TubeReads

The Internet Was Weeks Away From Disaster and No One Knew

In 2021, a hacker uncovered a fatal weakness embedded in the world's most critical infrastructure—Linux, the operating system powering billions of servers, nuclear submarines, and hospital networks. For two and a half years, a meticulous attacker named «Jia Tan» quietly infiltrated a volunteer-run compression tool kept alive by a single exhausted developer. By the time anyone noticed, the backdoor was weeks away from landing in production systems everywhere. How did a jammed printer in 1984 lead us to this precipice? And what does it reveal about the invisible foundations holding up the entire internet?

Video length: 53:00 · Published Feb 25, 2026 · Video language: English
7–8 min read · 9,377 spoken words summarized to 1,451 words (6x)

1

Key Takeaways

1. The XZ backdoor was discovered purely by accident when a Microsoft engineer noticed SSH connections running 400–500 milliseconds slower than expected—had the attacker optimized for speed, the exploit would likely have gone undetected.

2. A multi-year social engineering campaign pressured a single unpaid maintainer into handing over control of a critical compression library used across the entire Linux ecosystem, demonstrating that code dependencies are less vulnerable than the exhausted humans maintaining them.

3. The attacker's backdoor was technically brilliant: it used IFUNC resolvers, audit hooks, and custom encryption to hijack SSH authentication in a narrow «Goldilocks zone» during system startup, evading detection through extreme caution and obfuscation.

4. Despite fears that open source is fundamentally insecure, the XZ backdoor was caught precisely because the code is public—closed source systems likely harbor similar state-sponsored backdoors that will never be discovered or discussed.

5. The Linux ecosystem rests on thousands of unpaid volunteers maintaining critical infrastructure; the XZ crisis reveals we have built the foundation of the internet on goodwill, not sustainability.

In a Nutshell

A state-sponsored hacker nearly compromised millions of Linux servers by exploiting the most human vulnerability: a single overworked volunteer maintaining critical infrastructure for free. The attack was stopped by sheer luck—half a second of slowdown noticed by one curious developer.


2

The Jammed Printer That Started a Revolution

A simple printer jam in the 1980s sparked the free software movement.

Richard Stallman couldn't fix a jammed Xerox 9700 because the company refused to share the source code. Years earlier, he'd solved a similar problem by writing a simple alert program, but now Xerox required non-disclosure agreements that locked developers out. This was the moment Stallman saw «a social phenomenon that was important and affected a lot of people».

Stallman quit MIT and in 1985 founded the Free Software Foundation, establishing four basic freedoms: to run, study, change, and share software. To enforce those freedoms legally, he created the General Public License and began the GNU Project—a Unix clone built from scratch to avoid AT&T lawsuits. By 1991, a Finnish student named Linus Torvalds contributed the missing piece: a kernel he renamed Linux.

Because the code was open and free, a new model of software development took hold. Anyone could inspect, improve, and fix flaws. Linux spread into vacuum cleaners, cameras, TVs, weapon systems, all 500 of the world's top supercomputers, and the majority of internet servers. The entire ecosystem rested on one key assumption: that the code was secure because enough eyes were watching.


3

The Single Point of Failure

Lasse Collin maintained a critical compression tool alone and unpaid for two decades.

I haven't lost interest, but my ability to care has been fairly limited, mostly due to long-term mental health issues, but also due to some other things. It's also good to keep in mind that this is an unpaid hobby project.

Lasse Collin


4

How Open Source Really Works

🧱
The XKCD Prophecy
A famous comic shows modern infrastructure balanced on a tiny block maintained by «some random person in Nebraska». The XZ crisis proved this wasn't satire—it was documentation.
🔧
Dependency Chains
Linux isn't one project. It's thousands of small tools and libraries doing different jobs. If one person's nights-and-weekends passion project becomes useful, millions of machines can end up relying on it.
📉
Burnout by Design
Lasse Collin maintained XZ since 2005 with no pay. When pressure mounted from impatient users, his mental health suffered. The system had no support for the person holding it up.
🎭
The Perfect Target
XZ was so good at compression it became used in almost every major Linux distribution. Compromising that one tool meant access to almost any server on the internet.

5

The Anatomy of SSH

SSH's encryption protects remote logins; the backdoor weaponized that same protection.

1. Secure the Channel: Two machines agree on a shared secret using a paint-mixing analogy. Each adds a private color to a shared public color, the two exchange the results, and each then mixes in its own private color again, arriving at identical final colors that no eavesdropper can replicate from what crossed the wire.

2. Authenticate the User: The server publishes a large number, the product of two secret primes. The client encrypts with that public number; only the server, which knows the prime factors, can decrypt. This RSA step is what foils man-in-the-middle attacks.

3. Universal Adoption: Tatu Ylonen created Secure Shell (SSH) in 1995 after a password sniffing attack. OpenSSH became the most widely used implementation, forming the «maintenance backbone of the entire internet».


