Planet Money - The hack that almost broke the internet

Episode Date: May 17, 2024

Last month, the world narrowly avoided a cyberattack of stunning ambition. The targets were some of the most important computers on the planet. Computers that power the internet. Computers used by banks and airlines and even the military. What these computers had in common was that they all relied on open source software. A strange fact about modern life is that most of the computers responsible for it are running open source software. That is, software mostly written by unpaid, sometimes even anonymous volunteers. Some crucial open source programs are managed by just a single overworked programmer. And as the world learned last month, these programs can become attractive targets for hackers. In this case, the hackers had infiltrated a popular open source program called XZ. Slowly, over the course of two years, they transformed XZ into a secret backdoor. And if they hadn't been caught, they could have taken control of large swaths of the internet. On today's show, we get the story behind the XZ hack and what made it possible. How the hackers took advantage of the strange way we make modern software. And what that tells us about the economics of one of the most important industries in the world. Help support Planet Money and hear our bonus episodes by subscribing to Planet Money+ in Apple Podcasts or at plus.npr.org/planetmoney.

Transcript
Starting point is 00:00:00 I'm Rachel Martin. You probably know how interview podcasts with famous people usually go. There's a host, a guest, and a light Q&A, but on Wild Card we have ripped up the typical script. It's a new podcast from NPR where I invite actors, artists, and comedians to play a game using a special deck of cards to talk about some of life's biggest questions. Listen to Wild Card wherever you get your podcasts, only from NPR. This is Planet Money from NPR.
Starting point is 00:00:30 Now that Richard Jones knows how close the entire world came to disaster, he's been looking back for any hints, any clues that he might have missed. For him, the first clue was this message that showed up in his inbox on February 26th. So I remember I got this email and it was not anything unusual. Richard is a senior engineer at Red Hat. He helps make an operating system that is used all over the world. We're talking Fortune 500 companies, major hospital systems, banks, even the US military. And what's interesting about that operating system is that it is completely open source.
Starting point is 00:01:10 Meaning it's made out of all these different pieces of software that people are putting out for free. So Richard is often emailing with strangers on the internet. I don't know who half the people I talk to on the internet about software are. I don't know who they are in real life. I've never met any of them. Instead, we'd work on reputation." And that email he had gotten, it was from a guy who was new-ish on the scene, but who had built up a pretty solid reputation, a guy named Jia Tan. For about a year, Jia
Starting point is 00:01:41 had been the volunteer in charge of this very popular software program called XZ, which helps compress data. It's not the fastest, but it is the one that compresses the most. Very useful for us. Look, I don't think I'm exaggerating when I say that compression is key for everything, for storing files, for sending stuff over the internet, everything. In the email, Gia sounds pretty enthusiastic,
Starting point is 00:02:10 but in a way that a lot of open source volunteers sound enthusiastic. He says, hey, I just made this cool update to XZ. Hope you guys can put it into your operating system. And this email, I will say, it looks very innocent. It's written in this chipper tone. It's got smiley emojis. It has exclamation points, which just signals, you know, no threat here.
Starting point is 00:02:34 And so Richard goes ahead. He puts the new updated XZ code into a preliminary version of their operating system to test out. But pretty soon he starts getting these bug reports. They were quite strange, but not totally unusual. This new version of Xe, it seemed to be messing with other parts of the computer, like critical parts of the memory. But you know, bugs happen in software, right?
Starting point is 00:03:03 You know, software is full of bugs. So Richard emailed Gia and asked him to, you know, take a look at the problem. He came back within two or three days and said, I'm really sorry, we've just released a new version which fixes this bug for you. So could you upgrade to that? Which Richard does and everything seems fine fine until about a month ago. That is when someone discovers that this new version of XC, it is not what it seems to be. And Jia Tan is not who he seems to be.
