Impact of the developer's location on the security of a project?

Hello all, I’ve been an avid Qubes user since version 4.0, this is my first post 🙂

Since we are privacy/security conscious IT users,
I would like to know your opinion on the following:

To what extent should the country in which the developers of a given project reside (or should not) impact our assessment of the trustworthiness of such a project?

For example, there are countries with strong protection of one’s own rights, and there are also countries in which a dictator might be able to arbitrarily physically coerce a developer.

I would like your feedback on this: would a project like (for example) Qubes be weaker (security-wise) if its developers were based in a more dictatorial country vs. in a country where people can expect a higher level of safeguards as long as they follow the law?

There is no such thing as trustworthy country. If you give me an example like Switzerland I’ll give you an example as well:

in 2020, it was established following a parliamentary investigation that the Swiss government and its intelligence services were aware of the spying activities of Swiss-based Crypto for many years and had “benefited from the US-led spying”.[14]

2 Likes

Let me clarify my question with a hypothetical example:

1- let’s say for example that I trust the developers of a given project, say for example Qubes (I trust that they are not putting backdoors in the code).
2- let’s say I also believe that every man has a breaking point; therefore, for example, a man might decide to put in a backdoor under duress.
3- let’s say that the developers now live in country A, and I believe that in country A the government is not able to use duress to coerce law-abiding people.
4- let’s say the developers all of a sudden move and go to live in country B, where I consider that the government has numerous ways to apply pressure on people, including duress, fear for their family, etc…

In the above example, would I automatically stop trusting the Qubes project?
Or is my reasoning somehow moot?

Why couldn’t country B coerce the developers who live in country A without the developers ever moving?

Personally I don’t understand how anyone can trust their government in this day and age.
Even if they follow the law to the letter there are many loopholes in it.
Easiest example is 5/14 eyes alliance:

In recent years, documents of the FVEY have shown that they are intentionally spying on one another’s citizens and sharing the collected information with each other.[11][12][13][14][87] Shami Chakrabarti, the director of the advocacy group Liberty, claimed that the FVEY alliance increases the ability of member states to “subcontract their dirty work” to each other.[88] The former NSA contractor Edward Snowden described the FVEY as a “supra-national intelligence organisation that doesn’t answer to the laws of its own countries”.[10]

So do you believe that there is no such alliance for duress?
There are many secret detention centers even in EU:

A European Union (EU) report adopted on February 14, 2007, by a majority of the European Parliament (382 MEPs voting in favor, 256 against and 74 abstaining) stated the CIA operated 1,245 flights and that it was not possible to contradict evidence or suggestions that secret detention centers where prisoners have been tortured were operated in Poland and Romania.[3][7] After denying the fact for years, Poland confirmed in 2014 that it has hosted black sites.[8]

And since there are no borders in the EU it’s very easy to kidnap someone from Switzerland, for example (and they will just close their eyes to this in silent agreement), and transport him to one of these detention centers for a talk without any obstacles like border control etc.
And who knows what happens there? Maybe one day we’ll know some things, as with Guantanamo.

Strange question…
Obviously the government of country B has more coercive powers within its own borders.
In a dictatorship the whole law/judicial apparatus can be used for that.

I could give you countless examples of political dissidents that had to either shut up or flee country B for fear of their lives. But once given asylum in another country they could start speaking up again and even lead the political opposition in exile.

Sure there are a handful of cases in which country B has killed dissidents outside the country, but it can’t afford to do that all the time.

From my point of view the world is not based on laws but on power.
So if you reside in some small country A with very good laws regarding your freedom, can you be so sure that it’ll be able to protect you from much more powerful countries?
So the question is in which powerful country’s zone of influence country A is located.
Let’s say that country A is located in the zone of influence of powerful country B. So powerful country C will have a hard time reaching you in powerful country B’s zone of influence. But you’ll be at the full mercy of powerful country B.

1 Like

I agree with your reasoning here.
Still, there are differences on how people are (mis)treated in countries like B and in countries like C.
Given the choice I know where I would have better chances to uphold my rights.

Today you have a right to remain silent, or you’ll at least end up under a cancelling-(whatever)-storm.
How to test this?
Question, in your country where you “can uphold your rights”, its policy on the recent war in Ukraine (not about the war itself, but about the policy).
It’s amazing how massive the screaming of those slowly-cooked frogs in one pot about the frogs boiled in another pot has become.

The solution to the trust problem is open source, ongoing qualified audit, bounties, responsible security researchers etc. And NONE of it will give you a guarantee.

In the end it’s about the trustworthiness of a project, which includes a collection of qualified people. These people watch the code and sign the changes. And how much attention the project gets from unaffiliated security researchers. While Qubes OS might get little, the technologies it relies upon (Xen, Linux) get plenty.

So no: the location of a contributor doesn’t come into it. Because no contributor by themselves is trustworthy. It’s the collection of contributors who form the project in which you are forced to place some amount of trust... because it is not practical for you to audit & understand every line of code and every change on an ongoing basis, and even if you somehow were, what makes you think you could spot all the issues?

I don’t think there will be more rights for you in Guantanamo than in the Russian or Chinese equivalent.

1 Like

This makes a lot of sense. Perhaps a transparent and open process with community oversight is the best that can be achieved, and that’s not dependent on a single individual or location.

I just came here with a similar question, after I read about a Russian team contributing Windows-related code to the Qubes project.
I wanted to learn more about them, so I visited their site, and found there just a couple of text paragraphs, basically saying “we’re in Moscow, we’re open to proposals”. I cannot find anything more about them.
I know that Qubes OS is an open-source project, but it was way easier for me to trust just the Qubes team; now I have to trust more parties. Since I lack the knowledge to verify things myself, I can only decide to trust developers, mostly based on their reputation and previous history. Which, at least for me, is lacking with the tabit-pro team.
Please correct me if I’m wrong.

What’s so different in them compared to any other contributor? Qubes is an open source project and anyone can contribute to it, be it a CIA or KGB agent or just a random anonymous person. The contributed code will be reviewed by the Qubes team before accepting or rejecting it. The source of this code will play some role in the review thoroughness of course, but it won’t be the basis for rejection or acceptance of the contribution.
You can check their contributions yourself if you’re interested:
tabit-pro · GitHub

4 Likes

The contributed code will be reviewed by Qubes team before accepting or rejecting it

That’s what I actually wanted to hear. Just finished reading closely related thread How can Qubes OS protect itself from Malicious Code Contributions, and already found that “There are very few people with commit rights to Qubes OS”. Actually, that thread is more related to my concerns.

What’s so different in them compared to any other contributor?

It wouldn’t be an issue for me, if, for example, Patrick Schleizer made such contributions.
I really do think that a Moscow-based “cyber-security team”, whose activity consists only of Qubes-related commitments, deserves a lot of “review thoroughness”.

Maybe I’m too biased, because I have spent a lot of time in a bomb shelter lately. But, personally, I do believe that a developer’s location matters. Wouldn’t you be concerned if some previously unknown group of developers from North Korea or Iran started to actively make contributions to Qubes?
As for the “Guantanamo” argument and CIA contributors: it is inevitable, I’m sure they can have everything they need. But we could and should resist less capable state actors.

Like Linux, Qubes is usable by all, and contributions may be made by folks who follow the Qubes team’s guidance.

Most organizations that utilize Qubes and/or provide Qubes-related services do not publish the list of all their clientele. Whether Poland-based, US-based or Russia-based. Whether end-users are journalists, criminals, intelligence operators or regular Jill/Joe down the street.

During the port of the tabit-pro QWT changes into the Qubes repos, I watched @marmarek reviewing the PRs from @jevank/tabit-pro across several repos. This is done in public on GitHub. Good two-way discussion, changes were explained, reworked, etc.

In the end you either trust the Qubes team and their processes or you don’t. But you do have the opportunity to review all of the changes and the processes used, as all of it is public in GitHub.

B

5 Likes

It doesn’t matter who submits a PR. All PRs are scrutinized with a skeptical eye regardless of their alleged origin. After all, we have no way of knowing whether:

  • Someone hijacked a trustworthy person’s GitHub account in order to submit this PR.
  • Someone hacked the computer of a trustworthy person in order to submit this PR.
  • A person who we thought was trustworthy is actually malicious.
  • Someone hacked into GitHub’s infrastructure in order to create this PR.
  • A malicious employee at GitHub created this PR.
  • An otherwise-good employee at GitHub was coerced into creating this PR.
  • etc.

(The only semi-exception to this is PRs that are signed by trusted keys, but that’s a whole other discussion.)

4 Likes
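The "signed by trusted keys" semi-exception above only works as a policy if a signature that merely verifies is not confused with a signature from a key the project actually trusts. As an added illustration (not code from the Qubes project or anyone in this thread), the script below evaluates lines in the shape `git log --format='%H%x1f%G?%x1f%GF%x1f%s'` produces against an explicit fingerprint allowlist; the fingerprints, commit hashes and subjects are constructed placeholders.

```python
"""Evaluate commit signatures against an explicit maintainer key allowlist.

Input lines are in the shape produced by
    git log --format='%H%x1f%G?%x1f%GF%x1f%s'
(fields separated by the ASCII unit separator, 0x1f).
"""
from __future__ import annotations
from dataclasses import dataclass

# Meaning of git's %G? placeholder (from the git-log documentation).
SIGNATURE_STATUS = {
    "G": "good signature",
    "B": "bad signature",
    "U": "good signature, unknown validity",
    "X": "good signature, expired",
    "Y": "good signature, key expired",
    "R": "good signature, key revoked",
    "E": "signature cannot be checked (missing key)",
    "N": "no signature",
}

# Constructed placeholder fingerprints standing in for a project's
# maintainer keys; a real allowlist would be pinned in repository policy.
TRUSTED_FINGERPRINTS = frozenset({"1" * 40, "2" * 40})

@dataclass(frozen=True)
class Verdict:
    commit: str
    trusted: bool
    reason: str

def evaluate_commit(line: str, trusted=TRUSTED_FINGERPRINTS) -> Verdict:
    sha, status, fingerprint, _subject = line.split("\x1f", 3)
    if status != "G":
        # Anything but a good, valid signature is rejected outright, including
        # signatures that verify cryptographically but whose key is expired,
        # revoked or of unknown validity.
        return Verdict(sha, False, SIGNATURE_STATUS.get(status, "unknown status"))
    if fingerprint not in trusted:
        # A valid signature from a key outside the allowlist gets the ordinary
        # skeptical review, not the trusted-key fast path.
        return Verdict(sha, False, "good signature, but key not in allowlist")
    return Verdict(sha, True, "signed by trusted key")

def evaluate_log(text: str, trusted=TRUSTED_FINGERPRINTS) -> list[Verdict]:
    return [evaluate_commit(l, trusted) for l in text.splitlines() if l]

# Constructed sample log (placeholder hashes, not real Qubes commits).
SAMPLE_LOG = "\n".join([
    "\x1f".join(["a" * 40, "G", "1" * 40, "qwt: constructed example commit"]),
    "\x1f".join(["b" * 40, "G", "3" * 40, "good signature, key not in allowlist"]),
    "\x1f".join(["c" * 40, "R", "2" * 40, "signed with a revoked key"]),
    "\x1f".join(["d" * 40, "N", "", "unsigned commit"]),
])
```

Only the first sample commit takes the trusted-key path; the other three, including the one with a perfectly valid signature from an unlisted key, fall back to normal review.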