open source world, and the vague structure of the attack – getting a job building an underserved piece of critical infrastructure, and working slowly and carefully to find a secret weakness to introduce – is something that is possible, and that also happens in normal companies.
What doesn’t happen is that we can take apart the problematic software piece by piece and pinpoint the exact point at which a malicious backdoor was introduced. If a supply chain attack is successful against a closed company like Apple or Google, even discovering it is extremely difficult for third parties, and resolving it is effectively impossible.
Don’t forget Bureau
There has been a lot of discussion about tech antitrust lately – including in this newsletter – with a focus on two main trends: on the one hand, the rise of AI, and what the industry’s massive data and computing needs mean for competition ; and on the other hand, the increasing tension caused by “gatekeepers”, in EU parlance, who are generally seen as not monopolists in the classical sense of the word, but who nevertheless have market-distorting powers.
And then there’s Microsoft. Despite losing the most famous tech antitrust case in history and being the second-largest publicly traded company in the world, the Windows factory has remained more or less under the radar. Even the acquisition of Activision Blizzard, although the subject of intense scrutiny and a defining moment in the CMA’s growing self-confidence, was ultimately passed in the end.
So it’s sometimes strange to be reminded that doing things like “cloning a big piece of business software and then shipping it for free to all users of your own business software package” is actually exactly the kind of thing regulators look at. down to. And so Reuters reports:
Microsoft will sell its chat and video app Teams separately from its Office product worldwideS The tech giant said this on Monday, six months after it unbundled the two products in Europe in an effort to avoid a possible EU antitrust fine.
The European Commission has been investigating Microsoft’s linking of Office and Teams since a 2020 complaint from rival messaging app Slack, owned by Salesforce.
Since its launch in 2017, Teams has utterly defeated Slack in the enterprise market. How much of that is due to the fact that Microsoft was already dominant in the business office software market and used that position to cross-subsidize its own free-agent competitor to Slack? That’s impossible to say, but the answer probably won’t be “not at all.” Will reversing that now, years after Teams overtook Slack in terms of user count, change things? Reply to a postcard, but not a Teams message, please – the Guardian uses Google Chat.
To read the full version of the newsletter, subscribe to receive TechScape in your inbox every Tuesday