Starting point is 00:03:38 I was surprised. I was a bit shocked. I was angry. I just didn't expect that somebody would try that. I was shocked, I was angry. I just didn't expect that somebody would try that. What we now know is that Jia Tan was a hacker, or probably a group of hackers. And they were trying to pull off one of the most audacious cyber security attacks in history. Over the course of two years, these hackers had infiltrated one of the most popular programs out there, XZ. And if they hadn't been caught, they would have had a secret
Starting point is 00:04:10 backdoor to some of the most important computers in the world. Hello and welcome to Planet Money. I'm Jeff Guo. And I'm Nick Fountain. If you peek under the hood of the internet, what you'll find is that most of the computers powering it are running free open source software. But here's a dirty secret. A lot of that software is written by small teams, sometimes teams of only one person, which makes them pretty vulnerable and easy to infiltrate.
Starting point is 00:04:40 Today on the show, the story of the XZ hack, how it took advantage of the strange way we make modern software, and what it tells us about the economics of one of the most important industries in the world. Drake and Kendrick Lamar have been lobbing some serious accusations at each other. You've probably heard the diss tracks and wondered, what's just a low blow and what's actually criminal? I'm Brittany Luce, host of It's Been A Minute from NPR, and I'm getting into what's
Starting point is 00:05:16 art and what's worthy of criminal investigation and who those accusations hurt the most on It's Been A Minute from NPR. You care about what's happening hurt the most. On It's Been A Minute from NPR. make this journey while you're doing the dishes or driving your car. State of the World podcast from NPR. Vital international stories every day. The hack that we're talking about today, the XC hack, could not have happened if it weren't for the weird way that most modern software is made. We have these trillion dollar corporations working side by side with unpaid, sometimes even anonymous volunteers to write the software that powers the internet. Right, and so before we can get into
Starting point is 00:06:08 how the XZ hack went down, we're first gonna have to understand how modern software got to be this way. For that, we went to one of the founders of the open source software movement, Bruce Perrins. Back when I was starting this, you would have asked what drugs I was using and where you could get some. Bruce says, for him, it all started with this epiphany he had about how to write software efficiently.
Starting point is 00:06:35 At the time, it was the 1980s and he was a young programmer at Pixar. He wrote software that helped make movies like Toy Story 2. I'm a bigger fan of 4, but whatever. Bruce would keep running into this annoying problem. His programs, they would glitch out and they would accidentally overwrite other parts of the computer. Yeah, and you know, these bugs, they would happen all the time back then.
Starting point is 00:06:56 It was like the Wild West of software. So Bruce's solution was to write up a piece of software that would monitor other programs and it would alert him whenever a program started to overwrite stuff that it shouldn't be writing over. It would stop your program in the instant that happened and let you see the exact instruction that you had wrong. And I called this electric fence because when you touch the fence, it would zap you. Bruce says electric fence proved to be pretty handy so he shared it with his colleagues at Pixar but then he thought maybe other people would find it useful
Starting point is 00:07:33 too and at the time there were these online bulletin boards where programmers would hang out and Bruce was a regular he says this community had a culture of sharing programmers from different companies would show each other new ways of doing things, even provide code for others to copy. So all of the engineers, software engineers at the time, started sharing software together. And we started using it in our work. And no one in management or legal knew that was happening. Bruce went ahead and he posted the code for electric fence onto that bulletin board.
Starting point is 00:08:14 And electric fence became incredibly popular. All of a sudden, people around the world started using it. Someone wrote to me and said, your electric fence program has just saved my job. If you ever go to Ireland, please stay in my home. My gosh, did you go? No, no, I never met this guy, but you know, I was getting fans. That felt pretty good. But then something even more gratifying started to happen. Some of Bruce's fans, some of these programmers he'd never met, they made their own improvements to Electric Fence. And they shared these improvements with Bruce.
