
Re: Trusting trust [was: PARTIAL DIAGNOSIS of Installation problems]



On Thu, Mar 04, 2021 at 09:21:46AM -0500, Celejar wrote:
> On Thu, 4 Mar 2021 14:17:59 +0100
> <tomas@tuxteam.de> wrote:
> 
> > On Thu, Mar 04, 2021 at 08:10:45AM -0500, Celejar wrote:
> > > On Thu, 4 Mar 2021 09:41:13 +0000
> > > Joe <joe@jretrading.com> wrote:
> > > 
> > > ...
> > > 
> > > > Undoubtedly. But there is also no doubt that gcc and every other
> > > > serious compiler in the West has been compromised. Why would they *not*
> > > > be?
> > > 
> > > Do you have any evidence for this, or is it just your assumption,
> > > because "why would they not be?"
> > 
> > You mean GCC specifically or some examples of build chain attacks
> > in general? Because in the second case there are some nice specimens
> > out there.
> 
> I'm interested in anything, although my comment was focused
> particularly on things as critical, fundamental, and ubiquitous as GCC
> and "every other serious compiler."

Two off the top of my head

- Sometime 2017 [1], Microsoft put out a version of Visual Studio
  which baked "phone home" functionality into its compiled "products".
  Make no mistake: it phoned Microsoft. Imagine you compile an
  application for your customer, and this app phones... Microsoft.

  Some hilarity ensued. They said "oh, sorry. It wasn't with bad
  intentions" and reverted it.

  I call this pattern "Emergent Evil".

- NPM buildchain attacks are more and more frequent. Just publish
  a package out there and wait until someone takes the bait.
  An especially nice one was the event-stream [2] episode, where
  the malicious code only injected malicious code (yes, really)
  when it noticed that it was "in" the right build environment.
  Nice read. I'm sure this ain't the only one in this context.

Note that I'm no specialist. Otherwise the top of my head would
be heavier ;-)

Cheers

[1] https://www.reddit.com/r/cpp/comments/4ibauu/visual_studio_adding_telemetry_function_calls_to/
[2] https://lwn.net/Articles/773121/

 - t


