Freund, who works for Microsoft out of San Francisco, discovered that the latest version of the open source software program XZ Utils had been deliberately sabotaged by one of its developers, a move that could have carved out a secret door to millions of servers across the internet. The near-miss has refocused attention on the safety of open source software – free, often volunteer-maintained programs whose transparency and flexibility mean they serve as the foundation for the internet economy.
Update logs available through the open source software site GitHub show that Tan’s role quickly expanded. By 2023 the logs show Tan was merging his code into XZ, a sign that he had won a trusted role in the project. Tan did not return messages sent to his Gmail account. Reuters has been unable to ascertain who Tan is, where he is, or who he was working for, but many of those who've examined his updates believe Tan is a pseudonym for an expert hacker or group of hackers, likely one working on behalf of a powerful intelligence service.
In the open source community, the discovery has been sobering. The volunteers who maintain the software that underpins the internet aren't strangers to the idea of little pay or recognition, but the realization that they were now being hunted by well-resourced spies pretending to be Good Samaritans was “incredibly intimidating,” said Arasaratnam, of the Open Source Security Foundation.