Starting point is 00:08:55 They sent him their tweaks and upgrades to his code. And I thought, you know, whatever work I've put into this, I just got back. And it kept happening. This experience helped Bruce realize two things. First, it illustrated an unexpected benefit of giving away your code. Because not only could your code help other people, these total strangers, but now those strangers could help make your code better. And second, Bruce realized that if they all worked together this way, they could write software so much faster and better.
Starting point is 00:09:28 Yeah, Bruce says a lot of programmers in their day-to-day jobs would spend hours doing essentially the same thing as their counterparts at other tech companies. Writing the same basic code to solve the same basic problems. So back then it would be like building a house and you'd have to dig up this clay and fire all the bricks. And open source was the idea was we would all chip in on making all the different bricks and we would give them to each other for free. Uh huh. And now you are not wasting your time on the bricks. You're building the architecture. This is where Bruce saw the beginnings of a powerful idea.
Starting point is 00:10:13 Because there's already this culture of sharing software in order to be a good citizen, or to promote a free society, or whatever. But Bruce saw that this could also transform the whole economic model for making software. Bruce believed that if people could get together to produce software in an open and crowd-sourced way, you could out-compete even the mightiest corporations. Now, Bruce wasn't the only one who realized this. By the 1990s, a lot of programmers were attracted to this open-source model, but they weren't taken too seriously. But the open-source movement would soon have an opportunity to prove itself.
Starting point is 00:10:50 Yeah, you see, by the late 90s, the internet was really starting to take off. Remember, this was the era when there were so many AOL online CDs floating around, people were using them as coasters. What a time to be alive. The big question at that time was, what software would this new internet run on? And a person who would play a pivotal role in the war
Starting point is 00:11:13 over the internet was Sam Ramji. Software was becoming infrastructure. It was becoming the roads and bridges that we built the emerging internet out of. In the mid-2000s, Sam worked for one of the biggest software companies in the world, Microsoft. Here's where we mentioned that both Microsoft and the Gates Foundation are funders of NPR. And Microsoft wanted this emerging internet to be built on top of Microsoft stuff, Microsoft operating systems, software that Microsoft owned and controlled.
Starting point is 00:11:46 I was in the business development group working in Silicon Valley trying to get startups to adopt more Microsoft software, which was a hard sell actually. Yeah, because the open source alternatives, they were becoming popular. Sam started to notice that all the new hot startups, companies like Google and Salesforce, they weren't interested in what he and Microsoft had to offer. No, most of these startups, they were cobbling together something DIY. They were using a free open source operating system called Linux and free open source software
Starting point is 00:12:17 that ran on top of Linux. It was open source on top of open source on top of open source. You had a stack of software, right? The whole stack just made sense together. And yeah, a lot of the open source software at the time was kind of janky. There were bugs, there were missing features. But Sam, he noticed that there was also this kind of snowballing effect. The more startups that were building their products on top of that open source software stack, the better that software became. This was this huge emerging economic movement
Starting point is 00:12:49 of how software was going to get shipped, licensed, distributed, used, and Microsoft was nowhere to be found. So Sam writes this kind of cheeky memo to his superiors, tells him, look, Microsoft is not going to win the battle over the internet. It never will. We've already lost.
Starting point is 00:13:08 Open source is the future. If we can't figure out how to work with and use open source software, we're going to go out of business. So your message was there's no way we're going to beat them. We have to join them. That's exactly right. And so you send it off and what are you feeling? How do you think they're going to receive it?
Starting point is 00:13:27 Chepidation. This memo eventually makes it all the way to Bill Gates. And to Sam's surprise, the higher-ups at Microsoft are like, yeah, you do have a point here. And so they promote him. They put him in charge of open source strategy at Microsoft. They ask him to help turn around the ship. And this was a huge deal.
