two sheds
But according to security expert Michał Zalewski, about two years ago a developer “with no prior online footprint” and calling himself Jia Tan appeared out of the blue and started making helpful contributions to the XZ Utils library [linux file in almost universal use]. “Shortly after the arrival of ‘Jia’,” Zalewski continues, “several apparent sock puppet accounts showed up and started pressuring Lasse to pass the baton; it seems that he relented at some point in 2023.” And it seems that the two malware-infected updates were released by this Jia character.
So now the plot thickens. Cybersecurity experts are clearly taking the attack seriously. “The backdoor is very peculiar in how it is implemented, but it is really clever stuff and very stealthy,” a well-known South African security guru told the Economist. Even more interesting is the existence of a concerted online campaign to persuade Lasse Collin to pass control of XZ Utils to “Jia Tan”. This particular guru suspects that the SVR, the Russian foreign intelligence service behind the SolarWinds penetration of US government networks, might even have played a role in the attack.
Who knows? But two clear lessons can be drawn from what we know so far. The first is that we have constructed a whole new world on top of a technology that is intrinsically and fundamentally insecure. The second is that we are critically dependent on open-source software that is often maintained by volunteers who do it for love rather than money – and generally without support from either industry or government.
One engineer’s curiosity may have saved us from a devastating cyber-attack | John Naughton
In discovering malicious code that endangered global networks in open-source software, Andres Freund exposed our reliance on insecure, volunteer-maintained tech
www.theguardian.com