This is Planet Money from NPR.
Now that Richard Jones knows how close the entire world came to disaster, he's been looking back for any hints, any clues that he might have missed. For him, the first clue was this message that showed up in his inbox on February 26th. So I remember I got this email and...
It was not anything unusual. Richard is a senior engineer at Red Hat. He helps make an operating system that is used all over the world. We're talking Fortune 500 companies, major hospital systems, banks, even the U.S. military.
And what's interesting about that operating system is that it is completely open source, meaning it's made out of all these different pieces of software that people are putting out for free. So Richard is often emailing with strangers on the Internet. I don't know who half the people I talk to on the Internet about software are. I don't know who they are in real life. I've never met any of them. Instead, we work on reputation.
And that email he had gotten, it was from a guy who was new-ish on the scene, but who had built up a pretty solid reputation. A guy named Jia Tan. For about a year, Jia had been the volunteer in charge of this very popular software program called XZ, which helps compress data. It's not the fastest, but it is the one that compresses the most data.
It's very useful for us. Look, I don't think I'm exaggerating when I say that compression is key for everything, for storing files, for sending stuff over the internet, everything.
In the email, Jia sounds pretty enthusiastic, but in a way that a lot of open source volunteers sound enthusiastic. He says, hey, I just made this cool update to XZ. Hope you guys can put it into your operating system. And this email, I will say, it looks very innocent. It's written in this chipper tone. It's got smiley emojis. It has exclamation points, which just signals, you know, no threat here.
And so Richard goes ahead. He puts the new updated XZ code into a preliminary version of their operating system to test out. But pretty soon he starts getting these bug reports. They were quite strange, but not totally unusual. This new version of XZ, it seemed to be messing with other parts of the computer, like critical parts of the memory. But, you know,
Bugs happen in software, right? You know, software is full of bugs. So Richard emailed Jia and asked him to, you know, take a look at the problem. He came back within two or three days and said, I'm really sorry, we've just released a new version which fixes this bug for you. So could you upgrade to that? Which Richard does, and everything seems fine.
Until about a month ago. That is when someone discovers that this new version of XZ, it is not what it seems to be. And Jia Tan is not who he seems to be. I was surprised. I was a bit shocked. I was angry. I just didn't expect that somebody would try that.
What we now know is that Jia Tan was a hacker or probably a group of hackers. And they were trying to pull off one of the most audacious cybersecurity attacks in history. Over the course of two years, these hackers had infiltrated one of the most popular programs out there, XZ. And if they hadn't been caught, they would have had a secret backdoor to some of the most important computers in the world.
Hello and welcome to Planet Money. I'm Jeff Guo. And I'm Nick Fountain. If you peek under the hood of the internet, what you'll find is that most of the computers powering it are running free open source software. But here's a dirty secret. A lot of that software is written by small teams, sometimes teams of only one person, which makes them pretty vulnerable and easy to infiltrate.
Today on the show, the story of the XZ hack, how it took advantage of the strange way we make modern software, and what it tells us about the economics of one of the most important industries in the world.
The hack that we're talking about today, the XZ hack, could not have happened if it weren't for the weird way that most modern software is made. We have these trillion dollar corporations working side by side with unpaid, sometimes even anonymous volunteers to write the software that powers the Internet. Right. And so before we can get into how the XZ hack went down, we're first going to have to understand how modern software got to be this way.
For that, we went to one of the founders of the open source software movement, Bruce Perens. Back when I was starting this...
You would have asked what drugs I was using and where you could get some. Bruce says, for him, it all started with this epiphany he had about how to write software efficiently. At the time, it was the 1980s, and he was a young programmer at Pixar. He wrote software that helped make movies like Toy Story 2. I'm a bigger fan of 4, but whatever. Bruce would keep running into this annoying problem. His programs, they would glitch out, and they would accidentally overwrite other parts of the computer. Yeah.
Yeah, and you know, these bugs, they would happen all the time back then. It was like the Wild West of software. So Bruce's solution was to write up a piece of software that would monitor other programs, and it would alert him whenever a program started to overwrite stuff that it shouldn't be writing over. It would stop your program in the instant that happened and let you see the exact instruction that you had wrong.
And I called this electric fence because when you touch the fence, it would zap you.
