From: Rich Freeman
Date: Sun, 31 Mar 2024 17:52:03 -0400
Subject: Re: [gentoo-user] Re: [gentoo-dev] Current unavoidable use of xz utils in Gentoo
To: gentoo-user@lists.gentoo.org
In-Reply-To: <79534154-5516-4760-9d73-9bcaf612c634@youngman.org.uk>

On Sun, Mar 31, 2024 at 5:36 PM Wol wrote:
>
> On 31/03/2024 20:38, Håkon Alstadheim wrote:
> > For commercial entities, the government could just contact the company
> > and apply pressure, no need to sneak the backdoor in. Cf. RSA.
>
> Serving a "secret compliance" notice on a third party is always fraught
> with danger. Okay, I probably can't trust my own government to protect
> me, but if the US Government served a compliance notice on me I'd treat
> it with the respect it deserved - probably use it as loo paper!

I imagine most large companies would just comply with their local
government, but there are some major limitations all the same:

1. It isn't necessarily the local government who wants to plant the
back door. The FBI can't just call up Huawei and get the same results
they would with Google.

2. Even if the company complies, there are going to be more people who
are aware of the back door. Some of those could be foreign agents. If
you infiltrate the company and obfuscate your code, then only your own
agents are aware there is an intrusion.

3. The methods employed in your attack might also be sensitive, and so
that's another reason to not want to disclose them. If you have some
way of subtly compromising some encryption scheme, you might not want
any employees of the company to know the cryptosystem weakness even
exists, let alone the fact that you're exploiting it. When the methods
are secret in this way it is that much easier to obfuscate a
clandestine attack as well.

When you look at engineer salaries against national defense budgets,
it wouldn't surprise me if a LOT of FOSS (and other) contributors are
being paid to add back doors. On the positive side, that probably also
means that they're getting paid to fix a lot of bugs and add features
just to give them cover.

To bomb a power plant might take the combined efforts of 1-2 dozen
military aircraft in various roles, at $100M+ each (granted, that's
acquisition cost and not operational cost). Installing a trojan that
would cause the plant to blow itself up on command might just require
paying a few developers for a few years, for probably less than $1M
total, and it isn't even that obvious that you were involved if it
gets discovered, or even after the plant blows up.

-- 
Rich