|
|
Subscribe / Log in / New account

Verify the identity of developers

Verify the identity of developers

Posted Mar 30, 2024 21:33 UTC (Sat) by MarcB (subscriber, #101804)
In reply to: Verify the identity of developers by epa
Parent article: A backdoor in xz

Politics are unavoidable, if you go that route. For example, the US in particular is a proven bad actor here - recall the Snowden revelations about the supply-chain attacks the NSA pulled off. They literally did what nowadays Chinese suppliers are alleged to do - and they used this against supposed allies as well, so there isn't even a "western world against China/Russia" scenario.

This "scale of rogue states" you envision would be one that goes downhill in every direction, no matter from whose perspective you look at it.

Also, if you assume nation-state attackers - which you should - and assume that developers will be working from their home country, then any meaningful verification is simply impossible. It is even unreliable and expensive if you hire employees and have them move to your country. If they stay abroad, it simply can't be done.

to post comments

Verify the identity of developers

Posted Mar 31, 2024 8:54 UTC (Sun) by epa (subscriber, #39769) [Link] (5 responses)

Indeed the US has a record here and if I were running a nuclear installation in Iran I would require verified Iranian programmers working within the country. But for the rest of us, there is a difference between western countries and others. Many American businesses and even the government rely on the security of Linux and free software. The black-helicopter guys generally have an interest in helping keep free software secure against attacks from ransomware gangs and hostile nation hacking teams. They may do targeted attacks but it doesn’t help them to poison the well as happened here. So I would still prefer to trust a developer with a known legal identity in a US ally over someone who may not be a real person at all. But again, this is politics, and not something where you’ll ever get everyone in agreement.

Verify the identity of developers

Posted Apr 1, 2024 13:28 UTC (Mon) by farnz (subscriber, #17727) [Link] (4 responses)

The USA has a track record of attacking its allies via secret programs (as does every other Western democracy I've looked into - the USA is not unique here). There's thus a constant tug-of-war going on; do I trust the USA because they'd prefer me to do well rather than their enemies, or do I distrust them because they would prefer to attack me in order to benefit the USA and American companies at my expense?

Purely in terms of "can I trust their home nation", the only safe developers are those with the same national affiliation as you, since whatever leverage the nation-state can apply to them can also be applied to you. And that, fundamentally, comes down to a personal trust matter; can you trust the people you depend upon, or not? Can you "trust, but verify"? Or are you stuck with an untrustworthy partner whose behaviour cannot be verified?

Verify the identity of developers

Posted Apr 2, 2024 15:24 UTC (Tue) by MarcB (subscriber, #101804) [Link] (3 responses)

> Purely in terms of "can I trust their home nation", the only safe developers are those with the same national affiliation as you, ...

And even that is a best-case scenario. Many countries do not have strong civil rights and their secret services target their own citizens.

Verify the identity of developers

Posted Apr 2, 2024 16:08 UTC (Tue) by farnz (subscriber, #17727) [Link]

My expectation is that the secret services etc are as much a risk to you as they are to someone you deem "trusted". Basically, by trusting people in the same immigration situation as you and in the same country as you, you're trusting people inside the same "national security" boundary as you; the moment you go outside that, you're at risk of your colleague being targeted by a national security agency that cannot reach you, even if they are an upstanding person themselves.

So, while Canada is basically a safe country, as someone based in England, I'm in a separate "national security" boundary to a Canadian; it is at least theoretically possible that a Canadian agency can't get to me, but can compromise a Canadian contact, and it's also possible for a UK agency to compromise me, while being unable to compromise my Canadian contact.

This analysis still applies even if the two countries are evildoers; my local set of evil government agencies affect me and anyone else in the same country, and your local set affect you and anyone else in the same country. If we're in different countries, and you need only affect one of us, then the set of agencies to care about is the union of the sets we're affected by.

Verify the identity of developers

Posted Apr 3, 2024 17:39 UTC (Wed) by jafd (subscriber, #129642) [Link] (1 responses)

Also, moles exist.

Verify the identity of developers

Posted Apr 4, 2024 19:01 UTC (Thu) by epa (subscriber, #39769) [Link]

Running a mole is about a million times more expensive than creating a GitHub account under a completely made-up identity. That’s the idea.


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds