German software developer Andres Freund was running performance tests last month when he noticed strange behavior in a little-known program. He decided to look into it. What he found frightened those in the software world and drew attention from tech executives and government officials.
Freund works for Microsoft in California. He discovered that the latest version of the open-source software program XZ Utils had been sabotaged by one of its developers. The action could have created a secret door to millions of servers across the internet.
Freund noticed the change before the latest version of XZ became widely used. His observation, security experts say, helped save the world from a digital security crisis.
The near-miss has re-centered attention on the safety of open-source software. Open-source software is free. Volunteers often maintain the programs. Their openness means they serve as the foundation for the internet economy.
Many such projects depend on a small number of unpaid volunteers working on fixes and improvements.
XZ is a collection of file compression tools for the Linux operating system. It was long maintained by a single person, Lasse Collin.
But in a message published in June 2022, Collin said he was dealing with mental health issues. He suggested he was working privately with a new developer named Jia Tan.
Update logs available through the open-source software site Github show that Tan's role quickly expanded. By 2023 the logs show Tan was using his code in XZ. It is a sign that he had won a trusted role in the project.
But cybersecurity experts who have studied the logs say that Tan was only acting like a helpful volunteer. Over the next few months, they say, Tan introduced a nearly invisible backdoor into XZ.
Tan did not return messages sent to his email account. Reuters has been unable to find out who Tan is, where he is, or who he was working for. But many people who have examined his updates believe Tan is a pseudonym for an expert hacker or a group of hackers. Experts say Tan was likely working for a powerful intelligence service.
Tan could easily have gotten away with the actions if Freund had not noticed something unusual. He noticed the latest version of XZ sometimes using an unexpected amount of processing power on the system he was testing.
Microsoft did not make Freund available for an interview. But in publicly available emails and posts to social media, Freund said a series of easy-to-miss clues led him to discover the backdoor.
The find "really required a lot of coincidences," Freund said on the social network Mastodon.
Among those in the open-source community, the discovery has been concerning. The volunteers who maintain the software that supports the internet are used to the idea of little pay or recognition. But the idea that they were now being hunted by well-resourced spies pretending to be volunteers was "incredibly intimidating," said Omkhar Arasaratnam. He is with the Open Source Security Foundation.
For government officials, the incident has raised concerns about how to protect open-source software. Assistant National Cyber Director Anjana Rajan told the online news organization Politico that "there's a lot of conversations that we need to have about what we do next" to protect open-source code.
Whatever the solution, almost everyone agrees the XZ incident shows that something must change.
"We got unreasonably lucky here," said Freund in another Mastodon post. "We can't just bank on that going forward."
Words in This Story
sabotage - v. to destroy or damage something deliberately so that it does not work correctly
maintain - v. to keep something in good condition by making repairs and correcting problems
compression - n. the act of reducing the size of a file by using special software
role - n. a part that someone or something has in a particular activity or situation
invisible - adj. impossible to see
pseudonym - n. a name that someone uses instead of his or her real name
interview - n. a meeting at which people talk to each other in order to ask questions and get information
coincidence - n. a situation in which events happen at the same time in a way that is not planned or expected
pretend - v. to act as if something is true when it is not true
intimidate - v. to make afraid
conversation - n. an informal talk involving two people or a small group of people
bank on - phrasal v. to feel confident or sure about