Comment by bluejekyll

8 years ago

The same statement could be made about any organization. If you get a sleeper agent into Apple, Google, Microsoft, whatever... There is a certain amount of goodwill we rely on in this world.

It's not quite the same thing as, AFAIK, the Debian project doesn't have the same power as an employer does to do background checks before hiring.

There's a significant level of risk around open source projects changing hands, something which may be invisible to the users of those projects, especially as they become more heavily used and therefore more tempting targets for attackers.

  • Employers only have that power because you grant it to them. Of course you don't have a lot of choice if you want the job.

    In theory, Debian or any organization could do the same background check, but is that the best use of their limited resources? And would they want to do it anyway given the ideals of the general OSS community?

    • Sure, my point was companies do do that checking and Debian doesn't do that checking, so from the perspective of this risk, it would be harder for an attacker to do this to a large corporate like Microsoft than it would to do it to an open source project like Debian.

But companies wouldn't give commit access to somebody they just "hired" over the internet that "wants to help", and they'd (hopefully) have multiple layers of code sign-off before it ends up in the repository. Having worked in PCI-DSS environments, it would not be easy to get code into production without anybody else noticing.

Open-source projects often have random people "from the internet" working together with a great deal of individual autonomy (authority doesn't go down well when you are contributing for free). This ad-hoc style works well for open-source development, but it does make some kinds of code/system subversion a lot easier and we'd do well to keep that in mind.

Besides, I'm into open-source and security exactly because I don't want to rely on the goodwill of Apple, Google and Microsoft. ;)

Most large software companies do continuous scans of their own source code looking for potential backdoors. Obviously this is not guaranteed to catch such attempts, but it is definitely necessary in the current environment where zero-days are so valuable.

  • Most of the tools I know in this space look for known issues.

    OSS teams could spend the time and money running these tests, but this seems like a good area where governments and companies can step in to help.