开源软件未遂漏洞震惊业界

Update Required To play the media you will need to either update your browser to a recent version or update your Flash plugin.

German software developer Andres Freund was running performance tests last month when he noticed strange behavior in a little-known program. He decided to look into it. What he found frightened those in the software world and drew attention from tech executives and government officials.
德国软件开发人员安德烈斯·弗罗因德上个月在进行性能测试时，注意到一个不知名的程序出现了奇怪的行为。他决定调查一下。他的发现吓坏了软件界人士，并引起了科技行业高管和政府官员的注意。

Freund works for Microsoft in California. He discovered that the latest version of the open-source software program XZ Utils had been sabotaged by one of its developers. The action could have created a secret door to millions of servers across the internet.
弗罗因德在加利福尼亚的微软公司工作。他发现开源软件程序XZ Utils的最新版本被其一名开发者破坏了。这一行为可能为互联网上数百万台服务器打开了一扇暗门。

Freund noticed the change before the latest version of XZ became widely used. His observation, security experts say, helped save the world from a digital security crisis.
弗罗因德在最新版本的XZ被广泛使用之前就注意到了这一变化。安全专家表示，他的观察帮助了将世界从数字安全危机中拯救出来。

The near-miss has re-centered attention on the safety of open-source software. Open-source software is free. Volunteers often maintain the programs. Their openness means they serve as the foundation for the internet economy.
这次未遂事件将人们的注意力重新集中在开源软件的安全性上。开源软件是免费的。通常由志愿者维护这些项目。它们的开放性意味着它们是互联网经济的基础。

Many such projects depend on a small number of unpaid volunteers working on fixes and improvements.
许多此类项目依赖于少数无偿志愿者进行修复和改进。

XZ is a collection of file compression tools for the Linux operating system. It was long maintained by a single person, Lasse Collin.
XZ是用于Linux操作系统的文件压缩工具的集合。它由拉斯·科林这一个人长期维护。

But in a message published in June 2022, Collin said he was dealing with mental health issues. He suggested he was working privately with a new developer named Jia Tan.
但在2022年6月发布的一条消息中，科林称其正在治疗心理健康问题。他暗示自己正在与一位名叫Jia Tan的新开发人员私下合作。

Update logs available through the open-source software site Github show that Tan's role quickly expanded. By 2023 the logs show Tan was using his code in XZ. It is a sign that he had won a trusted role in the project.
通过开源软件网站Github提供的更新日志显示，Tan的角色迅速扩大。到2023年，日志显示Tan在XZ中使用了他的代码。这表明他在这个项目中赢得了一个值得信赖的角色。

But cybersecurity experts who have studied the logs say that Tan was only acting like a helpful volunteer. Over the next few months, they say, Tan introduced a nearly invisible backdoor into XZ.
但研究过这些日志的网络安全专家表示，Tan只是装成一个乐于助人的志愿者。他们说，在接下来的几个月里，Tan为XZ引入了一个几乎隐形的后门。

Tan did not return messages sent to his email account. Reuters has been unable to find out who Tan is, where he is, or who he was working for. But many people who have examined his updates believe Tan is a pseudonym for an expert hacker or a group of hackers. Experts say Tan was likely working for a powerful intelligence service.
Tan没有回复发送到他的电子邮件帐户的信息。路透社一直无法找到Tan是谁，他在哪里，或者他为谁工作。但许多查看过他的最新消息的人士认为，Tan是一名专业黑客或一群黑客的化名。专家表示，Tan很可能为一个强大的情报机构工作。

Tan could easily have gotten away with the actions if Freund had not noticed something unusual. He noticed the latest version of XZ sometimes using an unexpected amount of processing power on the system he was testing.
若弗洛伊德并没有注意到异常，Tan的行为会很容易取得成功。他注意到最新版本的XZ有时会在他正在测试的系统上使用出乎意料的处理能力。

Microsoft did not make Freund available for an interview. But in publicly available emails and posts to social media, Freund said a series of easy-to-miss clues led him to discover the backdoor.
微软没有让弗罗因德接受采访。但弗罗因德在社交媒体上公开的电子邮件和帖子中表示，一系列容易被遗漏的线索让他发现了这个后门。

The find "really required a lot of coincidences," Freund said on the social network Mastodon.
弗罗因德在社交网络Mastodon上说，这一发现“确实需要很多巧合”。

Among those in the open-source community, the discovery has been concerning. The volunteers who maintain the software that supports the internet are used to the idea of little pay or recognition. But the idea that they were now being hunted by well-resourced spies pretending to be volunteers was "incredibly intimidating," said Omkhar Arasaratnam. He is with the Open Source Security Foundation.
在开源社区中，这一发现令人担忧。维护那些支撑互联网的软件的志愿者已经习惯了几乎没有报酬或认可的想法。Omkhar Arasaratnam说，但他们现在被资源充足的伪装成志愿者的间谍“捕猎”的想法“令人难以置信地恐惧”。他在开源安全基金会工作。

For government officials, the incident has raised concerns about how to protect open-source software. Assistant National Cyber Director Anjana Rajan told the online news organization Politico that "there's a lot of conversations that we need to have about what we do next" to protect open-source code.
对于政府官员来说，这一事件引发了人们对如何保护开源软件的担忧。美国国家网络局助理局长安贾娜·拉詹对在线新闻机构Politico表示，“我们需要就下一步要做什么进行很多对话”，以保护开源代码。

Whatever the solution, almost everyone agrees the XZ incident shows that something must change.
无论解决方案是什么，几乎所有人都同意XZ事件表明开源社区必须有所改变。

