by Jon_Lowtek 2202 days ago
Chinese Ministry of State Security can inject a coder/sysadmin who adds vulnerabilities which are then used for espionage against corporations/governments. The National Security Agency has done things like that in the past, so it is safe to assume the Chinese do it too.

Playing devil's advocate: what should the rest of the world do when using proprietary technology from the USA, given that the NSA likes to have their nose in everything?
The software industry needs to adapt to the challenges of a fully digitized world, and at the moment things are a bit behind. The first and most important part is to have reproducible builds and code signing, so in cases where the source is available, people should be able to easily trace what's in the software they're using and who contributed. I think this is a technical challenge and some software ecosystems are trying to solve it (Go, Rust etc.). The next thing that I would like to see happening is more commercial software licenses that allow making a living from selling software but that give access to the source. I prefer a world where I pay for software and developers can make a living, and at the same time I am able to check that the promises that the developer makes are kept.
How would code-signing help if the NSA arm-twists you into introducing a backdoor in your code? Even for open-source, it is difficult for average-Joe to trace and figure out contributions (it's like saying the automobile engine has blueprints available, so everyone should be able to figure out what's wrong). :-)
Arm-twist?

You know the NSA is an American agency, and America is not China - there is free enterprise. The only way they can "arm-twist" you is by rules and regulations that every company has to follow. In other words - the NSA cannot force you to break the law.

"The FBI wanted to work out an arrangement in which the developer would secretly feed its operatives information about Telegram’s inner workings—things like new features and other components of the service’s architecture that they might want to know about. The arrangement would be strictly confidential, and they were willing to pay." source: https://thebaffler.com/salvos/the-crypto-keepers-levine
What's your point? Telegram owners are a private enterprise. They could say "okay, we do it for money", or say "we won't do it because of principles".

Where is this so-called "arm-twisting" ??

This is an ok thing for some Americans to believe in, but at least Google encrypted all its traffic between data centers specifically to avoid NSA eavesdropping. And many people in the rest of the world don't think the US respects the rule of law as it advertises.
Google encrypted it after Snowden documents revealed the NSA was silently exfiltrating the data. [1]

[1] https://www.washingtonpost.com/world/national-security/nsa-i...

prefer open source and end2end encryption

... oh wait your premise disqualifies that.

Well, Arabia and Russia are starting to force data to be processed and stored in their territory by blocking foreign comm-tech. But I don't think that is a solution; that is just digital nationalism driven by fear of espionage and demand for the power of mass surveillance.

What "the world" should do is lobby against nation-states and mega-corps having their noses in everything, because it is a central building block of totalitarianism. Even if the state doesn't go all out authoritarian, it opens back doors that leave people vulnerable to abuse by bad actors.

This was probably my sentiment also: if you're not using open source technology, you're likely setting up for disappointment.
Use and contribute to open source alternatives?
So how do you keep MSS and NSA from planting bugdoors in the open source alternatives?
Seems like a reasonable question. A relevant example: SELinux came from the NSA.
The rest of the world can (and should) avoid US software if they want to. Playing devil's advocate here doesn't make a lot of sense because no US regime has ever been anything close to the CCP.
To be fair, we know from the Snowden leaks this is exactly what they do. Microsoft quite proudly cooperated with the NSA to backdoor its own apps.
Yes, there were backdoors in the US. I didn't say there weren't.

You sidestepped my main point, that US/CCP is a laughably false equivalency.

The US government can just walk in and say zoom.us has to feed all the data into MYSTIC for national security reasons. The CCP's ability to pressure some developers into adding bad code which might enable them to hack Zoom infrastructure is laughable in comparison. Yes, in theory they could attack some high value target that way, but only the hosting nation can exfiltrate mass surveillance without an alarm going off. Which is why zoom.cn is hosted in China.
While it's probably a little easier with a "home field advantage", there's no reason to think they don't do this to stuff built outside of China also. As you say, the NSA does this, and certainly other large nations have institutions that do this as well. It's probably safe to assume all large communications systems are riddled with intentional errors.
They don’t even need to do that. The government can much more easily coerce the existing employees to do things by threatening them or their family members. This is the risk that Chinese employees in the US with family back in China pose to US companies.
When did the en es aye plant a coder inside a private company to add vulnerabilities, that we know about?
It's a play on the whole "they warn about the dangers of supply chain hacks". If asked how they can be so sure that is happening, they say: well, we would do it that way.

A proven case? Look at Crypto AG. Sure, one might argue the whole company was planted, so it doesn't count ...

They don't have to be so secretive. The Snowden leaks told us that companies like Microsoft collaborate with the IC to backdoor their software.
That's why I was curious.
So essentially there would be no difference whether it was American or Chinese.