Comment by mtgx
8 years ago
And just like they acquired Skype to please the NSA and make changes for its sake, I wonder if this is also a move to backdoor Github projects without the project owners and contributors noticing.
I, for one, would definitely stay away from any open source project that's still hosted on a Microsoft-owned GitHub.
It's tricky to backdoor git repositories, since it's a Merkle tree of hashes and as such immutable. Any attempts at tampering would break git push/pull for developers, and as such be immediately detected.
Binaries could be backdoored, potentially, but with the trend towards deterministic reproducible builds I don't see this happening.
Perhaps modifying code is out of the question, but consider how many juicy credentials / private keys etc must be tucked away in all those private repos...
GitHub is already an American company. What makes you think the NSA doesn't already receive a full copy of everything on their servers?
You place a surprising amount of trust in a hash algorithm with known collisions (SHA1).
Given the context this is not surprising at all.
A hash collision in git lets you show somebody one change, then substitute it for a different change (with the same hash) in a version others see that appears (to the first person) to be the same code.
This is a very narrow opportunity. It is _probably_ viable for a very powerful adversary (such as the NSA) to successfully trick someone working with binary blobs, like firmware for a black box. You can imagine a developer who (unusually) assiduously checks the firmware they're provided to see that it works as intended, then uploads a new version to GitHub, and the NSA trap is sprung: they substitute a modification with the same hash but different firmware that, perhaps, causes your billion-dollar spy satellite to point its cameras at the sun, destroying it.
But if the developer is less assiduous this was all pointless: just send the "burn spy sat" firmware to the original developer and lie.
Or if the spy camera owners decide not to take this mysterious last-minute update, or they try it on their ground-based prototype first to check it works... bzzt, your hugely expensive SHA-1 trick was a waste of time.
Yes, SHA-1 is broken. Nobody should use it for anything new, and things that already use it should have been migrating already _before_ the official announcement from Google et al. But Merkle-Damgård hashes have done this before, and will do it again, and so we know how this goes. You get a collision but don't get anything else; critically, you don't get a second preimage.
This means the NSA doesn't gain a way to substitute other stuff in a repo. They can only _collide_ their own things, by carefully choosing the inputs. So a plan where you just replace the _real_ firmware can't work.
Also, the nature of these MD attacks smashes up the input state, which for git will usually be source code. A mysterious anonymous contributor is surprising enough, but when their proposed patch adds dozens of bytes of what seems to be binary noise, you know something is up. That's why my example attack above involved firmware, where this might be less suspicious.
So yes, Git should have transitioned off SHA-1, and a window of opportunity for bad guys does exist, but it's not the sort of gaping window you imagine.
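The blob-to-tree-to-commit hash chain the comment above relies on, and why a receiving client detects a substituted blob unless the attacker has a second preimage rather than a mere collision, as an added example that is not part of the thread. The file contents and the author string are constructed; `verify_object` mirrors the re-hash-and-compare check git performs when it receives or fscks objects, not any particular git source.

```python
import hashlib

# Constructed author/committer line for the demo commit; not taken from the thread.
AUTHOR = "Example Dev <dev@example.invalid> 1500000000 +0000"

def git_object_id(kind: str, payload: bytes, algo: str = "sha1") -> str:
    """Git object id: hash of '<type> <size>\\0' followed by the raw payload.
    algo='sha256' shows the same construction with git's newer hash function."""
    header = f"{kind} {len(payload)}\0".encode()
    return hashlib.new(algo, header + payload).hexdigest()

def blob_id(content: bytes, algo: str = "sha1") -> str:
    return git_object_id("blob", content, algo)

def tree_id(entries, algo: str = "sha1") -> str:
    """entries: (mode, name, hex_oid) tuples; a tree stores them sorted by name,
    each as 'mode name\\0' followed by the child id as raw bytes, so every
    child's hash is an input to the parent's hash."""
    body = b"".join(
        f"{mode} {name}\0".encode() + bytes.fromhex(oid)
        for mode, name, oid in sorted(entries, key=lambda e: e[1])
    )
    return git_object_id("tree", body, algo)

def commit_id(tree: str, message: str, algo: str = "sha1") -> str:
    """Root commit (no parent line): the tree id is baked into the hashed payload."""
    payload = f"tree {tree}\nauthor {AUTHOR}\ncommitter {AUTHOR}\n\n{message}\n"
    return git_object_id("commit", payload.encode(), algo)

def verify_object(kind: str, payload: bytes, expected: str, algo: str = "sha1") -> bool:
    """Re-hash the received payload and compare with the id the parent claims.
    A swapped payload passes only if its hash equals the original's: a second
    preimage, which the known SHA-1 collision attacks do not provide."""
    return git_object_id(kind, payload, algo) == expected

def tamper_demo() -> dict:
    original = b"hello\n"                 # constructed file content
    tampered = b"hello\n# extra line\n"   # constructed substitute
    oid = blob_id(original)
    tree = tree_id([("100644", "hello.txt", oid)])
    commit = commit_id(tree, "initial import")
    tampered_tree = tree_id([("100644", "hello.txt", blob_id(tampered))])
    return {
        "blob": oid,
        "tree": tree,
        "commit": commit,
        "tampered_blob_detected": not verify_object("blob", tampered, oid),
        "tree_changed": tampered_tree != tree,
        "commit_changed": commit_id(tampered_tree, "initial import") != commit,
    }

if __name__ == "__main__":
    for key, value in tamper_demo().items():
        print(f"{key}: {value}")
```

The known-answer values (empty blob, `hello\n` blob, empty tree) match what `git hash-object` and `git write-tree` produce, so the same functions can be pointed at real objects.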
Collisions, yes, but preimages are the bigger concern with hostile actors in git IMO.