
If you use a binary distribution, you're already owned

Name: Anonymous 2016-05-31 10:54

Forget the days of hunting for exploits and probing for attack vectors.

The big boys have automated software systems for quickly identifying whole classes of exploits in software binaries, and frameworks for automatically generating rootkits using SAT/SMT solvers, concolic testing and attack synthesis. In a matter of minutes, they can have a printout of all of the exploits they can use, and software ready to go to own your ass.

How the hell are you supposed to protect against this? Why are so many idiot project maintainers chasing after reproducible builds when this is exactly the type of shit the big boys love? Why aren't the major compiler projects invested in developing SMT-based code generators that can create different permutations of programs from random seeds that can possibly thwart this?

Name: Anonymous 2016-05-31 11:15

>>1
What are you talking about? They have solved the halting problem and disproven Gödel's incompleteness theorems?

Name: Anonymous 2016-05-31 11:20

>>1
How the hell are you supposed to protect against this?
Well, couldn't software vendors use the same (or similar) automatic exploit detectors to help them fix these issues?

Name: Anonymous 2016-05-31 11:21

Calm down, black man. Nobody wants to put you down. Any such tools could be used for both defense and offense. Companies can use the same tools to check their software for security problems before release.

Name: Anonymous 2016-05-31 11:28

The big boys have automated software systems for quickly identifying whole classes of exploits in software binaries, and frameworks for automatically generating rootkits using SAT/SMT solvers, concolic testing and attack synthesis.

proof or it didn't happen. preferably with source codes I could use. I work in vuln research and while there are automated tools for fuzzing, source code analysis, reversing and ROP chain generation, you still need to do a lot of shit manually - especially when working to bypass hardening like ASLR which is very platform-specific. three-letter agencies might have better automated tools but probably no magic, just a bunch of good hackers and a lot of money.

Why are so many idiot project maintainers chasing after reproducible builds when this is exactly the type of shit the big boys love?

because reliability and ease of use are often considered more important than security. sad but true

Why aren't the major compiler projects invested in developing SMT-based code generators that can create different permutations of programs from random seeds that can possibly thwart this?

the kind of randomness you want is difficult to get right. OS devs create ASLR which is fairly unproblematic right now but can be bypassed, especially on 32-bit systems where bruteforcing is easy. polymorphic code which works exactly the same but looks different on the assembly/machine code level is popular among malware devs but it replicates bugs exactly, meaning the same exploits will work anyway. what you need is the exact same functionality but with built-in bug incompatibility between builds. this isn't easy to do. also, it's still just hardening - the bug is there, it's just more difficult to exploit.

more importantly, low-level bugs which give you shell are not the most common (and not necessarily the most dangerous, but that depends on the specific case - if you want to leak confidential data, getting into the database might be enough) security issues. business logic bugs, bugs related to high-level languages, bad cryptography, confidential data leaks, downgrades to insecure connection modes, weak passwords and many other fun issues won't be mitigated by non-deterministic compilation.

Name: Anonymous 2016-05-31 11:35

Here's a crazy idea, don't put sensitive info on computers.

Name: Anonymous 2016-05-31 12:28

>>6
Unfortunately only feasible for some applications. But yeah, I don't assume my data is really safe, either.
You could also go full retard in this respect, like Pike:
The world should provide me my computing environment and maintain it for me and make it available everywhere. If this were done right, my life would become much simpler and so could yours.
I read this as: most (all?) of my (computer) data is public, anyway, so just assume anyone can access it. Then why not just use this as convenience?

Name: Anonymous 2016-05-31 12:51

>>6
here's a thing: unless you're a deep cover secret agent or an ultra-1337 hacker who erased all the info about himself AND your secrecy is absolutely perfect (which is more or less impossible), your sensitive data is on computers even if you don't put it there. even if you don't use online banking, banks store your data on their servers. your employer stores your data on his servers. the government does it. if you use a mobile phone, all your communications go through computers both inside your phone and the ones used to handle telecom shit. wherever you go everyone is connected, let's all love Lain

Name: Anonymous 2016-05-31 14:34

>>8
Well, I'm reasonably "off the grid", but it's not a lifestyle choice that most people are willing to make. There's a tradeoff between privacy and convenience.

