Preface

The systems that run the modern world are built to feel effortless. A message sends, a payment clears, a server answers a request from the other side of the planet, and the machinery that carries all of it stays out of sight by design. The security journalist Nicole Perlroth, surveying the cyberweapons arms race, named the cost hidden in that smoothness. “We had bought into Silicon Valley’s promise of a frictionless society,” she wrote, and had “never paused to think that, along the way, we were creating the world’s largest attack surface” (2021). Her subject was the build-out of consumer devices and networks. The subject of this book lies one layer beneath hers, in open-source software, the code published for others to inspect, use, and improve that the rest of computing quietly runs on, and in the small, often unpaid, often unseen group of people who keep it running.

In March 2024 that dependency became visible for a moment. A backdoor, a hidden bypass of the normal checks on who is allowed into a system, was discovered inside XZ Utils, the open-source compression project whose liblzma library sits in the plumbing of Linux systems around the world. It had been put there over more than two years by a contributor known only as “Jia Tan,” through patient, courteous, technically expert work that was almost indistinguishable from genuine help. It was found before it reached the stable releases that most of the world runs, the conservative versions shipped to ordinary users and production systems, because a software engineer at Microsoft named Andres Freund noticed unusual processor use around remote logins, one symptom of which he could pin to a delay of about half a second, and decided the oddity was worth chasing.

This is an interpretive book, not an investigative one. Nearly everything in it was already public when the writing began, scattered across a security mailing list, the version history of a software project, a maintainer’s brief public statements, the work of a handful of researchers who took the backdoor apart, and two years of reporting. That reporting has been excellent and fragmentary, and what has been missing is the shape: the single continuous account that gathers the pieces and asks what they add up to. The contribution here is that synthesis, and an argument that runs through the story rather than sitting on top of it. The book breaks no news. It does not try to identify the person behind “Jia Tan,” it does not catalog every other attack of this kind, and it does not hand down a policy prescription. Those are other books, for other writers.

What it does instead is reconstruct, under a rule it does not bend: nothing in these pages is invented. Where the book attributes a thought or a reaction to Freund or to Lasse Collin, it is because one of them has described it in public, and the text says as much. The method is the one Patrick Radden Keefe set down at the front of Empire of Pain, his history of the Sackler family behind the opioid crisis: “no details are invented or imagined,” and any thought or feeling assigned to a person traces to that person’s own words or to someone who knew them (2021). The documentary record for this story is unusually deep. The oss-security mailing list preserved the disclosure and much of the correspondence that led up to it; the project’s version history recorded the operation almost commit by commit; the statements of Collin, who had maintained XZ Utils almost single-handedly and without pay, together with the published reverse-engineering and the policy documents that followed, fill in the rest. Together, those public records are the book’s spine.

The discipline matters most where the people at the center are quiet. Collin has said little to the press and owes no one more; the operator cannot be approached at all, and may never be named. Keefe, writing about subjects who declined to take part, set the precedent this book leans on. The Sackler family “did not cooperate,” he noted, and yet his account was “substantially built on the family’s own words,” assembled from the record they left rather than the interviews they withheld (2021). A person can decline to speak and still be portrayed fairly, carefully, and entirely from the record. That is the standard applied here to everyone who did not choose to be in these pages.

The book also belongs to a particular line of narrative nonfiction, and the inheritance is worth naming plainly so that the register reads as borrowed rather than assumed. Its opening move, an ordinary technical worker who trips over something small and follows it down, is the one Clifford Stoll made in 1989 in the book that founded the form, which begins not with a spy but with a baffled scientist: “Me, a wizard?” Stoll wrote. “Until a week ago, I was an astronomer, contentedly designing telescope optics” (1989). Its scale, a single modest artifact pulled apart until it discloses something vast, is the one Kim Zetter worked at in reconstructing the Stuxnet worm, a lone piece of software that “more than a dozen computer security experts around the world spent months deconstructing” before its meaning came clear (2014). This book works at that scale too: one backdoor, one continuous story, and beneath it the labor and the trust that hold up the digital commons.

Stoll also supplied the idea the whole book turns on, and that too is inherited rather than coined. “Networks aren’t made of printed circuits, but of people,” he wrote, meaning that the real substance of a connected system is the human arrangement of trust around it and not the hardware or the code (1989). The line has only grown more useful since 1989. The “people” now include a relatively small group of maintainers whose work supports infrastructure that trillions of dollars of economic activity assume to be stable, and the operation against XZ Utils got as far as it did by exploiting the trust that decides whose code is allowed to ship. Who ran that operation is still unknown. The book does not resolve it, and treats the blank as a finding rather than a failure: a world that runs on systems it cannot fully see can be reached by adversaries it cannot name, and the anonymity at the center of the operation is itself part of the argument.

A note for the reader who has never worked in software: no prior knowledge is assumed. Every technical term that carries weight is explained in plain language the first time it appears, and the explanations are written so that a reader who already knows them will not feel talked down to. And a note on what the book cannot do. The complete account is not yet possible; parts of the record remain closed, and the attribution remains open. The aim, following the method Keefe describes, is not to claim the last word but to assemble the public record clearly enough that later reporters and researchers can see where the remaining blanks begin (2021). What follows begins where the discovery did: late on an ordinary evening, with a login that was taking longer than it should.