Comment by jiggawatts

1 day ago

A trivial method for circumventing code review is to simply push a targeted update of the firmware to devices subject to a government search order.

There are no practical end-user protections against this vector.

PS: I strongly suspect that at least a few public package distribution services are run by security agencies to enable this kind of attack. They can distribute clean packages 99.999% of the time, except for a handful of targeted servers in countries being spied upon. A good example is Chocolatey, which popped up out of nowhere, had no visible source of funding, no mention of their ownership structure anywhere, and was incorporated along with hundreds of other companies in a small building in the middle of nowhere. It just screams of being a CIA front, but obviously that's hard to prove.

The end user protection is to sign updates and publish the fingerprints. It should not be possible for one device to get a different binary than everyone else.

> Chocolatey, which popped up out of nowhere

Chocolatey assuredly did not "pop up out of nowhere" - it was a labour of love from Rob Reynolds to make Windows even barely usable. It likely existed for years before you ever heard of it.

> had no visible source of funding

Rob was employed by Puppet Labs to develop it until he started the commercial entity which now backs it.

> a small building in the middle of nowhere.

As I recall, Rob lives in Topeka, Kansas. It follows that his business would be incorporated there, no?
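The "sign updates and publish the fingerprints" protection from the reply above, as an added illustration in Go (this is not code from the thread or from any project named in it). The `Manifest` type, the function names and the sample firmware bytes are constructed for the example; the point shown is that a build which is validly signed but never published is still rejected.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is the vendor's published set of release fingerprints (hex SHA-256 of
// each shipped binary). Constructed in memory here; in practice it would be
// fetched from a public log or independent mirrors so anyone can compare it.
type Manifest map[string]bool

// Fingerprint returns the hex SHA-256 of a binary, the value that gets published.
func Fingerprint(binary []byte) string {
	sum := sha256.Sum256(binary)
	return hex.EncodeToString(sum[:])
}

// VerifyUpdate accepts an update only if the vendor signature is valid AND the
// binary's fingerprint appears in the published manifest. A build that is
// correctly signed but was never published (a one-off for a single device)
// fails the second check, which is the property the comment asks for.
func VerifyUpdate(pub ed25519.PublicKey, published Manifest, binary, sig []byte) error {
	if !ed25519.Verify(pub, binary, sig) {
		return errors.New("rejected: signature not from vendor key")
	}
	if fp := Fingerprint(binary); !published[fp] {
		return fmt.Errorf("rejected: fingerprint %s... not in published manifest", fp[:16])
	}
	return nil
}

// Demo plays out the scenario: the vendor signs and publishes a release, then
// signs but does not publish a targeted build. Keys and binaries are constructed.
// It returns whether the client accepted each one.
func Demo() (bool, bool, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, err
	}
	release := []byte("firmware 1.2.3 (constructed sample)")
	targeted := []byte("firmware 1.2.3 + extra code for one device (constructed sample)")
	published := Manifest{Fingerprint(release): true} // only the real release is published
	releaseAccepted := VerifyUpdate(pub, published, release, ed25519.Sign(priv, release)) == nil
	targetedAccepted := VerifyUpdate(pub, published, targeted, ed25519.Sign(priv, targeted)) == nil
	return releaseAccepted, targetedAccepted, nil
}
```

The second check only helps if the manifest comes from somewhere the vendor cannot tailor per client (a public log, third-party mirrors, or peers comparing notes); a manifest served by the same update channel can be targeted just as easily as the binary.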

  • There was no evidence of any of this on the website until recently (maybe 2 or 3 years ago?), and I did look at every page on there. Similarly, I searched on Google for a while and raised the question in more than a few forums. I dug through the business registration records, etc... and found none of the above.

    Sure, now, they have staff photos and the actual names of people on their about page, but just a few years ago it was almost completely devoid of information: https://web.archive.org/web/20190906125729/https://chocolate...

    Look at it from the perspective of a paranoid sysadmin halfway around the world raising a quizzical eyebrow when random Reddit posts mention how convenient it is, but it's distributing binaries to servers with absolutely no obvious links back to any organisations, people, or even a legitimate looking business building.