6

Jia Tan's Three-Step Masterplan

🐴
Step 1: Trojan Horse
Jia hid malicious code inside binary test blobs that nobody reads. A small change in the build script unpacked the payload into the XZ library without ever appearing in human-readable source code on GitHub.
🕐
Step 2: Goldilocks Zone
Using IFUNC resolvers and audit hooks, Jia rewrote the Global Offset Table entry for RSA Decrypt at the precise moment after it was filled but before it was marked Read Only—a tiny window of vulnerability.
🐱
Step 3: Cat Burglar
The backdoor listened for a hidden master key via mini cryptographic exchange, authenticated the attacker, executed the payload, then wiped all logs. It was cautious, meticulous, and nearly invisible.

7

The Half-Second That Saved the Internet

A Microsoft engineer's curiosity about a 500ms delay exposed the backdoor.

Andres Freund wasn't looking for a security flaw. He was testing a Postgres database update on Debian's unstable release when he noticed SSH connections were about 400–500 milliseconds slower than expected. It wasn't much, but it gnawed at him. He'd already seen strange Valgrind errors in XZ weeks earlier, and now he couldn't concentrate in meetings.

Digging deeper, Andres traced the delay to binary test files that were never actually used in tests. Eventually he saw it: a backdoor so meticulous it hunted through memory, decoded raw bytes, wrapped everything in custom encryption, and garbled its own strings. All of that caution took time—and that's what gave it away. One expert noted: «If they had done less obfuscation, I probably would not have noticed that anything was wrong».

Andres reported it directly to Debian security, bypassing the compromised XZ contact. Red Hat rolled back Fedora immediately. The entire open source community started dissecting the project. Andres became a hero, earning a shout-out from Microsoft's CEO. But mainstream media barely covered the story, even though millions of systems had been weeks away from compromise.


8

Who Is Jia Tan?

Evidence points to a multi-year state-sponsored operation, likely Russian or masked to look Chinese.

THE CAMPAIGN
Social Engineering Over Two Years
Jia Tan was likely a front for a group. Sock puppet accounts with free email addresses and no digital footprint pressured Lasse Collin for months, finally convincing him to hand over maintainer control. The operation cost an estimated million dollars and required extreme patience—hallmarks of a nation-state actor, not a criminal gang seeking quick returns.
THE SUSPECTS
False Flags and Time Zones
Aliases sound Asian, and commits were timestamped UTC+8 (Beijing time), suggesting China. But experts believe this is misdirection—why make it obvious when every other detail was meticulous? The attacker worked Chinese New Year but not Christmas, and nine commits fell in UTC+2 (Israel/Western Russia). Some suspect APT29 (Cozy Bear), a Russian state-backed group. Jia Tan vanished the moment the exploit was exposed.

9

The Real Vulnerability Isn't the Code

Open source's strength exposed the backdoor; closed systems likely hide worse.

💡
Experts debated whether XZ proved open source is flawed, but most concluded the opposite. In closed systems, a state-sponsored backdoor might require only a court order or internal collusion—and no community member would ever notice a 500ms delay. It's only because Linux is public that this attack was dissected and turned into a conversation. The vulnerability isn't transparency; it's that we've built the internet's foundation on unpaid volunteers with no institutional support.


10

By the Numbers

The scale of Linux, the precision of the attack, and the luck that saved us.

Linux Devices Worldwide
Over 3 billion
Android alone runs on more than 3 billion devices; all are built on the Linux kernel.
Top Supercomputers Running Linux
500 out of 500
Every single one of the world's top 500 supercomputers runs Linux.
Duration of Jia Tan's Campaign
2.5 years
The attacker spent over two years slowly infiltrating the XZ project and building the backdoor.
SSH Connection Slowdown
400–500 milliseconds
The delay that caught Andres Freund's attention—had the attacker optimized better, the backdoor would likely have gone undetected.
Time Until Production Rollout
Weeks
The backdoor was in Fedora pre-release and Debian testing; it was weeks away from landing in Red Hat Enterprise Linux 10 and reaching millions of production servers.
Estimated Cost of Operation
~$1 million
Experts estimate the multi-year campaign required resources consistent with state-level funding, not a criminal organization.

11

People

Richard Stallman
Founder, Free Software Foundation
mentioned
Linus Torvalds
Creator of Linux kernel
mentioned
Lasse Collin
Maintainer of XZ compression tool
mentioned
Jia Tan
Suspected state-sponsored hacker
mentioned
Andres Freund
Microsoft software engineer / discoverer of backdoor
mentioned
Rich (last name not given)
Red Hat packager
guest
Derek Muller
Host / video creator
host
Henry (last name not given)
Narrator / security researcher
host

Glossary
SSH (Secure Shell): An encrypted protocol for remotely logging into and controlling computers over a network.
Backdoor: A hidden method of bypassing normal authentication to gain unauthorized access to a system.
IFUNC Resolver: A low-level mechanism that selects which version of a function to use at runtime, often used to pick the implementation best suited to specific hardware.
Global Offset Table (GOT): A table of memory addresses that tells a program where to find functions and variables from shared libraries.
LZMA: Lempel–Ziv–Markov chain algorithm, a highly efficient data compression method used by XZ.

Disclaimer: This is an AI-generated summary of a YouTube video for educational and reference purposes. It does not constitute investment, financial, or legal advice. Always verify information with original sources before making any decisions. TubeReads is not affiliated with the content creator.