Starting point is 00:13:48 Microsoft had kind of pioneered the idea that people should pay for software. And now it was changing its business model, slowly, to embrace open source. Over the next decade, it stopped seeing Linux as the enemy. And it starts making sure that Microsoft software works on Linux, even uses Linux on its own servers. Also, Microsoft starts giving away some of its own software for free, making it open source. Sam says that's extremely common these days. All the major tech companies do it. Like Meta, for example, they started sharing all the tools they use to make interactive websites. Yeah, and to be clear, these companies aren't giving away all their software. Like Meta is not giving away the Facebook algorithm.
Starting point is 00:14:34 But what they've realized is that it's more valuable for them to share some of their internal software and have the public suggest fixes or build off of it, then it is to keep all of it secret. Open source is now the default way to make modern software. Bruce's dream of having this library of open source building blocks, these free bricks for anyone to use, that dream came true. Those free bricks are now the foundation for most of the software we use today. But there's also a weakness to this open source model, a weakness that became painfully obvious when
Starting point is 00:15:11 the XZ hack went down. That is after the break. ["Planet Money Theme Song"] Numbers that explain the economy. We love them at the indicator from Planet Money, and on Fridays we discuss indicators in the news, like job numbers, spending, the cost of food, sometimes all three. So my indicator is about why you might need to bring home more bacon to afford your eggs. I'll be here all week.
Starting point is 00:15:42 Wrap up your week and listen to the Indicator podcast from NPR. From the campaigns to the conventions, from now through election day and beyond, the NPR Politics podcast has you covered. As Joe Biden and Donald Trump square off again, we bring you the latest news from the trail and dive deep into each candidate's goals for a second term. Listen to the NPR Politics podcast every weekday. It's Been A Minute is a culture show you don't want to miss. second term. Listen to the NPR politics podcast every weekday. It's Been A Minute is a culture show you don't want to miss. Every week, we help you see
Starting point is 00:16:10 the culture angle behind the headlines, the forces behind the trends, and the thinkers behind the next big thing. Tune in for the sharp cultural analysis and captivating interviews. Listen now to the It's Been a Minute podcast from NPR. Feel like the world is on fire? Shortwave is your antidote. We find joy and beauty in the science of the planet we live on. How people are taking action in the face of climate change, the many weird and wonderful ways animals have adapted to a changing world in the past and present, and how technology is pushing us forward. Listen now to the Shortwave Podcast from NPR. Darien Woods here. As the US federal debt grows, so too does the interest on it.
Starting point is 00:17:00 And this year, it hit a milestone. Interest payments this year will actually be larger than national defense spending for the first time. And that's not a small number. That is one of the largest items in the entire federal budget. That's from our latest bonus episode. It's my conversation with a long-time debt hawk about the potential risks to the economy
Starting point is 00:17:21 and when spending makes sense. You can check that out now if you're a Planet Money Plus listener. If that's you, thanks for your support. If it's not, it could be. You get bonus content, sponsor-free listening, and support the work of Planet Money. Go to plus.npr.org. There's this kind of famous cartoon about how the internet works. You might have seen it.
Starting point is 00:17:44 It's from the webcomic XKCD. It's this drawing of a giant Jenga tower, all these blocks stacked on top of each other, and the whole thing is balancing on this one tiny skinny little block. I know exactly what you're talking about. It all rests, the entire internet relies on this one guy in Nebraska. Omkar Arasaratnam is not that one guy in Nebraska, but he thinks a lot about the Jenga Tower problem. He's the head of the Open Source Security Foundation.
Starting point is 00:18:11 And he says, yeah, they worry about how fragile this whole internet Jenga Tower is. See, open source software is this huge decentralized community of people building software on top of other software, top of other software on top of other software and that is an incredibly efficient way of making software but it can also lead to these weak spots. Which brings us back to the story of XZ. In this story the proverbial guy in Nebraska is well not in Nebraska we actually couldn't confirm where he's from. He wouldn't return our emails, but his website's hosted in Finland. So a lot of people think he's Finnish. Anyway, his name is Lasse Kotlin.
