For open source/free software code, provided that it is well designed, transparent, and straightforward to review, its nation of origin does not matter. The history can be relevant to maintainers, to understand why certain decisions were made. But "this code was written by someone in country-I-like" is not a code review shortcut.
"Straightforward" might not be a great choice of words, BUT, if you have enough money and engineers, you could get them to do a full audit of everything. The source code is freely available, there's nothing stopping you.
Compare this to something like, for example, TikTok, where the code is completely closed. The only kind of auditing one may do is looking at network traffic, and maybe some disassembly/hex-editing.
I'm not saying that everything needs to be OSS but it is nice to have options.
Also, in the specific case of the kernel, the auditor would only need to audit the subset of code they plan to compile and use. A lot of the kernel code is drivers and the auditor probably doesn't need all of them.
Source code access makes surprisingly little practical difference for discovering security vulnerabilities. People routinely find security vulnerabilities in major closed source operating systems like Windows and iOS and submit their findings to MS/Apple for bounty, or sell them to exploit brokers. Reverse engineering tools like Ghidra can decompile code back to C to make auditing easier, and black box fuzzers have proven massively useful for discovering vulnerabilities without auditing code line by line.
Tiktok is far smaller, and has a smaller attack surface. If there was money in it, people would audit Tiktok all day.
Open source makes security vulnerabilities and bugs somewhat easier to discover, but the real benefit is that it makes them easier to fix once discovered. With proprietary closed-source codebases, you must wait for them what have access to fix anything reported, which in some cases never happens, or can take a very long time. With open source, anyone who has the knowledge and skill can step up and fix anything they feel like, and submit said fix back to the codebase for review and possible inclusion, or fork the code and apply the fix themselves if necessary.
>On the other hand, some pundits believe nefarious foreign state data access is the greatest existential threat to the safety of the world’s richest democracies.
Id say its something else entirely. Zucc needed a foil to get the president trained on something other than his own platform which, until the convenience of TikTok, was looking at serious legislative curtail. Knowing our president has the attention span of a jack russel terrier made it all the easier to torpedo what is arguably his biggest competition for Gen Z and younger, the lifeblood of his platform and what his advertisers arguably want the lions share of.
I find it silly that this is seemingly the same privacy issues other privacy conscious people have pointed to for years with the more legacy tech/SM companies. However, now a Chinese company comes into the picture and it’s a big deal. Pretty sure if China govt wanted this data so bad they would have it, probably do.
Why is it silly that Americans and the US government would make a distinction between a US-based company and a Chinese company? The CCP certainly makes this distinction.
Maybe I’m just in a cohort that doesn’t trust US companies with this data either. If it’s stored, CCP can find a way to get it, it’s probably as easy as offering to buy it. So I don’t see a big difference. I operate from a mindset that TikTok isn’t opening a new floodgate of data. Maybe I don’t fully understand what data they’re allegedly collecting and if it’s any different than what Google, FB would have on an active user. That said, I still don’t agree that we should strive to be like CCP in terms of censorship, audits, govt regulations, etc.
Probably the issue then is that the US government trusts US companies more than Chinese companies, when they shouldn't. I agree with the parent company that if China wanted this data they could probably get it very easily and they most likely probably have it.
The frustration is that for years, privacy advocates have been trying to find the right set of words to make people understand that it is bad for US companies have so much data on so many Americans. The argument is always dismissed as not being an important issue, or that it's good for rooting out terrorists or pedophiles. But privacy advocates have also been saying this whole time, "what if this data falls into the wrong hands" on deaf ears.
In an ideal world we would ban TikTok but also regulate how user data is obtained, stored, and used by US companies.
Trust is based on shared information, therefore access to backdoors is reality of what’s at stake. This spectacle to inform the targeted populace on this one is just modern rallying around the flag. If there were a higher motive than the current fight for most-privileged relationship status between govs and corps this news could be more interesting.
My problem with this is now it shifts the goal post on what's considered bad. Chinese companies collecting data is bad, US companies collecting data is better so we don't focus on it as much. When in fact in general massive data collection is a problem and should be dealt with. This is providing a smoke screen.
The US has much stronger legal barriers and recourse for abuse of data as well as strong separation between state and industry. It's not hard to think of why corporate data collection should be treated very differently in the two countries.
Unfortunately, only "top tier" companies really care about your data. I get where you are coming from, I just wish we'd also pass legislation that did something about negligent custodians of data.
It's not just about whether the US government trusts US companies more than Chinese companies; it's about gaining access to that data.
You can issue warrants warrants for your own jurisdiction, within your own country. Once data crosses country borders, it's much harder to get access to. The US (understandably) wants this data within their own country. Similarly, China also wants this data within their own country.
I certainly trust Chinese companies more than US companies as long as I don't think the Chinese government is interested in hurting me or anyone I care about, at which point I trust US companies more - even if the US government also wanted to get me.
