by chgs 670 days ago
Better.

Imagine a closed source company with cost pressures employing a random developer who can commit code, perhaps without any peer review, but certainly limited peer review from harried employees.

Now imagine why a nation state would want to get staff working in such a company.

Now if companies like Microsoft or Amazon or Google want to pay people to work on these open source projects that’s a different thing, and a great thing for them to do given how much they rely on the code.


There's a ton of great truth here. It's hard to bite the bullet and believe that insiders already exist (everywhere), but I can share that from my experience working in big tech:

- There 100% will be bad actors. Many of them.

- But not always nation-state. Instead, they do it for (dumb) personal reasons, too. Also, don't forget LulzSec as a great example of just doing it for fun. So we cannot presume to know anything about the 'why'. The bad guys I caught did it for the most asinine reasons...

But the good news is that we have options:

- Strategic: Develop processes and systems that account for the perpetual existence of unknown bad actors and allow for successful business operation even when humans are compromised.

- Reactive: Structural logging that makes sense in the context of the action. Alerts and detection systems too.

- Reduction: Reduce access to only what is needed, when it is needed.

- Proactive (not always necessary): Multi party approvals (a la code review and production flag changes or ACL changes, too)

- Social: Build a culture of security practices and awareness of bad actors. Don't make people feel guilty or accusatory, just empower them to make good design and process decisions. It's a team sport.

Bonus: By guarding against evil actors, you've also got some freebie good coverage for when an innocent employee gets compromised too!

---

Companies like Google and Amazon do the techniques above. And they don't generally rely on antiquated technology that cannot and will not change to meet the modern standards.

I know because I was the person that built Google's first time-based access system and rationale-based access systems. And multi-party approval systems for access. (Fun fact: the organizational challenge is harder than the technical.)

And, those strategies work. And they increase SRE resilience too!

---

But even with the best UX, the best security tooling, the best everything, etc there's no guarantees that it matters if we just reject anything except the old system we're used to.

It's like a motorcycle helmet: Only works if you use it.
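An added example, not from any commenter in this thread, sketching the controls listed above (a required rationale, time-bounded grants, multi-party approval with no self-approval, and structured audit lines) as a small Python access broker; the policy values, names, resource identifiers and JSON log layout are all assumptions:

```python
"""Added example (not from the thread): a toy access broker modelling the
controls the comment lists - a required rationale, time-bounded grants,
multi-party approval without self-approval, and structured audit logging.
Policy values, names and the JSON log layout are assumptions."""
from __future__ import annotations

import json
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional

MAX_GRANT = timedelta(hours=4)  # assumption: longest grant the policy allows
REQUIRED_APPROVALS = 2          # assumption: distinct approvers needed per grant


class PolicyError(ValueError):
    """Raised when a request or approval violates the access policy."""


@dataclass
class AccessRequest:
    requester: str
    resource: str
    rationale: str
    duration: timedelta
    approvals: set = field(default_factory=set)
    granted_until: Optional[datetime] = None


class AccessBroker:
    def __init__(self, now: Optional[Callable[[], datetime]] = None):
        # Injectable clock so expiry can be tested without sleeping.
        self._now = now or (lambda: datetime.now(timezone.utc))
        self.audit: list = []  # one JSON line per security-relevant event

    def _log(self, event: str, **fields) -> str:
        # Structured entry: who, what, why, when - the context a responder needs.
        entry = {"ts": self._now().isoformat(), "event": event, **fields}
        line = json.dumps(entry, sort_keys=True)
        self.audit.append(line)
        return line

    def request(self, requester: str, resource: str, rationale: str,
                duration: timedelta) -> AccessRequest:
        if not rationale.strip():
            self._log("request.rejected", requester=requester,
                      resource=resource, reason="missing_rationale")
            raise PolicyError("a rationale is required")
        if duration > MAX_GRANT:
            self._log("request.rejected", requester=requester,
                      resource=resource, reason="duration_exceeds_policy")
            raise PolicyError(f"grants are capped at {MAX_GRANT}")
        req = AccessRequest(requester, resource, rationale, duration)
        self._log("request.created", requester=requester, resource=resource,
                  rationale=rationale, duration_s=int(duration.total_seconds()))
        return req

    def approve(self, req: AccessRequest, approver: str) -> AccessRequest:
        if approver == req.requester:
            self._log("approval.rejected", approver=approver,
                      resource=req.resource, reason="self_approval")
            raise PolicyError("requester cannot approve their own request")
        if approver in req.approvals:
            self._log("approval.rejected", approver=approver,
                      resource=req.resource, reason="duplicate_approver")
            raise PolicyError("each approval must come from a distinct person")
        req.approvals.add(approver)
        self._log("approval.recorded", approver=approver,
                  resource=req.resource, approvals=len(req.approvals))
        if len(req.approvals) >= REQUIRED_APPROVALS and req.granted_until is None:
            req.granted_until = self._now() + req.duration
            self._log("grant.issued", requester=req.requester,
                      resource=req.resource, until=req.granted_until.isoformat())
        return req

    def is_active(self, req: AccessRequest) -> bool:
        # Expiry is enforced on every check, so a grant never outlives its window.
        return req.granted_until is not None and self._now() < req.granted_until


def demo():
    """Walk one request through the lifecycle with a constructed fake clock."""
    clock = [datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)]  # constructed time
    broker = AccessBroker(now=lambda: clock[0])
    req = broker.request("alice", "prod-db-admin",
                         "INC-42: rotate leaked credential", timedelta(hours=1))
    broker.approve(req, "bob")
    after_one = broker.is_active(req)      # one approval is not enough
    broker.approve(req, "carol")
    after_two = broker.is_active(req)      # second distinct approver issues the grant
    clock[0] += timedelta(hours=2)
    after_expiry = broker.is_active(req)   # window has closed
    return after_one, after_two, after_expiry, len(broker.audit)


if __name__ == "__main__":
    print(demo())
```

The audit list is the "structural logging that makes sense in the context of the action" point: every line carries the requester, resource and rationale, so a detection rule or an on-call responder can read a grant without reconstructing it from scattered events, and rejected self-approvals are logged rather than silently dropped.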

Your argument is that a model which does no vetting of contributors whatsoever, which resulted in the catastrophe that is the topic of discussion, is better than a hypothetical company that is full of compromised developers who have free rein to commit to the source tree with no oversight? That sounds extremely contrived.
If you are positing that government infiltration of companies is hypothetical and not a real threat, here is an example of compromised corporate staff:

https://en.wikipedia.org/wiki/Saudi_infiltration_of_Twitter

This wasn’t a contributor to OpenSSH, it was a deep-level supply chain attack - something that closed source commercial companies are not immune to.

Given how much closed source companies love BSD/Apache/etc. licenses, where they can simply use these low-level libraries and charge for stuff on top, I’m not sure how they would be immune from such an attack.

The risk from this was highlighted in xkcd back in 2020

https://xkcd.com/2347/

Moving the goalposts and splitting hairs. The fact remains the open source model allowed an imaginary person, operating on behalf of a threat actor, to obtain privileged commit access to a widely used open source project without any vetting whatsoever. Let me repeat that. They were given control of the repo without even verifying this person exists. To do this at a commercial company you actually have to show up and interview, which is an order of magnitude more difficult than creating an anonymous Gmail account and being given the keys to the kingdom.
You are the one who moved the goalpost here. Vanilla OpenSSH doesn't link against xz, period. Not even the portable versions as LibreSSL does for OpenSSL.

If distros randomly patch OpenSSH because of systemd, it's their problem.