Linux Security

JSumrall

Limp Gawd
Joined
Jan 19, 2011
Messages
403
It seems like every day we hear more stories about security breaches, the amount of data that companies are gathering about us without our permission, and the general lack of privacy that has become the norm with use of electronic devices on the internet.

For many years we've probably all downloaded software, free or otherwise, and installed it on our machines. Linux distros, Virtual Machines, remote access apps like TeamViewer, Zoom, Rufus, Libre Office; the list could go on forever. But it's getting to the point where you can't trust anything you download.

Given what took place recently with Solar Winds, a thought crossed my mind regarding Linux security. Given that many distros are 'community driven', what is really keeping some nefarious person, organization, government, or company from inserting malicious code? I mean, we download this stuff and use it every day, but how secure and/or safe is it really?

I've never been a part of working on a distro in any way so I'm just curious if anyone has any insight on whether malicious code could somehow be inserted into a Linux distro and if so, what could be done about it to ensure it hasn't happened?
 

Nobu

Supreme [H]ardness
Joined
Jun 7, 2007
Messages
5,409
It seems like every day we hear more stories about security breaches, the amount of data that companies are gathering about us without our permission, and the general lack of privacy that has become the norm with use of electronic devices on the internet.

For many years we've probably all downloaded software, free or otherwise, and installed it on our machines. Linux distros, Virtual Machines, remote access apps like TeamViewer, Zoom, Rufus, Libre Office; the list could go on forever. But it's getting to the point where you can't trust anything you download.

Given what took place recently with Solar Winds, a thought crossed my mind regarding Linux security. Given that many distros are 'community driven', what is really keeping some nefarious person, organization, government, or company from inserting malicious code? I mean, we download this stuff and use it every day, but how secure and/or safe is it really?

I've never been a part of working on a distro in any way so I'm just curious if anyone has any insight on whether malicious code could somehow be inserted into a Linux distro and if so, what could be done about it to ensure it hasn't happened?
Code review, mostly. A patch comes in, somebody reviews it. "This looks odd, unnecessary, why is it in here?" Submitter explains, and either it's modified, added, or dropped in favor of a better solution.

Some code is also audited by security professionals before acceptance (or at least before it's used at the company), mostly stuff that's also used in enterprise settings like drivers, browsers, the kernel, probably the desktop environment too.
 

JSumrall

Limp Gawd
Joined
Jan 19, 2011
Messages
403
So what if the person assigned to do the code review has been compromised and is actively working to subvert the project, or even the entire project team is part of some hacker group, or government espionage? Is anyone watching the watchmen?
 

Nobu

Supreme [H]ardness
Joined
Jun 7, 2007
Messages
5,409
So what if the person assigned to do the code review has been compromised and is actively working to subvert the project, or even the entire project team is part of some hacker group, or government espionage? Is anyone watching the watchmen?
Then I guess you're SoL, unless you review the code yourself or hire an independant programmer/security specialist to do it for you.
 

longblock454

[H]ard|Gawd
Joined
Nov 28, 2004
Messages
1,941
So what if the person assigned to do the code review has been compromised and is actively working to subvert the project, or even the entire project team is part of some hacker group, or government espionage? Is anyone watching the watchmen?

You could say this for any project, code or otherwise.
 

chithanh

Gawd
Joined
Oct 18, 2010
Messages
869
With Solarwinds one particular problem was that the build server had been compromised, and was injecting the attacker's code into the software builds. So when looking at the source code there would be no backdoor, only the compiled binaries contained it. It is much easier to hide backdoors in binaries than in source code.

Linux distributions protect themselves against compromised build machines through reproducible builds, that means anybody with the source code can compile it and will receive a bit-identical result.
So what if the person assigned to do the code review has been compromised
That is a serious concern, because of the financial incentives to sell (some of the) discovered vulnerabilities to zeroday brokers rather than reporting them to the client. Generally the way to protect against this is to hire several independent code reviewers and hope that they do not collude.
 

JSumrall

Limp Gawd
Joined
Jan 19, 2011
Messages
403
I mean, I know I shouldn't be overly concerned about something that could happen, versus all of the other evil that IS happening with companies like Google, Microsoft, Facebook, Apple, and so many others spying on you and selling your personal data. I'm just trying to think of things I can do to start protecting myself from all the evil that's going on.
 
Top