this post was submitted on 17 Apr 2024
80 points (98.8% liked)

Key points:

Russian-born IT entrepreneur Pavel Durov said that he was “pressured” by the FBI during his stays in America

The US government had wanted a backdoor to Telegram in order to potentially spy on its users, the social media platform’s founder Pavel Durov said in an interview with American journalist Tucker Carlson. The attention from the FBI was one of the reasons Durov dropped the idea of setting up the company in San Francisco, he said.

In an interview published on Wednesday, Durov said that he visited the US several times and even met with former Twitter CEO Jack Dorsey. He was under the watchful eye of the FBI, which made his stays in America uneasy, he said.

According to Durov, one of his top employees once told him that he had been approached by the US government. “There was a secret attempt to hire my engineer behind my back by cybersecurity officers,” the businessman said.

“They were trying to persuade him to use certain open-source tools that he would then integrate into Telegram’s code that, in my understanding, would serve as backdoors,” Durov said. He added that he believes the employee’s account. “There is no reason for my engineer to make up (such) stories.”

Extremely alarming that there is a claim here that certain open-source tools act as back-doors for the western intelligence agencies, but it makes perfect sense. Engineered bugs in upstream libraries and tools used by tons of commercial and open source software would always get you your best bang for the buck compromising lots of things. Unlike, for example, the recent xz debacle, I expect these are likely much more well hidden and engineered to hide their nature as nothing but mistakes. There are multiple ways to accomplish this, from having NSA/GCHQ employees working directly on these projects as core contributors to paying off or blackmailing core contributors.

I expect this particular revelation to likely be ignored by many of the usual privacy people and spaces just because Tucker Carlson (who has grown funnily more hated for interviewing Putin than anything else he's done among liberals) was the interviewer and of course because Durov is a Russian.

[–] gila@lemm.ee 18 points 7 months ago (1 children)

I don't think FOSS is being targeted in spite of being fringe, it's being targeted because it powers the internet. It isn't fringe at all in an enterprise server context, and I think it stands to reason that the gathered data from this kind of source would be significantly more valuable on average than that gathered from end-user desktops. But in turn, so long as there is a legal means for private companies to safeguard their privacy generally against any external actor, there is a significant vested interest in safeguarding FOSS against backdoors. Indeed the xz backdoor was disclosed by an employee of a company whose own enterprise server software product is proprietary.

[–] itsraining@lemmygrad.ml 3 points 7 months ago

Totally agree with that. Also good to note that in general it is easier to create a backdoor for FOSS because of the general code availability. For a proprietary product, you'd have to somehow gain access to the closed source, which is harder. Also, many FOSS projects have few maintainers doing a great amount of work for free, so with a bit of social engineering you can pressurise them into accepting code they don't entirely understand.

On the other hand, many FOSS projects have more than one maintainer, so more eyes watching the code. Also, you have to find a way to conceal the backdoor, so that it can't be easily identified.

All in all, open-source is certainly better, because you don't have to blindly trust some company, but there are many factors which come into play in both camps. Ultimately, trust is not the only thing that matters, since even a trusted repository can be compromised/hacked. Then you can only rely on fast mitigation of consequences, that is, hope that the compromised code hasn't been there for long.