Saagar Jha

(replying to Saagar Jha)
Again, this isn’t to say that we shouldn’t do any of the obvious solutions. I want big companies who make billions in profit to invest in those first too. But I have yet to see an answer to the problem of “how do we prevent backdoors”. I think we might not be able to

Ben Cohen

(replying to Saagar Jha)

@saagar this thread is a lone voice of reason on my timeline, surrounded by boosts of the “this is entirely because we don’t pay maintainers” narrative.

Saagar Jha

(replying to Ben Cohen)
@airspeedswift It’s one of those dangerous solutions because you look at it and it’s clearly better than the alternative (maintainers burn out and don’t get paid) and we *should* do it. But it doesn’t stop supply chain attacks in general (and maybe not even this one)

Ben Cohen

(replying to Saagar Jha)

@saagar yeah it seems lots of people are confusing correlation (the original maintainer burnt out) with causation (the original maintainer handed off to someone, as it happens because they burnt out but seems like if they'd moved on without burning out – which is a thing – the same events could have happened)


Helge Heß

(replying to Saagar Jha)

@saagar @airspeedswift Aren’t both problems that Linux distro companies like RedHat and SuSE supposedly handle? (paying maintainers and also managing what exactly is packaged).

Noah Gibbs

(replying to Helge Heß)

@helge @saagar @airspeedswift

In theory, yes. In practice there is far too much code for them to review, too.

Also, the difficulty with profit/paid solutions is that *not* reviewing all that code, or reviewing it badly, is *always* cheaper than reviewing it, let alone reviewing it all well -- which is certainly impossible under current conditions.


Maximilian Mackh

(replying to Saagar Jha)

@saagar we probably need to re-think the computer paradigm. Local-first services/devices. I think the cloud was a giant mistake.

Saagar Jha

(replying to Maximilian Mackh)
@mmackh I agree but I think this is orthogonal

Saagar Jha

(replying to Saagar Jha)
But, perhaps, there is solace in the fact that this is basically all of computer security. We just shift around the calculus of which things are profitable to do as we steadily raise the bar everywhere. We can’t stop everything, but maybe it’s for the best that this was a backdoor…

Saagar Jha

(replying to Saagar Jha)
…because, I mean, the thing we usually see is people getting hacked because their code is just broken, not backdoored. So maybe we’ve finally reached the point where the code was just functional enough to make trying this attractive. One can hope, at least

Saagar Jha

(replying to Saagar Jha)
*Or maybe not, which is the other thing I am a little hopeful about. The steps needed to find this were quite impressive, but absent any other information about backdoors, in particular the ones that actually stay hidden, this got discovered pretty quickly, relatively speaking

Saagar Jha

(replying to Saagar Jha)
So like, statistically, it might be that making a backdoor that is actually undetectable for a while is really difficult. “Many eyes make all bugs shallow” and whatnot, except in a kind of different Bayesian version that nobody really likes but is a little reassuring

i.grok

(replying to Saagar Jha)

@saagar I think there's some evidence for that, given the various commits to disable various checkers that were exposing that something hinky was going on in order to cover it up

The only reason this didn't get more attention is that our tools are too often noisy with false alarms

To me, that's an indication that making the attacks harder isn't a waste of time—and some of those tools didn't even exist a few decades ago, so we're making it better

Saagar Jha

(replying to i.grok)
@igrok I feel like these tools make it harder to make a backdoor but I was surprised that the attacker didn’t just change their backdoor to operate cleanly in those environments. Maybe they just thought this was easier

i.grok

(replying to Saagar Jha)

@saagar they were definitely rushing

Likely because systemd was about to disable their backdoor wrt sshd

But the tools definitely increased the profile and thus the risk. Not enough, but it complicated their lives enough to slow them down

Which is something we can be happy about

Saagar Jha

(replying to Saagar Jha)
An extreme case of Hyrum’s Law I guess, where people will accidentally and unknowingly become dependent on their code not being backdoored