Zero trust: How the ‘Jia Tan’ hack complicated open-source software
The volunteers who maintain open-source software have always been knocked around by the tech community. The Jia Tan hack made it all so much worse.
Matteo Collina has written software that’s on your computer. You probably aren’t aware of it, but it’s definitely there, maybe even being used to read this very article.
He also considers himself a vampire hunter.
Not the Van Helsing type, mind you. In Collina’s world of open-source software, he considers “vampires” to be anyone that wants those responsible for operating and maintaining open-source projects — known as maintainers — to provide “one-on-one support … without being willing to give anything” in return.
Collina, the co-founder of backend development tool Platformatic, has been a key maintainer in the open-source software community for more than a decade. He is one among many responsible for Node.js, a runtime that allows developers to run JavaScript outside the browser, on the servers behind their web applications. Collina is responsible for writing, updating and securing code that is used in millions of projects around the world.
Collina is well-attuned to the pressures that come from maintaining a vital open-source project. He has missed numerous holidays and gotten into disputes with giant tech companies over his ability to support the code base without receiving any compensation for his labor. He has done this all while watching the once-thriving open-source community struggle to remain sustainable without burning through developers.
That was all before April, when it was discovered that a lone maintainer, suspected to actually be a nation-state-backed hacker, nearly turned a widely used open-source software component into a dangerous Trojan horse. A developer noticed unusual performance in a beta version of the compression utility XZ Utils and discovered that code inserted by the maintainer ‘Jia Tan’ was actually a back door that would have granted hackers administrative privileges on any system running the code. The back door was caught before it was distributed in an update, preventing a catastrophic outcome for many common Linux distributions.
Full article:
https://cyberscoop.com/open-source-security-trust-xz-utils/