Proprietary vs Open Source Backdoors : linuxmemes

[–] [email protected] 38 points 4 days ago (2 children)

This is why open source, total transparency, radical free speech and democracy is the one and only way. Because if there's even one little shadow there will be a scorpion hiding in it.

[–] [email protected] 19 points 4 days ago* (last edited 4 days ago) (5 children)

Is this still true in the age of targeted social media propaganda?

Seems to me that radical free speech without moderating for basic accuracy or malicious disinfo has pretty much kicked of the downfall of the American experiment

load more comments (5 replies)

[–] [email protected] 34 points 4 days ago (15 children)

radical free speech

If that includes calling company money "free speech" (which the US does) I don't agree. I'm also not ok with holocaust denial and Naziism.

load more comments (15 replies)

[–] [email protected] 12 points 4 days ago (2 children)

Makes me remember, wasn't there a well respected dev who, out of the blue, decided to add a vulnerability in a linux package last year?

[–] [email protected] 23 points 4 days ago (2 children)

yeah this meme is referencing xz

[–] [email protected] 4 points 4 days ago

https://m.youtube.com/watch?v=F7iLfuci75Y

Greate little video on it

load more comments (1 replies)

[–] [email protected] 89 points 4 days ago

[+] [email protected] -30 points 5 days ago (3 children)

Open source software is full of bugs and security vulnerabilities. Most code doesn’t get read by more than two people.

[–] [email protected] 2 points 4 days ago

We got Einstein reincarnation over here

[–] [email protected] 15 points 4 days ago* (last edited 4 days ago)

Lemmy is open source, so feel free to go back to Reddit

[–] [email protected] 55 points 4 days ago* (last edited 4 days ago) (2 children)

Your statement is even more true about closed source. As someone who worked in multiple companies, I can tell you that 99% of the code is written, PRed, QAed, and then ignored forever.

[–] [email protected] 23 points 4 days ago (3 children)

Bold to assume that there a QA step

[–] [email protected] 16 points 4 days ago

Production is a form of QA old man!

[–] [email protected] 11 points 4 days ago

Real programmers use production

load more comments (1 replies)

[–] [email protected] 10 points 4 days ago (1 children)

I can confirm. Unless the code causes issues people notice, nobody thinks about it after the PR.

OSS has the benefit of people WANTING to do the work, so I feel they make more effort to make sure it's stable and efficient. Taking the extra time for testing and random scenarios, whereas people in corporate software will more often than not simply meet the reqs of the request, and then do minimal testing, send it off to the corporate machine.

OSS also has the benefit of randos across the whole world being able to view and audit changes.

load more comments (1 replies)

[–] [email protected] 19 points 5 days ago

i save that meme for the next time a huge psyops heist like with xz gets uncovered and people talk about how it shows the flaws of free open source. If It's proprietary it's easier to just get a job at the company, then gaining trust and building pressure with multiple fake accounts, and hiding it in one of the testing tarballs and then get uncovered anyway by a postgres admin doing performance benchmarks

[–] [email protected] 53 points 5 days ago (1 children)

Also, many proprietary softwares rely on open source libraries. So unless they catch, patch, and do not contribute those fixes, proprietary will be at least as vulnerable as the oss they depend on.

[–] [email protected] 11 points 4 days ago (1 children)

It always seems like it depends on really old libraries with major security flaws

load more comments (1 replies)

[–] [email protected] 16 points 5 days ago

The proprietary backdoors come with spies doing much more gymnastics to gain access to those who know the secrets to access those backdoors.

[–] [email protected] 323 points 5 days ago (10 children)

Immediately get noticed

Realistically, though, we are only aware of that one because it was noticed in that unlikely scenario and then widely reported. For all we know, most open source backdoors are alive and well in our computers, having gone unnoticed for years.

[–] [email protected] 11 points 4 days ago

For all we know...

This isn't something we need to speculate about. The vulnerability histories of popular closed and open source tools are both part of public data sets.

Looking into that data, the thing that stands out is that certain proprietary software vendors have terrible security track records, and open source tools from very small teams may be a mixed bag.