Bruce says electric fence proved to be pretty handy, so he shared it with his colleagues at Pixar. But then he thought maybe other people would find it useful, too. And at the time, there were these online bulletin boards where programmers would hang out. And Bruce was a regular. He says this community had a culture of sharing. Programmers from different companies would show each other new ways of doing things, even provide code for others to copy.
So all of the engineers, software engineers at the time, started sharing software together. And we started using it in our work. And no one in management or legal knew that was happening.
Bruce went ahead and he posted the code for electric fence onto that bulletin board. And electric fence became incredibly popular. All of a sudden, people around the world started using it. Someone wrote to me and said...
Your electric fence program has just saved my job. If you ever go to Ireland, please stay in my home. My gosh, did you go? No, no, I never met this guy. But, you know, I was getting fans. That felt pretty good. But then something even more gratifying started to happen.
Some of Bruce's fans, some of these programmers he'd never met, they made their own improvements to Electric Fence. And they shared these improvements with Bruce. They sent him their tweaks and upgrades to his code. And I thought, you know, whatever work I've put into this, I just got back.
And it kept happening. This experience helped Bruce realize two things. First, it illustrated an unexpected benefit of giving away your code. Because not only could your code help other people, these total strangers, but now those strangers could help make your code better.
And second, Bruce realized that if they all worked together this way, they could write software so much faster and better. Yeah, Bruce says a lot of programmers in their day-to-day jobs would spend hours doing essentially the same thing as their counterparts at other tech companies, writing the same basic code to solve the same basic problems. So back then, it would be like building a house and you'd have to dig up this clay and fire all the bricks and
And open source, the idea was, we would all chip in on making all the different bricks and we would give them to each other for free. Uh-huh. And now you are not wasting your time on the bricks. You're building the architecture. This is where Bruce saw the beginnings of a powerful idea.
Because there's already this culture of sharing software in order to be a good citizen or to promote a free society or whatever. But Bruce saw that this could also transform the whole economic model for making software. Bruce believed that if people could get together to produce software in an open and crowdsourced way, you could outcompete even the mightiest corporations. Now, Bruce wasn't the only one who realized this.
By the 1990s, a lot of programmers were attracted to this open source model, but they weren't taken too seriously.
But the open source movement would soon have an opportunity to prove itself. Yeah, you see, by the late 90s, the Internet was really starting to take off. Remember, this was the era when there were so many AOL online CDs floating around. People were using them as coasters. What a time to be alive. And the big question at that time was, what software would this new Internet resource,
And a person who would play a pivotal role in the war over the internet was Sam Ramji. Software was becoming infrastructure. It was becoming the roads and bridges that we built the emerging internet out of. In the mid-2000s, Sam worked for one of the biggest software companies in the world, Microsoft.
Here's where we mentioned that both Microsoft and the Gates Foundation are funders of NPR. And Microsoft wanted this emerging internet to be built on top of Microsoft stuff, Microsoft operating systems, software that Microsoft owned and controlled. I was in the business development group working in Silicon Valley trying to get startups to adopt more Microsoft software, which was a hard sell, actually. Yeah, because the open source alternatives, they were becoming popular. See,
Sam started to notice that all the new hot startups, companies like Google and Salesforce, they weren't interested in what he and Microsoft had to offer. No, most of these startups, they were cobbling together something DIY. They were using a free open source operating system called Linux and free open source software that ran on top of Linux. It was open source on top of open source on top of open source.
You had a stack of software, right? The whole stack just made sense together. And yeah, a lot of the open source software at the time was kind of janky. There were bugs, there were missing features. But Sam, he noticed that there was also this kind of snowballing effect.
The more startups that were building their products on top of that open source software stack, the better that software became. This was this huge emerging economic movement of how software was going to get shipped, licensed, distributed, used,
And Microsoft was nowhere to be found. So Sam writes this kind of cheeky memo to his superiors, tells them, look, Microsoft is not going to win the battle over the internet. It never will. We've already lost. Open source is the future. If we can't figure out how to work with and use open source software, we're going to go out of business. So your message was, there's no way we're going to beat them. We have to join them. That's exactly right.
