Key Takeaways
- The modern software industry relies heavily on open source software, which is often maintained by small teams or even single individuals, making it vulnerable to hacking
- The XZ hack was a sophisticated two-year infiltration of a popular open source compression program, which could have given hackers access to critical internet infrastructure if not caught
- Open source software has become the foundation of the internet, but the incentive structure means volunteers often focus on new projects rather than maintaining existing ones
- This "Jenga tower" problem, where the whole system depends on a few key pieces, is a major vulnerability that the open source community is now trying to address
Introduction
This episode of Planet Money tells the story of a near-disastrous cyberattack that was recently uncovered. The target was some of the most important computers powering the internet - systems used by banks, airlines, the military, and more. What these computers had in common was that they all relied on open source software.
Open source software, written largely by unpaid volunteers, has become the foundation of modern computing. But this decentralized model also creates vulnerabilities, as crucial programs are often maintained by just a single overworked programmer. The XZ hack took advantage of this weakness, slowly infiltrating and subverting a popular open source compression program over the course of two years.
Topics Discussed
The Origins of Open Source Software (6:15)
- In the 1980s, programmer Bruce Perens had an epiphany about how to write software more efficiently by sharing code with others
- Perens posted his "Electric Fence" program on online bulletin boards, and other programmers started contributing improvements, leading to the rise of open source collaboration
- This allowed programmers to avoid duplicating basic work and focus on more innovative projects, transforming the economics of software development
The Rise of Open Source and the Challenge to Microsoft (10:44)
- By the late 1990s, the open source movement was gaining steam, with startups like Google and Salesforce building their products on open source software stacks
- Microsoft executive Sam Ramji recognized the threat this posed to Microsoft's proprietary software model and pushed the company to embrace open source
- This marked a major shift, as Microsoft went from seeing open source as the enemy to actively participating in and contributing to open source projects
The "Jenga Tower" Problem of Open Source (17:48)
- While open source has become the foundation of modern software, it also creates a "Jenga tower" problem - the whole system depends on a few key pieces
- A prime example is the XZ compression program, which was maintained by a single volunteer programmer named Lasse Collin
- When Lasse became overwhelmed, he handed off maintenance to a new volunteer named Jia Tan, who turned out to be a hacker in disguise
The XZ Hack and Its Potential Impact (18:49)
- Over two years, the hacker group posing as Jia Tan infiltrated and subverted XZ, turning it into a Trojan horse that could have given them access to critical internet infrastructure
- The hack was only discovered by chance when a Microsoft programmer noticed that the XZ-dependent OpenSSH software was acting strangely
- If the hack had gone undetected, the hacker group could have gained control of servers and computers across the internet, with disastrous consequences
The Challenges of Maintaining Open Source Software (25:30)
- Open source has become a valuable "public good" like infrastructure, but there are few incentives for volunteers to maintain older, less glamorous projects
- Omkar Arasaratnam of the Open Source Security Foundation says the community is incentivized to work on "new shiny things" rather than the "sewer pipes" that keep the system running
- His team is working on a "census" to identify all the vulnerable single points of failure in critical open source software
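The "Jenga tower" argument can be made concrete with a small dependency-graph analysis of the kind a census would run: rank packages by how many others transitively depend on them, then flag the heavily depended-upon ones that have only a single maintainer. This is an added illustration, not code from the episode or from the Open Source Security Foundation's census; the graph and maintainer counts below are constructed, and every package name except "xz" is a placeholder.

```python
from collections import defaultdict

# Constructed sample graph: package -> packages it directly depends on.
# The shape mirrors the episode's story (a remote-login service that
# indirectly pulls in a tiny compression library); names are illustrative.
DEPENDS_ON = {
    "xz": [],
    "libsystemd": ["xz"],
    "sshd": ["libsystemd"],
    "webserver": [],
    "bank-portal": ["sshd", "webserver"],
    "airline-booking": ["sshd"],
    "new-shiny-app": ["webserver"],
}

# Constructed maintainer head-counts per package.
MAINTAINERS = {
    "xz": 1, "libsystemd": 12, "sshd": 6, "webserver": 40,
    "bank-portal": 30, "airline-booking": 25, "new-shiny-app": 3,
}

def reverse_graph(depends_on):
    """Invert the graph: package -> set of packages that depend on it."""
    dependents = defaultdict(set)
    for pkg, deps in depends_on.items():
        for dep in deps:
            dependents[dep].add(pkg)
    return dependents

def transitive_dependents(pkg, dependents):
    """Every package that directly or indirectly depends on pkg (DFS)."""
    seen, stack = set(), [pkg]
    while stack:
        for child in dependents.get(stack.pop(), ()):
            if child not in seen:
                seen.add(child)
                stack.append(child)
    return seen

def jenga_report(depends_on, maintainers, max_maintainers=1):
    """Rank packages by blast radius and flag single points of failure:
    packages that others depend on but that have at most max_maintainers."""
    dependents = reverse_graph(depends_on)
    rows = []
    for pkg in depends_on:
        reach = len(transitive_dependents(pkg, dependents))
        people = maintainers.get(pkg, 0)
        rows.append({"package": pkg, "dependents": reach, "maintainers": people,
                     "single_point_of_failure": reach > 0 and people <= max_maintainers})
    rows.sort(key=lambda r: (-r["dependents"], r["package"]))
    return rows

if __name__ == "__main__":
    for row in jenga_report(DEPENDS_ON, MAINTAINERS):
        print(row)
```

On the constructed graph the report puts "xz" at the top (four transitive dependents, one maintainer) even though nothing depends on it directly except one library, which is exactly the low-visibility "sewer pipe" the episode describes.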
Conclusion
The XZ hack illustrates the profound paradox at the heart of modern software development. Open source has transformed the industry, allowing for rapid innovation and collaboration. But it has also created a system where crucial infrastructure is maintained by a patchwork of volunteers, leaving it vulnerable to sophisticated attacks.
As the open source community grapples with this challenge, it highlights the need to rethink the economics and incentive structures around maintaining public digital goods. The "Jenga tower" problem is not going away, and addressing it will be crucial to ensuring the long-term stability and security of the internet and the systems that power the modern world.