[–] [email protected] 27 points 4 days ago

I feel like its a mixed bag. Certainly there's an infinitely higher chance of someone randomly noticing a backdoor in OSS than in closed source simply because any OSS project in use has someone looking at it. Many closed systems have dusty corners that haven't had programmer eyes on them in years.

But also, modern dev requires either more vigilance than most of us have to give or more trust than most of us would ideally be comfortable offering. Forget leftpad, I've had npm dependencies run a full python script to compile and build sub dependencies. Every time I run npm update, it could be mining a couple of bitcoins for all I know in addition to installing gigs and gigs of other people's code.

The whole industry had deep talks after leftpadgate about what needed to be done and ultimately, not much changed. NPM changed policy so that people couldn't just dissapear their packages. But we didn't come up with some better way.

Pretty much every language has its own NPM now, the problem is more widespread than ever. With Rust, it can run arbitrary macros and rust code in the build files, it can embed C dependencies. I'm not saying it would be super easy to hide something in cargo, i haven't tried so I don't know, but i do think the build system is incredibly vulnerable to supply chain attacks. A dependency chain could easily pull in some backdoor native code, embed it deep into your app, and you might never realize it's even there.

[–] [email protected] 24 points 4 days ago (3 children)

I haven't really seen any evidence to support this

[–] [email protected] 19 points 4 days ago (1 children)

Exactly

[–] [email protected] 3 points 4 days ago

Which in itself is worrying to me; given that there are now tens of thousands of in-use libraries and millions of programmers, the chances are high that someone tried at least once more than we have heard about .

And I know there have been several attempts, but there seems to be a lack of information about them all in one easy to read place

load more comments (2 replies)

[–] [email protected] 44 points 5 days ago (3 children)

Thats not really how open source works. If you use an open source tool like say, nano. It has been looked at and improved for many years by many people who have worked up an understanding of the code.

I realize that this can only be natively understood by a programmer.

What we (I) do when we work at open source projects is reading through the code for so long until we "get it". It means we start to understand what does what. If you want so change something, you must locate it, finding out what it is not. The chance that someone stumbles across something that then sparks a full blown investigation isnt that low. Of course you can hide something in extremely long and boring code but its alas automatically tested by most software shops.

In short: we dont do this since yesterday and opeb source is so many universes better than closed source is a truth that only a fool would disregard.

[–] [email protected] 1 points 4 days ago (1 children)

automatically tested by most software shops.

Really?

load more comments (1 replies)

[–] [email protected] 42 points 5 days ago (1 children)

Are you sure?

All I'm saying is leftPad, if you still remember.

As a programmer I do not believe you when you claim that you read through all the code of all the libraries you include.

Especially with more hardcore dependencies (like OpenSSL), hardly anyone reads through that.

[+] [email protected] -7 points 5 days ago (3 children)

So you're a programmer yourself. That helps me understand where you are coming from. Thanks for clarifying.

As a programmer, you know that you need to depend on the work of others. Otherwise you cant use libraries at all. Of course the libraries are only as good as their own people. But the important part here is that the library doesnt have a makefile for example, which renders your former argument moot. They are often included in huge projects which themselves both have automated and manual reviews.

Somehow I dont believe you have experience in foss programming, at least not in larger projects. Tons of stuff is being done which ensures tons of eyes go over every bit of code, over time. for example in kodi, I have to depend on the upstream people doing their work. they have upstream themselves, etc. All of this is reviewed over and over and over again.

Also, leftpad is a prime example of how you are completely unable to do your thing in a cooperative. you will always get shut down. maybe not immediately but eventually.

Thats why foss is the ultimately better system.

[–] [email protected] 21 points 5 days ago* (last edited 5 days ago) (2 children)

My former argument? You might be confusing who you are talking to, since you answered to my first post in this thread.

You also seem to remember leftPad wrong. What happened there was that someone made a tiny library that did nothing but to pad a string. Something so trivial that any programmer should be able to do that within a minute. But still tens of thousands of projects, even large and important libraries, would rather add a whole dependency just to save writing a line of code. In fact, in most dependency management systems it requires more characters to add that dependency than to write that oneliner yourself.

