If you’ve been in a cave the last few days, you probably missed the biggest security flaw in Linux history: Back Door XZ-Utils (CVE-2024-3094)!
Firstly, why is this so important? After all, backdoors come and go all the time, right?
Because of all the previously found BUGs in Linux, they were all the result of honest mistakes (real BUGs), but this backdoor, on the other hand, was inserted into xz-utils by a volunteer developer (named Jia Tan, probably a fake name) .
He worked on the project for about 3 years to gain the respect of the original maintainer and used social engineering by creating fake users to blame the original maintainer and force him to hand over/share control of the project. And the most important thing is that there is a high probability that this “attack” was financed by some nation-state.
Linux is supposed to be a relatively secure system with no known breaches inserted by governments. Unfortunately we can’t say the same for Windows (and it was recently discovered that Apple and Google allow the US government to access users’ notifications).
Remember the famous _NSAKEY case in Microsoft’s Windows 95/98 (later renamed to _KEY2 to avoid speculation)? Microsoft always said it was a conspiracy theory, until Edward Snowden showed documents proving it was real. There’s a cool video about it here: https://www.youtube.com/watch?v=x8JuUW41pbQ
So why are Linux and open source in danger now? Because all Linux systems are built on thousands of open source projects and something tells me this is just the first of thousands of attempted breaches that will occur over the next few years. And this is very serious, because many projects depend on just one single developer who is not paid to work on it and cannot work full time on his project.
Of course, this xkcd comics came to our mind: