What US based open source software should one reconsider after Jan. 20? (lemmy.zip)

submitted 1 day ago* (last edited 1 day ago) by sith@lemmy.zip to c/cybersecurity@sh.itjust.works

19 comments fedilink hide all child comments

I'm thinking that software like Signal, Bitwarden, Firefox and RHEL is more likely to be pushed (by unconventional methods) to introduce backdoors under Trump 2.0. Less complex software that is developed by an international community is of course less suseptible.

What do you think? Will the risk be higher during Trump 2.0 or is the FOSS community diverse and international enough? Am I just paranoid and irrational?

Closed source software and cloud is of course a no brainer since always. But clompex FOSS with centralized development and hosting pretty much suffers from the same problem.

top 19 comments

sorted by: hot top controversial new old

[-] sugar_in_your_tea@sh.itjust.works 1 points 45 minutes ago

Will the risk be higher during Trump 2.0

Why would it?

I think you're paranoid and irrational, and should probably step away from social media and go talk to some actual Trump supporters. That's not me, but my family largely voted for that clown, so I think I know a thing or two about what his supporters want.

In essence, they want Trump to cut spending, stop drug trafficking, and create jobs. I think it's far more likely that he cuts the FBI and related law enforcement and potentially merges them than to put them on the attack. He cares more about stopping illegal immigration than spying on residents, so that's where his attention will be.

FOSS

FOSS + self-hostable is always the right answer. I don't think who the President is matters all that much because data requests are an agency level thing and not something the President or even the cabinet member is involved in (outside of perhaps very high profile issues).

If it's not on your machine, you won't know if the server admin has been forced by the courts to give up the data. I use a VPS, but it doesn't actually store anything, it just forwards packets to my computer on my network, so if LE wants my data, they have to get it from me directly.

If you're paranoid about the government spying on you, it doesn't matter who's in the Oval Office, what matters is if they can get access to your data without you knowing. So my tier list for this is:

Self-hosted, FOSS, E2EE with no data stored on the server (e.g. Simplex)
Self-hosted, with data stored on the server (e.g. Matrix) - only if it's on your LAN
FOSS client, E2EE (e.g. Signal)
Hosted in a country with strong privacy protections and no agreements with your country for exceptions (e.g. Proton)

Pretty much everything else is unacceptable IMO.

[-] theonlytruescotsman@sh.itjust.works 15 points 1 day ago

The old adage isn't just for show; if you're up against a state actor, or believe you need to secure yourself against a state actor, you're fucked.

That being said if you're not already secured against the 5/13 eyes and you think Trump makes a difference you're too naive to ever be targeted and nothing you do matters to them.

Trump makes no difference in terms of the US government attempting to breach privacy. Every anti privacy measure the US has ever pushed has been bipartisan, including the patriot act which was written by Joe Biden. You're not paranoid enough or far too paranoid.

[-] schizo@forum.uncomfortable.business 14 points 1 day ago

I mean, if you want to carry that line of reasoning out, the Linux kernel is governed under a US-based foundation, so should the kernel itself be suspect?

How about FreeBSD? Or something like Debian? Or Ubuntu, which isn't US-based but they're in a typically cooperating jurisdiction?

You're def being paranoid and somewhat irrational, since it's unlikely to happen and if it did, it's not like you could trust anything at all anyways.

[-] wildbus8979@sh.itjust.works 1 points 1 day ago* (last edited 1 day ago)

Why roll Debian in that? It doesn't have a formal structure. I know it's kind of moot, but still.

[-] schizo@forum.uncomfortable.business 5 points 1 day ago

Well, yes, it does: https://www.debian.org/intro/organization

But the corporation that handles all their funding and owns their trademarks is in the US, so they're possibly subject to the same pressure. And of course a good number of those people in that org tree are in the US, so again, same issue.

My point was more 'this is silly, because if you REALLY think that, there's nobody and no project that's got any ties at all to the US that can be considered safe, and you should maybe get rid of all your computing devices now', rather than an intent to say that Debian or anyone there is at more or less risk.

[-] wildbus8979@sh.itjust.works 1 points 1 day ago* (last edited 1 day ago)

While the organizational structure exists, it isn't represented in a legal manner like a 501c3.

Software For The Public Interests is, but they only handle trademarks and like you said some rare funding.

[-] schizo@forum.uncomfortable.business 5 points 1 day ago

Sure, but the way this usually works is that the government tells you to do something and if you don't, they'll find someone (or a couple of someones) on that list, arrest them, and charge them with a crime.

Doesn't matter if they did the crime, and it doesn't matter if they'd be convicted, but the play is to keep your friends in jail until you capitulate to what they want. This is actually something that's happened with tech companies before, like what they did with GoDaddy's C-level in India.

The problem is that there's no damn way I'd want to be arrested by the upcoming US administration, because I'd bet $100 that their playbook will portray not doing what they're demanding as a national security or terrorism offense, and if you've been watching ANYTHING for the last damn near 25 years, that's a free pass for them to basically just vanish you until they feel like doing otherwise.