The issue with leftpad was that the maintainer of that "library" was angry for unrelated reasons and pulled all his libraries, which then broke thousands of projects and libraries because leftpad wasn't available any more.

My point was that everyone just relies on upstream doing their stuff and hardly anyone bothers to check that the code they include is actually doing what it should. And everyone just hopes that someone else already did their job of reviewing upstream, because they can't be bothered to do it themselves.

A better example though would be Heartbleed. OpenSSL is used in everything. It's one of the core libraries for modern online communication. Everyone and their grandma used it, most distros, all the cloud providers and so on. Everyone has been making money using the security that OpenSSL provides. Yet OpenSSL was massively underfunded with only one permanent developer who was also underpaid for what he was doing. And apparently nobody thoroughly reviewed the OpenSSL code. Somehow in version 1.0.1 someone made a mistake and added the Heartbleed bug. Stuff like that happens, nobody's perfect, and if there's only one person working on this, mistakes are bound to happen.

And then this massive security vulnerability just stayed in there for over two years, allowing anyone to read out whatever's in the memory of any server using OpenSSL. Because nobody of the billions of people using OpenSSL daily actually reviewed and analysed their code. Because "so many people use OpenSSL, someone surely already reviewed it".

Or take Log4Shell. That's a bug that was so trivial it was even documented behaviour. To find this, someone wouldn't even have had to review the code, just reviewing the documentation of Log4J would have been enough. And still this one was in production code for 8 years. For a library that's used in almost every Java program.

Nobody reviews upstream.

If upstream makes a mistake, that mistake is in the code. And then everyone just happily consumes what they get.

And upstream is often just a random library thanklessly maintained by some dude in their spare time.

Edit: Just to prove my point: Think of your last big FOSS project that you worked on. Can you list every single dependency and every single transient dependency that your project uses? For each of these dependencies, do you know who maintains it and how many people work on each of these dependencies? Do you know if everyone of these people is qualified and trustworthy enough to put reliable and secure code in your project? Or do you, like everyone else, just hope that someone else made sure it's all good?

[–] [email protected] 9 points 4 days ago* (last edited 4 days ago) (1 children)

You talk as though closed-source developers reviewed all the upstream code. The exact same problem exists with closed-source, except there isn't even the possibility of reviewing all the code if you want to. At worst, the lack of review in FOSS projects is on par with closed-source projects. At best, it's a much smaller problem .

[–] [email protected] 13 points 4 days ago (7 children)

That's definitely a problem with every bit of code, that everyone relies on stuff they don't or can't review.

My point is that FOSS provides a false sense of security ("Millions of people use this library. Someone will already have reviewed it.").

But the bigger issue is that FOSS is massively underfunded. If OpenSSL was for-profit, it would be a corporate project with dozens if not hundreds of developers. Nobody would buy a piece of core security infrastructure from a self-employed dude working away in his basement. That would be ridiculous to even think about that. And if this standard component was for-profit, even very low license fees would generate huge amounts of revenue (because it's used in so many places) and this would allow for more developers to be employed.

And since it would be an actual thing that companies would actually buy, they'd demand that third-party security audits of the software would be done, like on any paid-for software that companies use. They'd also demand some SLA contracts that would hold this fictional for-profit OpenSSL accountable for vulnerabilities.

But since it's FOSS, nobody cares. Companies just use it, nobody donates. It's for free, so the decision to use it usually doesn't even go through procurement and anything related to it. I tried to get my old company to donate to OpenSSL in the wake of Heartbleed, and the company said they don't have a process to donate to something, so can't be done.

So everyone just uses this little project created by one solitary hero and nobody pays for it. And so that dude works alone in his basement, with literally the online security of the whole world resting on his shoulders.

Luckily after Heartbleed a lot of large corporations started to donate to OpenSSL, but there are hundreds of other equally important projects that still nobody cares about. As seen e.g. with the .xz near miss.

load more comments (7 replies)

load more comments (1 replies)

load more comments (2 replies)

[–] [email protected] 29 points 5 days ago (1 children)

That's assuming the attacker is stupid enough to put the exploit in the source code where it can be easily discovered.

