Hacker News new | ask | show | jobs
by selfhoster11 1757 days ago
It's worth noting that the above comment, while it might sound paranoid to some, is IMO entirely justified.

I'm 50/50 on whether someone at some point hasn't executed a successful Trusting Trust attack (see Ken Thompson). With modern machines that have megabytes of binary blobs, different co-processors that have access to the RAM while they can't be reprogrammed to be on the user's side, and techniques that can actually tell when sensitive operations are happening, such attacks are becoming more feasible.
1 comments
pabs3 1757 days ago
There definitely have been compromised build toolchains before:

https://en.wikipedia.org/wiki/XcodeGhost

link
tremon 1757 days ago
That's only half of the trusting trust-attack though; the other half is being able to make the compiler compromise propagate itself, i.e. not just inserting any backdoor in compiled code, but inserting itself in any compiler built using the compromised tool.
link
selfhoster11 1757 days ago
Mobile and Electron apps often weight hundreds of megs. That's enough data to hide an entire classic-style OS in the spaces between the data. While I don't know whether someone did insert such a recursive compiler, they certainly can do it unobtrusively enough that it doesn't raise any suspicion.
link
selfhoster11 1757 days ago
Thank you, I wasn't familiar with this case.
link