Kevin Roose, the well-known New York Times technology columnist, recently announced the column's annual Outstanding Technology Awards. Among the several winners is Microsoft database engineer Andres Freund, who received the award for discovering the backdoor in XZ Utils, an open source library used throughout the technology industry; the backdoor could have had serious security consequences on a global scale.
Because the library is also integrated into Linux systems, attackers could have used the backdoor to attack countless Linux servers around the world (bypassing SSH authentication and taking direct control of the server), and the way the whole XZ project was poisoned is itself thought-provoking.
The XZ project had only one main maintainer. A developer using the name Jia Tan then contributed to the project frequently for two years and gained the main maintainer's trust; Jia Tan's ultimate goal was to become a maintainer of the project and plant a backdoor.
In the end, Jia Tan's plan was considered successful: XZ 5.6.0 and 5.6.1 shipped with the backdoor and were merged into several Linux distributions. Thanks to Andres Freund's timely discovery of the problem, a global-scale security incident was averted.
The industry has not yet established Jia Tan's true identity, but it is speculated that the person lives in Eastern Europe and posed as a Chinese developer to carry out the supply chain poisoning. I wonder whether this person's true identity will ever be uncovered.
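As an added defensive check that is not part of the article, the following POSIX shell script flags the two XZ Utils releases the article names as backdoored (5.6.0 and 5.6.1). It parses the first line of `xz --version` output, which is passed in as a string so the logic can be exercised offline, and also reports whether the local sshd binary links liblzma at all, which is the attack path the article describes. The function names and the sample version strings are my own constructions.

```shell
#!/bin/sh
# Added example, not from the article: detect the backdoored XZ Utils releases
# (5.6.0 and 5.6.1) from the first line of `xz --version` output.

# Returns 0 (true) when the version string names one of the affected releases.
# Example input: "xz (XZ Utils) 5.6.1"
is_affected_xz_version() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^xz (XZ Utils) \([0-9][0-9.]*\).*/\1/p')
    case "$ver" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Check the xz binary installed on this host (no-op when xz is absent).
# Returns 1 when an affected release is found, 0 otherwise.
check_local_xz() {
    if command -v xz >/dev/null 2>&1; then
        first_line=$(xz --version 2>/dev/null | head -n 1)
        if is_affected_xz_version "$first_line"; then
            echo "WARNING: affected XZ Utils release installed: $first_line"
            return 1
        fi
        echo "OK: $first_line"
    fi
    return 0
}

# Informational: does the local sshd link liblzma (directly or via another
# library)? A match means the attack path exists on this build, not that the
# host is compromised; the version check above is what decides exposure.
sshd_links_liblzma() {
    sshd_path=$(command -v sshd 2>/dev/null) || return 1
    ldd "$sshd_path" 2>/dev/null | grep -q liblzma
}

check_local_xz
if sshd_links_liblzma; then
    echo "NOTE: sshd on this host links liblzma"
fi
```

Run the script as-is on a host to get a one-line verdict; a distribution that backported a fix while keeping the 5.6.x version string would still be flagged, which is the safe direction for a triage script to err in.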
Kevin Roose said during the award ceremony:
He encountered some strange errors while performing routine maintenance on a little-known open source software package, XZUtils. During his investigation, he accidentally discovered a huge security hole in the Linux operating system, which could allow hackers to control hundreds of millions of computers and bring the world to a standstill.
It turns out that much of our digital infrastructure relies on similar acts of nerdy heroics (Blue Dot note: sic). After writing about Freund's findings, I received tips about other near-disasters involving open source software projects, many of them averted by eagle-eyed volunteers who found bugs and fixed critical code in time to thwart the bad guys.
I can't name them all, but this award says: I see you, open source maintainers, and I appreciate your service.