Special Event Recap: Understanding the XZ Security Breach and Open Source Security

May 21, 2024

On May 9, 2024, the Berkeley Institute for Data Science (BIDS) partnered with the Center for Long-Term Cybersecurity (CLTC) and the Kavli Center for Ethics, Science, and the Public to host “Understanding the XZ Security Breach and Open Source Security”, not long after the XZ security breach was discovered. This event is the first of a series that BIDS will host, each corresponding to current events and aligned with BIDS’ role at UC Berkeley and the new Open Source Program Office (OSPO).

BIDS Faculty Director Fernando Pérez began by describing the XZ security breach and why it is so important not only to the open source community but to the entire world. It was a stroke of luck that the security problem was detected. The goal of this event was to discuss what can be done to mitigate security problems going forward, along with the benefits and challenges of doing so.

The discussion included a panel of three experts:

  • K. Jarrod Millman, Senior Open Source Scientific Python Developer, Berkeley Institute for Data Science
  • Nick Merrill, Director, Daylight Lab, UC Berkeley Center for Long-Term Cybersecurity
  • Juanita Gomez, Computer Science PhD student, Community leader for the Scientific Python project, University of California, Santa Cruz

Fernando asked each panelist to spend a few minutes sharing a bit about their interest in this topic to set the stage for the conversation. Jarrod Millman leads the Open Source Program Office (OSPO) at UC Berkeley. Topics like this one are closely related to the work the OSPO will do as a central campus hub for open source interactions. Juanita Gomez’s work is also tied to the UC Santa Cruz OSPO. Her research addresses maintainers’ security pain points by looking for ways to help implement better security practices. Nick Merrill considers the financial resources and support available to developers, most of whom work as volunteers, since attacks like this one had been cultivated over many years.

XZ Security Breach Panel

The first question was simply “How widespread was the attack?” Jarrod explained that this was not exclusively an XZ or SSH attack -- it was a piece in the middle called systemd, which provides vendors with a lot of usability and functionality. Juanita pointed out that there are countless other things happening that we don’t know about, because we don’t yet have the right tools and people to find them. And Nick concluded by noting that the security issue goes beyond the open source packages themselves: package managers have vulnerabilities too. Bad actors could get inside package managers to manipulate or deny access, causing significant disruption and damage.

Since academics and researchers have close relationships with open source work and culture, Fernando asked the panelists whether they felt the breach could affect these open, welcoming, and collaborative environments. Nick doesn’t see a case for limiting or closing these efforts; his faith in open source has not been shaken. Juanita believes the future must include educating graduate students on how to work securely when building software. Jarrod noted that funding for security will be as vital as funding for hardware if the environment is to continue to thrive.

This part of the discussion led to a follow-up question: “Can you think of concrete changes for the burdened maintainers of open source projects and for people whose focus is not security?” Juanita described Scorecard, which can look at a project’s activity and commits. It is helpful to get a sense of the metrics that have been identified by other people. She also suggested using language that a maintainer can comfortably understand: “20 things that will make your software more secure”. Nick believes for-profit companies can play a greater role and contribute to security, since they also use open source software. And, in reference to Nick’s comment, Jarrod pointed out that OSPOs will be looking for allies. Jarrod also noted that there may be a need for new policies and economic models.

The audience was invited to participate. The questions ranged from tools for improving security, to the social engineering aspect of the problem, to tracking issues around open science. Overall, the event was highly informative and served as a launching point for conversations about open source and open science in the BIDS community and beyond.