And so you send it off and what are you feeling? How do you think they're going to receive it? Trepidation. This memo eventually makes it all the way to Bill Gates. And to Sam's surprise, the higher ups at Microsoft are like, yeah, you do have a point here. And so they promote him. They put him in charge of open source strategy at Microsoft. They ask him to help turn around the ship. And this was a huge deal.
Microsoft had kind of pioneered the idea that people should pay for software. And now it was changing its business model, slowly, to embrace open source. Over the next decade, it stopped seeing Linux as the enemy. And it starts making sure that Microsoft software works on Linux, even uses Linux on its own servers. Also, Microsoft starts giving away some of its own software for free, making it open source.
Sam says that's extremely common these days. All the major tech companies do it. Like Meta, for example. They started sharing all the tools they use to make interactive websites. Yeah, and to be clear, these companies aren't giving away all their software. Like, Meta is not giving away the Facebook algorithm. But
What they've realized is that it's more valuable for them to share some of their internal software and have the public suggest fixes or build off of it than it is to keep all of it secret. Open source is now the default way to make modern software. Bruce's dream of having this library of open source building blocks, these free bricks for anyone to use, that dream came true. Those free bricks are now the foundation for most of the software we use today. But...
There's also a weakness to this open source model, a weakness that became painfully obvious when the XZ hack went down. That is after the break.
There's this kind of famous cartoon about how the internet works. You might have seen it. It's from the webcomic XKCD. It's this drawing of a giant Jenga tower, all these blocks stacked on top of each other, and the whole thing is balancing on this one tiny, skinny little block. I know exactly what you're talking about, and it all rests, the entire internet relies on this one guy in Nebraska. Awesome.
Omkar Arasaratnam is not that one guy in Nebraska, but he thinks a lot about the Jenga Tower problem. He's the head of the Open Source Security Foundation. And he says, yeah, they worry about how fragile this whole internet Jenga Tower is.
See, open source software is this huge decentralized community of people building software on top of other software on top of other software. And that is an incredibly efficient way of making software, but it can also lead to these weak spots.
Which brings us back to the story of XZ. In this story, the proverbial guy in Nebraska is, well, not in Nebraska. We actually couldn't confirm where he's from. He wouldn't return our emails. But his website's hosted in Finland, so a lot of people think he's Finnish. Anyway, his name is Lasse Collin. He's the main creator of XZ. Omkar remembers when Lasse first published XZ back in 2009. It was one of these breakthroughs in compression, right? It was one of these things where, oh my god, this...
literally got a 200 to 300% increase in compression performance overnight. And so everyone started using XZ, building programs on top of it. XZ became one of the most widely distributed programs in the entire world. There's a good chance it's on your phone. There's a good chance that it's on your TV.
It's everywhere. This, this is how the Jenga tower problem starts. How the whole world can come to depend on one random person. Omkar says this is pretty common, that there are a lot of critical software projects that rely on just one person.
And the big problem with this is that it is an ongoing job. Software isn't just a thing you write once and that's that. You got to maintain it. Computers change. Operating systems change. New processors are released. New kinds of computers come out.
And thus we have to keep our software up to date or it rots. And someone needs to oversee all of these small little updates. It's not the most glamorous work. Most open source volunteers want to be contributing to new projects, not looking after old ones. So for many years, the work of maintaining XZ falls to Lasse. Fast forward to 2021. This is when the hacker or hackers calling themselves Jia Tan come onto the scene.
And here's what we know about how their ingenious plot unfolded. This Jia Tan character basically appears out of nowhere and soon starts suggesting some improvements to XZ, which is great. This is how open source is supposed to work, right? What makes it so special? Strangers on the internet helping each other out. Heartwarming. But...
A few months later, Lasse starts getting these emails from users of XZ. They're complaining that Lasse's been falling behind on maintaining XZ. One of them's kind of nasty, saying how sad it is that Lasse clearly does not care about this project anymore. Hey, this has been delinquent for a long time. How come nobody's updated this? When are you going to get to it? That kind of thing. That's pretty rude. I'm sorry. Like, this guy's doing it for free. Well, you know, this is the, I guess this is one of the failure modes
of how society has consumed open source. The overhead of having to deal with this stuff can become overwhelming. Lasse tells these people, you know, I'm sorry the work is going slow. I'm dealing with some personal stuff right now. But his critics are still not satisfied. Someone suggests, why doesn't he just step down and let someone else manage this thing? And pretty soon, that's what Lasse does.
