masraum
Join Date: Oct 2001
Location: Central TX west of Houston
Posts: 56,791
Quote:
Originally Posted by 3rd_gear_Ted
Microsoft(wrong) developer did some nefarious stuff.

https://finance.yahoo.com/news/1-why-near-miss-cyberattack-151035964.html
FYI, some random developer named "Tan" did nefarious stuff. A Microsoft developer named Freund discovered the issue.

Excerpts from the article...

Quote:
Freund, who works for Microsoft out of San Francisco, discovered that the latest version of the open source software program XZ Utils had been deliberately sabotaged by one of its developers, a move that could have carved out a secret door to millions of servers across the internet.

Security experts say it’s only because Freund spotted the change before the latest version of XZ had been widely deployed that the world was spared a digital security crisis.

“We really dodged a bullet,” said Satnam Narang, a security researcher with Tenable who has been tracking the fallout from the find. “It is one of those moments where we have to wipe our brow and say, ‘We were really lucky with this one.’”

XZ, a suite of file compression tools packaged into distributions of the Linux operating system, was long maintained by a single author, Lasse Collin.

In recent years, he appeared to be under strain.

In a message posted to a public mailing list in June 2022, Collin said he was dealing with "longterm mental health issues" and hinted that he was working privately with a new developer named Jia Tan and that “perhaps he will have a bigger role in the future.”

Update logs available through the open source software site Github show that Tan’s role quickly expanded. By 2023 the logs show Tan was merging his code into XZ, a sign that he had won a trusted role in the project.

Tan could easily have gotten away with it had it not been for Freund, the Microsoft developer, whose curiosity was piqued when he noticed the latest version of XZ intermittently using an unexpected amount of processing power on the system he was testing.
__________________
Steve
'08 Boxster RS60 Spyder #0099/1960
- never named a car before, but this is Charlotte.
'88 targa SOLD 2004 - gone but not forgotten
04-06-2024, 11:49 AM