Starting point is 00:18:51 He's the main creator of XE. Amkar remembers when Lasse first published XE back in 2009. It was one of these breakthroughs in compression, right? It was one of these things where, oh my God, this literally got two to 300% increase in, in compression performance overnight. And so everyone started using XC building programs on top of it. XC became one of the most widely distributed programs in the entire world.
Starting point is 00:19:17 There's a good chance it's on your phone. There's a good chance that it's on your TV. It's everywhere. This, this is how the Jenga tower problem starts, how the whole world can come to depend on one random person. Omkar says this is pretty common that there are a lot of critical software projects that rely on just one person. And the big problem with this is that it is an ongoing job. Software isn't just a thing you write once and that's that. You got to maintain it. Computers change, operating systems change, new processors are released, new kinds of computers come out.
Starting point is 00:19:53 And thus we have to keep our software up to date or it rots. And someone needs to oversee all of these small little updates. It's not the most glamorous work. Most open source volunteers want to be contributing to new projects, not looking after old ones. So for many years, the work of maintaining XE falls to Lasse. Fast forward to 2021. This is when the hacker or hackers calling themselves Gia Tan come onto the scene. And here's what we know about how their ingenious plot unfolded.
Starting point is 00:20:25 This Jia Tan character basically appears out of nowhere and soon starts suggesting some improvements to XZ, which is great. This is how open source is supposed to work, right? What makes it so special? Strangers on the internet helping each other out. Heartwarming. But a few months later,
Starting point is 00:20:46 Lasse starts getting these emails from users of XE. They're complaining that Lasse's been falling behind on maintaining XE. One of them's kind of nasty. It's saying how sad it is that Lasse clearly does not care about this project anymore. Hey, this has been delinquent for a long time. How come nobody's updated this?
Starting point is 00:21:03 When are you gonna get to it, that kind of thing? That's pretty rude. I'm sorry, like this guy delinquent for a long time. How come nobody's updated this? When are you gonna get to with that kind of thing? That's pretty rude. I'm sorry. Like this guy's doing it for free. Well, you know, this is the, I guess this is one of the failure modes of how society has consumed open source. The overhead of having to deal with this stuff
Starting point is 00:21:20 can become overwhelming. Lasse tells these people, you know, I'm sorry, the work is going slow. I'm dealing with some personal can become overwhelming. Lasse tells these people, you know, I'm sorry the work is going slow. I'm dealing with some personal stuff right now. But his critics are still not satisfied. Someone suggests, why doesn't he just step down and let someone else manage this thing? And pretty soon, that's what Lasse does.
Starting point is 00:21:38 He decides to pass the baton on to that new volunteer, Gia Tan. Now Gia is gonna be the one holding up that Jenga tower instead of Lasse. Amkar says what we know now is that Gia Tan is probably an invented personality. But also these people harassing Lasse, they too seem to be invented personalities, people who were created just to convince Lasse to pass that baton to Gia. It was literally a social engineering attack. Somebody basically running along Khan
Starting point is 00:22:10 and tricking Lasse into doing things and giving permission that they shouldn't have. Gia takes over, and over the course of the next few years, Gia starts to make all these little changes to XZ, seemingly innocuous changes that start to turn XZ into a Trojan horse. You see a lot of programs depend on XZ, including a very important program called OpenSSH. It's basically the garage door opener for the internet. It lets you remote control other
Starting point is 00:22:40 computers. Pretty much every web server is running it. It is literally the thing that controls access to every server on the internet. It is really important. This garage door opener program is a really well guarded piece of software. Everybody has their eye on it. But what Jiatan or what the hacker group behind the identity known as Jiatan had figured out was that if they could secretly sabotage XZ,
Starting point is 00:23:09 they could sabotage this garage door opener and give themselves access to basically every important computer on the internet. This was incredibly well orchestrated. I think somebody should make a movie about this. I mean, I, I definitely watch it. I watched it in IMAX. Earlier this year, Gia starts pressuring the major open source operating systems to use their new sabotaged version of XE. That's when they send emails to people like Richard from the top and the compromised XE starts slowly spreading across the internet. Now, the way this hack was eventually discovered
