In order for them to check the build, they’d have to engineer reproducible builds anyway. So the costs have already been incurred. Might as well make them available to your auditors at no additional cost, so they can eliminate another trust point.
Replying to @matthew_d_green @taviso and
I also think you’re considering a model where there’s a binary choice between absolute trust and no consequences for serious bugs, and zero trust. There’s a spectrum.
1 reply 0 retweets 3 likes
Replying to @matthew_d_green @halvarflake and
It would be nice if that was true, but every month the major vendors publish dozens of backdoor-equivalent vulns. Doesn't that prove there are no penalties for bugdoors? Worse, there might be social penalties or threats to you for discussing a bugdoor you discovered
1 reply 0 retweets 4 likes
Replying to @taviso @halvarflake and
If you imagine deliberate bugdoors created by nation states, you also have to consider that good bugs can be discovered and exploited in both directions.
1 reply 0 retweets 1 like
Replying to @matthew_d_green @halvarflake and
Not really, you already mentioned Dual-EC. As I understand it, they argue they generated them randomly and it was a genuine spec-bug. You argue it was a bugdoor, but it can only be exploited in one direction, right? The same is true for other bug classes.
1 reply 0 retweets 0 likes
Replying to @taviso @halvarflake and
Like what? I’m curious what kinds of non-cryptographic bugs are NOBUS like Dual EC.
1 reply 0 retweets 2 likes
Replying to @matthew_d_green @halvarflake and
Umm, stack buffer overflow parsing https://vendor/latestversion.txt? Nobody else can exploit that, right?
2 replies 0 retweets 2 likes
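The tweet above sketches a parser for a vendor-hosted `latestversion.txt` with a stack buffer overflow in it. As an added illustration, not code from anyone in this thread, here is what the defensive version of that parser looks like: the response length is checked before any copy, the copy is bounded, and every field is validated, so the parse is correct whether or not the server it talks to is trustworthy. The file format (`MAJOR.MINOR.PATCH` plus a newline), the 32-byte limit and the sample responses are all assumptions made for the example.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical update-check client: parses a "latestversion.txt" response
 * of the assumed form "MAJOR.MINOR.PATCH\n". Written so that nothing the
 * server sends can run past a fixed-size buffer. */

#define VERSION_MAX 32   /* longest response we are willing to parse (assumed limit) */

struct version { unsigned long major, minor, patch; };

/* The fragile pattern the tweet alludes to, shown only as a comment:
 *     char buf[16];
 *     sscanf(response, "%s", buf);   // unbounded copy into a fixed stack buffer
 * It is fine until the server returns more than 15 bytes. */

/* Parse a version response into *out.
 * Returns 0 on success, -1 on overlong, malformed or truncated input. */
int parse_version(const char *resp, size_t resp_len, struct version *out)
{
    if (resp == NULL || out == NULL) return -1;
    if (resp_len == 0 || resp_len > VERSION_MAX) return -1;   /* overlong: reject, never truncate */
    if (memchr(resp, '\0', resp_len) != NULL) return -1;       /* embedded NUL: reject */

    /* Private NUL-terminated copy; its size is bounded by the check above. */
    char buf[VERSION_MAX + 1];
    memcpy(buf, resp, resp_len);
    buf[resp_len] = '\0';

    /* Strip a trailing LF or CRLF. */
    size_t n = resp_len;
    while (n > 0 && (buf[n - 1] == '\n' || buf[n - 1] == '\r')) buf[--n] = '\0';
    if (n == 0) return -1;

    unsigned long parts[3];
    const char *p = buf;
    for (int i = 0; i < 3; i++) {
        if (*p < '0' || *p > '9') return -1;   /* strtoul would silently accept "+", "-" or spaces */
        char *end;
        errno = 0;
        unsigned long v = strtoul(p, &end, 10);
        if (errno != 0) return -1;             /* numeric overflow */
        parts[i] = v;
        p = end;
        if (i < 2) {
            if (*p != '.') return -1;          /* missing separator */
            p++;
        }
    }
    if (*p != '\0') return -1;                 /* trailing garbage */

    out->major = parts[0];
    out->minor = parts[1];
    out->patch = parts[2];
    return 0;
}

/* Compare two parsed versions the way strcmp compares strings. */
int version_cmp(const struct version *a, const struct version *b)
{
    if (a->major != b->major) return a->major < b->major ? -1 : 1;
    if (a->minor != b->minor) return a->minor < b->minor ? -1 : 1;
    if (a->patch != b->patch) return a->patch < b->patch ? -1 : 1;
    return 0;
}

int main(void)
{
    /* Constructed sample responses: a well-formed one and an overlong one. */
    const char good[] = "3.14.2\n";
    char overlong[200];
    memset(overlong, '9', sizeof overlong - 1);
    overlong[sizeof overlong - 1] = '\0';

    struct version v;
    printf("good:     %s\n", parse_version(good, strlen(good), &v) == 0 ? "ok" : "rejected");
    printf("overlong: %s\n", parse_version(overlong, strlen(overlong), &v) == 0 ? "ok" : "rejected");
    return 0;
}
```

The design choice worth noting is that an overlong response is rejected outright rather than truncated: truncation would turn a malicious `latestversion.txt` into a silently wrong version number, which is a weaker but still exploitable outcome for an update check.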
Replying to @taviso @halvarflake and
I’m confused now. I thought you were arguing that there were vulns that could only be exploited by one side, a la Dual EC.
1 reply 0 retweets 0 likes
Replying to @matthew_d_green @halvarflake and
Yes, you understand correctly. Who else can exploit the example I gave other than the vendor?
2 replies 0 retweets 0 likes
Replying to @taviso @halvarflake and
Ah. But that’s a capability that degrades rapidly. And if every latest version is riddled with new bugs, eventually you’ll ring people’s alarms.
1 reply 0 retweets 0 likes
So if, on the second Tuesday of every month, Microsoft published dozens of new bugs, people might stop using Windows?
Replying to @matthew_d_green @halvarflake and
OK, but I'm guessing you still use an OS that has regular security updates of bugdoor-equivalent vulnerabilities? So the point remains, right? There would be no penalty for getting caught shipping a bugdoor.
1 reply 0 retweets 1 like