Comment by jiggawatts
4 months ago
A trivial method for circumventing code review is to simply push a targeted update of the firmware to devices subject to a government search order.
There are no practical end-user protections against this vector.
PS: I strongly suspect that at least a few public package distribution services are run by security agencies to enable this kind of attack. They can distribute clean packages 99.999% of the time, except for a handful of targeted servers in countries being spied upon. A good example is Chocolatey, which popped up out of nowhere, had no visible source of funding, no mention of their ownership structure anywhere, and was incorporated along with hundreds of other companies in a small building in the middle of nowhere. It just screams of being a CIA front, but obviously that's hard to prove.
> Chocolatey, which popped up out of nowhere
Chocolatey assuredly did not "pop up out of nowhere" - it was a labour of love from Rob Reynolds to make Windows even barely usable. It likely existed for years before you ever heard of it.
> had no visible source of funding
Rob was employed by Puppet Labs to develop it until he started the commercial entity which now backs it.
> a small building in the middle of nowhere.
As I recall, Rob lives in Topeka, Kansas. It follows that his business would be incorporated there, no?
There was no evidence of any of this on the website until recently (maybe 2 or 3 years ago?), and I did look at every page on there. Similarly, I searched on Google for a while and raised the question in more than a few forums. I dug through the business registration records, etc... and found none of the above.
Sure, now, they have staff photos and the actual names of people on their about page, but just a few years ago it was almost completely devoid of information: https://web.archive.org/web/20190906125729/https://chocolate...
Look at it from the perspective of a paranoid sysadmin halfway around the world raising a quizzical eyebrow when random Reddit posts mention how convenient it is, but it's distributing binaries to servers with absolutely no obvious links back to any organisations, people, or even a legitimate-looking business building.
The end user protection is to sign updates and publish the fingerprints. It should not be possible for one device to get a different binary than everyone else.
How exactly do you plan on implementing this as an end user?
Even if you somehow manage to ensure 100% consistency with other users for updates you manually “pull” from the vendor, the vendor could simply have your device automatically reach out and update itself with a stealth update.
Or everyone can get the same exact binary, but it has a hash code check on it that activates the evil bits only on your device.
Etc…
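The two points above, as an added example that is not from either commenter: comparing the hash of the update you received against fingerprints published by several independent sources catches a delivery that differs from what everyone else got, but an identical blob can still branch on a hash of the local device identifier. The update blob, the source names and the device identifiers are constructed sample data; the signature check the first comment asks for is left out and only the fingerprint comparison is shown.

```python
"""Fingerprint consistency check for a downloaded update, plus a demonstration
that identical bytes can still behave differently per device.

Added example, not the thread's code. Sample data is constructed."""
import hashlib
import hmac

# Constructed stand-in for a firmware image everyone is supposed to receive.
UPDATE_BLOB = b"firmware-v1.2.3: " + bytes(range(256))


def fingerprint(blob: bytes) -> str:
    """SHA-256 hex digest, the value a vendor would publish for the update."""
    return hashlib.sha256(blob).hexdigest()


def check_consistency(blob: bytes, published: dict) -> tuple:
    """Compare the hash of the blob we received with the fingerprint each
    independent source (vendor, mirrors, other users) published.

    Returns (all_agree, disagreeing_sources). If every source agrees, we are
    running the same bytes everyone else is, as far as hashes go. A single
    disagreeing source is the signal of a targeted or tampered delivery."""
    ours = fingerprint(blob)
    disagreeing = [src for src, fp in published.items()
                   if not hmac.compare_digest(fp, ours)]
    return (not disagreeing, disagreeing)


def device_tag(device_id: str) -> str:
    """Hash of a device identifier; the blob carries only this, not the id."""
    return hashlib.sha256(device_id.encode()).hexdigest()


def behaviour_for_device(device_id: str, target_tag: str) -> str:
    """The counterpoint raised in the thread: the same blob, passing the same
    fingerprint check on every device, compares a baked-in target tag against
    the hash of the local device id and takes a different path only there."""
    if hmac.compare_digest(device_tag(device_id), target_tag):
        return "targeted-path"
    return "normal-path"


if __name__ == "__main__":
    # Everyone publishes the same fingerprint: the check passes.
    same = {"vendor": fingerprint(UPDATE_BLOB), "mirror-a": fingerprint(UPDATE_BLOB)}
    print(check_consistency(UPDATE_BLOB, same))

    # A blob delivered only to us differs from what mirror-a saw: flagged.
    tampered = UPDATE_BLOB + b"\x00"
    print(check_consistency(tampered, {"vendor": fingerprint(tampered),
                                       "mirror-a": fingerprint(UPDATE_BLOB)}))

    # Identical blob, identical fingerprint, different behaviour per device.
    tag = device_tag("device-007")
    for dev in ("device-007", "device-008"):
        print(dev, behaviour_for_device(dev, tag))
```

The consistency check only tells you that the bytes match what others received; it says nothing about what those bytes do on your particular device, which is exactly the gap the second comment points at.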
Telegram author claims this is the case [1]:
> "They were curious to learn which open source libraries are integrated to the Telegram app. You know, on the client side," Durov said. "And they were trying to persuade him to use certain open source tools that he would then integrate into the Telegram code"
[1] https://www.newsweek.com/telegram-tucker-carlson-government-...