He decides to pass the baton on to that new volunteer, Jia Tan. Now Jia is going to be the one holding up that Jenga tower instead of Lasse. Omkar says what we know now is that Jia Tan was probably an invented personality. But also these people harassing Lasse, they too seem to be invented personalities. People who were created just to convince Lasse to pass that baton to Jia.
It was literally a social engineering attack. Somebody basically running a long con and tricking Lasse into doing things and giving permission that they shouldn't have. Jia takes over. And over the course of the next few years, Jia starts to make all these little changes to XZ. Seemingly innocuous changes that start to turn XZ into a Trojan horse.
You see, a lot of programs depend on XZ, including a very important program called OpenSSH. It's basically the garage door opener for the Internet. It lets you remote control other computers. Pretty much every web server is running it. It is literally the thing that controls access to
every server on the internet. It is really important. This garage door opener program is a really well-guarded piece of software. Everybody has their eye on it.
But what Jia Tan, or what the hacker group behind the identity known as Jia Tan, had figured out was that if they could secretly sabotage XZ, they could sabotage this garage door opener and give themselves access to basically every important computer on the internet. This was incredibly well orchestrated. I think somebody should make a movie about this. I mean, I'd definitely watch it. I'd watch it in IMAX.
Earlier this year, Jia starts pressuring the major open source operating systems to use their new sabotaged version of XZ. That's when they send emails to people like Richard from the top and the compromised XZ starts slowly spreading across the Internet. Now, the way this hack was eventually discovered is kind of by accident. It was discovered by this programmer at Microsoft named Andreas Freund, who works on open source software, actually.
A couple months ago, Andreas noted that the garage door opener software was acting kind of slow. And he started picking it apart and he pulled that thread.
And he eventually unpacked all the stuff we know now. Andreas sends out an email about this. He's like, hey guys, I think one of the most important pieces of software in the world has been compromised. And also, I'm pretty sure this is exactly how they did it. When Omkar sees this email, he almost falls out of his chair. My first reaction was, oh my god, how many people have downloaded this?
Luckily, the sabotaged XZ was caught before it got widespread distribution and mostly only got onto computers running experimental or beta software. Can you run me through, like, what the nightmare scenario would have been if Andreas hadn't caught this? Nightmare scenario is it gets broad distribution. Whoever Jia Tan is quietly logs into computers all over the internet, stealing money, your personal information, money.
I mean, anything, stealing your email. It could have been anything. Omkar says it was a pretty shockingly close call. And it has started to make people reconsider the entire economic model of open source. The open source movement succeeded beyond anybody's wildest dreams. It started with these programmers who were writing code in their free time because they thought it was fun or they wanted to make something cool or they wanted to make the world a better place.
But over the last three decades, all those volunteers have built this efficient, decentralized, maybe even beautiful system of writing software. Software that became the foundation for the internet. Yeah, but...
out of this efficient and decentralized and beautiful system, you also get the Jenga Tower problem, where one person can write a program that's so good it changes the world and it leads to the whole world depending on that one person.
Omkar says the solution is not that open source software goes away, but we have to reconsider how we treat the open source software community. He says open source has become this incredibly valuable public good. It's become like the pipes and sewers of the Internet. And like any public good, there aren't really strong incentives for people to help maintain them. Open source folks.
How many vulnerable programs like XZ are there?
Omkar says there could be a lot. He and his colleagues are working on this giant census to try and identify all the single little Jenga blocks holding up the Internet. He says they expect to have new results later this year.
On our next episode, layoffs. They happen all the time. They're a business reality. But of course, they can be really destabilizing. Honestly, I felt like I was being swallowed by a sinkhole. Like when this person lost his job, he and his husband had a lot of questions.
especially for the HR rep who handled the layoff. Like, do you get training on how to be human in these conversations? Those questions and more on our next episode. This episode was produced by Emma Peaslee and engineered by Cena Loffredo. It was edited by Jess Jiang and fact-checked by Sierra Juarez. Alex Goldmark is our executive producer. I'm Jeff Guo. And I'm Nick Fountain. This is NPR. Thank you for listening.