Verify the identity of developers
Posted Mar 30, 2024 17:48 UTC (Sat)
by marcH (subscriber, #57642)
In reply to: Verify the identity of developers by dvdeug
Parent article: A backdoor in xz
These are very real but they were also huge scandals. In dictatorships such stuff is business as usual.
In democracies these questions can be and are debated and there is some oversight on intelligence agencies. A poor level of control but much better than answering to a single person at the top.
Developers do not automatically risk jail or death or worse if they refuse a "proposition" from the intelligence agency of a democracy.
Democracies are fragile and very far from perfect but they're at least trying. So, verifying the identity of developers who live in a democracy would be very far from a silver bullet and I'm not even sure it would be a good idea in the first place, but it would be for sure _very_ different from verifying the identity of developers surviving in a dictatorship.
Nothing's black and white here but there can be huge differences between "light grey" and "dark grey"; let's be careful with "whataboutism".
PS: the main drive (and... sin) of the Western world is unabated greed and the fair dose of corruption that comes with it. Yet Western business is nowadays required to distance itself more and more from powerful dictatorships which is costing a LOT. Guess why.
Posted Mar 30, 2024 18:15 UTC (Sat)
by rra (subscriber, #99804)
[Link] (3 responses)
I live in a country that is theoretically a democracy but has something called "National Security Letters" that are substantially similar to this description, which makes me dubious the line is quite this clear-cut.
Posted Mar 30, 2024 19:00 UTC (Sat)
by marcH (subscriber, #57642)
[Link] (2 responses)
Posted Mar 30, 2024 19:59 UTC (Sat)
by rra (subscriber, #99804)
[Link]
I'm sorry, you're right, you did, and I should have acknowledged that. I still think I disagree with you somewhat about the intensity of the difference, but it's hard to quantify and there's nothing incorrect in what you said.
Posted Apr 1, 2024 15:31 UTC (Mon)
by Lennie (subscriber, #49641)
[Link]
https://media.ccc.de/v/27c3-4263-en-resisting_excessive_g...
Resisting the state if they come knocking is euh... hard work to say the least.
Formally good actors can (be made to) turn or get their systems compromised.
Which is why we need to focus on checking code and making code more readable, and probably focus less on the actors.
Posted Mar 30, 2024 19:50 UTC (Sat)
by dvdeug (guest, #10998)
[Link] (1 responses)
Huge scandals? Crypto AG, by the time it came out, was a minor historical note. I'd bet most Americans would consider it a good move that let us spy on foreign enemies, and many wouldn't bat an eye at the amount of spying done on allied powers. The NSA stunt annoyed some in the field of computer security, but few outside it.
> In dictatorships such stuff is business as usual.
I'm not sure. China isn't going to play around with Dual_EC_DRBG; you use their keys for SSL or else. They openly put taps in, and wouldn't bother with something nobody is going to trust. This skullduggery is part and parcel of Western intelligence agencies.
> Developers do not automatically risk jail or death or worse if they refuse a "proposition" from the intelligence agency of a democracy.
https://arstechnica.com/tech-policy/2013/04/wikipedia-edi... There's a risk of jail time. Nor do I think US intelligence agencies are above blackmail, though the CIA might reserve that for people outside the US.
> Nothing's black and white here but there can be a huge differences between "light grey" and "dark grey"
Yes, but at the same time, intelligence agencies, democracy or otherwise, are very clandestine and have a history of this type of stuff.
As another note, a new developer from the Western world could be a genuine newbie, but could also be someone who found a job posting on the dark web when looking to buy the "Easy Home Kit for Cooking Meth", and now gets paid for his identity, quite possibly with no idea who is paying him.
> Yet Western business is nowadays required to distance itself more and more from powerful dictatorships which is costing a LOT. Guess why.
More and more? If we're talking about China, it's got Cold War parallels, two large powers fighting over control of the world. Russia has even more Cold War parallels, and while pulling out of Russia is bad for business, so is letting Russia take over Eastern Europe. There are moral elements, and fears that Chinese products have backdoors. I'm really not sure what you're getting at here. I certainly don't see Western business having much trouble dealing with dictatorships that haven't pissed off the West.
Posted Apr 1, 2024 0:24 UTC (Mon)
by marcH (subscriber, #57642)
[Link]
It was probably not mentioned in family dinners but it made the mainstream press which is very rare for topics like this. It also taught many "naive" countries to stop blindly trusting their allies. So yes, it was a pretty big deal.
> https://arstechnica.com/tech-policy/2013/04/wikipedia-edi... There's a risk of jail time.
Whether this particular case has merit or not, publishing classified information is of course pretty stupid and totally unrelated to inserting backdoors in open source projects.
> but could also be someone who found a job posting on the dark web
Yes, verifying identities will never be a silver bullet. But it would be for sure more useful in a place with a functional legal system where such a person runs the risk of being caught and prosecuted (as opposed to getting a medal from their dictator).
> I'm really not sure what you're getting at here. I certainly don't see Western business having much trouble dealing with dictatorships that haven't pissed off the West.
My (admittedly confusing) tangent/PS was: businesses and monopolies tend to buy congressmen and run the show in democracies, especially in the US since "Citizens United vs FEC". As you noted, businesses generally don't care about dictatorships, only about money. That's why they are called "businesses". But even in these short-sighted, market-based countries, authorities are starting to realize the magnitude of the risks and problems and are (slowly) taking precautions affecting the bottom line of their uber rich and all powerful businesses. The IT naivety is (slowly) regressing and that's a good thing.