Nice guy or spy? A preliminary overview of security management
Hi frens,
A maintainer had been contributing to the popular xz package since 2021, with the malicious activity only coming to light recently.
We have witnessed a backdoor being injected, and fortunately, yet accidentally, unveiled by a third-party developer.
Here’s a brief overview of that incident:
To summarize in one question: how should we trust?
We’re in a cooperative society. We rely on various professionals to build our lives. As software engineers, we don’t read every single line of source code we incorporate; it’s impractical.
Let’s take a real-life example. Do we really check how every meal is prepared and trace the origin of each ingredient before we eat? That’s impossible. Instead, we trust the chef, the restaurant, and the safety controls in the food industry. And yet, we had a severe contaminated-food incident in a department store. Two lives were taken by the deadly and rare bongkrekic acid.
Should we trust safety controls or any management system? Sure, it’s probably the only systematic solution that scales. Typically, a management system such as ISO involves a third party conducting external audits. With increased involvement from auditors, consultants, and other specialists, the process quality is expected to improve.
In the web3 world, people are quite obsessed with code audits to secure their crypto assets. That’s good. However, you may have heard that external audits are generally expensive. Introducing tiered security standards could offer more affordable options, enhancing industry-wide protection and adoption.
Here’s the tricky part: What are the standard requirements? How did the audit proceed? Is the quality maintained consistently?
How can we establish trust in these validators or systems?
I appreciate the Bitcoin ethos of “Don’t trust; verify,” emphasizing verification over trust, and I believe more people should be entitled to verify.
That’s one of the reasons why I generally love open source software. As software engineers, we can look into the code and even compile the software ourselves. And that’s how the xz package backdoor was unveiled.
Those are hawk eyes and standardization from the outside. From the inside standpoint, we need people with craftsmanship who care about details in their daily work. Even though I mentioned that “we don’t read every single line of source code we incorporate,” an experienced engineer would limit the scope of third-party libraries and often review the main source code multiple times. Experienced software engineers typically read code much more than they write it.
However, there’s another notion that “code will be rewritten in a few years anyway,” so let’s “move fast and break things” in the product business. That would require a broader discussion, and it represents a fundamentally different set of values. Let’s leave it for the future.
Your friend,
Denken