"We got unreasonably lucky here," said Freund in another Mastodon post. "We can't just bank on that going forward."
弗罗因德在Mastodon的另一篇帖子中说：“我们在这方面运气太好了。我们不能指望一直好运下去。”

I'm Dan Novak.
我是丹·诺瓦克。(51VOA.COM原创翻译，请勿转载，违者必究！)

go top

Tech Companies Want to Build Artificial General Intelligence (24/4/11)
OpenAI Introduces Voice Cloning Tool, But Waits for Public Release (24/4/10)
EU Climate Agency: Another Record High Temperature for March (24/4/9)
Study Aims to Find Out Why Some People Are Left-handed (24/4/9)
Mars Explorer Arrives at New Area in Search for Evidence of Water, Life (24/4/7)
NASA Wants Faster Clock for Moon (24/4/7)
As Climate Changes, Herders Feed Reindeer (24/4/6)
Deforestation, Severe Weather Worsen Disasters in Indonesia (24/4/4)
Google to Destroy Billions of Personal Data Files as Part of Legal Settlement (24/4/3)
In Romania, Europe Builds a Powerful Laser (24/4/3)

[ti:Near-miss Cyberattack Worries Officials, Tech Industry]
[by:www.51voa.com]
[00:00.00]快捷键：S播放/暂停，A快退，D快进，W循环。
[00:00.04]German software developer Andres Freund
[00:03.48]was running performance tests last month
[00:06.68]when he noticed strange behavior
[00:08.96]in a little-known program.
[00:10.76]He decided to look into it.
[00:13.36]What he found frightened those in the software world
[00:17.24]and drew attention from tech executives
[00:20.28]and government officials.
[00:23.16]Freund works for Microsoft in California.
[00:26.56]He discovered that the latest version of
[00:29.56]the open-source software program XZ Utils
[00:33.72]had been sabotaged by one of its developers.
[00:37.24]The action could have created a secret door
[00:40.36]to millions of servers across the internet.
[00:44.96]Freund noticed the change
[00:46.84]before the latest version of XZ became widely used.
[00:51.60]His observation, security experts say,
[00:55.00]helped save the world from a digital security crisis.
[01:00.48]The near-miss has re-centered attention
[01:03.20]on the safety of open-source software.
[01:06.36]Open-source software is free.
[01:09.80]Volunteers often maintain the programs.
[01:13.44]Their openness means they serve
[01:16.04]as the foundation for the internet economy.
[01:20.84]Many such projects depend on
[01:23.16]a small number of unpaid volunteers
[01:26.24]working on fixes and improvements.
[01:30.28]XZ is a collection of file compression tools
[01:34.48]for the Linux operating system.
[01:37.32]It was long maintained by a single person, Lasse Collin.
[01:43.48]But in a message published in June 2022,
[01:47.40]Collin said he was dealing with mental health issues.
[01:50.96]He suggested he was working privately
[01:53.80]with a new developer named Jia Tan.
[01:58.12]Update logs available through the open-source
[02:01.08]software site Github
[02:02.84]show that Tan's role quickly expanded.
[02:07.28]By 2023 the logs show Tan was using his code in XZ.
[02:13.12]It is a sign that he had won a trusted role in the project.
[02:18.52]But cybersecurity experts who have studied the logs
[02:22.20]say that Tan was only acting like a helpful volunteer.
[02:26.52]Over the next few months, they say,
[02:29.20]Tan introduced a nearly invisible backdoor into XZ.
[02:34.72]Tan did not return messages sent to his email account.
[02:38.80]Reuters has been unable to find out who Tan is,
[02:42.60]where he is, or who he was working for.
[02:45.88]But many people who have examined his updates
[02:49.68]believe Tan is a pseudonym
[02:51.96]for an expert hacker or a group of hackers.
[02:55.28]Experts say Tan was likely working for
[02:58.48]a powerful intelligence service.
[03:02.76]Tan could easily have gotten away with the actions
[03:06.36]if Freund had not noticed something unusual.
[03:09.96]He noticed the latest version of XZ
[03:13.60]sometimes using an unexpected amount
[03:16.36]of processing power on the system he was testing.
[03:21.44]Microsoft did not make Freund available for an interview.
[03:25.64]But in publicly available emails and posts to social media,
[03:30.72]Freund said a series of easy-to-miss clues
[03:34.28]led him to discover the backdoor.
[03:38.28]The find "really required a lot of coincidences,"
[03:41.88]Freund said on the social network Mastodon.
[03:46.64]Among those in the open-source community,
[03:49.20]the discovery has been concerning.
[03:51.88]The volunteers who maintain the software
[03:54.76]that supports the internet
[03:56.40]are used to the idea of little pay or recognition.
[04:00.44]But the idea that they were now being hunted
[04:03.60]by well-resourced spies pretending to be volunteers
[04:07.68]was "incredibly intimidating," said Omkhar Arasaratnam.
[04:12.56]He is with the Open Source Security Foundation.
[04:17.88]For government officials, the incident has raised concerns
[04:21.48]about how to protect open-source software.
[04:25.64]Assistant National Cyber Director Anjana Rajan
[04:29.52]told the online news organization Politico
[04:33.00]that "there's a lot of conversations
[04:35.40]that we need to have about what we do next"
[04:37.96]to protect open-source code.
[04:41.56]Whatever the solution, almost everyone agrees
[04:45.00]the XZ incident shows that something must change.
[04:49.96]"We got unreasonably lucky here,"
[04:52.32]said Freund in another Mastodon post.
[04:55.44]"We can't just bank on that going forward."
[04:59.44]I'm Dan Novak.