Verify the identity of developers
Posted Mar 30, 2024 17:54 UTC (Sat)
by sjj (guest, #2020)
In reply to: Verify the identity of developers by epa
Parent article: A backdoor in xz
Would for example Kenyan devs be “Western” enough for you?
Posted Mar 30, 2024 19:52 UTC (Sat)
by epa (subscriber, #39769)
Posted Mar 30, 2024 21:33 UTC (Sat)
by MarcB (subscriber, #101804)
This "scale of rogue states" you envision would be one that goes downhill in every direction, no matter from whose perspective you look at it.
Also, if you assume nation-state attackers - which you should - and assume that developers will be working from their home country, then any meaningful verification is simply impossible. It is even unreliable and expensive if you hire employees and have them move to your country. If they stay abroad, it simply can't be done.
Posted Mar 31, 2024 8:54 UTC (Sun)
by epa (subscriber, #39769)
Posted Apr 1, 2024 13:28 UTC (Mon)
by farnz (subscriber, #17727)
The USA has a track record of attacking its allies via secret programs (as does every other Western democracy I've looked into - the USA is not unique here). There's thus a constant tug-of-war going on; do I trust the USA because they'd prefer me to do well rather than their enemies, or do I distrust them because they would prefer to attack me in order to benefit the USA and American companies at my expense?
Purely in terms of "can I trust their home nation", the only safe developers are those with the same national affiliation as you, since whatever leverage the nation-state can apply to them can also be applied to you. And that, fundamentally, comes down to a personal trust matter; can you trust the people you depend upon, or not? Can you "trust, but verify"? Or are you stuck with an untrustworthy partner whose behaviour cannot be verified?
Posted Apr 2, 2024 15:24 UTC (Tue)
by MarcB (subscriber, #101804)
And even that is a best-case scenario. Many countries do not have strong civil rights and their secret services target their own citizens.
Posted Apr 2, 2024 16:08 UTC (Tue)
by farnz (subscriber, #17727)
My expectation is that the secret services etc. are as much a risk to you as they are to someone you deem "trusted". Basically, by trusting people in the same immigration situation as you and in the same country as you, you're trusting people inside the same "national security" boundary as you; the moment you go outside that, you're at risk of your colleague being targeted by a national security agency that cannot reach you, even if they are an upstanding person themselves.
So, while Canada is basically a safe country, as someone based in England, I'm in a separate "national security" boundary to a Canadian; it is at least theoretically possible that a Canadian agency can't get to me, but can compromise a Canadian contact, and it's also possible for a UK agency to compromise me, while being unable to compromise my Canadian contact.
This analysis still applies even if the two countries are evildoers; my local set of evil government agencies affect me and anyone else in the same country, and your local set affect you and anyone else in the same country. If we're in different countries, and you need only affect one of us, then the set of agencies to care about is the union of the sets we're affected by.
Posted Apr 3, 2024 17:39 UTC (Wed)
by jafd (subscriber, #129642)
Posted Apr 4, 2024 19:01 UTC (Thu)
by epa (subscriber, #39769)