
Feross Aboukhadijeh

Appearances

The Changelog: Software Development, Open Source

The great escape room (Friends)

3149.426

Yeah, so I think the XZ Utils backdoor was really eye-opening to a lot of developers. It showed the vulnerability of the open-source ecosystem. You had this maintainer who had been tirelessly maintaining this package for 15 years, who was targeted by nation-state actors, who created, like literally, it's like a spy movie, right?

3167.616

They had multiple personas, fake personas that were contacting this poor maintainer and working on him psychologically to convince him over the course of two years to add them to the repository and give them publish permissions. And they did this through a bunch of kind of negative messages, but also by being helpful and by sending good positive pull requests.

3188.699

And what they were able to do is get access to this package. This is built into pretty much every Linux server out there. And what this would have let them do is it would let them SSH into any server and run any command without knowing the password, without being authenticated to the server. So this would have been like a world ending, potentially kind of an attack, right?

3207.795

It would have been probably the worst attack we've ever seen. I'm not exaggerating. It could have been that bad. But we were lucky. Through a total accident, this backdoor dependency had made it into the beta builds of some popular Linux distros. And a developer who was testing out the beta versions of these Linux distros noticed some weird behavior.

3228.126

He noticed that his SSH connection was taking half a second too long. And so he pulled the thread and traced it back to this backdoor dependency. And we were all saved because of this total accident. It's mind-blowing to me for a couple of reasons.

3241.754

Like one, obviously, like, wow, there's literally states out there, countries that are trying to target open source now. Clearly, there's like a team behind this. They probably didn't just work on this one dependency. They were probably working on getting access to many other ones in parallel.

3254.783

If you just look at the time between the emails they sent to the maintainer, they were about a month between some of these emails. So they were probably working on other maintainers and trying to get access during that time. So that's really scary. I also think it's pretty scary to see kind of the fact that it took an accident to find the attack.

3270.298

It makes me think like how many have we not caught as a community? How many have we missed if this one was caught by a total accident? It was eye-opening to a lot of people and it made people realize that there really is a threat in the open source ecosystem. And it's not because most people are bad, it's the opposite.

3283.769

Most people are good, but there are a few bad actors out there taking advantage of the trust in the system. That's really where we come in. We're trying to give every company the tools to protect themselves from those types of attacks. And that's what we do at Socket.