ARI SHAPIRO, HOST:
Our next guest may have stumbled onto a discovery that prevented a major global cyberattack, and that has turned him into an internet hero. Andres Freund works as a software engineer for Microsoft in San Francisco. He was running some routine tests when he noticed something peculiar. In the open-source software that powers servers for governments, companies and banks, he found a sort of backdoor. He is here to tell us more about it, and we should note Microsoft is an NPR funder. Welcome to ALL THINGS CONSIDERED.
ANDRES FREUND: Welcome. Hello.
SHAPIRO: So when you were poking around and you saw something that might have possibly been amiss, what was your first reaction?
FREUND: Annoyance, I guess...
SHAPIRO: (Laughter).
FREUND: ...Because I was actually trying to do something else, and the symptoms seemed weird enough that I couldn't really justify to myself to not switch to looking into what was going on.
SHAPIRO: And when you looked into what was going on, what did you find?
FREUND: I was noticing that something seemed to be using too much resources in SSH, which is something that administrators use to control computers remotely, and that - even though, like, nobody was authorized to log into the machine I was working on. So something was amiss there. And then I looked further and further to see what could possibly cause a CPU usage and eventually figured out that somebody had injected some code into that process that seemed to allow somebody else to log in into the system.
SHAPIRO: You say this could have allowed someone else to log in to the system. That sounds so innocuous. What are the implications of that?
FREUND: Well, that means that whoever can log into the system without authorization can just do just about anything on that system. They could shut it down. Depending on what the system is used for, they could interrupt the use of that system. That could be, for example, some control system for some industrial processes. That could be a bank software. They could just shut down the banking system, or they could steal data from the system because they have all the rights to do stuff on the system.
SHAPIRO: So this small, hidden backdoor could have been a massive compromise of global internet security. Was there a moment that struck you or was it kind of a slow-dawning realization?
FREUND: I would say it was a slow-dawning realization with a few moments of - where, like, it became really apparent that something was wrong. And then for a while I thought, oh, I must be wrong. I must not have realized - I must have missed something. This can't be true. I am not believing myself - and then back to realizing that it might actually be true.
SHAPIRO: How difficult would it have been to build this backdoor? Is it something that any computer hacker could have done?
FREUND: It does not look like a single computer hacker. There - both in the way they injected the backdoor, that was multiple years of work to get to the point of being able to do it. And then the complexity of the backdoor itself was also significant, so that can't have been just, like, one lone individual doing it for a few weeks. That - there was, like, more effort behind it than that.
SHAPIRO: So the minute you sounded the alarm, people piled on. They fixed this flaw, and then they hailed you as a hero. One cybersecurity expert said, the world owes Andres unlimited free beer. How have you been dealing with this sudden fame?
FREUND: I would say that it was - definitely came as a surprise, and it feels very odd because I normally work on obscure stuff that a few other computer-interested people care about but not otherwise any wider audience. So it's putting me somewhere where I not normally am and not entirely comfortable...
SHAPIRO: You haven't always dreamed of being interviewed on NPR (laughter)?
FREUND: No, not really.
SHAPIRO: As I mentioned, this open-source software is depended on by governments, banks, hospitals, huge companies, and it's maintained by an army of volunteers. You said in a social media thread, we got unreasonably lucky here, and we can't just bank on that going forward. So what needs to change?
FREUND: Yeah. In this case, the software that was where the backdoor was actually introduced, that was maintained by a single person for close to 20 years. And that single person was, as far as I know, not being paid for it, despite the software being used extremely widely. And clearly, we have a problem that, like, large companies, governments depend on software that is being maintained by a few individuals.
There was another big vulnerability that was publicly talked about quite a while ago that was called Heartbleed in OpenSSL, which is one of the most crucial security building blocks, I would say, that is extremely widely used. And as a response to problems in the security of it, companies started to pay the maintainers of it so they can actually improve the security of it. And that has to happen more.
SHAPIRO: Andres Freund, thank you for keeping us all safe.
FREUND: My pleasure.
SHAPIRO: That's Microsoft engineer and internet hero Andres Freund.
(SOUNDBITE OF KOFFEE AND KANDEE SONG, "LOTS OF FUN") Transcript provided by NPR, Copyright NPR.
NPR transcripts are created on a rush deadline by an NPR contractor. This text may not be in its final form and may be updated or revised in the future. Accuracy and availability may vary. The authoritative record of NPR’s programming is the audio record.
