A recent scare in a little-known but widely used utility has security researchers ringing alarms about open source software. This class of software is free and often developed by a small team of volunteers or even a single individual. The term “open source” comes from the actual programming code being available to anyone who wishes to view it. This is in contrast to most commercial software, for which the code is highly confidential. One of the purported benefits of open source software is that, because anyone can review it, mistakes and vulnerabilities can be more readily found and fixed. Except in the case of a Linux utility called “XZ Utils”. Along with legitimate code, a secret backdoor was added to the software by a volunteer contributor whom cybersecurity experts now believe was working for a government intelligence service. The vulnerability was discovered almost by chance by a Microsoft developer who became curious about some odd behavior in the software. Thankfully, that iteration of the code had not yet been widely deployed and could be patched relatively quickly. I occasionally use open source software and am grateful to those who contribute to the projects, but that designation shouldn’t be seen as analogous to perfectly safe.
- Emma Lake Boydston