
Re: Trusting trust [was: PARTIAL DIAGNOSIS of Installation problems]



On Thu, 4 Mar 2021 16:14:08 +0100
tomas@tuxteam.de wrote:

> On Thu, Mar 04, 2021 at 09:21:46AM -0500, Celejar wrote:
> > On Thu, 4 Mar 2021 14:17:59 +0100
> > <tomas@tuxteam.de> wrote:
> > 
> > > On Thu, Mar 04, 2021 at 08:10:45AM -0500, Celejar wrote:
> > > > On Thu, 4 Mar 2021 09:41:13 +0000
> > > > Joe <joe@jretrading.com> wrote:
> > > > 
> > > > ...
> > > > 
> > > > > Undoubtedly. But there is also no doubt that gcc and every other
> > > > > serious compiler in the West has been compromised. Why would they *not*
> > > > > be?
> > > > 
> > > > Do you have any evidence for this, or is it just your assumption,
> > > > because "why would they not be?"
> > > 
> > > You mean GCC specifically or some examples of build chain attacks
> > > in general? Because in the second case there are some nice specimens
> > > out there.
> > 
> > I'm interested in anything, although my comment was focused
> > particularly on things as critical, fundamental, and ubiquitous as GCC
> > and "every other serious compiler."
> 
> Two off the top of my head
> 
> - Sometime 2017 [1], Microsoft put out a version of Visual Studio
>   which baked "phone home" functionality into its compiled "products".
>   Make no mistake: it phoned Microsoft. Imagine you compile an
>   application for your customer, and this app phones... Microsoft.
> 
>   Some hilarity ensued. They said "oh, sorry. It wasn't with bad
>   intentions" and reverted it.
> 
>   I call this pattern "Emergent Evil".

Outrageous, certainly - this sort of thing is one of the reasons I
use linux and avoid Microsoft products to the extent I find practical.
But I don't consider this a "build-chain attack."

> - NPM buildchain attacks are more and more frequent. Just publish
>   a package out there and wait until someone takes the bait.
>   An especially nice one was the event-stream [2] episode, where
>   the malicious code only injected malicious code (yes, really)
>   when it noticed that it was "in" the right build environment.
>   Nice read. I'm sure this ain't the only one in this context.

Agreed - this sort of thing is scary. I know I can't avoid the risk
entirely, but this is one of the reasons I try hard to limit my use of
software to stuff in the repos. I understand it's no magic bullet
against this type of thing, but in my (not very informed) judgment, it's
less likely to happen to stuff that Debian is vetting. I.e., I'm hoping
that all those hoops that Debian makes packages jump through, which
prevent stuff I do want from entering the repos, will work here in my
favor ;)

> Note that I'm no specialist. Otherwise the top of my head would
> be heavier ;-)
> 
> Cheers
> 
> [1] https://www.reddit.com/r/cpp/comments/4ibauu/visual_studio_adding_telemetry_function_calls_to/
> [2] https://lwn.net/Articles/773121/

Celejar
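The event-stream episode tomas refers to above turns on a dependency that behaves normally everywhere except in the one build environment it was looking for, which is exactly the case that a plain "does the test suite pass?" check never catches. The script below is an added example, not code from this thread or from any of the projects named in it: it walks a node_modules tree and flags the two things a reviewer would want to look at first, install-time lifecycle hooks and source files that combine several environment-probing constructs (reading process.env, loading a parent package.json, decoding hex/base64 blobs, eval). The regexes are a heuristic I am assuming here, not an established rule, and the two packages it scans are constructed inline so it runs offline.

```python
"""Heuristic audit of an npm dependency tree for environment-conditional code
and install hooks.  Added example, not from the mailing-list thread above.
The probe list is an assumption (a reviewer's heuristic), not a standard."""
import json
import re
import tempfile
from pathlib import Path

# Lifecycle hooks that npm runs automatically during `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Source-level markers of "look around before acting".  Any one of these is
# common in honest code; several together in one file is what earns a look.
ENV_PROBES = {
    "process.env": re.compile(r"process\.env\b"),
    "parent package.json read": re.compile(r"require\(['\"][^'\"]*package\.json['\"]\)"),
    "eval/Function": re.compile(r"\beval\(|new Function\("),
    "hex/base64 decode": re.compile(r"Buffer\.from\([^,]+,\s*['\"](hex|base64)['\"]\)"),
}

def scan_package(pkg_dir: Path) -> list:
    """Return (package name, finding) tuples for one unpacked package."""
    findings = []
    manifest = json.loads((pkg_dir / "package.json").read_text())
    name = manifest.get("name", pkg_dir.name)
    for hook, cmd in manifest.get("scripts", {}).items():
        if hook in INSTALL_HOOKS:
            findings.append((name, f"install hook {hook}: {cmd}"))
    for js in sorted(pkg_dir.rglob("*.js")):
        src = js.read_text()
        hits = [label for label, rx in ENV_PROBES.items() if rx.search(src)]
        if len(hits) >= 2:  # single probe is noise; a combination is suspicious
            findings.append((name, f"{js.relative_to(pkg_dir)}: {', '.join(hits)}"))
    return findings

def scan_node_modules(root: Path) -> list:
    """Scan every top-level package under a node_modules directory."""
    out = []
    for pkg_json in sorted(root.glob("*/package.json")):
        out.extend(scan_package(pkg_json.parent))
    return out

# Constructed sample tree: one harmless package, one that installs a hook and
# gates its payload on what it finds in the build environment.  Both are
# made up for this example; the hex blob is just "deadbeef" in ASCII.
SAMPLE = {
    "left-pad-ish": {
        "package.json": {"name": "left-pad-ish", "version": "1.0.0"},
        "index.js": "module.exports = (s, n) => s.padStart(n);\n",
    },
    "stream-helper": {
        "package.json": {"name": "stream-helper", "version": "0.1.1",
                         "scripts": {"postinstall": "node setup.js"}},
        "index.js": "module.exports = require('./lib');\n",
        "lib.js": (
            "var desc = require('../../package.json').description || '';\n"
            "if (process.env.npm_package_description === desc) {\n"
            "  var payload = Buffer.from('6465616462656566', 'hex').toString();\n"
            "  eval(payload);\n"
            "}\n"
            "module.exports = function (x) { return x; };\n"
        ),
    },
}

def build_sample(root: Path) -> None:
    """Materialise the constructed tree on disk under root."""
    for pkg, files in SAMPLE.items():
        d = root / pkg
        d.mkdir(parents=True)
        for fname, content in files.items():
            text = json.dumps(content) if fname == "package.json" else content
            (d / fname).write_text(text)

def demo() -> list:
    """Build the sample tree in a temp dir and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "node_modules"
        build_sample(root)
        return scan_node_modules(root)

if __name__ == "__main__":
    for pkg_name, what in demo():
        print(f"{pkg_name}: {what}")
```

Run it and only stream-helper is reported, once for its postinstall hook and once for lib.js. This does not prove a package is malicious, and it will miss anything that hides its probing behind string building; the point is the same one Celejar makes about Debian's vetting, that a cheap review step in front of `npm install` changes which packages get a human look before they run.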

