HackerLangs
TopNewTrendsCommentsPastAskShowJobs

arter4

no profile record

comments

arter4
·2 ปีที่แล้ว·discuss
>Your "mindset" is basically allowing bad code into the Kernel and hoping that it gets caught.

Not at all. I'm talking about running more and more rigorous security tests because you have to catch vulnerabilities, 99% of which are probably introduced accidentally by an otherwise good, reliable developer.

This can be done in multiple ways. A downstream distribution which adds its own layers of security tests and doesn't blindly accept upstream commits. An informal standard on open source projects, kinda like all those Github projects with coverage tests shown on the main repo page. A more formal standard, forcing some critical companies to only adopt projects with a standardized set of security tests and with a sufficiently high score. All these approaches focus on the content, not on the authors, since you can have a totally good-willing developer introducing critical vulnerabilities (not the case here, apparently, but it happens all the time).

On top of that, however, you should also invest in training, awareness, and other "soft" issues that are actually crucial in order to actualy improve cybersecurity. Using the most battle-tested operating systems and kernels is not enough if someone actually puts sensitive data on an open S3 bucket, or if someone only patches their systems once a decade, or if someone uses admin/admin on an Internet-facing website.
arter4
·2 ปีที่แล้ว·discuss
The "core systems of Linux" include the Linux kernel, openssh, xz and similar libraries, coreutils, openssl, systemd, dns and ntp clients, possibly curl and wget (what if a GET on a remote system leaks data?),... which are usually separate projects.

The most practical way to establish some uniform governance over how people use those tools would involve a new OS distribution, kinda like Debian, Fedora, Slackware,... but managed by NIST or equivalent, which takes whatever they want from upstream and enrich it with other features.

But it doesn't stop here. What about browsers (think about how browsers protect us from XSS)? What about glibc, major interpreters and compilers? How do you deal with random Chrome or VS Code extensions? Not to mention "smart devices"...

Cybersecurity is not just about backdoors, it is also about patching software, avoiding data leaks or misconfigurations, proper password management, network security and much more.

Relying on trusted, TS cleared personnel for OS development doesn't prevent companies from using 5-years old distros or choosing predictable passwords or exposing critical servers to the Internet.

As the saying goes, security is not a product, it's a mindset.
arter4
·2 ปีที่แล้ว·discuss
I guess it depends on the ultimate goal.

If the ultimate goal is to avoid backdoors in critical infrastructures (think government systems, financial sector, transportation,...) you could force those organizations to use forks managed by an entity like CISA, NIST or whatever.

If the ultimate goal is to avoid backdoors in random systems (i.e. for "opportunistic attacks"), you have to keep in mind random people and non-critical companies can and will install unknown OSS projects as well as unknown proprietary stuff, known but unmaintained proprietary stuff (think Windows XP), self-maintained code, and so on. Enforcing TS clearances on OSS projects would not significantly mitigate that risk, IMHO.

Not to mention that, as we now know, allies spy and backdoor allies (or at least they try)... so an international alliance doesn't mean intelligence agencies won't try to backdoor systems owned by other countries, even if they are "allies".
arter4
·2 ปีที่แล้ว·discuss
If it's just an extradition issue, the US has extradition treaties with 116 countries. You'd still have to 1) ensure that user is who they say they are (an ID?) and 2) they are reliable and 3) no one has compromised their accounts.

1) and 3) (and, to an extent, 2) )are routinely done, to some degree, by your average security-conscious employer. Your employer knows who you are and probably put some thought on how to avoid your accounts getting hacked.

But what is reliability? Could be anything from "this dude has no outstanding warrants" to "this dude has been extensively investigated by a law enforcement agency with enough resources to dig into their life, finances, friends and family, habits, and so on".

I might be willing to go through these hoops for an actual, "real world" job, but submitting myself to months of investigation just to be able to commit into a Github repository seems excessive.

Also, people change, and you should be able to keep track of everyone all the time, in case someone gets blackmailed or otherwise persuaded to do bad things. And what happens if you find out someone is a double agent? Rolling back years of commits can be incredibly hard.
arter4
·2 ปีที่แล้ว·discuss
But how? Let's say you're one of 10 maintainers of an open source project. A new user wants to contribute. What do you do? Do you ask them to send you some form of ID? Assuming this is legal and assuming you could ensure the new user is the actual owner of an actual, non counterfeit ID, what do you do? Do you vet people based on their nationality? If so, what nationality should be blackballed? Maybe 3 maintainers are American, 5 are European and 2 are Chinese. Who gets to decide? Or do you decide based on the company they work for?

Open source is, by definition, open. The PR/merge request process is generally meant to accept or refuse commits based on the content (which is why you have a diff), not on the owner.

Building consensus on which commits are actually valid, even in the face of malicious actors, is a notoriously difficult problem. Byzantine fault tolerance can be achieved with a 2/3 + 1 majority, but if anyone can create new identities and have them join the system (Sybil attack) you're going to have to do things differently.
arter4
·2 ปีที่แล้ว·discuss
Indeed. For tech companies and a few non-tech companies but with a strong tech environment (think HFT), IT is where you gain an edge on your competitors. Everywhere else, you win customers because of better prices, negotiating nice deals with suppliers, great salespeople and a good SEO presence, and so on, not because you use the latest Kubernetes version that finally introduces support for that sweet annotation you were looking for, or because you use Quarkus instead of Spring (or whatever).
arter4
·2 ปีที่แล้ว·discuss
It is crazy because it dilutes the interview experience and you never know when it's going to end and when they're going to decide (and actually tell you).

And why should you talk to all those people? Talk to the tech folks, then to the CTO, then the founder, then what, the VC investors, the whole board? Can the CTO not describe the company vision and how IT fits in that picture? It does smell of a lack of vision or an inability to delegate.
arter4
·2 ปีที่แล้ว·discuss
Sure but do you actually need the absolute best people around? An average company probably doesn't need exceptional developers. If you're not a tech company and you don't have an extremely challenging setup, your survival as a company doesn't rely on exceptional IT skills. You can do a lot with less than 10 virtual machines, any decent web app framework (Spring? Laravel?), and a version control system. Even apparently insane requirements are entirely reasonable: 100 thousands transactions per day is... 1 TPS. Make that 10 TPS to adjust for peaks. Unless you're doing extremely complex queries, you can definitely handle 10 TPS with reasonably limited resources.

Meanwhile, cargo culting and FOMO leads companies to adopt tech stacks, interview styles,... that make sense for FAANGs and other unicorns, but not for your average setup.
arter4
·2 ปีที่แล้ว·discuss
>For a typical job there were four or five interviews: an initial interview with a recruiter, an interview with a hiring manager, one or two technical interviews (either live coding, or going through a take-home assignment). There could also be an interview with a product manager, and/or one with a CTO or founder. All in all, quite a time commitment.

This is not news at this point, but it is pretty crazy.