Feross Aboukhadijeh
Appearances
The Changelog: Software Development, Open Source
The wrong place to slap a person (Friends)
Yeah, so I think the XZ Utils backdoor was really eye-opening to a lot of developers. It showed the vulnerability of the open-source ecosystem. You had this maintainer who had been tirelessly maintaining this package for 15 years, who was targeted by nation-state actors, who created... like, literally, it's like a spy movie, right?
They had multiple personas, fake personas that were contacting this poor maintainer and, you know, working on him psychologically to convince him over the course of two years to add them to the repository and give them publish permissions. And they did this through a bunch of kind of negative messages, but also by being helpful and by sending good positive pull requests.
It's really like, I really think it's out of a spy movie, just kind of the level of effort that they put into this. And what they were able to do is get access to this package. This is built into pretty much every Linux server out there. And what this would have let them do is it would have let them SSH into any server and run any command on the server without knowing the password, without being authenticated to the server. So this would have been like a world-ending, potentially, kind of an attack, right? It would have been probably the worst attack we've ever seen. I'm not exaggerating. It could have been that bad, but we were lucky.
Through a total accident, this backdoored dependency had made it into the beta builds of some popular Linux distros, but it hadn't made it all the way out to the stable version yet. And a developer who was testing out the beta versions of these Linux distros noticed some weird behavior: he noticed that his SSH connection was taking half a second too long.
And so he pulled the thread and traced it back to this backdoored dependency, and we were all saved because of this total accident. It's mind-blowing to me for a couple of reasons. One, obviously, wow, there are literally states out there, countries, that are trying to target open source now. Clearly there's like a team behind this. They probably didn't just work on this one dependency.
They were probably working on getting access to many other ones in parallel. If you just look at the time between the emails they sent to the maintainer, there was about a month between some of these emails. So they were probably working on other maintainers and trying to get access during that time. So that's really scary.
I also think it's pretty scary to see kind of the fact that it took an accident to find the attack. It makes me think like, how many have we not caught as a community? How many have we missed if this one was caught by a total accident? It was eye-opening to a lot of people, and it made people realize that there really is a threat in the open-source ecosystem.
And it's not because most people are bad. It's the opposite. Most people are good, but there are a few bad actors out there taking advantage of the trust in the system. That's really where we come in. We're trying to give every company the tools to protect themselves from those types of attacks. And that's what we do at Socket.
9,999,000.
It's 32 fluid ounces.