undefined | Better HN

undefined | Better HN

0 comments

cesarb2y ago

> I think we should seriously consider something like a ts clearance as mandatory for work on core technologies.

Was xz/lzma a core technology when it was created? Is my tiny "constant time equality" Rust crate a core technology? Even though it's used by the BLAKE3 crate? By the way, is the BLAKE3 crate a core technology? Will it ever become a core technology?

With free software in general, things do not start a "core technology"; they become a "core technology" over time due to usage. At which point would a maintainer have to get a TS clearance? Would the equivalent of a TS clearance from my Latin America country be acceptable? And how would I obtain it? Is it even available to people outside the military and government (legit question, I never looked)?

zeroCaloriesOP2y ago

We probably shouldn't use your code at all, is the real answer. You can get TS, it just costs a lot of money.

stackskipton2y ago

In United States, you cannot apply for a clearance. You must get a job that requires a clearance, then start application process and wait.

msm_2y ago

Who is "we"? Are you from the US by any chance? Do you mean that the US government should rewrite every piece of core architecture (including Linux, Ssh, Nginx...) from scratch? Because they are all "contaminated" and actually were created by non-americans.

If that's the case, you do you. Do you also think that all other countries should do the same, and rewrite everything from scratch for their government use (without foreign, for example American, influence)? And what about companies? Should they be forced to switch to their government's "safe" software, or can they keep using Linux and ssh? What about multi-national companies? And what even counts as a "core" software?

So yeah, I don't think it's a good idea.

zeroCaloriesOP2y ago

We can keep it between NATO plus friends.

AnonymousPlanet2y ago

Wow, I can't decide which is the bigger act of sabotage to open source, your ideas or the actual backdoor.

csdreamer72y ago

The Linux kernel is complaining about a lack of funding for CI-one of the highest visibility projects out there. Where will the money come from for this?

Corps? Aside from Intel most of them barely pay to upstream their drivers.

The govt? The US federal government cut so much of it's support since the 70s and 80s.

zeroCaloriesOP2y ago

You're right, but accepting code from random Gmail accounts can't be the solution. Honestly the Linux kernel is a bloated mess, and will probably never be secured.

imiric2y ago

Accepting code from any source without properly reviewing it is surely the actual problem, no? This person only infiltrated this project because there was no proper oversight.

Maintainers need to be more stringent and vigilant of the code they ship, and core projects that many other projects depend upon should receive better support, financial and otherwise, from users, open source funds and companies alike. This is a fragile ecosystem that this person managed to exploit, and they likely weren't the only one.

zeroCaloriesOP2y ago

Maintainers can't fully review all code that comes in. They don't have the resources. Even if they could give it a good review, a good programmer could probably still sneak stuff in. That's assuming a maintainer wasn't compromised, like in this case. We need a certain level of trust that the contributors are not malicious.

AnonymousPlanet2y ago

That's a very US centric view and would practically split the open source community along the atlantic at best and fracture it globally at worst. Be careful what you wish for.

zeroCaloriesOP2y ago

I trust NATO members.

AnonymousPlanet2y ago

Oh, how generous.

rieter2y ago

Even Turkey?

Meetvelde2y ago

That's hard to do when the development of these libraries is so international. Not to mention that it's already so hard to find maintainers for some of these projects. Given that getting a TS clearance is such a long and difficult process, it would almost guarantee more difficulty in finding people to do this thankless job.

zeroCaloriesOP2y ago

It doesn't need to be TS for open source(but for closed, I'm leaning yes). But all code for these core technologies need to be tied to a real person that can be charged in western nations. Yes, it will make it harder to get people, but with how important these technologies are, we really should not be using some random guys code in the kernel.

guinea-unicorn2y ago

Don't forget that the NSA bribed RSA (the company) to insert a backdoor into their RNG. Being in western jurisdiction doesn't mean you won't insert backdoors into code. It just changes whom you will target with these backdoors. But they all equally make our technology less trustworthy so they are all equally despicable.

zeroCaloriesOP2y ago

It will significantly cut down on Russian and Chinese back doors, which is still an improvement, Mr. Just Made an Account.

rwmj2y ago

That just means the bad actors will all have clearance while putting in a bunch of hurdles for amateur contributors. The only answer is the hard one, constant improvement in methods to detect and mitigate bugs.

zeroCaloriesOP2y ago

"Constant improvement" sounds like "constantly playing catch-up". Besides that, someone with TS can be arrested and charged, and I don't want amateur contributors.

msm_2y ago

>and I don't want amateur contributors.

And you're free to not accept amateur contributions to the OS projects you maintain. Hell, you can require security clearance for your contributors right now, if you want.

zeroCaloriesOP2y ago

Software like that already exists. I'm saying open source should do better.

isbvhodnvemrwvn2y ago

This only ensures the backdoors are coming from governments that issued the clearances, nothing more. I prefer more competition, at least there is incentive to detect those issues.

zeroCaloriesOP2y ago

It will ensure that my OS doesn't have code from random Gmail accounts. If someone with U.S clearance submits a backdoor, they should either be charged in the U.S, or extradited to somewhere that will charge them. We have no idea who this person is, and even if we did we probably could not hold them accountable.

colinsane2y ago

how many people in PRISM had such clearance? and how many of them would i trust? precisely zero.

failbuffer2y ago

Killing your pipeline for innovation and talent development doesn't make you secure, it makes you fall behind. The Soviet Union found this out the hard way when they made a policy decision to steal chip technology instead of investing in their own people. They were outpaced and the world came to use chips, networks, and software designed by Americans.

zeroCaloriesOP2y ago

That's the exact opposite of what I'm saying we do. We need to invest in engineers we can trust, and cut off those we can't.

mardifoufs2y ago

Who's we? Americans? Sure that's fine for you, but Americans aren't exactly trustworthy outside of the US either and I say that as someone who's usually pro US. This sort of mentality just shows a lack of understanding of how most of the world sees the US. Even in places like say, france, the us is seen as an ally but a very untrustworthy one. Especially since out of all the confirmed backdoors up until now, most of them were actually US made.

If this backdoor turns out to be linked to the US, what would your proposal even solve?

zeroCaloriesOP2y ago

"We" doesn't have to be the U.S. This is a false dichotomy that I see people in this thread keep pushing. I suspect in bad faith, by the people that want to insert backdoors. As a baseline, we could keep the contributors to NATO and friends. If a programmer is caught backdooring, they can be charged and extradited to and from whatever country.

vmladenov2y ago

This seems infeasible for projects like LLVM that depend on international collaboration.

j / k navigate · click thread line to collapse