Curl developer can turn off half the internet: We must protect ourselves

Photo: Pontus Lundahl/TT

March 2024:

Andres Freund is not happy. The latest version of Xz does not work as expected. The program, which, roughly speaking, is used by millions of servers to compress data, is a bit too slow and uses too much processing power.

The German Microsoft employee takes a closer look. He looks at the code. He looks at the accompanying documentation. He finds clues, seemingly unrelated coincidences, that all ultimately point to the same conclusion:

Someone under the pseudonym Jia Tan has been actively trying to use Xz to take control of a large portion of the world's servers for several years.

Freund publishes his findings. The alarm creates panic. The emergency brakes are applied. The Xz update is stopped. Jia Tan's attack is stopped on the goal line.

“Just a name online”

March 2026:

In a sun-drenched residential area in Huddinge, south of Stockholm, a middle-aged man sits in his living room and sees similarities between the Xz attack and the project he himself has been running for the past 30 years.

- It was like a person on the inside. It was someone on the team. I also have people in my project that I don't meet every day. I don't have a face. I just know that there is a name online, says Daniel Stenberg.

He is the man behind curl, or cURL, a “program” for transferring data digitally.

Both curl and Xz are “programs” that form the cornerstones of the modern internet. They are also both ideas that were started by one or a few individuals as independent, often unpaid, projects and then grew to their current status as supporting pieces in the ever-changing Jenga-like structure that is “the internet.”

Curl has been installed an estimated 20 billion times in everything from cars to mobile phones, helicopters and dishwashers. If anything connects to the internet, it's probably using curl.

The building blocks of the Internet

- The world looks quite different today than it did when I started this, says Daniel Stenberg.

One aspect, however, remains intact today from the early physical hacker gatherings in the mid-1990s that were Stenberg's starting point for developing curl - the lure of sharing something with like-minded people. Today, many of the Internet's building blocks, like curl or Xz, are powered by publicly available information and testing.

Open to all, used by all. Checked, double-checked and triple-checked by many. But also, as the Xz attack shows, extremely vulnerable if someone were to take control of the building block against all odds.

- There are large actors who can spend any amount of time, entire teams of people to carry out attacks.

“Turn off half the internet”

In the case of “Jia Tan” and Xz, experts have put forward different theories about who or what was behind the attack. Some point to state actors such as China, Russia, Iran or Israel. Others point to hacker groups that either acted themselves or on behalf of a state.

“Jia Tan” disappeared as soon as the attack became known. It is unlikely, but not impossible, that something similar would happen again, according to Stenberg.

- We have to do something that protects us from the percentage of users who will try to find stupidity in this, he says.

So far it has worked. Curl definitely contains errors and bugs, as Stenberg puts it, but no hidden attempts to take over the world.

- The even more cynical question is, if someone were to take my family hostage and threaten me, what's the worst I could do without anyone discovering it?

TT: When I spoke to Pontus Johnson, a professor at KTH and deputy director of Cybercampus, he expressed it as if you would be “able to turn off half the internet”.

- I can't. I don't have a button to push that controls it that way.

TT: What do you say about the truth of the statement then?

- Possibly, if I've made a mistake somewhere, which someone manages to exploit. In the worst-case scenario with a security problem in an open-source code... It could be really bad, so in that way he might be right.

- But if someone suspected that I had a button somewhere that could shut everything down, then people wouldn't use curl and believe it. Then they'd just throw my stuff away and go another way. Trust is all I have here. I can't break it or risk it.

The development of curl took off in the mid-1990s when Daniel Stenberg needed a tool to retrieve updated information about currency rates.

Over the years, the tool has grown to become a mainstay in millions of technological gadgets that need to connect to the internet; everything from cars to mobile phones uses curl.

Curl is an open-source project, meaning that anyone can access it and follow or contribute to its development. The openness makes it easier for different companies and organizations to adapt the tool to their needs than, for example, a tool developed by an individual company.

Large parts of the internet's infrastructure, and other popular digital services, are based on building blocks that are made with open-source code.

Source: Daniel.haxx.se

By TT News Agency. English edition by Sweden Herald, adapted for our readers.
