Date: 2024-04-05



FEW INVENTIONS in history have been as important to human civilisation, and as poorly understood, as the Internet. It did not develop as a centrally planned system but as a mosaic of devices and networks connected by makeshift interfaces. Decentralisation makes it possible to manage such a complex system. But every once in a while there is a chilling reminder that the whole edifice is uncomfortably precarious.

On March 29th a lone security researcher announced that he had discovered, largely by chance, a secret backdoor in XZ Utils. This obscure but vital software is built into the Linux operating systems that run the world's Internet servers. Had the backdoor not been spotted in time, everything from critical national infrastructure to the website hosting your cat's photos would have been vulnerable. The backdoor was planted by an anonymous contributor who had earned the trust of other coders by making helpful contributions for over two years. Such patience and diligence bear the fingerprints of a state intelligence agency.

Large-scale supply-chain attacks of this kind, which target not individual devices or networks but the underlying software and hardware they rely on, are becoming increasingly common. In 2019-2020 the SVR, Russia's foreign-intelligence agency, penetrated American government networks by compromising a network-management platform called SolarWinds Orion. More recently, Chinese hackers modified the firmware of Cisco routers to gain access to economic, commercial and military targets in America and Japan.

The Internet is inherently vulnerable to attacks like the XZ Utils backdoor. Like so much else the Internet relies on, this program is open source, meaning its code is publicly available; much as with Wikipedia, edits can be suggested by anyone. The people who maintain open-source code often do so in their spare time.
A headline from 2014, written after the discovery of a catastrophic vulnerability in OpenSSL, a widely used tool for secure communications with a budget of just $2,000, captured the absurdity of the situation: the Internet is protected by two guys named Steve.

It is tempting to assume that the solution lies in establishing central control, whether by states or by corporations. In fact, history suggests that closed-source software is no more secure than open-source software. Just this week America's Cyber Safety Review Board, a federal agency, chastised Microsoft for the dismal security standards that allowed Russia to steal a signing key, the cryptographic equivalent of the crown jewels for any cloud-service provider, which gave it broad access to data. Open-source software, by comparison, has many advantages, because it allows for collective oversight and accountability.

The way forward, then, is to make the most of open source while easing the enormous burden it places on a small number of unpaid, and often harassed, individuals. Technology can help. Let's Encrypt, a non-profit organisation, has made the Internet safer over the past decade by using smart software to simplify the encryption of users' connections to websites. More advanced artificial intelligence may eventually be able to detect anomalies in millions of lines of code in one fell swoop.

The other fixes are regulatory. America's national cyber strategy, released last year, makes clear that responsibility for failures should fall not on open-source developers but on the stakeholders best placed to act to avoid bad outcomes. In practice that means governments and tech giants, both of which benefit enormously from free software libraries. Both should increase their funding of, and co-operation with, the non-profit institutions, such as the Open Source Initiative and the Linux Foundation, that support the open-source ecosystem.
The New Responsibility Foundation, a German think-tank, suggests that governments could, for example, allow their employees to contribute to open-source software in their working time and relax laws that criminalise "white hat", or ethical, hacking. They should act quickly. The XZ Utils backdoor is believed to be the first publicly discovered supply-chain attack against crucial open-source software. That does not mean it was the first attempt. It probably will not be the last, either.

Source: https://www.economist.com/leaders/2024/04/04/a-chilling-near-miss-shows-how-todays-digital-infrastructure-is-vulnerable

