Cuckoos almost took control of our Cloud.
Bruno Ganz in The American Friend (1977), an adaptation of Patricia Highsmith's Ripley's Game.

The utopian, high-trust model of open development is a problem in a low-trust world.


The police call it “cuckooing”: when drug dealers take over the premises of a vulnerable, often handicapped person living in the community. It is a quite horrible crime.

For the first time, I believe, a kind of "cuckooing" has been deployed by unknown actors - possibly, and most likely, China - to undermine our IT infrastructure. A very audacious supply chain attack was undertaken that planted a back door in the Linux distributions used to power our data centres. It very nearly succeeded: the back door had already been released in some distributions, and would eventually have found its way into production systems. The computers in the Cloud would have belonged to the attackers.

How so?

Key components of our critical infrastructure are maintained by lone volunteers. So it’s not surprising that loneliness and mental health issues arise, and can be exploited, too. This is what unknown hackers did to seize control of the development of an open source compression library maintained by Lasse Collin. I wrote about it this week at The Telegraph.

The takeaway, for those in a hurry: the open model of development that has served us so well, first for the internet protocols and then for open source platforms, is a very trusting one. But the world we live in is a low-trust world. This is not going to be easy to solve. I highlighted some of these issues in this week's Telegraph column. A few excerpts below:


Somewhere in Nebraska lives a lonely, overworked and very anxious man, who we shall call Hank. Between feeding his cat, dealing with mental health issues and sorting out his Mom’s medical prescriptions, Hank also looks after some computer code. Hank isn’t paid to do that – he’s a volunteer. But mistakes happen, and an oversight by Hank leads to China taking control of the free world’s IT systems, capturing our biggest cloud datacentres, and paralysing the G7’s economies.

Actually, Hank is the start of a very long but critical supply chain that few people ever examine. Around 90 per cent of the systems in datacentres use Linux. The code is open, can be inspected by anyone, and anyone can submit code too. But it means a great deal of the coding effort remains voluntary, and in the hands of individual code “maintainers” like Hank.

Over two years, attackers carefully took control of one of the crucial nuts and bolts of a Linux system: a compression library called XZ Utils that zips and unzips files, one used thousands of times a day in datacentres. XZ Utils was originally developed by Lasse Collin in 2005, and he has looked after it ever since. In 2021, Collin began to receive contributions over the internet from someone calling himself “Jia Tan”. At first these seemed like helpful and innocuous bug fixes. But then Tan began to pressure Collin for not being dutiful enough. Collin was very sorry, he explained, because he had “long-term mental health issues” to deal with. Gradually, the mysterious Mr Tan began to take control. More contributors emerged to “help” Collin, and like Tan, none of them had left a footprint anywhere else on the internet. But the tiny library that Collin maintained now contained a secret back door: the code patches Mr Tan and his friends had submitted allowed an attacker to take full control of the entire system, without anyone realising.

“I’m surprised it’s taken this long for this kind of attack to be mounted”, says Tim Mackey, head of software supply chain risk strategy at the silicon design company Synopsys. “This may turn out to be a template for a new kind of social engineering,” he fears.

“Keep in mind this was an unpaid hobby project,” pleaded Collin on a mailing list.

It seems extraordinary that our economies rely so much on contributions from individual volunteers. How can so much economic value balance so precariously on something so fragile? Google and Amazon are among the biggest companies in the world, and the cloud computing market was worth almost half a trillion dollars in 2023, but critical parts still rely on unpaid volunteers. All this poses a unique challenge for governments.

Read more at The Telegraph.