Starting point is 00:23:45 is kind of by accident. It was discovered by this programmer at Microsoft named Andreas Freund, who works on open source software actually. A couple months ago, Andreas noted that the garage door opener software was acting kind of slow. And he started picking it apart and he pulled that thread
Starting point is 00:24:03 and he eventually unpacked all the stuff we know now. Andres sends out an email about this. He's like, Hey guys, um, I think one of the most important pieces of software in the world has been compromised. And also I'm pretty sure this is exactly how they did it. When Omkar sees this email, he almost falls out of his chair. My first reaction was, Oh my God god how many people have downloaded this. Luckily that sabotaged XZ was caught before it got widespread
Starting point is 00:24:30 distribution and mostly only got onto computers running experimental or beta software. Can you run me through like what the nightmare scenario would have been if Andreas hadn't caught this nightmare scenario is it gets broad distribution whoever G a tan is quietly logs into computers all over the internet stealing money your personal information I mean anything stealing your email it could have been anything um car says it was a pretty shockingly close call and it has started to make people reconsider the entire economic model of open source. The open source movement succeeded beyond anybody's wildest dreams.
Starting point is 00:25:16 It started with these programmers who were writing code in their free time. Cause they thought it was fun or they wanted to make something cool or they wanted to make the world a better place But over the last three decades all those volunteers have built this efficient Decentralized maybe even beautiful system of writing software software that became the foundation for the internet Yeah, but out of this efficient and decentralized and beautiful system You also get the the Jenga tower, where one person can write a program that's so good it changes the world and it leads to the whole world depending on that one person.
Starting point is 00:25:55 Omkar says the solution is not that open source software goes away, but we have to reconsider how we treat the open source software community. He says open source has become this incredibly valuable public good. It's become like the pipes and sewers of the internet. And like any public good, there aren't really strong incentives for people to help maintain them. Open source folks are all incentivized to work on the new shiny thing, right? To build skyscrapers. In the meantime, the less interesting projects
Starting point is 00:26:29 that we're all relying on, the proverbial sewer pipes, nobody's taking care of them. And when the sewage backs up, we're all in trouble. How many vulnerable programs like XZ are there? Unclar says there could be a lot. He and his colleagues are working on this giant census to try and identify all the single little Jenga blocks holding up the internet. He says they expect to have new results later this year. On our next episode, layoffs.
Starting point is 00:27:09 They happen all the time, they're a business reality, but of course, they can be really destabilizing. Honestly, I felt like I was being swallowed by a sinking hole. When this person lost his job, he and his husband had a lot of questions. Especially for the HR rep who handled the layoff. Like do you get training on how to be human in these conversations? Those questions and more on our next episode. This episode was produced by Emma Peasley and engineered by Sina LaFreda.
Starting point is 00:27:40 It was edited by Jess Jang and fact checked by Sierra Juarez. Alex Goldmark is our executive producer. I'm Jeff Guowe. And I'm Nick Fountain. This is NPR. Thank you for listening. On the Code Switch podcast, conversations about race don't start and stop with the news cycle.
Starting point is 00:28:01 We know that race is always relevant and we have new topics, new voices, and new stories for you every single week. Listen to the Code Switch podcast from NPR. For the seventh year on the Code Switch podcast, conversations about race and identity go way beyond the day's headlines. Because we know what's part of every person is part of every story. We're bringing that perspective with new episodes every week. Listen on the Code Switch podcast from NPR. The Bullseye podcast is, according to one journalist,
Starting point is 00:28:36 the quote, kind of show people listen to in a more perfect world. So make your world more perfect. Every week, Bullseye puts the pop in culture, interviewing brilliant authors, musicians, actors, and novelists to keep you on your pop culture target. Listen to the Bullseye podcast only from NPR and Maximum Fun.