So having the data in the hands of US companies - problem,
having the data in hands of Chinese companies - maybe less of a problem,
having the data in hands of Chinese companies when Chinese government doesn't like me for any reason - really big problem,
having the data in hands of US companies when American government doesn't like me - approximately as big a problem as before (depending on what reason US doesn't like me)
> as long as I don't think the Chinese government is interested in hurting me or anyone I care about
I can't imagine why you don't think that when the CCP actively pursues Chinese activists and Uighur Muslims, including Chinese-Americans with ties (like family) to the mainland. Or maybe those people just aren't anyone you care about.
sometimes stating something as a hypothetical - in which to give the widest possible latitude to opposing viewpoint in order to still triumph over it - can attract the attention of indignant moralists who then hector that no possible latitude must ever be given in argument; for those who give latitude are wallowing in corruption.
I generally think it's more productive to address assumptions and arguments head on instead of vaguely implying that criticism of your hypothetical scenario comes from indignant moralists. Perhaps there's a fault in my criticism you want to address? If you have something to say about the comment instead of the person who made it, I suggest you express it clearly and directly.
I argued one possible reason why people should fear Chinese companies more than American, you seem to be in agreement that people should fear Chinese companies as well, but the argument I used was not your argument, at which point you implied that there was something morally deficient with me (at least that is how I read your comment: "Or maybe those people just aren't anyone you care about.") for not making the argument you find preferable.
>vaguely implying that criticism of your hypothetical scenario comes from indignant moralists.
No, just your criticism so far. I'm sure there are other criticisms people might make but I read yours as an accusation of being morally bad for not hitting the notes you want hit, as if by not hitting those notes in this comment I cannot ever do so in another one should I feel the timing is right.
I guess you also feel you were making a comment on my immorality because otherwise you would have said something like "you've misread my comment, perhaps don't be so quick to aggravation"
I wasn't commenting on your morality and I probably could have phrased it more neutrally. I wanted to point out that China's actions aren't a mystery, so the scenario that you appeared to phrase as a possibility/hypothetical is more clear cut than that. I honestly found it odd that you'd phrase it with "as long as I don't think..." as if China's actions aren't well established.
My last sentence "Or maybe those people just aren't anyone you care about" isn't necessarily some kind of veiled insult, it's a real position that some people hold and one that I offered as an option. There was actually a reply to my comment (it's currently flagged so you may not be able to see it) that implied China's actions are justified because Falun Gong is a separatist group. This kind of reasoning is not uncommon in Chinese nationals, among others.
fair enough, I had meant "as long as I don't think" as something akin to a parameter passed to a function changing the result of that function, not as a true reflection of my current state of mind about anything.
So that said, sorry for taking offense. I guess I am on edge recently.
I don't trust US companies with the data either, but let me tell you the difference I see.
- US companies have data. Law requires that government must ask or hack to get that data.
- Chinese companies freely share data and government has unfettered access.
There's a fine line and I have 3 points to make.
1) In one companies can say "no." In the second, companies can't. The ability to say no is important because as consumer opinion is changing we've seen more companies exercise that power.
2) More data is more power. In the first model data is distributed, in the second model it is aggregated (this is why I'd also never install a WeChat like app even if it came from Facebook).
3) There's a big difference, as an American, if my data is held by another country or not. American politicians and companies have to care about my voice (even if not much) because I elect them and can sue them. I cannot influence CCP politics, laws, or trade agreements. So at least if the data is in an enemy's hands locally I have some chance of doing something about it.
One of the key points here is that disliking one doesn't equate to liking another. Disliking Chinese companies does not mean I like that US companies have it. Disliking that US companies have that data doesn't mean that there's no difference in China (enough of the 五毛党 talk). Nuance exits. Good and bad are not discrete values but a continuous spectrum. I'll fight to stop both, but fight harder to prevent the one I have less autonomy over.
Growing up in the US, I’m 36, we used to celebrate how we didn’t do un-democratic things like the CCP. Now, we seem to use them as an excuse to justify un-democratic actions.
That the USA doesn’t do undemocratic things is a bit of primary-school brainwashing if you look our international policy, interventionism, and decidedly undemocratic laws that have been created and enforced in this country since its very inception. (Voting rights, regulations, asset forfeiture, racist zoning laws, etc)
It’s more about the pliable reasoning than the actual action. That said, in this case, it is the government actively manipulating the “free market” through regulations.
Someone living in America should care a lot more about their government spying on them, than some country half-way around the world. Their own government has the power of pit and gallows over them, after all.
The government, in the meantime, sets a dangerous precedent, by blocking a foreign social app. It gives a great justification for other countries to block American social apps for similar reasons.
American social media was banned because they didn't want to follow the law and rules in China. While TikTok followed every regulation to the local law and rules in the US.
