Verify the identity of developers
Posted Mar 30, 2024 14:40 UTC (Sat) by dvdeug (guest, #10998)
In reply to: Verify the identity of developers by epa
Parent article: A backdoor in xz
Crypto AG was a Swiss encryption company that turned out to be owned by the CIA and West German Federal Intelligence Service (BND) between 1970 and 1993, with the CIA owning it until 2018, that sold backdoored encryption systems to many nations. The NSA produced and promoted the Dual_EC_DRBG CSPRNG that could be used with SSL, with the general consensus being that they had a backdoor, as the possibility of an undetectable backdoor existing was well-known and there was little other reason to use it.
Even if we trust the CIA and NSA (and friends; the Crypto AG story also implicates Germany and Switzerland) blindly, the history of espionage says little for the security of blindly trusting people resident in western nations.
Posted Mar 30, 2024 16:15 UTC (Sat)
by epa (subscriber, #39769)
I certainly do not advocate blindly trusting someone just because they are a known individual from a non-hostile country. We need all the other “many eyeballs”, verified supply chain, and sandboxing too. Once you have all that in place, the next step might be to start strongly identifying developers.
For cryptography the situation is a little different as the cipher is fully described but only experts can analyse it for weaknesses. A backdoor in a library does not require quite the same level of expertise to spot.
Posted Mar 30, 2024 17:48 UTC (Sat)
by marcH (subscriber, #57642)
These are very real but they were also huge scandals. In dictatorships such stuff is business as usual.
In democracies these questions can be and are debated and there is some oversight on intelligence agencies. A poor level of control but much better than answering to a single person at the top.
Developers do not automatically risk jail or death or worse if they refuse a "proposition" from the intelligence agency of a democracy.
Democracies are fragile and very far from perfect but they're at least trying. So, verifying the identity of developers who live in a democracy would be very far from a silver bullet and I'm not even sure it would be a good idea in the first place but it would be for sure _very_ different from verifying the identity of developers surviving in a dictatorship.
Nothing's black and white here but there can be huge differences between "light grey" and "dark grey"; let's be careful with "whataboutism".
PS: the main drive (and... sin) of the Western world is unabated greed and the fair dose of corruption that comes with it. Yet Western business is nowadays required to distance itself more and more from powerful dictatorships which is costing a LOT. Guess why.
Posted Mar 30, 2024 18:15 UTC (Sat)
by rra (subscriber, #99804)
I live in a country that is theoretically a democracy but has something called "National Security Letters" that are substantially similar to this description, which makes me dubious the line is quite this clear-cut.
Posted Mar 30, 2024 19:00 UTC (Sat)
by marcH (subscriber, #57642)
Posted Mar 30, 2024 19:59 UTC (Sat)
by rra (subscriber, #99804)
I'm sorry, you're right, you did, and I should have acknowledged that. I still think I disagree with you somewhat about the intensity of the difference, but it's hard to quantify and there's nothing incorrect in what you said.
Posted Apr 1, 2024 15:31 UTC (Mon)
by Lennie (subscriber, #49641)
https://media.ccc.de/v/27c3-4263-en-resisting_excessive_g...
Resisting the state if they come knocking is euh... hard work to say the least.
Formally good actors can (be made to) turn or get their systems compromised.
Which is why we need to focus on checking code and making code more readable, and probably focus less on the actors.
Posted Mar 30, 2024 19:50 UTC (Sat)
by dvdeug (guest, #10998)
Huge scandals? Crypto AG, by the time it came out, was a minor historical note. I'd bet most Americans would consider it a good move that let us spy on foreign enemies, and many wouldn't bat an eye at the amount of spying done on allied powers. The NSA stunt annoyed some in the field of computer security, but few outside it.
> In dictatorships such stuff is business as usual.
I'm not sure. China isn't going to play around with Dual_EC_DRBG; you use their keys for SSL or else. They openly put taps in, and wouldn't bother with something nobody is going to trust. This skullduggery is part and parcel of Western intelligence agencies.
> Developers do not automatically risk jail or death or worse if they refuse a "proposition" from the intelligence agency of a democracy.
https://arstechnica.com/tech-policy/2013/04/wikipedia-edi... There's a risk of jail time. Nor do I think US intelligence agencies are above blackmail, though the CIA might reserve that for people outside the US.
> Nothing's black and white here but there can be a huge differences between "light grey" and "dark grey"
Yes, but at the same time, intelligence agencies, democracy or otherwise, are very clandestine and have a history of this type of stuff.
As another note, a new developer from the Western world could be a genuine newbie, but could also be someone who found a job posting on the dark web when looking to buy the "Easy Home Kit for Cooking Meth", and now gets paid for his identity, quite possibly with no idea who is paying him.
> Yet Western business is nowadays required to distance itself more and more from powerful dictatorships which is costing a LOT. Guess why.
More and more? If we're talking about China, it's got Cold War parallels, two large powers fighting over control of the world. Russia has even more Cold War parallels, and while pulling out of Russia is bad for business, so is letting Russia take over Eastern Europe. There's moral elements, and fears that Chinese products have backdoors. I'm really not sure what you're getting at here. I certainly don't see Western business having much trouble dealing with dictatorships that haven't pissed off the West.
Posted Apr 1, 2024 0:24 UTC (Mon)
by marcH (subscriber, #57642)
It was probably not mentioned in family dinners but it made the mainstream press which is very rare for topics like this. It also taught many "naive" countries to stop blindly trusting their allies. So yes, it was a pretty big deal.
> https://arstechnica.com/tech-policy/2013/04/wikipedia-edi... There's a risk of jail time.
Whether this particular case has merit or not, publishing classified information is of course pretty stupid and totally unrelated to inserting backdoors in open source projects.
> but could also be someone who found a job posting on the dark web
Yes verifying identities will never be a silver bullet. But it would be for sure more useful in a place with a functional legal system where such a person runs the risk of being caught and prosecuted (as opposed to getting a medal from their dictator).
> I'm really not sure what you're getting at here. I certainly don't see Western business having much trouble dealing with dictatorships that haven't pissed off the West.
My (admittedly confusing) tangent/PS was: businesses and monopolies tend to buy congressmen and run the show in democracies, especially in the US since "Citizens United vs FEC". As you noted, businesses generally don't care about dictatorships, only about money. That's why they are called "businesses". But even in these short-sighted, market-based countries, authorities are starting to realize the magnitude of the risks and problems and are (slowly) taking precautions affecting the bottom line of their uber rich and all powerful businesses. The IT naivety is (slowly) regressing and that's a good thing.