
Re: Trusting trust [was: PARTIAL DIAGNOSIS of Installation problems]



On Thu, 4 Mar 2021 08:10:45 -0500
Celejar <celejar@gmail.com> wrote:

> On Thu, 4 Mar 2021 09:41:13 +0000
> Joe <joe@jretrading.com> wrote:
> 
> ...
> 
> > Undoubtedly. But there is also no doubt that gcc and every other
> > serious compiler in the West has been compromised. Why would they
> > *not* be?  
> 
> Do you have any evidence for this, or is it just your assumption,
> because "why would they not be?"

No, of course not. I simply don't think the West's intelligence
services would tolerate the existence of computer equipment without
backdoors, in the same way that I don't think the unprecedented product
market share of Windows would have been permitted without some sort of
quid pro quo.

Much has been made of potential backdoors in Huawei network equipment.
My belief is that all Western network equipment is likely to have such
backdoors, though probably not reporting to the Chinese government. I
don't really believe that iptables/nftables would keep out the CIA, for
example.
> 
> > > The one aspect missing is, though, the "social" aspect: the
> > > software endeavour has become so devilishly complex that the idea
> > > of One Person (TM) checking everything down to some hypothetical
> > > "Trust Roots" is... theoretical, to state it politely. You gotta
> > > delegate some trust (well, most of it, actually).  
> > 
> > Indeed. The new heartbeat/data return function in OpenSSL, itself
> > the core of much Open Source security, was suggested by the
> > programmer himself, and the resulting code was audited by *one*
> > other person before approval and distribution. What could possibly
> > go wrong?  
> 
> The problem I have with your claim is that AFAIK none of the
> ostensible compromises you assume exist have ever been discovered. I
> know there's speculation that this was a backdoor:
> 
> https://www.debian.org/security/2008/dsa-1571
> https://freedom-to-tinker.com/2013/09/20/software-transparency-debian-openssl-bug/
> 
> but that's never been established, and my understanding is that it's
> considered unlikely.

It was certainly a backdoor for those who knew about it; whether it was
accidental or deliberate is not known, as with Heartbleed.

In both cases as I understand it, the error was clear in the source
code, and does not require the existence of a compromised toolchain.
But I don't believe that someone building, say, Linux From Scratch will
end up with a guaranteed backdoor-free system.
> 
> 
> Human beings being what they are, is it really plausible that no one
> involved has ever let the cat out of the bag? Are the TLAs really that
> good at what they do? I mean, we have Snowden ...
>
There was a maximum of two people involved in Heartbleed, apart from
any hypothetical intelligence paymasters. It really would be possible
for a bit of clandestine computer code to be known only to one or two
people in exactly the right position in an organisation. The VW
emissions fix would have been known to only a couple of people, and was
discovered empirically, not reported by a whistleblower.

On a rather smaller scale, my electronic bathroom scale has a feature
whereby if a person gets back onto the scale within thirty seconds of
the display blanking, *exactly* the same weight is reported. If more
than thirty seconds elapse, then a slightly different weight will often
result, as expected. I would assume that if the weight of the repeat
user was more than a certain amount different from the first user, a
second genuine weight would be shown. I *know* this is a deliberate
feature of the software used, I don't have to see the code, and I don't
have to be told whether it is a bug accidentally introduced. But even
the manufacturing company's MD/CEO may not know about it.

-- 
Joe

