Are open source libraries compromised?
Posted by R7950@reddit | linuxadmin | 48 comments
During the interview between Tucker Carlson and Pavel Durov, he implied certain open source libraries could contain backdoors.
How true is this? Any thoughts?
segfault0x001@reddit
Maybe save yourself the time and just don’t watch Tucker Carlson.
kai_ekael@reddit
Tucker "NOT A CARLSON"
-- source, a real Carlson
Mountain_Big_1843@reddit
I’ll bet if you hadn’t mentioned Tucker Carlson you would have gotten different or more meaningful answers. People are so automatically polarized they are just triggered by divisive figures on the left or right.
I have been in technology a long time and I am very sure that there are little known libraries maintained by 1 person that are nested within other libraries that bad actors can absolutely take advantage of. I think of the log4j vulnerability - so much of every single piece of software used that functionality for logging no one batted an eye at adding it to their projects. Turns out that it had a major vulnerability and there was a lot of scrambling everywhere to patch it. I’m also sure that there are critical systems in far flung places that never patched it.
There is a great XKCD for this very problem and people here aren’t considering these at all because they heard you say some magic name.
https://www.explainxkcd.com/wiki/index.php/2347:_Dependency
matthewstinar@reddit
A propagandist interviewing a propagandist is not a sound jumping off point for an intellectual discussion about a consequential subject. Their words carry no weight and are more likely than not to point the discussion in an unproductive or counterproductive direction.
Mountain_Big_1843@reddit
If you really want to understand propaganda try watching the Adam Curtis documentary The Century of the Self. It is very well researched and shows how we all (citizens of western countries) have been victims of intense propaganda for the last 100 years using academic psychological research and the advertising industry. All western governments do it and the hyperpartisan social media atmosphere is a feature not a bug. If you keep your population divided they will be so busy fighting each other they won’t know what is actually happening. This is a long standing tactic used first by the Romans to great effect and then the British Empire and trickled down to the US.
I am a liberal but I now look at everything with a much more critical eye. I’ve been a technologist since the 1980’s and have a good understanding how our current house of cards with regards to our global IT infrastructure could be exploited. Also no legislation has ever resulted from the Snowden leak. There is no reason to just blindly believe that there aren’t state actors - even from within the US government who wouldn’t try to build in back doors to open source code. In fact there’s a long history of tampering - look up what happened with TrueCrypt!!
https://thehackernews.com/2014/05/encryption-tool-truecrypt-shuts-down.html?m=1
https://isc.sans.edu/diary/True+Crypt+Compromised++Removed%3F/18177#
So I don’t know why you are automatically casting disdain on the conversation when indeed what they are saying has already happened multiple times
matthewstinar@reddit
Well if you don't understand why starting the conversation by listening to two people with a reckless indifference for the truth might be problematic, I'm not sure I can help you. I'm not saying a broken clock isn't right twice a day; I'm saying don't start with a broken clock.
Mountain_Big_1843@reddit
You again didn’t even address the technical proof I gave you and instead because someone mentioned the magical words “Tucker Carlson” you discount any point they have to make. Doesn’t this sound a LOT like how Trump supporters will not even consider any evidence to the contrary. You don’t even realize you are doing the same thing. I just proved that technically this is a major concern and they are right.
How do you know the clock is broken? Consider this - Tucker got spit out by the media for whom he enjoyed a quite comfortable life. He has made terrible comments in the past, probably because he got paid handsomely to do so and was encouraged to continue until for some reason obscured to us and known only to Fox and Tucker he suddenly was fired. It doesn’t seem to be about sexism or the usual reasons so one must consider it was some very powerful reason because he was their number one rated show. However - due to cancel culture - we are led to believe that no one can change and that no one can develop a different point of view after receiving new information. Cancel culture doesn’t allow for the actual nuance that is real life. He may have come through that power struggle with a clearer understanding of the power structures in America.
Maybe consider this - he saw the hands behind the terrible puppet show at Fox - which is the same terrible puppet hands behind CNN and all major media. He now is an independent journalist trying to tell you what Carl Bernstein discovered almost 50 years ago - our media has been hijacked by the US intelligence agencies which are not supposed to do things to American citizens. Literally there were no hearings as a result of this very well researched and proven article. There was no legislation. In fact there is no reason on earth to believe that not only this behavior and reckless disregard for our freedom of speech was stopped - instead there’s every indication that it has escalated. This is exactly what Snowden was trying to tell us. There also were zero hearings or legislation as a result of Snowden’s revelations.
You are choosing to not even listen because the name Tucker Carlson was invoked and you have been conditioned to believe that nothing the other side has to say has any value. Look at the behavior of people on the right - you know this is true of THEM. The issue is that you don’t think that it has also happened on the left. You are equally lied to by our politicians on the left and our media.
matthewstinar@reddit
Correct, and I clearly stated why.
Correct. He has clearly demonstrated his character.
Incorrect. I have assessed his character and will not engage with such a person. I'm open to disagreeing with people who communicate in good faith, but he is not such a person.
Mountain_Big_1843@reddit
What about my technical points? I’ve been in technology and have assessed this as an issue for years. This is not due to hearing Tucker Carlson - it was a result of the whole TrueCrypt debacle and Snowden that opened my eyes to the situation.
matthewstinar@reddit
Based on your reasoning above about the non-technological subjects, I'm concluding that you are not about to have a good faith discussion or that you are genuinely an unreasonable person. In either case, I don't see anything positive about discussing the technical matters with you.
I would be happy to discuss the subject with someone who isn't you.
Mountain_Big_1843@reddit
I find you aren’t having a good faith conversation. I brought up TrueCrypt and Snowden and log4j as some of the best examples that open source can be vulnerable. I’m offering to talk simply tech with you and NO politics or monologues of any kind. Are you willing to discuss just the technical aspects of this?
matthewstinar@reddit
I'm having a conversation about how I still refuse to start having the conversation you want to have. I'd have a good faith conversation on the subject with just about anyone who doesn't make excuses for Tucker Carlson and all the other nonsense above.
Mountain_Big_1843@reddit
lol I voted for Biden, Obama, Clinton and will most likely vote for Harris but someone whispers the words “Tucker Carlson” suddenly you think I’m a q-anon supporter and what? We can’t have a conversation? Do you realize just how you sound like a reverse Trump supporter with your fingers in your ears going “la la la la la can’t hear you”. I’m just going to leave this all here so people can decide for themselves.
TrueCrypt proved that bad actors could insert code into open source and obfuscate the purpose. It was such a debacle that people had to not only abandon it but build replacement tools which took months.
Snowden showed us that the NSA and other intelligence agencies don’t give a flying fuck about our civil rights and they are continuing to not give a fuck about our civil rights using both closed source and open source to achieve their objectives.
Log4j showed that little known libraries that are used ubiquitously can have dangerous security flaws that go unaddressed for years and therefore we don’t know what other small utilities or libraries that are integral to our technological ecosystem may end up with similar issues.
scottjl@reddit
Oh yes. When I want the latest in tech news I listen to Tucker Carlson. He knows what he’s talking about. 🤮
TheDunadan29@reddit
Well the Russian Professor he interviewed knows what he's talking about. He probably helped curate some of the malware he's talking about.
scottjl@reddit
Ah yes. When it comes to Tucker and his guests we can always expect total honesty.. 🥸
xlr8mpls@reddit
Did Durov mention how Russian policemen read the content of the chats to the detained person? Or how he specialized in the Russian army in the sphere of propaganda and psyops? Interesting.
TheDunadan29@reddit
Not during a current Psyop. Shhhh! He's working Tucker right now!
wrosecrans@reddit
Lol, don't consider Tucker Carlson interviews a source for infosec. That's just a fucking wild source to take seriously.
Anyhow, some libraries have security problems. Some libraries are open source, and some open source libraries have security problems. The open source ones tend to have a lot more visibility, so the problems tend to get noticed and fixed way more reliably and faster than in proprietary libraries. Regardless of whether you are talking about open or closed source libraries, it's a good idea to keep up to date with software updates because updates contain bugfixes, including fixes for security issues.
FlibblesHexEyes@reddit
That's the thing about Open Source. If there's an issue, there is transparency as the code is there for all to see.
Not so with closed source.
Wouldn't be surprised if this was supposed to be an attack on Open Source by Moron Carlson and co. He probably thinks giving software away like how Open Source does it is "socialist" or some other long word he doesn't know the meaning of.
gleep23@reddit
Tucker Carlson, talking about InfoSec? I immediately think..
What political angle is he playing? What is he trying to sell, or profit from? Which are the important lies, and where is he directing manipulation? Which friends of Tucker share an interest?
R7950@reddit (OP)
TC did not talk about InfoSec, it was Pavel himself saying it. Watch the interview yourself.
wrosecrans@reddit
Lol, I'm not gonna waste my time watching Tucker Carlson interviews. If you need to kill time, do something more productive, like nothing.
TheDunadan29@reddit
And who TF is Pavel Durov? Oh, a Russian? Good God Tucker really has gone full Soviet!
There are so many good Western computer science people to talk to, but Tucker goes to Moscow continues.
CallTheDutch@reddit
He was bought by Russia years ago. Russia likes Pavel Durov.
When it's obvious it's obvious.
franky_reboot@reddit
Wasn't Pavel Durov thrown out of VKontakte due to not suppressing pro-Ukraine news back in 2014?
kreddulous@reddit
That might have been a good cover story. Telegram appears to be open-access to the Kremlin: https://www.wired.com/story/the-kremlin-has-entered-the-chat/ https://blog.cryptographyengineering.com/2024/08/25/telegram-is-not-really-an-encrypted-messaging-app/
This_Bitch_Overhere@reddit
And don’t forget that the “news organization,” for which he works had to legally call itself an entertainment organization due to its loose representation of the news.
FlibblesHexEyes@reddit
Much better way of putting it than I did :D
Should we tell him that his God's social media app Truth Social is just a repackaged open-source app (it's based on Mastodon)?
That would probably freak him out.
RemyJe@reddit
A regular security problem (bugs, poor review, etc) isn’t the same as intentional backdoors. They’re asking about the latter.
wrosecrans@reddit
No. Whether the backdoor is intentional or accidental doesn't actually make any difference to process or security. They are all security problems that need to be found and fixed.
RemyJe@reddit
This is true, but the context of this question is things like XZ.
kreddulous@reddit
Ha ha. Yes, anything can in principle have a backdoor. Maybe Mr. Durov should consider Telegram: https://www.wired.com/story/the-kremlin-has-entered-the-chat/
RemyJe@reddit
Practically unheard of, but it recently happened.
Generally speaking, security of the Software Supply Chain is a real concern, yes.
enigmaunbound@reddit
It's happened. Most recently, and likely what they were referring to, was a backdoor being slow-rolled into the XZ lib used by a bunch of open source projects. https://medium.com/@DCSO_CyTec/xz-backdoor-how-to-check-if-your-systems-are-affected-fb169b638271 This was also identified and corrected before major issues occurred. Sure does make good sound bites for the talking heads.
edparadox@reddit
It should be added that, in the case of the xz lib, it never reached "production". What I mean is yes, it reached Arch repositories, but not Debian's for example.
This is why stability is an advantage for production systems, such as RHEL or Debian.
FryBoyter@reddit
From https://archlinux.org/news/the-xz-package-has-been-backdoored/ there was no real danger under Arch.
amoosemouse@reddit
That’s correct. The code specifically looked for Debian and Red Hat/Fedora style build environments so Arch included the malware in the source but the code never was injected into the liblzma library. If I recall, it’s because Arch does not patch sshd to use systemd notifications and without that, sshd won’t get liblzma into its libraries and the injection can’t happen. (Source: I was one of the folks doing response for a distro when it hit)
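The liblzma-via-libsystemd chain that amoosemouse describes above is something a defender can check on their own host. The following is an added example, not code from the thread, from the linked write-ups, or from any distribution's tooling: it parses `ldd` output for the sshd binary and reports whether liblzma is in the process at all, which is the precondition the comment above describes. The candidate sshd paths, the verdict labels and the two sample `ldd` outputs are constructed for the example; it deliberately does not hard-code affected versions, which must be taken from your distribution's advisory.

```python
"""Check whether an sshd binary has liblzma in its dynamic dependency chain.

Added example for the xz discussion in this thread; not code from the thread,
from the linked write-ups or from any distribution. The verdict labels, the
candidate sshd paths and the sample ldd output below are assumptions.
"""
from __future__ import annotations

import re
import shutil
import subprocess
from pathlib import Path
from typing import Dict, Optional, Tuple, Union

# One resolved dependency line of `ldd` looks like:
#   liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f...)
LDD_LINE = re.compile(r"^\s*(\S+)\s+=>\s+(\S+)")

# Constructed sample output (not captured from a real host).
# A build where sshd links libsystemd, which transitively pulls in liblzma:
DEBIAN_STYLE_LDD = """\
\tlinux-vdso.so.1 (0x00007ffd1a3f0000)
\tlibcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 (0x00007f1b2c200000)
\tlibsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f1b2c100000)
\tliblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f1b2c0c0000)
\tlibc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1b2be00000)
\t/lib64/ld-linux-x86-64.so.2 (0x00007f1b2c400000)
"""
# A build without the systemd-notify patch, so neither library is loaded:
ARCH_STYLE_LDD = """\
\tlinux-vdso.so.1 (0x00007ffd1a3f0000)
\tlibcrypto.so.3 => /usr/lib/libcrypto.so.3 (0x00007f1b2c200000)
\tlibc.so.6 => /usr/lib/libc.so.6 (0x00007f1b2be00000)
\t/lib64/ld-linux-x86-64.so.2 (0x00007f1b2c400000)
"""


def parse_ldd(output: str) -> Dict[str, str]:
    """Map each resolved soname to its path. Lines without '=>' (vdso, the
    dynamic loader) and unresolved ('=> not found') entries are skipped."""
    deps: Dict[str, str] = {}
    for line in output.splitlines():
        m = LDD_LINE.match(line)
        if m and m.group(2) != "not":
            deps[m.group(1)] = m.group(2)
    return deps


def assess(deps: Dict[str, str]) -> str:
    """Classify the dependency chain. ldd lists transitive dependencies, so
    liblzma shows up here even when only libsystemd links it directly."""
    has_lzma = any(name.startswith("liblzma.so") for name in deps)
    has_systemd = any(name.startswith("libsystemd.so") for name in deps)
    if has_lzma:
        return "LZMA_IN_PROCESS"       # liblzma code runs inside sshd: compare its package version with the advisory
    if has_systemd:
        return "SYSTEMD_WITHOUT_LZMA"  # notify patch present, but libsystemd did not pull in liblzma
    return "NO_INJECTION_PATH"         # sshd never loads liblzma, so the injection path described above is absent


def find_sshd() -> Optional[Path]:
    """Locate sshd. The candidate paths are assumptions, not a complete list."""
    found = shutil.which("sshd")
    if found:
        return Path(found)
    for candidate in ("/usr/sbin/sshd", "/usr/bin/sshd", "/usr/local/sbin/sshd"):
        if Path(candidate).is_file():
            return Path(candidate)
    return None


def check_sshd(path: Union[str, Path, None] = None) -> Tuple[str, Dict[str, str]]:
    """Run ldd on the sshd binary and return (verdict, dependencies).
    Returns ("SSHD_NOT_FOUND", {}) when the binary or ldd is unavailable and
    ("LDD_FAILED", {}) when ldd refuses the file (e.g. a static binary)."""
    binary = Path(path) if path else find_sshd()
    if binary is None or not binary.is_file() or shutil.which("ldd") is None:
        return "SSHD_NOT_FOUND", {}
    proc = subprocess.run(["ldd", str(binary)], capture_output=True, text=True, check=False)
    if proc.returncode != 0:
        return "LDD_FAILED", {}
    deps = parse_ldd(proc.stdout)
    return assess(deps), deps


if __name__ == "__main__":
    verdict, deps = check_sshd()
    print(verdict)
    for name in ("libsystemd.so.0", "liblzma.so.5"):
        if name in deps:
            print(f"  {name} -> {deps[name]}")
```

A verdict of LZMA_IN_PROCESS only says that liblzma is loaded into sshd; whether that copy is a backdoored build is a separate question answered by your distribution's advisory and package version, which this script intentionally leaves to the operator.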
archontwo@reddit
I just remember how heartbleed shocked the FOSS community (and businesses) out of their complacency that the internet is a safe place for people. It is not, it is a jungle out there.
Clean-Agent666@reddit
This just in: Software libraries could be compromised!
killfall@reddit
They may have been referring to the shenanigans that happened with xz. The Planet Money podcast did a great episode about it recently https://www.npr.org/2024/05/17/1197959102/open-source-xz-hack
darklinux1977@reddit
This is a non-topic, especially regarding encryption. But, the source code is accessible and documented. Open source is a "new" concept for the general public.
hellqvio@reddit
Sure it can, closed source libraries could contain backdoors too
R7950@reddit (OP)
Closed source libraries for sure, that’s why we go open source. But how many actually take the time to (or know how to) verify the open source libraries for backdoors?
wrosecrans@reddit
I mean, you can just look up the contributors of a library to get an absolute floor on the number of people who are looking at the source code: https://github.com/google/boringssl/graphs/contributors The number of people who have looked at it at least in passing will pretty much always be higher than the number of people who have made changes that were actually accepted. No need to treat this sort of thing as vaguely un-knowable.
Any library in something like a Linux distribution will also have some sort of downstream package maintainers who may or may not be direct contributors, but are ensuring that anything in the distribution meets the distribution's quality standards.
Tons of university CS and infosec courses use audits of open source libraries as coursework, so lots of students outside the scope of maintainers and packagers are constantly looking for any low hanging fruit that will get them something easy to write up to get points. And independent security researchers, and people who work at companies that use the libraries and need to be responsible for systems that depend on them.
Basically, if the security standards of the open source community seem inadequate to you, WTF are you doing using software to post questions on the Internet instead of living in a wood cabin away from absolutely all technology?
hellqvio@reddit
How many take the time to verify closed source libraries?
sudoaptgetnicotine@reddit
You can see the source code so... I guess if it's in there you can see it. So I'm going with press X to doubt
bishopExportMine@reddit
Every single library could contain backdoors. But with open source you at least have the code available to inspect and audit.