Foiled Cyberattack Worries Officials and the Tech Industry

tingliketang

April 13, 2024

German software developer Andres Freund was running performance tests last month when he noticed strange behavior in a little-known program. He decided to look into it. What he found frightened those in the software world and drew attention from tech executives and government officials.

Freund works for Microsoft in California. He discovered that the latest version of the open-source software program XZ Utils had been sabotaged by one of its developers. The action could have created a secret door to millions of servers across the internet.

Freund noticed the change before the latest version of XZ became widely used. His observation, security experts say, helped save the world from a digital security crisis.

The near-miss has re-centered attention on the safety of open-source software. Open-source software is free. Volunteers often maintain the programs. Their openness means they serve as the foundation for the internet economy.

Many such projects depend on a small number of unpaid volunteers working on fixes and improvements.

XZ is a collection of file compression tools for the Linux operating system. It was long maintained by a single person, Lasse Collin.

But in a message published in June 2022, Collin said he was dealing with mental health issues. He suggested he was working privately with a new developer named Jia Tan.

Update logs available through the open-source software site GitHub show that Tan's role quickly expanded. By 2023, the logs show, Tan was using his code in XZ. It is a sign that he had won a trusted role in the project.

But cybersecurity experts who have studied the logs say that Tan was only acting like a helpful volunteer. Over the next few months, they say, Tan introduced a nearly invisible backdoor into XZ.

Tan did not return messages sent to his email account. Reuters has been unable to find out who Tan is, where he is, or who he was working for. But many people who have examined his updates believe Tan is a pseudonym for an expert hacker or a group of hackers. Experts say Tan was likely working for a powerful intelligence service.

Tan could easily have gotten away with the actions if Freund had not noticed something unusual. He noticed the latest version of XZ sometimes using an unexpected amount of processing power on the system he was testing.

Microsoft did not make Freund available for an interview. But in publicly available emails and posts to social media, Freund said a series of easy-to-miss clues led him to discover the backdoor.

The find "really required a lot of coincidences," Freund said on the social network Mastodon.

Among those in the open-source community, the discovery has been concerning. The volunteers who maintain the software that supports the internet are used to the idea of little pay or recognition. But the idea that they were now being hunted by well-resourced spies pretending to be volunteers was "incredibly intimidating," said Omkhar Arasaratnam. He is with the Open Source Security Foundation.

For government officials, the incident has raised concerns about how to protect open-source software. Assistant National Cyber Director Anjana Rajan told the online news organization Politico that "there's a lot of conversations that we need to have about what we do next" to protect open-source code.

Whatever the solution, almost everyone agrees the XZ incident shows that something must change.

"We got unreasonably lucky here," said Freund in another Mastodon post. "We can't just bank on that going forward."
