
Verify the identity of developers

Posted Mar 30, 2024 10:51 UTC (Sat) by mss (subscriber, #138799)
In reply to: Verify the identity of developers by epa
Parent article: A backdoor in xz

> But what if GitHub required all contributors to use their real name and strongly verified their identity? Then for key roles you could require someone with a clear track record and resident in a Western country where they could be prosecuted for maliciously introducing backdoors.

This would be blatant discrimination of most of the world population, which isn't lucky enough to live in a Western country.

And if you drop the "Western country" requirement then a rogue nation-state is in the best position to provide its operatives with as many "genuine" identity verification documents as they might need.


Verify the identity of developers

Posted Mar 30, 2024 12:38 UTC (Sat) by epa (subscriber, #39769) [Link] (9 responses)

Yeah… I didn’t say it would be nice. For security sensitive jobs it’s standard practice to do background checks and to require the person be a US citizen, or whatever. And the check that the person exists (and isn’t a made-up identity or pseudonym) is so basic for any job that it’s not even mentioned.

Anonymous or pseudonymous entities (like “Satoshi”) can make valuable contributions but it may be unwise to put them in a trusted position where code they write is directly executed or installed on millions of systems.

Verify the identity of developers

Posted Mar 30, 2024 17:54 UTC (Sat) by sjj (guest, #2020) [Link] (8 responses)

Believe it or not, but there are legitimate “security sensitive jobs” that are not in the US, or require American citizens.

Would for example Kenyan devs be “Western” enough for you?

Verify the identity of developers

Posted Mar 30, 2024 19:52 UTC (Sat) by epa (subscriber, #39769) [Link] (7 responses)

Indeed, I was using Western as shorthand. And now we get into politics. There is surely a scale with rogue states like North Korea on one side and … some other countries on the other side. LWN isn’t the place for a discussion of whether a developer in Kenya can be considered a real person (not a fake identity made by security services) and whether some country has enough rule of law that someone doing malicious things would be prosecuted (rather than sheltered by the authorities). We are not discussing a technical proposal. It gets messy and of course there are those who don’t trust the USA or allies either. All I can say is that we may be forced, unhappily, to start thinking about this stuff.

Verify the identity of developers

Posted Mar 30, 2024 21:33 UTC (Sat) by MarcB (subscriber, #101804) [Link] (6 responses)

Politics are unavoidable, if you go that route. For example, the US in particular is a proven bad actor here - recall the Snowden revelations about the supply-chain attacks the NSA pulled off. They literally did what nowadays Chinese suppliers are alleged to do - and they used this against supposed allies as well, so there isn't even a "western world against China/Russia" scenario.

This "scale of rogue states" you envision would be one that goes downhill in every direction, no matter from whose perspective you look at it.

Also, if you assume nation-state attackers - which you should - and assume that developers will be working from their home country, then any meaningful verification is simply impossible. It is even unreliable and expensive if you hire employees and have them move to your country. If they stay abroad, it simply can't be done.

Verify the identity of developers

Posted Mar 31, 2024 8:54 UTC (Sun) by epa (subscriber, #39769) [Link] (5 responses)

Indeed the US has a record here and if I were running a nuclear installation in Iran I would require verified Iranian programmers working within the country. But for the rest of us, there is a difference between western countries and others. Many American businesses and even the government rely on the security of Linux and free software. The black-helicopter guys generally have an interest in helping keep free software secure against attacks from ransomware gangs and hostile nation hacking teams. They may do targeted attacks but it doesn’t help them to poison the well as happened here. So I would still prefer to trust a developer with a known legal identity in a US ally over someone who may not be a real person at all. But again, this is politics, and not something where you’ll ever get everyone in agreement.

Verify the identity of developers

Posted Apr 1, 2024 13:28 UTC (Mon) by farnz (subscriber, #17727) [Link] (4 responses)

The USA has a track record of attacking its allies via secret programs (as does every other Western democracy I've looked into - the USA is not unique here). There's thus a constant tug-of-war going on; do I trust the USA because they'd prefer me to do well rather than their enemies, or do I distrust them because they would prefer to attack me in order to benefit the USA and American companies at my expense?

Purely in terms of "can I trust their home nation", the only safe developers are those with the same national affiliation as you, since whatever leverage the nation-state can apply to them can also be applied to you. And that, fundamentally, comes down to a personal trust matter; can you trust the people you depend upon, or not? Can you "trust, but verify"? Or are you stuck with an untrustworthy partner whose behaviour cannot be verified?

Verify the identity of developers

Posted Apr 2, 2024 15:24 UTC (Tue) by MarcB (subscriber, #101804) [Link] (3 responses)

> Purely in terms of "can I trust their home nation", the only safe developers are those with the same national affiliation as you, ...

And even that is a best-case scenario. Many countries do not have strong civil rights and their secret services target their own citizens.

Verify the identity of developers

Posted Apr 2, 2024 16:08 UTC (Tue) by farnz (subscriber, #17727) [Link]

My expectation is that the secret services etc are as much a risk to you as they are to someone you deem "trusted". Basically, by trusting people in the same immigration situation as you and in the same country as you, you're trusting people inside the same "national security" boundary as you; the moment you go outside that, you're at risk of your colleague being targeted by a national security agency that cannot reach you, even if they are an upstanding person themselves.

So, while Canada is basically a safe country, as someone based in England, I'm in a separate "national security" boundary to a Canadian; it is at least theoretically possible that a Canadian agency can't get to me, but can compromise a Canadian contact, and it's also possible for a UK agency to compromise me, while being unable to compromise my Canadian contact.

This analysis still applies even if the two countries are evildoers; my local set of evil government agencies affect me and anyone else in the same country, and your local set affect you and anyone else in the same country. If we're in different countries, and you need only affect one of us, then the set of agencies to care about is the union of the sets we're affected by.

Verify the identity of developers

Posted Apr 3, 2024 17:39 UTC (Wed) by jafd (subscriber, #129642) [Link] (1 response)

Also, moles exist.

Verify the identity of developers

Posted Apr 4, 2024 19:01 UTC (Thu) by epa (subscriber, #39769) [Link]

Running a mole is about a million times more expensive than creating a GitHub account under a completely made-up identity. That’s the idea.


Copyright © 2025, Eklektix, Inc.