This month I want to highlight a video, XZ Exploit, by Dr Richard G Clegg on the Computerphile YouTube channel. This video discusses a hack from one year ago that almost created a backdoor to millions of computers across the world. The hack was found in a test environment prior to release but came close to being the worst – and most effective – hack of all time.
The XZ exploit is notable for several reasons: (1) the hacker was patient, spending three years gaining trust before submitting the offending code; (2) the hack was cleverly obfuscated, making it nearly impossible to detect without deep analysis; and (3) the hacker remains a mystery to this day. This video does a wonderful job describing the hack in a simplified way, and frankly it’s frightening how close this hack came to being released.
One year later, the XZ exploit is a good reminder to reflect on a few computer security truths that remain relevant, but are easy to ignore during quiet times:
- Your systems are vulnerable. What is the opposite of security? Accessibility. If you want a 100% secure system, it must be 0% accessible to anyone, at all times. This is clearly impossible because an inaccessible system has no practical value; thus, all systems are vulnerable, including your systems.
- No news is not good news. Hackers are patient and motivated. The XZ exploit had a three-year time horizon. The hacker gained trust, gained access, and eventually injected their malicious code and data. The absence of news is not a good sign. We must be proactive with our security checks and assume bad actors are constantly trying to gain access to our systems.
- Security is everyone’s job. Security is often delegated to experts in companies. This makes sense because the security field is dynamic and the experts benefit from constant connection and communication. However, having a security team does not absolve others from considering security in all aspects of their system design, implementation, and testing. Security is all of our jobs at all times, and we should ensure our implementers have a security-first mindset.
“…they can run whatever command they like on whatever Linux computer they like if it has sshd going.”