The Hard Truth
As I learnt once, when I was working in the cybersecurity space, “every system is breakable if there is an individual or entity with enough incentives or motivation to break in”. So the idea of cybersecurity is not to actually make the system invulnerable, which may even be impossible, but to make it so hard to break that most potential attackers would decide to try somewhere else.
And it seems there is a very motivated bad actor that wants to compromise this and other libraries from GNU/Linux projects. For the sake of understanding, this attack was designed to create a backdoor into sshd, which means that, if successful, they could access ANY system that had that version of xz installed. If it had not been caught, it would potentially have left a backdoor into millions of systems, from companies to governments and individuals. Terrifying.
And the question that pops to mind is: who did this? At this point, it would be reasonable to consider a state actor. Double-terrifying.
The Cleverness of the Attackers
Reading about the details of the attack here, for example, makes it almost impossible not to marvel at and recognize the cleverness and craft of the attack. But it also makes me wonder who was financing this, because it required a lot of time to design such a clever scheme and each of its steps, to work on an implementation, and at least 2 (probably more) individuals working their way into a position of trust and becoming involved in the development of that project. And on top of that, the work of splitting the whole scheme into small chunks of commits and changes that would work together but were apparently unrelated.
In all honesty, I didn’t understand all of it. And I believe not many people do. Obviously this is also a consequence of not being familiar or involved with that library and the way it works to test, compile, etc. But also because I think the people doing this are really good. And that is scary.
Really good programmers/engineers working with some bad actor with deep pockets for a long time in order to achieve a backdoor to every system that uses xz means that they have strong motivation and incentives to break into it. On the other side, you think of the people maintaining those open source projects in their free time, putting effort and knowledge without being paid, just out of passion. And it looks like the losing side in the long term.
Open Source is Doomed Then, right?
Or not. There is a discussion that sparked after the hack was discovered, with one side saying this is a reason why it is unsafe and dangerous to use OSS, and the other side saying that if this happened in closed-source software it would not be discovered easily, or at all.
I see the point of each side of the discussion. And I think I don’t know enough to have a strong position.
On the side of the people who say this is proof that OSS is doomed and a vector of attack: because the contributors are, mostly, working for free in their free time, they can do nothing against coordinated and sophisticated attacks like this one (which in this case could be a country’s intelligence agency, if you ask me). And they have a point. As I quoted at the beginning, a sufficiently motivated bad actor could potentially break or introduce backdoors in any open source project and create vulnerabilities that are very difficult to discover. Considering how relevant and widely used these open source projects (related to Linux distributions) are, they are a clear target for these hackers.
However, and it is a big however, experience shows us that this could also happen in proprietary software. It may be more difficult to pull off this particular one, considering they would have to introduce two individuals into a company, rise into a position of power and then be able to approve those changes. But they could do thousands of other things that would allow them to have some backdoors too, and nobody would have a chance to find out. People working in a company may try to do their best, but at the end of the day, they cannot decide to spend a week or a month analysing some weird behaviour that bugs them enough, because they will have other tasks imposed on them.
The reality is that we are in unknown waters. We don’t have a solution to this problem of having attackers with motivation, extreme skills and financial support. Besides, to me this is like the arms race: since the beginning, one tribe developed a new weapon that helped them defeat their opponents… until the opponents developed a countermeasure to render that weapon useless. And rinse and repeat.
Probably the only option is to help and incentivize engineers and developers to improve their skills, to become better and to take ownership of the software they create. As well as giving credit where credit is due.