On Thu, 4 Mar 2021 08:10:45 -0500 Celejar <cele...@gmail.com> wrote:

> On Thu, 4 Mar 2021 09:41:13 +0000
> Joe <j...@jretrading.com> wrote:
>
> ...
>
> > Undoubtedly. But there is also no doubt that gcc and every other
> > serious compiler in the West has been compromised. Why would they
> > *not* be?
>
> Do you have any evidence for this, or is it just your assumption,
> because "why would they not be?"

No, of course not. I simply don't think the West's intelligence services
would tolerate the existence of computer equipment without backdoors, in
the same way that I don't think the unprecedented product market share
of Windows would have been permitted without some sort of quid pro quo.
Much has been made of potential backdoors in Huawei network equipment.
My belief is that all Western network equipment is likely to have such
backdoors, though probably not reporting to the Chinese government. I
don't really believe that iptables/nftables would keep out the CIA, for
example.

>
> > > The one aspect missing is, though, the "social" aspect: the
> > > software endeavour has become so devilishly complex that the idea
> > > of One Person (TM) checking everything down to some hypothetical
> > > "Trust Roots" is... theoretical, to state it politely. You gotta
> > > delegate some trust (well, most of it, actually).
> >
> > Indeed. The new heartbeat/data return function in OpenSSL, itself
> > the core of much Open Source security, was suggested by the
> > programmer himself, and the resulting code was audited by *one*
> > other person before approval and distribution. What could possibly
> > go wrong?
>
> The problem I have with your claim is that AFAIK none of the
> ostensible compromises you assume exist have ever been discovered. I
> know there's speculation that this was a backdoor:
>
> https://www.debian.org/security/2008/dsa-1571
> https://freedom-to-tinker.com/2013/09/20/software-transparency-debian-openssl-bug/
>
> but that's never been established, and my understanding is that it's
> considered unlikely.

It was certainly a backdoor for those who knew about it; whether it was
accidental or deliberate is not known, as with Heartbleed. In both
cases, as I understand it, the error was clear in the source code, and
does not require the existence of a compromised toolchain.
But I don't believe that someone building, say, Linux From Scratch will
end up with a guaranteed backdoor-free system.

>
>
> Human beings being what they are, is it really plausible that no one
> involved has ever let the cat out of the bag? Are the TLAs really that
> good at what they do? I mean, we have Snowden ...
>

There was a maximum of two people involved in Heartbleed, apart from any
hypothetical intelligence paymasters. It really would be possible for a
bit of clandestine computer code to be known only to one or two people
in exactly the right position in an organisation. The VW emissions fix
would have been known to only a couple of people, and was discovered
empirically, not reported by a whistleblower.

On a rather smaller scale, my electronic bathroom scale has a feature
whereby if a person gets back onto the scale within thirty seconds of
the display blanking, *exactly* the same weight is reported. If more
than thirty seconds elapse, then a slightly different weight will often
result, as expected. I would assume that if the weight of the repeat
user was more than a certain amount different from the first user, a
second genuine weight would be shown.

I *know* this is a deliberate feature of the software used, I don't have
to see the code, and I don't have to be told whether it is a bug
accidentally introduced. But even the manufacturing company's MD/CEO may
not know about it.

--
Joe