
Re: Trusting trust [was: PARTIAL DIAGNOSIS of Installation problems]



On Thu, 4 Mar 2021 15:05:29 +0000
Joe <joe@jretrading.com> wrote:

> On Thu, 4 Mar 2021 08:10:45 -0500
> Celejar <celejar@gmail.com> wrote:
> 
> > On Thu, 4 Mar 2021 09:41:13 +0000
> > Joe <joe@jretrading.com> wrote:

...

> > > Indeed. The new heartbeat/data return function in OpenSSL, itself
> > > the core of much Open Source security, was suggested by the
> > > programmer himself, and the resulting code was audited by *one*
> > > other person before approval and distribution. What could possibly
> > > go wrong?  
> > 
> > The problem I have with your claim is that AFAIK none of the
> > ostensible compromises you assume exist have ever been discovered. I
> > know there's speculation that this was a backdoor:
> > 
> > https://www.debian.org/security/2008/dsa-1571
> > https://freedom-to-tinker.com/2013/09/20/software-transparency-debian-openssl-bug/
> > 
> > but that's never been established, and my understanding is that it's
> > considered unlikely.
> 
> It was certainly a backdoor for those who knew about it; whether it was
> accidental or deliberate is not known, as with Heartbleed.
> 
> In both cases, as I understand it, the error was clear in the source
> code and did not require the existence of a compromised toolchain.
> But I don't believe that someone building, say, Linux From Scratch will
> end up with a guaranteed backdoor-free system.

Well, yes, if you redefine "backdoor" to mean "a vulnerability that
enables outsiders to access a system," then I agree that realistically,
there will never be any "guaranteed backdoor-free system," at least not
with current technology.

> > Human beings being what they are, is it really plausible that no one
> > involved has ever let the cat out of the bag? Are the TLAs really that
> > good at what they do? I mean, we have Snowden ...
> >
> There was a maximum of two people involved in Heartbleed, apart from
> any hypothetical intelligence paymasters. It really would be possible
> for a bit of clandestine computer code to be known only to one or two
> people in exactly the right position in an organisation. The VW
> emissions fix would have been known to only a couple of people, and was
> discovered empirically, not reported by a whistleblower.

A fair point. But I still don't find it that plausible that this kind
of thing would be widespread with barely any hint of it ever coming to
light.

Celejar

