Daniel Stenberg, creator of the widely used curl program, draws parallels between his project and a cyberattack that nearly succeeded two years ago. In an interview in Huddinge, he stresses the importance of trust in open-source software underpinning the internet. An expert warns he could theoretically shut down half the internet.
In March 2024, Andres Freund, a Microsoft employee, discovered a backdoor in the Xz program that a contributor using the pseudonym Jia Tan had inserted over the course of several years. Xz is used for data compression on millions of servers. The update was halted at the last moment after Freund raised the alarm, foiling the attack.
Daniel Stenberg, who has developed curl since the mid-1990s, sees similarities with his own project. Curl, a tool for digital data transfer, has been installed about 20 billion times in devices like cars, mobile phones, and helicopters. "It was like an insider. One in the team. I also have people in my project I don't meet daily. No face. Just an online name," Stenberg says.
The project began as a way to fetch currency rates and relies on open source, open to contributions from anyone. Stenberg notes the world has changed since 1990s hacker meetups, but the appeal of sharing persists. "We must do something to protect us from that percentage of users trying to find mischief," he says.
KTH professor Pontus Johnson claims Stenberg could "shut down half the internet." Stenberg responds: "Trust is everything I have here. I can't break it or risk it." He acknowledges that a security flaw in open source could have severe consequences, but stresses that widespread suspicion would undermine its use.