Volunteer Programmer Prevents Major Cyber Attack
In March 2024, a volunteer programmer, Andres Freund, discovered malicious “backdoor” code that had been planted in Linux, the operating software used by the majority of the world’s web servers. If undetected, this backdoor could have resulted in a potentially devastating cyber attack by allowing attackers to steal encrypted data or plant malware on millions of computers worldwide.
Linux is used on the servers hosting most of the webpages on the internet, including Facebook, Google, Wikipedia, and the servers used by banks, hospitals, governments and Fortune 500 companies. The security of the software is therefore a matter of global importance. Despite this importance, Linux is predominantly maintained by a small group of volunteer programmers who fix bugs and patch holes in the software.
While conducting routine maintenance, Freund noticed that SSH, an application on Linux used to log into computers remotely, was consuming excessive processing power. He traced the issue to a data compression toolset on Linux called XZ Utils, where he found the backdoor. This backdoor could have enabled attackers to control a user’s SSH connection and secretly execute code, potentially leading to data theft or malware installation. Freund promptly reported his findings to the open-source community and a fix was developed within hours.
Investigations revealed that the anonymous attacker had spent years assisting in the maintenance of XZ Utils to gain the trust of other developers, eventually becoming one of two official maintainers of XZ Utils, before planting the backdoor earlier this year.
This incident underscores the security risks inherent in our reliance on this potentially insecure, volunteer-maintained technology, which forms the backbone of the internet.
Author: Cristin Hunt 2023/2024 Articling Student-At-Law
Photo Credit: https://unsplash.com/@towfiqu999999