On Sun, Mar 31, 2024 at 5:36 PM Wol <antli...@youngman.org.uk> wrote:
>
> On 31/03/2024 20:38, Håkon Alstadheim wrote:
> > For commercial entities, the government could just contact the company
> > and apply pressure, no need to sneak the backdoor in. Cf. RSA.
>
> Serving a "secret compliance" notice on a third party is always fraught
> with danger. Okay, I probably can't trust my own government to protect
> me, but if the US Government served a compliance notice on me I'd treat
> it with the respect it deserved - probably use it as loo paper!

I imagine most large companies would just comply with their local
government, but there are some major limitations all the same:

1. It isn't necessarily the local government who wants to plant the
back door.  The FBI can't just call up Huawei and get the same results
they would with Google.
2. Even if the company complies, there are going to be more people who
are aware of the back door.  Some of those could be foreign agents.
If you infiltrate the company and obfuscate your code, then only your
own agents are aware there is an intrusion.
3. The methods employed in your attack might also be sensitive, and so
that's another reason to not want to disclose them.  If you have some
way of subtly compromising some encryption scheme, you might not want
any employees of the company to even know the cryptosystem weakness
even exists, let alone the fact that you're exploiting it.  When the
methods are secret in this way it is that much easier to obfuscate a
clandestine attack as well.

When you look at engineer salaries against national defense budgets,
it wouldn't surprise me if a LOT of FOSS (and other) contributors are
being paid to add back doors.  On the positive side, that probably
also means that they're getting paid to fix a lot of bugs and add
features just to give them cover.

To bomb a power plant might take the combined efforts of 1-2 dozen
military aircraft in various roles, at $100M+ each (granted, that's
acquisition cost and not operational cost).  Installing a trojan that
would cause the plant to blow itself up on command might just require
paying a few developers for a few years, for probably less than $1M
total, and it isn't even that obvious that you were involved if it
gets discovered, or even after the plant blows up.

-- 
Rich