

@SteveBellovin Today you posted a note about how someone appears to have injected a Trojan into the source of XV. (Oops, I mean xz.) And there was another post about the increase in complex tool chains and dependencies that are larding-up the software many of us use.

That made me wonder about whether national security bodies - intelligence, military, or other - or social movements (e.g. ISI) might be injecting similar things into source trees.

It would be relatively easy to hide such things, particularly via the tool chains or Makefiles - like who is going to notice a sed script in an autoconfig part of a build chain?

Like good spies, such things could be planted years in advance and only triggered, if ever, when desired.

This is not an open source issue, it is a ubiquitous issue. And in light of Ken Thompson's "Reflections on Trust" some of these could be quite invisible in some kinds of source code.

I am very nervous about the vulnerability and brittleness of our new world of tech as a utility.


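One concrete check a maintainer or packager can run against the concern raised above (build-chain files such as configure scripts and m4 macros being a quiet place to plant something) is to compare what ships in a release tarball against the tagged source in the repository, and to flag build-chain files first. The script below is an added example for this thread, not code posted by anyone in it; it assumes the two trees have already been extracted or checked out into two directories, and the sample files it creates are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): compare the files in an extracted
# release tarball against a checkout of the tagged source, and report files
# that exist only in the tarball or whose content differs. Build-chain files
# (configure, Makefile.in, *.m4, *.am, *.ac) get a BUILD- prefix so that a
# reviewer sees them first. The directories and sample files created by
# demo_findings are constructed for this demo.

# compare_trees REPO_DIR TARBALL_DIR
# Prints one line per finding: "<kind> <path>", where kind is
#   ADDED          file present only in the tarball
#   CHANGED        file present in both trees but with different content
#   BUILD-ADDED / BUILD-CHANGED  same, for a build-chain file
compare_trees() {
    repo=$1
    tarball=$2
    (cd "$tarball" && find . -type f | sed 's|^\./||' | LC_ALL=C sort) |
    while IFS= read -r path; do
        case "$path" in
            configure|*/configure|Makefile.in|*/Makefile.in|*.m4|*.ac|*.am)
                tag=BUILD- ;;
            *)
                tag= ;;
        esac
        if [ ! -e "$repo/$path" ]; then
            printf '%sADDED %s\n' "$tag" "$path"
        elif ! cmp -s "$repo/$path" "$tarball/$path"; then
            printf '%sCHANGED %s\n' "$tag" "$path"
        fi
    done
}

# demo_findings: build a constructed repo/tarball pair in a temp dir,
# run compare_trees on it, print the findings and clean up.
demo_findings() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/repo/m4" "$tmp/tarball/m4"

    # identical source file in both trees: must not be reported
    printf 'int main(void) { return 0; }\n' > "$tmp/repo/main.c"
    cp "$tmp/repo/main.c" "$tmp/tarball/main.c"

    # identical configure.ac in both trees: must not be reported
    printf 'AC_INIT([demo],[1.0])\n' > "$tmp/repo/configure.ac"
    cp "$tmp/repo/configure.ac" "$tmp/tarball/configure.ac"

    # constructed: the tarball copy of a macro has a line the repo lacks
    printf 'dnl harmless macro\n' > "$tmp/repo/m4/helper.m4"
    printf 'dnl harmless macro\ndnl extra line only in tarball\n' \
        > "$tmp/tarball/m4/helper.m4"

    # constructed: a macro file that exists only in the tarball
    printf 'dnl not in the repository\n' > "$tmp/tarball/m4/extra.m4"

    compare_trees "$tmp/repo" "$tmp/tarball"
    rm -rf "$tmp"
}

# Running the file directly prints the two findings for the constructed trees.
demo_findings
```

In real use, point compare_trees at the extracted tarball and at a checkout of the matching tag; a clean release reports nothing but the generated files you expect (configure, Makefile.in and friends), and each of those should be reproducible by regenerating them from the checkout with the same autotools versions and comparing again.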

in reply to Karl Auerbach

@Karl Auerbach @Steve Bellovin One of the reasons I use FOSS is because it's harder (though, as we've seen, not impossible) to hide this sort of thing without someone noticing.

in reply to Jonathan Lamothe

@me Yes, open source allows inspection (and testing). When we were doing an open reference design/implementation for California for voting systems we slightly changed things to encourage testing *and* to openly publish test results. (But we also closed the door a bit on viral redistribution to throw a bone to encourage private implementations of our reference software/hardware/procedures with proprietary, i.e. you-pay-for, enhancements.)

However, I've been wrestling with tool chains for several years and it seems to me that those are good places to hide "bad things" without anyone looking very hard to find them.

in reply to Karl Auerbach

@Karl Auerbach Yeah, unfortunately modern computers are very complex systems. Consequently, there's always somewhere to hide malicious code. 🙁