It's fantastic leverage against organizations that have US people and are, presumably, not willing to just let their friends spend who-knows amount of time in prison, and could probably result in some cooperation.

And I'm about to both get downvoted and WELL AKSHULLY'd about how you can't just vanish people under the US justice system, and sure, you're technically correct. Except we've passed law after law after law since 9/11 that have basically given the government the ability to do any damn thing they please if they call you a national security risk or terrorist, up to and including Gitmo, in case you've forgotten that existed: which you shouldn't have, because we STILL have prisoners sitting there.

This is doomer as fuck, and horribly unlikely, but so is a demand to stuff backdoors into everything. But, if we head down that road, the only safe software will be ones that can't be blackmailed like this which is essentially none of the major projects.

[-] sith@lemmy.zip 0 points 20 hours ago* (last edited 20 hours ago)

Ditching the Linux kernel is probably a good idea. Or at least run your own fork. Which I expect that many state actors and large companies already do. Also, I suspect that we'll see more large public kernel forks sooner rather than later. Even sooner if Linus retires.

To be honest, I don't care that much for myself. Guess I wasn't completely honest in OP. I'm just a nobody who gladly exposes his soft parts in exchange for cheap and easy access cat videos and general dopamine. Rather I'm thinking about what strategies policy makers, companies, NGOs and the general public should consider, as we crash into even more exciting times.

[-] sugar_in_your_tea@sh.itjust.works 1 points 39 minutes ago

Ditching the Linux kernel is probably a good idea.

It's certainly not. There are so many actors with opposing agendas that are motivated to keep it secure that its incredibly difficult to slip something through.

If you're going to attack Linux, you won't attack the kernel, but instead you'd go for some obscure component that most distros use but is only maintained by one or two people (e.g. xz).

If you abandon Linux, you're likely going to have more vulnerabilities. Security through obscurity is no security at all.

[-] orbital@infosec.pub 15 points 1 day ago

To answer your question, yes, you're being paranoid and irrational.

[-] orvorn@slrpnk.net 4 points 1 day ago

That depends on your threat model, like most things.

[-] BaroqueInMind@lemmy.one 11 points 1 day ago* (last edited 1 day ago)

Paranoia is good, but in this case, all the software you mentioned may already be compromised.

[-] corsicanguppy@lemmy.ca 6 points 1 day ago

RHEL is more likely to be pushed (by unconventional methods) to introduce backdoors under Trump 2.0.

Source is open, and every part of the build can be reproduced openly -- and every file in the deliverable is checksummed into a signed manifest. You can tell when a file is polluted or just rebuild.

Enterprise OSes are different. Levels of validation is one way.

[-] Brkdncr@lemmy.world 4 points 1 day ago

The US has historically had better luck with foreign closed source software/hardware.

[-] baatliwala@lemmy.world 2 points 1 day ago

What is on Jan 20?

[-] M1nds3nd@lemmy.ca 5 points 22 hours ago

The orange std officially infects America.

[-] baatliwala@lemmy.world 2 points 12 hours ago

My condolences

[-] sunzu2@thebrainbin.org 2 points 1 day ago

I don't see how Trump makes any difference or how his second term has anymore impact on the glowies and their desire to spy on everything.

You have to assume everything is back doored, you are just making your fed earn his salary with some good habits.

As others have said... Touch some grass lol

Jfc

[-] thezeesystem@lemmy.blahaj.zone -3 points 1 day ago

Your not being irrational, but paranoid but I think in a good way. Many people here don't understand what horrible things may happen to disenfranchised people next year with ~~Nazism 2.0~~ project 2025.

Good to learn and understand these things and figuring it out to help others. Wish more people looked into this. I may not know but makes me feel helpful others are looking into these things more

this post was submitted on 21 Dec 2024

21 points (74.4% liked)

Cybersecurity

5847 readers

48 users here now

c/cybersecurity is a community centered on the cybersecurity and information security profession. You can come here to discuss news, post something interesting, or just chat with others.

THE RULES

Instance Rules

Be respectful. Everyone should feel welcome here.
No bigotry - including racism, sexism, ableism, homophobia, transphobia, or xenophobia.
No Ads / Spamming.
No pornography.

Community Rules

Idk, keep it semi-professional?
Nothing illegal. We're all ethical here.
Rules will be added/redefined as necessary.

If you ask someone to hack your "friends" socials you're just going to get banned so don't do that.

Learn about hacking

Hack the Box

Try Hack Me

Pico Capture the flag

Other security-related communities !databreaches@lemmy.zip !netsec@lemmy.world !securitynews@infosec.pub !cybersecurity@infosec.pub !pulse_of_truth@infosec.pub

Notable mention to !cybersecuritymemes@lemmy.world

founded 2 years ago

MODERATORS

kid@sh.itjust.works

Lanky_Pomegranate530@midwest.social