A ‘fairly private person’ might have just saved the world from a giant cyberattack.

There’s an archetype in literature called the reluctant hero — basically, an ordinary man or woman called into an unusual situation that requires heroic exploits.

Think of Han Solo from the original Star Wars.

Or Katniss Everdeen in The Hunger Games.

Or if you’re a fan of the true classics, think of Humphrey Bogart’s Rick, from the movie Casablanca. It’s even better for the story if the world never really knows the degree to which the hero or heroine saved us all.

Imagine what it would be like if one of your employees did something to fill this role. How would you react? Because we now have a real-life, real-time name to add to the list: Andres Freund. Don’t know who Freund is? He’s a 38-year-old Microsoft engineer who describes himself as “a fairly private person who just sits in front of the computer and hacks on code.”

But his eagle-eyed action is being credited with quite possibly having saved the world from a giant cyberattack.

In other words: A reluctant hero for the digital age. He certainly gathered the attention of Microsoft CEO Satya Nadella. The story goes like this. Earlier this year, Freund noticed that a system he used that ran on Linux was giving error messages he didn’t recognize.

Strange. But at the time, according to Kevin Roose in the New York Times, who interviewed him recently, Freund filed the error messages away in his mind.

After he’d done that, he realized that another application called SSH, which is used to log into computers remotely, was running slowly — taking 0.8 second to log in, rather than 0.3 second. The half-second difference was enough to raise his suspicions, and Freund investigated.

I’m going to keep this article as accessible as possible by not diving overly deep into the details, but as Roose writes: “He traced the issue to a set of data compression tools called xz Utils, and wondered if it was related to the earlier errors he’d seen.”

Ultimately, Freund deduced that somebody had maliciously added code to xz Utils that could allow the creator to take over computers remotely, and install and run malicious code. Last week, he shared his discovery in a public group of open-source software developers:

Hi,

After observing a few odd symptoms around liblzma (part of the xz package) on Debian sid installations over the last weeks (logins with ssh taking a lot of CPU, valgrind errors) I figured out the answer: The upstream xz repository and the xz tarballs have been backdoored.

At first I thought this was a compromise of debian’s package, but it turns out to be upstream.

… It goes on for more than 1,600 words. Quoting it more would quickly violate my promise not to get too technical.
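For readers who do want one concrete, defensive takeaway: the two symptoms described above (an SSH login that went from about 0.3 second to 0.8 second, and liblzma showing up where SSH is involved) can both be turned into routine checks. The script below is an added example written for this article; it is not code from Freund’s post or from the xz or OpenSSH projects. The timing samples and the `ldd` output it parses are constructed stand-ins, the file paths are placeholders, and the note that some distributions link sshd against libsystemd (which in turn loads liblzma) is an assumption stated in the code rather than something the article discusses.

```python
"""Two defensive checks inspired by the symptoms described in the article (added example).

1. Latency regression: compare a baseline set of SSH login timings with recent
   ones and flag a jump like the 0.3 s -> 0.8 s the article mentions.
2. Dependency check: parse `ldd` output for an sshd binary and report whether
   liblzma (from the xz package) is loaded into the SSH daemon.  Assumption:
   on some distributions sshd is linked against libsystemd, which pulls in
   liblzma; the article itself does not go into this.
"""
import re
import statistics
import subprocess
import time

# Constructed timing samples (seconds) modelled on the article's figures.
BASELINE_LOGINS = [0.29, 0.31, 0.30, 0.32, 0.30]
RECENT_LOGINS = [0.79, 0.82, 0.80, 0.78, 0.81]

# Constructed `ldd /usr/sbin/sshd` output; paths and addresses are placeholders.
LDD_WITH_LZMA = """\
        linux-vdso.so.1 (0x00007ffd1)
        libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f1)
        liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f2)
        libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f3)
"""
LDD_WITHOUT_LZMA = """\
        linux-vdso.so.1 (0x00007ffd1)
        libcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 (0x00007f1)
        libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f3)
"""


def latency_regression(baseline, recent, factor=2.0, min_delta=0.1):
    """Return (flagged, baseline_median, recent_median).

    Medians resist the occasional slow network round trip.  A regression is
    flagged only when the recent median is at least `factor` times the
    baseline AND at least `min_delta` seconds slower, so tiny absolute jitter
    on a fast link does not trip the check.
    """
    base = statistics.median(baseline)
    now = statistics.median(recent)
    flagged = now >= base * factor and (now - base) >= min_delta
    return flagged, base, now


def time_command(argv, runs=5):
    """Time `argv` (e.g. ["ssh", "-o", "BatchMode=yes", host, "true"]) `runs` times.

    Returns wall-clock seconds per run.  Not invoked by default so the module
    runs offline; call it to collect real samples for latency_regression.
    """
    samples = []
    for _ in range(runs):
        start = time.perf_counter()
        subprocess.run(argv, stdout=subprocess.DEVNULL,
                       stderr=subprocess.DEVNULL, check=False)
        samples.append(time.perf_counter() - start)
    return samples


# Matches "<soname> => <resolved path>"; lines without "=>" (vdso) are skipped.
_LDD_LINE = re.compile(r"^\s*(\S+)\s+=>\s+(\S+)")


def loaded_libraries(ldd_output):
    """Map soname -> resolved path from `ldd` text."""
    libs = {}
    for line in ldd_output.splitlines():
        m = _LDD_LINE.match(line)
        if m:
            libs[m.group(1)] = m.group(2)
    return libs


def sshd_links_liblzma(ldd_output):
    """True if any liblzma.* is among the libraries ldd resolved for sshd."""
    return any(name.startswith("liblzma.") for name in loaded_libraries(ldd_output))


if __name__ == "__main__":
    flagged, base, now = latency_regression(BASELINE_LOGINS, RECENT_LOGINS)
    print(f"login median {base:.2f}s -> {now:.2f}s, regression={flagged}")
    print("sshd loads liblzma:", sshd_links_liblzma(LDD_WITH_LZMA))
```

On a real host you would feed `time_command` a non-interactive SSH login to a known server and the output of `ldd` on your sshd binary; a flagged regression or an unexpected compression library inside a login daemon is not proof of anything, but it is exactly the kind of oddity worth a second look.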

But if it hadn’t been identified, the problem might well have been the equivalent of “a master key to any of the hundreds of millions of computers around the world that run SSH,” according to one expert, Alex Stamos, the chief trust officer at cybersecurity research firm SentinelOne.

“This could have been the most widespread and effective backdoor ever planted in any software product,” Stamos told the Times. Fortunately, developers figured out a fix to shut it down. Freund was hailed as a hero. At Microsoft, Nadella tweeted:

“Love seeing how @AndresFreundTec, with his curiosity and craftsmanship, was able to help us all. Security is a team sport, and this is the culture we need everywhere.”

I found Nadella’s wording interesting. I think as a CEO, I’d want to acknowledge Freund, but also not get too far over my skis about what the effect was. For that matter, I also wouldn’t want to speculate about how big the danger might have been.

Because here’s the paradox: We’ll never know for certain how costly things could have been if Freund hadn’t caught this apparent hack, precisely because he did catch it. We don’t know, and maybe we never will, whether it was a state actor, or a group, or someone else responsible. We won’t know what damage might have been done.

So: “curiosity and craftsmanship.” It’s one of the few times that it probably makes sense as a leader to praise the effort, but stay quiet on the outcome.

The best kind of reluctant hero story is the one in which we never knew how much we needed them.