Now the US are forcing to sell or blocked every single non-american company whom already complied to all their law and rules, truly the first country in history doing this.
Yeah... I'm a pretty hardcore privacy advocate but I'm having a hard time listening to the discourse about TikTok and coming away with anything other than a strong anti-Chinese sentiment looking to legitimize itself. There are some real privacy concerns and I think it makes sense that government officials, military, and people with clearance should be wary of foreign tech companies due to the potential of that data being used for blackmail a la Grindr but for the rest of us I think it's just a wake-up call about how non-US countries feel about FB, Twitter, Instagram, etc..
It's only accusation and yet until now they didn't have any proof beside being jealous of what China and Chinese companies achieved while playing dirty by pressuring them.
TikTok is not software. It is a service that uses software. It is therefore not directly comparable with F/OSS projects.
I don't much care who contributes to an open source project. Let them inject their malware if they want to. Because it is OPEN source such efforts will be discovered and the bad actors brought to task. And F/OSS principals extend beyond the code. Because it is open, any user is free to walk away from suspect code. Fork the project. Create your own code. Use the version created by someone you do trust. If I suspect that the particular flavor of linux on my desktop has been infiltrated by bad actors, absolutely nothing is stopping me from switching to any of a hundred other distros. That freedom is the real power, the real safeguard against wrongdoers, not vetting who or who isn't allowed to contribute.
> Because it is OPEN source such efforts will be discovered and the bad actors brought to task
as the article points out this isn't realistic because nobody actually has the resources or time to audit every piece of software this rigorously, let alone read or understand the entire codebase. A ton of open-source code is maintained by one or two or at best a handful of people and we'd be none the wiser if they'd put malicious code into the software until its to late, and as the article points out the permissiveness of open-source software makes it impossible to know for sure who contributed, after all the point of open-source is to let everyone contribute.
So as a system of trust open-source is no solution. The economics of it make it impossible to audit every bit of code, and the code could come from anywhere regardless even of what a Github profile says.
(1) This issue isn't going away, no matter who wins the next election.
(2) Data collection is not the only goal or threat. The article mentions other critical systems: energy, financial, healthcare, transportation, military. Even agriculture is heavily software dependent now[1]. Also, once you depend on a cloud service, the open source used by it is brought into the attack surface.
(3) Open source is theoretically reviewable, which is good. But even if resources were brought to bear to review it at scale, you'd need to do it continually and track what has passed. This brings pressure to fork. Worse, because review is imperfect even with the best people and tools, it will never be enough by itself to establish that a system doesn't contain malicious code. Current program verification technology is simply not up to the task of formally verifying the behavior of large scale software systems. Maybe it could be used for smaller libraries.
Linux isn’t all of open source, nor likely to be the most attractive vector of infiltration for any given target, and not all of even Linux is examined with the same level of scrutiny.
54 comments
[ 3.0 ms ] story [ 127 ms ] thread[1] https://www.phoronix.com/scan.php?page=news_item&px=Linux-Ke...
Compare this to something like, for example, TikTok, where the code is completely closed. The only kind of auditing one may do is looking at network traffic, and maybe some disassembly/hex-editing.
I'm not saying that everything needs to be OSS but it is nice to have options.
If you don't have code you can't audit code!
Tiktok is far smaller, and has a smaller attack surface. If there was money in it, people would audit Tiktok all day.
Id say its something else entirely. Zucc needed a foil to get the president trained on something other than his own platform which, until the convenience of TikTok, was looking at serious legislative curtail. Knowing our president has the attention span of a jack russel terrier made it all the easier to torpedo what is arguably his biggest competition for Gen Z and younger, the lifeblood of his platform and what his advertisers arguably want the lions share of.
US government definitely trusts US companies more that Chinese companies.
I don't find it unreasonable to want to ban TikTok. Seems like the national security's risk is real.
The frustration is that for years, privacy advocates have been trying to find the right set of words to make people understand that it is bad for US companies have so much data on so many Americans. The argument is always dismissed as not being an important issue, or that it's good for rooting out terrorists or pedophiles. But privacy advocates have also been saying this whole time, "what if this data falls into the wrong hands" on deaf ears.
In an ideal world we would ban TikTok but also regulate how user data is obtained, stored, and used by US companies.
You can issue warrants warrants for your own jurisdiction, within your own country. Once data crosses country borders, it's much harder to get access to. The US (understandably) wants this data within their own country. Similarly, China also wants this data within their own country.
So having the data in the hands of US companies - problem,
having the data in hands of Chinese companies - maybe less of a problem,
having the data in hands of Chinese companies when Chinese government doesn't like me for any reason - really big problem,
having the data in hands of US companies when American government doesn't like me - approximately as big a problem as before (depending on what reason US doesn't like me)
on edit: formatting
I can't imagine why you don't think that when the CCP actively pursues Chinese activists and Uighur Muslims, including Chinese-Americans with ties (like family) to the mainland. Or maybe those people just aren't anyone you care about.
