Do you think National security agencies infiltrate people on open source communities to fill software with vulnerabilities?
Do you think National security agencies infiltrate people on open source communities to fill software with...
Angel Evans
Other urls found in this thread:
Lincoln Hernandez
Yes its called Lennart Poettering the CIA nigger.
Landon Miller
If they don't, they're not doing what I'm paying them to do. On the other hand, I'm also paying them to ensure the security of MY systems. On the gripping hand, it's hard to ensure the security on our work and reduce the security of others' work. Personally, I lean toward letting the bad guys be as secure as I am, rather that my being as insecure as the bad guys are.
Mason Fisher
But they couldn't infiltrate Linux/GNU could they? It's too closely watched, r-right?
Jose Baker
yes
next question
Bentley Allen
>he doesn't know about DUAL_EC_DRBG
Dylan Sanchez
Correct.
Eli Wood
Protip, you are the bad guy and these agencies exist not to protect you, but to protect the global elite from any would-be competition.
Grayson Carter
does that have to do with elliptic curve RNG?
William Fisher
>He doesn't know about the CIA Niggers
But to answer your question seriously, user, the fact that the source code is open means that anyone who tries to put a botnet into a project is completely incapable of hiding what they've done.
Even if they tried to release counterfeit binaries and trick people into thinking it matches the source code, a quick checksum would easily show that the source code when compiled does not match the false program and the NSA dickward that tried to pull that off would simply be laughed out of the room as a shit-tier worm programmer that needs to return to India.
Jose Morris
Dumb programmers that are and aren't on the government payroll make plenty of unintentional vulnerabilities that can be taken advantage of.
Nicholas Garcia
Wasn't there a snowden slide that talked about this? Maybe some user has it at hand and can post it
Juan Diaz
That would be the same bad guys as the ones who strengthened DES against an attack no one else knew about, right?
Owen Powell
not him here. I surely agree about protecting the global elite, but why is he a bad guy?
David Gray
Open source doesn't mean shit once it's compiled
Carter Reyes
>pull out dick to fap
>boot up systemd distro so there's an audience
Not seeing the problem
Anthony Cook
I think he meant that it isn't us who decide who the bad guys are. So, for someone controlling the NSA, you or anyone can be the "bad guy" as long as the one in control wants you to be.
Sebastian Gray
Not explicitly, what you're thinking of is the talk Phk gave about methods the NSA could easily sabotage free/open source projects without spending any money, which was based on the Snowden leaks that hinted this is exactly what they were doing: youtu.be
It's an extremely good talk, you'll start to notice shit like this happening if you look for it.
dj bernstein also has written extensively about attempts to sabotage 'open' standards by intel agency shills worldwide.
Easton Hill
What's stopping NSA from doing that
Aiden Kelly
TOX
Connor Roberts
I don't know if I got it - did he say that microsoft is a partner of NSA a bought skype so that the data now must pass trough microsoft servers where it can be wiretapped?
Jeremiah Flores
...
David Robinson
at 11:00
Benjamin Ramirez
What distros are least likely to get butt fucked by dat gov?
Jaxon Phillips
>Coming with such an autistic plan
>When they just pay up hardware manufacturers to include hardware backdoors and call it a day
Ayden Lopez
I'd rather NSA then Google. Mostly depends on which communities though. I am sure some are and some are not.
Sebastian Thomas
Botan really is best girl though.
Parker Perez
No, they probably just find exploits and keep them private.
Levi Cox
I've skipped the beginning.. it took me a lot of time to understand this was a spoof
Nathan Diaz
>he doesn't know about the SIGINT Enabling Project
jewgle it. It's not exactly open source, but it was a FIPS standard. You have to hear the whole story just to get the full flavor of the fuckery surrounding DUAL_EC.
>he doesn't know about offense in depth
Gavin Johnson
I mean they'd be stupid not to try, but I'd guess only for extremely high value stuff considering how much effort it would take to plant somebody and have them submit helpful code for long enough that they can submit an "accidental" vulnerability and not immediately get reverted. It probably takes way less effort to just comb through and find real vulnerabilities.
Isaac Brooks
>literally anyone can make a Linux distro
>literally anyone can make a repo
It's like asking if you torrent Game of Thrones from a public tracker if you'll get a DMCA.
Easton Baker
Or high impact stuff. A bug in Postfix has a small reach, but a bug in OpenSSL reaches a lot of people and a lot of software, some of which will literally never be upgraded.
I can't prove anything, but if I look at some of the stupid little errors that cause the big named vulns, I start to wonder if they weren't planted. Debian weak-keys, maybe, Heartbleed, almost certainly. Maybe we need to start walking crypto bug writers off the plank, whether it was deliberate or not.
James Kelly
>>he doesn't know about offense in depth
I'd like to know what it is about but duckduckgo said about it "We would like to show you a description here but the site won't allow us." I gont scared and wont open it
Kayden Wood
By analogy to defense in depth. That is, you break a little of everything. Then you can be almost certain at least one vuln will work when you need it and you won't need to escalate to TAO.
Jordan Williams
Most comfy girl fo sho.