It’s the damn bloated soystemd bullshit. I use artix btw
Lunduke is an anti-trans racist piece of dog shit. I don’t believe a thing he says.
It’s the first I’ve run across him, but the idea of backdooring a new compiler for a popular language is not really outrageous.
i told you about the systemd bro, i warned you, dog!
🤣
Out of curiosity, how do you put a backdoor into something that is open source with the code available for anyone to review? Also, why Arch? I would think it would be easier to put economic pressure on IBM/RedHat to tinker with Fedora.
He talks about this at the very start. It’s very easy to insert a backdoor into a compiler and very difficult to find it. The video isn’t really about Arch, but the rush to rewrite everything in Rust which is still an evolving language and only has a single compiler implementation. If that gets poisoned then you can poison everything downstream that’s compiled with it.
My programming experience was using basic and punch cards to run simple algebraic equations, so most of the article flew right over my head. I guess I must rethink my assumption that open source is some sort of magic wand that limits the damage that can be done by bad actors.
Basically, the breakdown of Ken Thompson’s terrifying compiler hack is that you can make a self-replicating backdoor. You poison a compiler, and when it builds programs, it slips in a secret vulnerability, like a hidden login. And of course, when you build a new compiler using it, the instructions to create that vulnerability are propagated into the new compiler’s code.
This creates an undetectable chain. Every new compiler inherits the ability to insert the backdoor, passing it on like a genetic trait. You can audit the source code all you want. It will look clean because the poison only lives in the compiled binaries themselves as a legacy passed down from the original infected compiler. And the really scary part is that most compilers are self-hosted, meaning they’re built using older versions of themselves, so once the infection starts it spreads everywhere.
All that means you can’t trust software unless you fully trust the compiler. And the only way to do that would be to hand craft it in assembly since using another compiler can slip in the vulnerability. Our entire digital world rests on a tower of tools we didn’t write and can’t fully verify. It’s a perfect, ghostly hack because it erases its own tracks from the source code, living on only in the executables themselves.
Your technical prowess in seemingly unrelated topics never ceases to amaze me, comrade.
thanks, I try to keep on top of things :)
I think the simplest benevolent example of this is what I call “the newline virus”.
Basically, in most programming languages you represent the newline character inside strings with the escape sequence '\n' (or equivalent), so naively you would expect to see a statement translating '\n' into its ASCII code 10 somewhere in the source code of the compiler, like this:
    case "\n": emit(10);
but most likely, it will just say something like this instead:
    case "\n": emit('\n');
That is, the fact that '\n' == 10 is nowhere to be seen! You only need the initial version of the compiler to state it explicitly; all future versions can rely on the previous compiler doing the right thing.
yeah great example
Can you explain how evaluating checksum doesn’t counter this? I don’t know much about this topic but am quite intrigued.
Checksum compared to what though? Like you have to compile the code first, and if your compiler is compromised then all the code it outputs is also consistently compromised. Checksum isn’t going to help you here. Literally the only way around this is to build a compiler from scratch in assembly, then use that to compile your code.
Thanks for the explanation. I don’t like this. Lmao.
Haha yeah it’s not great. Now that I thought about it some more, I wonder if you could use decompiling to verify that the compiler is doing what it says it does. If you compile a minimal program, and then decompile the assembly, you could see if there are any instructions that shouldn’t be there. It wouldn’t be trivial, but seems like it is a possible way to check that the compiler isn’t injecting something weird.
Compile the compiler? I presume there is some version that isn’t compromised? Or go all the way back to some bootstrapped C compiler?
Like I said, the only way you could really trust it is if you’re not using a compiler to make it. You have to write a compiler directly in assembly and then use that to compile everything else.
I don’t know much about Rust, but from the discussion here, I get that it only has one compiler implementation and that it can’t be verified. So anything compiled with it is, technically, not fully verifiable. It doesn’t matter if the compiler I have on my computer is exactly the same as the one provided by the Rust devs (which is what checksums do), if the one provided by them is already tampered with.
Right, but really the problem goes beyond Rust itself. Other compilers could be compromised as well. Of course, when you have multiple compiler implementations, the situation is better because you can compare differences in binaries they output. Another approach you could take is to make a minimal program and decompile it, and see if there’s anything funky.
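The comparison across compiler implementations mentioned in this exchange is formalized as diverse double-compiling (DDC, David A. Wheeler). The following is an added example, not part of any post in the thread: a constructed toy model in Python where a "binary" is a dict, showing that a self-propagating compiler binary reproduces itself from clean source yet fails a DDC comparison. It assumes deterministic builds and an independent second compiler that is trusted for the purpose of the check; all names are hypothetical.

```python
import hashlib

# Constructed toy model: a "binary" is a dict and "running" a compiler binary
# is a call to run_compiler(). None of this is a real toolchain.
COMPILER_SRC = "compiler v2 source (audited, clean)"
LOGIN_SRC = "login source (audited, clean)"

def run_compiler(compiler_bin, source):
    """Run a compiler binary on source text; return the binary it emits."""
    out = {"behaviour": source,                       # what the output does
           "emitted_by": compiler_bin["behaviour"],   # builder's codegen style
           "hidden": []}
    if "self-propagate" in compiler_bin["hidden"]:
        # Exists only in the binary; no source file contains it.
        if source == COMPILER_SRC:
            out["hidden"] = ["self-propagate"]
        elif source == LOGIN_SRC:
            out["hidden"] = ["extra-login-path"]
    return out

def digest(binary):
    """Stable checksum over the whole binary, hidden parts included."""
    return hashlib.sha256(repr(sorted(binary.items())).encode()).hexdigest()

def ddc_matches(suspect_bin, trusted_bin):
    """Rebuild the compiler from source with an independent compiler, let the
    result rebuild itself, and compare bit-for-bit with the suspect binary."""
    stage1 = run_compiler(trusted_bin, COMPILER_SRC)   # differs in codegen only
    stage2 = run_compiler(stage1, COMPILER_SRC)        # must equal an honest build
    return digest(stage2) == digest(suspect_bin)

# Independent second implementation (assumed trustworthy for this check).
TRUSTED = {"behaviour": "independent compiler", "emitted_by": "n/a", "hidden": []}
# Two candidate vendor binaries, both claiming to be built from COMPILER_SRC.
CLEAN = {"behaviour": COMPILER_SRC, "emitted_by": COMPILER_SRC, "hidden": []}
TAMPERED = dict(CLEAN, hidden=["self-propagate"])

if __name__ == "__main__":
    print("clean passes DDC:   ", ddc_matches(CLEAN, TRUSTED))
    print("tampered passes DDC:", ddc_matches(TAMPERED, TRUSTED))
```

Rebuilding the tampered binary with itself yields an identical checksum, which is why a checksum against the vendor's own build does not detect it; only the rebuild through the independent compiler diverges.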
About this issue:
The self-replicating back door is a… real stretch of an argument. This is the kind of thing that governments and billion dollar corporations think about. It’s (one of) the reasons that Apple has maintained its own programming languages. Big tech agencies often house their own compilers and make their developers use it (even if it’s just a copy of the open source ones) to ensure that if a compiler is compromised, they can continue working on it under their own direction. Also, if Germany could get a self-replicating compiler vulnerability in a compiler, it would hit much harder and further to just attack GCC, which is the main compiler for 90% of C code, which is 90% of the infrastructure of software (Yes, many of those language libraries you use, use C underneath, or at least, their compiler is written in C).
Furthermore, this is a problem for any language that only has one compiler, and a second implementation of Rust has been in the works for GCC for awhile (gccrs I believe). Also, there’s many many places where there’s a push to move C code to Rust to increase security, this isn’t ‘weird’.
There are so many other problems to consider before going down this route. Supply chain attacks, trust verification, code signing, all these come in play way before this. Plus it’s not like Germany owns Rust, they can’t necessarily inject a compiler issue into Rust the way Lunduke argues.
The real issue is that most security vulnerabilities are caused by things Rust seeks to fix, use-after-free and double-free causing crashes that can be taken advantage of by a clever malware writer. Writing in Rust is (a slow and somewhat painful way of) making software more secure, not less.
About the agency
Additional note, this govt agency (and I’m no fan of Germany’s govt necessarily, but just to note) has given millions to many open source projects. Let’s encrypt, pypi, yocto, the openprinting stack, activitypub (you know, from the fediverse, how this platform runs…). They’ve also recommended languages other than Rust for projects too.
About Lunduke
He’s a racist transphobe maga hat wearing techie (keeps the hat hidden, also don’t know if he’s actually a fan of trump, but he’s an alt-right conspiracy theorist). I’m “passionate” about talking about him because I followed him for a number of years, now kinda regrettably (we all make mistakes, it’s best to learn and move on, but still, this one hurt, I was a big fan for awhile).
He used to live in Portland, Oregon, and during the pandemic, he moved away because the city had become something that he “didn’t like”. That was when the city started to show its real anti-fascist and anti-Trump sentiments. That was also when the whole anti-police movement happened in Portland and Seattle.
I became suspicious of him after that, and then he basically said that he didn’t want to talk in public about the things he actually wanted to talk about, but that you could pay him money to subscribe to his journal and he would actually discuss those topics. He then left YouTube on his other channel and, I think, left the Lunduke Journal channel, but later came back for a video once in awhile.
I found some of his writings that were public and non-paid, and he talked about anti-trans topics, gender-neutral bathrooms, and things like that. He has a big enough base that he can pretty much single-handedly create controversy. Although he’s a big Linux fan, he’s a massive critic of all the diversity, equity, and inclusiveness that the field tends to promote.
He really fuels the conspiracy that “the left” is the worst part of technology. He wants to make technology seem like a right-wing thing. He’s been denouncing the fall of Linux for a while now, mostly because he thinks the developers of Linux are too woke.
Big tech agencies often house their own compilers and make their developers use it (even if it’s just a copy of the open source ones) to ensure that if a compiler is compromised,
That’s precisely what makes Rust appealing here with it being a new language and only having a single compiler implementation.
Also, there’s many many places where there’s a push to move C code to Rust to increase security, this isn’t ‘weird’.
I actually do find it weird that there’s a massive push to rewrite all the stable and battle tested software that’s been known to work fine for decades in a new language that’s still evolving.
There are so many other problems to consider before going down this route. Supply chain attacks, trust verification, code signing, all these come in play way before this.
Why assume that’s mutually exclusive? Intelligence agencies would pursue a multi pronged approach, and if one trick works that’s all you need.
The real issue is that most security vulnerabilities are caused by things Rust seeks to fix, use-after-free and double-free causing crashes that can be taken advantage of by a clever malware writer. Writing in Rust is (a slow and somewhat painful way of) making software more secure, not less.
Sure, the idea of Rust seems generally useful. However, the features Rust provides are entirely tangential to the discussion.
Additional note, this govt agency (and I’m no fan of Germany’s govt necessarily, but just to note) has given millions to many open source projects. Let’s encrypt, pypi, yocto, the openprinting stack, activitypub (you know, from the fediverse, how this platform runs…). They’ve also recommended languages other than Rust for projects too.
That of itself doesn’t really let us know anything one way or the other.
Finally, I personally was not familiar with Lunduke, sounds like he’s a massive piece of shit. I don’t think that has anything to do with the question of whether it is problematic that there’s a mass push to rewrite mature software in a new language that only has a single compiler implementation.
So for sure, everything you said is correct. One compiler, the push to rewrite software (This one I do 100% agree with, I do write Rust, but for greenfield stuff, it’s not really useful to rewrite working, stable, secure software, in Rust). Security work isn’t mutually exclusive, and what agencies do elsewhere doesn’t represent what it does here.
I guess my best argument here is that I don’t think Lunduke cares about what he claims, I think he’s a right wing propagandist that looks for any reason, no matter how small, to push controversy and pull people to his blog to make money.
So yeah, you’re right, security wise it’s not a nothing burger, and is suspicious. Though I will still say that even though the Rust evangelists have rightfully been told to back off a bit, there’s lots of companies that have decided to rewrite a lot in Rust.
Sure, Lunduke is a terrible person and we obviously shouldn’t take anything he says as gospel. But the conversation itself is very much worth having. It’s too bad he had to be the guy to bring it up since that immediately taints the whole discussion. I didn’t really think to look him up when I saw the video, otherwise I would’ve just made a post without referencing him.
Fair!
I watched a long video from that guy once. He is a racist sexist crybaby who doesn’t know how to think or research.
never heard of him before
Yeah, not everything he says is necessarily garbage, but he’s a maga hat wearing techie who keeps the maga part under wraps because of the “woke police”. He has a written blog that’s more public, and talks anti-trans and whatnot.
He’s convinced all govt is bad, but not for the reasons us commies do :P
Rule of thumb is that if he’s complaining of something, it’s probably some alt-right nazi shit underneath (But a broken clock is right twice a day soooooo)
Yeah, it’s definitely good to know for the future. The particular point he raises here is definitely a valid concern, the fact that compilers can be poisoned is definitely something people should be more aware of.
I trust nothing by this person. Disappointed to see people reference them here. All probably FUD.
We don’t have to trust him on anything here. The problem he describes is unfortunately very real.
What other distro should I use then? I have used Arch for the past 5 years or so
It’s more about Rust compiler getting compromised rather than Arch specifically, but it is speculative at this point.
Oh man I didn’t realize that the video is from the Lunduke Journal, I just read the headline. He is a reactionary in line with American MAGA conservatives and lets that shine through in most videos and also generally believes in some conspiracy etc
this one was my first encounter with him, tech sector is full of reactionaries unfortunately
'twas fedora for me. I switched after arch broke my browser and after a month of tinkering around i just gave up.
artix
spoiler
btw
I wonder if there exists, or could be created, some sort of compiler checker for the binaries it creates to check for this sort of thing.
You’d have to trust the checker.
Personally, I doubt this. Putting aside the fact that this is coming from Lunduke, it’s not uncommon for governments or companies to sponsor open source projects. The STF currently also invests in various projects like Python and ActivityPub, I don’t see this as necessarily nefarious and seriously doubt this is some evil scheme to backdoor arch.