Buy Google ads on curl search and present a download page with a backdoor?
All of these assume that the developers are to be trusted. What if that is not the case? What if Daniel goes rogue?
Trust is an interpersonal thing. If you don’t trust Daniel or anyone who reviews his work, then you just have to use something else that is controlled or reviewed by people you trust enough.
No technical measure will get you around that.
You put curl in a sandbox on your machine.
That’s ok for privilege escalations, but many other backdoors are possible. A sandbox won’t help you if curl is patched to generate TLS keys guessable by a third party.
Then you can either not run it and run something else, or you can audit the source code and then build it (instead of relying on distro/other package management to build possibly unknown source for you).
It’s a nice idea, but not realistic for any normal project. People don’t have the time/budget/skills to do this. Realistically it’s cheaper to write the part of curl you want to use yourself than to audit curl to a degree where you have confidence there’s no hidden backdoor.
My point being, those are your options. That’s it. If you trust no one, then write things yourself.
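Picking up the suggestion above of auditing the source and then building it yourself: the first thing a practitioner would bolt on is a check that the archive about to be audited is the one they meant to get, which is exactly what a fake download page (like the ad-bought one mentioned at the top of the thread) defeats. This is an added example, not code from this thread or from the curl project; the function names `verify_tarball` and `sha256_of`, the demo file and the pinned digest are all assumptions. It only establishes that the download matches a digest pinned from a channel you already trust; it does nothing about a rogue developer, which is the thread’s point.

```shell
#!/bin/sh
# Added example (not from the original thread): refuse to build a source
# archive unless its SHA-256 matches a digest pinned from a channel you
# already trust. This proves "what I downloaded is what I expected"; it
# says nothing about whether the people who produced it are trustworthy.

# Print the SHA-256 of a file, using whichever tool the system has.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d ' ' -f 1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d ' ' -f 1
    else
        openssl dgst -sha256 -r "$1" | cut -d ' ' -f 1
    fi
}

# verify_tarball FILE EXPECTED_DIGEST
# Returns 0 when the digest matches, 1 otherwise. Digest comparison is
# case-insensitive because published digests are sometimes uppercase.
verify_tarball() {
    file="$1"
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file matches pinned digest"
        return 0
    fi
    echo "MISMATCH for $file" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
}

# Demo on a constructed file (hypothetical, not a real curl release).
# The pinned value is the well-known SHA-256 of the three bytes "abc".
DEMO_FILE=$(mktemp)
trap 'rm -f "$DEMO_FILE"' EXIT
printf 'abc' > "$DEMO_FILE"
PINNED_DIGEST=ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad
BOGUS_DIGEST=0000000000000000000000000000000000000000000000000000000000000000

verify_tarball "$DEMO_FILE" "$PINNED_DIGEST" && echo "proceed to audit and build"
verify_tarball "$DEMO_FILE" "$BOGUS_DIGEST" || echo "do not build"
```

In practice the pinned digest would be recorded from the project’s own release announcement (or a signature you verified) the first time, and kept in your build scripts; on a mismatch the script exits non-zero so whatever calls it under `set -e` stops before configure or make ever runs.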
Kind of reminds me of Ken Thompson’s classic ACM Turing Award Lecture, Reflections on Trusting Trust. He talked about getting a Trojan Horse into the system via the C compiler.
It’s been a while since I last read that; it is indeed a classic.
Reminded me of a story a family member shared: they worked in a secure office, the sort of place with Faraday cages and truly air-gapped networks. A breach had been detected in one of the offices, and “everything with a microchip needs to now go in the shredder,” they were informed, as someone turned up with a big machine with teeth on wheels.
An entire room of equipment was destroyed that day, to be replaced the same day, because it had lost all trust, all because one machine on that network was potentially compromised.