The XZ Utils Backdoor has (finally?) penetrated the non-tech press


Those of us who are deep in the tech world remember about 6 weeks ago when all our social media and news feeds were talking about the XZ Utils backdoor. (Here’s a great writeup from my favorite tech site, Ars Technica)

Really quick, bulleted recap:

  • XZ Utils provides the really awesome xz compression format. (In fact, earlier this month I got some Linux image files to run off an SD card that were compressed in xz.)
  • SSH uses XZ Utils
  • Only one guy was effectively maintaining it
  • Someone, or some group pretending to be one person, social engineered the maintainer into giving them commit access
  • They used that access to insert a backdoor
  • Because it's pulled into SSH, it would have made every computer on the net vulnerable
  • LUCKILY it was found (by accident – see the Ars Technica story) before it made it out of most (all?) Linux distro test repositories

I was incredibly surprised to hear about it today on Planet Money's episode: The hack that almost broke the Internet. It's a really great episode to share with your non-techie friends who want to understand what you were stressed about and why it matters to everyone, not just techies. Of all the Linux distros, they start off interviewing someone from Red Hat! (My favorite Linux distro family.) The episode then goes back to the 1980s to explain the origins of open source (not FLOSS, there's no rms here – it's Bruce Perens they interview) before bringing it back to the present and explaining how the social engineering attack happened and what it affected. (There's also a quick moment explaining how MS went from hating OSS to supporting it.) I thought it was an incredibly well-produced episode that brings everything into context for those who aren't neck-deep in Linux and/or open source. Give it a listen and pass it along!