>vaguely implying that criticism of your hypothetical scenario comes from indignant moralists.
No, just your criticism so far. I'm sure there are other criticisms people might make but I read yours as an accusation of being morally bad for not hitting the notes you want hit, as if by not hitting those notes in this comment I cannot ever do so in another one should I feel the timing is right.
I guess you also feel you were making a comment on my immorality because otherwise you would have said something like "you've misread my comment, perhaps don't be so quick to aggravation"
My last sentence "Or maybe those people just aren't anyone you care about" isn't necessarily some kind of veiled insult, it's a real position that some people hold and one that I offered as an option. There was actually a reply to my comment (it's currently flagged so you may not be able to see it) that implied China's actions are justified because Falun Gong is a separatist group. This kind of reasoning is not uncommon in Chinese nationals, among others.
So that said, sorry for taking offense. I guess I am on edge recently.
- US companies have data. Law requires that government must ask or hack to get that data.
- Chinese companies freely share data and government has unfettered access.
There's a fine line and I have 3 points to make.
1) In one companies can say "no." In the second, companies can't. The ability to say no is important because as consumer opinion is changing we've seen more companies exercise that power.
2) More data is more power. In the first model data is distributed, in the second model it is aggregated (this is why I'd also never install a WeChat like app even if it came from Facebook).
3) There's a big difference, as an American, if my data is held by another country or not. American politicians and companies have to care about my voice (even if not much) because I elect them and can sue them. I cannot influence CCP politics, laws, or trade agreements. So at least if the data is in an enemy's hands locally I have some chance of doing something about it.
One of the key points here is that disliking one doesn't equate to liking another. Disliking Chinese companies does not mean I like that US companies have it. Disliking that US companies have that data doesn't mean that there's no difference in China (enough of the 五毛党 talk). Nuance exits. Good and bad are not discrete values but a continuous spectrum. I'll fight to stop both, but fight harder to prevent the one I have less autonomy over.
Growing up in the US, I’m 36, we used to celebrate how we didn’t do un-democratic things like the CCP. Now, we seem to use them as an excuse to justify un-democratic actions.
https://www.cnn.com/2020/07/10/politics/dnc-warning-tiktok/i...
The House voted a 336-71 to bar usage on government-issued devices
https://www.politico.com/news/2020/07/20/house-tiktok-federa...
Seems to me there's strong, bipartisan backing.
The government, in the meantime, sets a dangerous precedent, by blocking a foreign social app. It gives a great justification for other countries to block American social apps for similar reasons.
That's up to them; when it comes to PRC at least, banning American social media is the norm.
Now the US are forcing to sell or blocked every single non-american company whom already complied to all their law and rules, truly the first country in history doing this.
I don't much care who contributes to an open source project. Let them inject their malware if they want to. Because it is OPEN source such efforts will be discovered and the bad actors brought to task. And F/OSS principals extend beyond the code. Because it is open, any user is free to walk away from suspect code. Fork the project. Create your own code. Use the version created by someone you do trust. If I suspect that the particular flavor of linux on my desktop has been infiltrated by bad actors, absolutely nothing is stopping me from switching to any of a hundred other distros. That freedom is the real power, the real safeguard against wrongdoers, not vetting who or who isn't allowed to contribute.
as the article points out this isn't realistic because nobody actually has the resources or time to audit every piece of software this rigorously, let alone read or understand the entire codebase. A ton of open-source code is maintained by one or two or at best a handful of people and we'd be none the wiser if they'd put malicious code into the software until its to late, and as the article points out the permissiveness of open-source software makes it impossible to know for sure who contributed, after all the point of open-source is to let everyone contribute.
So as a system of trust open-source is no solution. The economics of it make it impossible to audit every bit of code, and the code could come from anywhere regardless even of what a Github profile says.
(1) This issue isn't going away, no matter who wins the next election.
(2) Data collection is not the only goal or threat. The article mentions other critical systems: energy, financial, healthcare, transportation, military. Even agriculture is heavily software dependent now[1]. Also, once you depend on a cloud service, the open source used by it is brought into the attack surface.
(3) Open source is theoretically reviewable, which is good. But even if resources were brought to bear to review it at scale, you'd need to do it continually and track what has passed. This brings pressure to fork. Worse, because review is imperfect even with the best people and tools, it will never be enough by itself to establish that a system doesn't contain malicious code. Current program verification technology is simply not up to the task of formally verifying the behavior of large scale software systems. Maybe it could be used for smaller libraries.
[1]: https://www.deere.com/en/technology-products/precision-ag-te...
The track record of popular free software projects like for example Linux in preventing malicious code is very good as far as I know.