The Xz exploit was not present in the source code.

It was hidden in the makefile as an obfuscated string and injected into the object file during the build process.

[–] [email protected] 10 points 5 days ago (1 children)

I saw the code. It was pretty obvious once you look at that particular piece. You have to adapt the makefile pretty often so you also would see gibberish. If you're a programmer and you encounter what YOU think is gibberish, all alarms go off.

i dont know your experience in coding but I dont see how a huge number (a given with old and popular code) of experienced people could overlook something like this.

[–] [email protected] 26 points 5 days ago (1 children)

But this is the crucial thing. It wasn't in the repository. It was in the tarball. It's a very careful distinction because, people generally reviewed the repository and made the assumption that what's there, is all that matters.

The changes to the make process only being present in the tarball was actually quite an ingenius move. Because they knew that the process many distro maintainers use is to pull the tarball and work from that (likely with some automated scripting to make the package for their distro).

This particular path will probably be harder to reproduce in the future. Larger projects I would expect have some verification process in place to ensure they match (and the backup of people independently doing the same).

But it's not to say there won't in the future be some other method of attack the happens out of sight of the main repository and is missed by the existing processes.

[–] [email protected] 4 points 5 days ago

Absolutely understand the point. They had a good idea. They failed. Done. my point stands. Foss is superior.

[–] [email protected] 19 points 5 days ago (2 children)

Reminds me of the old Debian OpenSSL vulnerability that went unnoticed for 2 years... but it did eventually get noticed.

https://lists.debian.org/debian-security-announce/2008/msg00152.html

[–] [email protected] 5 points 5 days ago

Heartbleed bug?

load more comments (1 replies)

[–] [email protected] 127 points 5 days ago (3 children)

Yup.
But in open source it CAN be noticed, by anyone determined enough to dig into its side effects.
Proprietary software? You file a regression bug that startup takes 500ms longer, and it might get looked at.

Also, backdoors that are discovered in open source software improve automated software auditing.

[–] [email protected] 23 points 5 days ago (1 children)

The flaw also highlighted a social engineering exploit. It’s not the first time some vulnerability has entered open source software due to social pressure on the maintainer. Notably EventStream exploit.

This is difficult to account for. You can’t build automated tooling for social engineering exploits.

[–] [email protected] 6 points 4 days ago

[–] [email protected] 76 points 5 days ago

500ms longer, and it might get looked at.

Why would you even lie to the poor fellow like that? 🤣 lol

load more comments (1 replies)

[–] [email protected] 65 points 5 days ago* (last edited 5 days ago) (2 children)

Wait, that references something that actually happened?

edit This?

https://www.runtime.news/how-a-500ms-delay-exposed-a-nightmare-scenario-for-the-software-supply-chain/

[–] [email protected] 57 points 5 days ago

Yes, this particular incident.

https://en.wikipedia.org/wiki/XZ_Utils_backdoor

In February 2024, a malicious backdoor was introduced to the Linux build of the xz utility within the liblzma library in versions 5.6.0 and 5.6.1 by an account using the name "Jia Tan".[b][4] The backdoor gives an attacker who possesses a specific Ed448 private key remote code execution through OpenSSH on the affected Linux system. The issue has been given the Common Vulnerabilities and Exposures number CVE-2024-3094 and has been assigned a CVSS score of 10.0, the highest possible score.[5]

Microsoft employee and PostgreSQL developer Andres Freund reported the backdoor after investigating a performance regression in Debian Sid.[8] Freund noticed that SSH connections were generating an unexpectedly high amount of CPU usage as well as causing errors in Valgrind,[9] a memory debugging tool.[10]

[–] [email protected] 73 points 5 days ago (1 children)

Yup :D https://en.m.wikipedia.org/wiki/XZ_Utils_backdoor

[–] [email protected] 28 points 5 days ago

Wow, thanks, that’s way better than the link I found.

load more comments (3 replies)