Rich Freeman via plug on 3 Apr 2024 02:08:41 -0700



Re: [PLUG] XZ scanner


On Tue, Apr 2, 2024 at 10:24 PM Steve Litt via plug
<plug@lists.phillylinux.org> wrote:
>
> Rich Freeman via plug said on Tue, 2 Apr 2024 18:43:44 -0400
>
> >On Tue, Apr 2, 2024 at 4:47 PM Steve Litt via plug
> ><plug@lists.phillylinux.org> wrote:
>
> 2) Nobody I knew wrote bubble sorts for production code.

I certainly know people who have done so.  There are a LOT of
developers out there, and half of them are below average.  Just
imagine how much code is going into projects right now straight from
ChatGPT without any editing...

> >> >Even on something like the kernel or
> >> >a browser I bet you could slowly work your contributors in such that
> >> >they become the majority of eyeballs in a single subsystem and
> >> >become trusted to get code far enough along the QA process that it
> >> >doesn't get as much close attention.
> >>
> >> Yes. This is what happens when software gets big, ugly, entangled,
> >> and poorly designed.
> >
> >Uh, how would you fix Linux or any of the modern browsers so that they
> >aren't "poorly designed?"
>
> How would your $1M/year gang of professionals fix these things? The
> Linux kernel is what it is: We just need to trust the crew for that,

I think you misunderstood my post.  The $1M/yr gang of professionals is
there to make Linux LESS secure, by sneaking lots of pseudonyms into
the project by doing helpful things at first, and then once enough are
trusted you can start having them sneak in exploits.

I see 94 subsystems in the Linux docs whose maintainer status is "odd
fix" - ie they don't have time for anything serious but they can look
at the occasional patch.  Any/many of those could be replaced by a
nefarious actor most likely if they started doing serious work.  You
could probably work your way into bigger subsystems with a bit more
effort. That might not even be needed if you can just get a foothold
in enough minor ones.

This would all be under the radar.  You wouldn't have 10 people
suddenly show up being super helpful and committed despite a lack of a
known corporate affiliation.  Instead you'd have 1000 people slowly
roll in who are in reality 10 human beings with 100 sock puppet
accounts each.  They would all be overworked volunteers who can just
do little things here and there, but they'd all be helpful and would
get in.  They wouldn't appear to have anything to do with each other,
but they could take over entire mailing list threads and review each
other's work and so on.

I'm just pointing out that when projects are dominated by pseudonymous
volunteers it isn't necessarily that hard for somebody to sneak in a
conspiracy.  Look at the first season of Survivor - when an alliance of
three players basically decided who was voted off for the entire
season.  Everybody was just playing "the way they were supposed to"
and not colluding, so a very small group voting as a block could swing
the entire thing.  Of course that only worked for the first season
since after that everybody and their uncle was backstabbing each other
in the way the show became famous for...

-- 
Rich
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
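An added example, not part of the thread and not the kernel project's own code: a small Python inventory of subsystem status in a MAINTAINERS-style file, the kind of check a maintainer or defender would run to see how many subsystems sit in "Odd Fixes" or "Orphan" status with few eyes on them. The sample entries, names, addresses and paths are constructed; the tag layout follows the real file's convention.

```python
import re
from collections import Counter

# Constructed sample in the Linux MAINTAINERS layout (names, addresses and
# paths are made up); real entries use a tab after the tag colon.
SAMPLE = (
    "EXAMPLE NETWORK DRIVER\nM:\tAlice Example <alice@example.org>\n"
    "S:\tMaintained\nF:\tdrivers/net/example/\n\n"
    "EXAMPLE LEGACY BUS\nM:\tBob Example <bob@example.org>\n"
    "S:\tOdd Fixes\nF:\tdrivers/bus/example_legacy.c\n\n"
    "EXAMPLE OLD PLATFORM\nS:\tOrphan\nF:\tarch/example/\n"
)
# Statuses the kernel's MAINTAINERS preamble defines as less than actively
# maintained; "Odd Fixes" is the one counted in the message above.
LOW_ATTENTION = {"odd fixes", "orphan", "obsolete"}
TAG_RE = re.compile(r"^([A-Z]):\s*(.*)$")

def parse_maintainers(text):
    """One dict per blank-line-separated entry (title, status, maintainers,
    files); a block with no 'X:' tagged line (the real file's preamble) is skipped."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        entry = {"title": lines[0].strip(), "status": None,
                 "maintainers": [], "files": []}
        tagged = [TAG_RE.match(line) for line in lines[1:]]
        for m in filter(None, tagged):
            tag, value = m.group(1), m.group(2).strip()
            if tag == "S":
                entry["status"] = value
            elif tag == "M":
                entry["maintainers"].append(value)
            elif tag == "F":
                entry["files"].append(value)
        if any(tagged):
            entries.append(entry)
    return entries

def status_counts(entries):
    """How many entries carry each status, e.g. the 'Odd Fixes' count."""
    return Counter(e["status"] or "Unknown" for e in entries)

def low_attention(entries):
    """Titles with few eyes on them: low-attention status or no listed maintainer."""
    return [e["title"] for e in entries
            if (e["status"] or "").lower() in LOW_ATTENTION or not e["maintainers"]]
```

To run it against a real tree, pass the contents of the kernel's MAINTAINERS file to parse_maintainers in place of SAMPLE; the F: patterns tell you which directories each flagged entry covers.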