Name: Anonymous 2016-05-31 15:54

>>9
sometimes you can't choose this kind of lifestyle, a lot depends on your profession.

Name: Anonymous 2016-05-31 16:12

>>10
Profession is a choice. If your profession is keeping you from living the life you want to live, you should get out of it and find a new one.

Name: Anonymous 2016-05-31 16:16

>>2,5
There's been major breakthroughs in SAT/SMT solvers in the last few years. Yes, it's an NP-hard problem, but there are shortcuts, and big guys have lots of hardware to throw at the problem.

https://en.wikipedia.org/wiki/Satisfiability_modulo_theories

Name: Anonymous 2016-05-31 17:05

>>12
they do, but do you have a proof of SMT being used to find and exploit vulnerabilities in practice? academic breakthroughs and the idea that this could potentially be used for exploitation isn't a proof that:
1. we know how to use that for exploitation
2. we have hardware that can use that for exploitation
3. we know how to use that for quick, universal and completely automated exploitation of low level vulnerabilities
4. we have hardware that can use that for quick, universal and completely automated exploitation of low level vulnerabilities
5. doing that is cheaper, more efficient, more reliable and/or faster than just hiring good hackers
6. anyone would do all that to exploit low-level bugs instead of starting with high-level stuff and crypto shit which is often easier to exploit and more reliable due to platform independence
7. probabilistic compilation will save you from any of this shit

Name: Anonymous 2016-05-31 17:17

>>13
to add a bit more to point 6: while low-level exploitation gives you a lot of power over an attacked machine, it's potentially louder than high-level attacks. kernel exploits, for example, might give you total control but they often require you to already have local access and if they go wrong they crash the machine with a scary-looking KERNEL PANIC screen that will surely make the sysadmin look high and low for the attacker.

in comparison, finding a way to crack the most common ciphers (AES, RC4, RSA) could let you eavesdrop on more or less all the internet communications. finding weaknesses in hash functions would allow you to recover passwords and, when combined with cracking the ciphers, modify intercepted communications by subverting HMACs and signatures. this could be done almost completely silently.

in other words, if I was an NSA guy deciding how to fuck everyone on the internet in the ass, I'd spend billions on cryptanalysis and when it comes to exploitation stick to more traditional (but very elaborate) malware which doesn't seek to exploit EVERYONE EVER but targets specific vulnerabilities in a reliable way and combines knowledge of those specific exploits for a complex strategy of spreading, hiding, reporting and sabotaging (see: actual government malware like Stuxnet). fantasy super-malware is just too big of a gamble.

Name: Anonymous 2016-05-31 17:27

nobody cared who debian was until the reproducible builds
the big guys will be crashing your binaries with no survivors.

Name: Anonymous 2016-06-01 2:31

Why are so many idiot project maintainers chasing after reproducible builds when this is exactly the type of shit the big boys love?
I fail to see how reproducible builds can be a security issue (except when a compiler optimization produces binaries with insecure side effects, but in that case the issue is in the compiler or CPU)

Name: Anonymous 2016-06-01 3:35

just lol if you think the NSA doesn't already have all your data
- they have a server farm the size of Guam
- they have more money to play with than GOOG and MSFT combined
- only hire Ivy grads or extremely experienced pros
- they have to ship no product other than collecting information going through the world's digital networks

do the math.

Name: Anonymous 2016-06-01 8:37

>>13
You don't fucking get it man, they bought a hundred of D-Wave's quantum annealing machines.

https://arxiv.org/pdf/1603.03111.pdf

>>17 gets it, the NSA has a multi-billion dollar annual budget and they spend every dollar of it every year

Name: Anonymous 2016-06-01 22:48

>>18
D-Wave's architecture differs from traditional quantum computers (none of which exist in practice as of today). It is unable to simulate a universal quantum computer and, in particular, cannot execute Shor's algorithm.

in other words, the NSA can do nothing with these toys. Just your typical government kickback, when some smart Jewish boy at the NSA gets paid a million for making the government buy these phony machines.

Name: Anonymous 2016-06-02 2:52

>>19
You're an idiot. Factoring primes isn't necessary to own your ass when you have a quantum SAT/SMT solver.

Name: Anonymous 2016-06-02 2:58

>>20
"SMT may refer to: Shin Megami Tense"

Name: Anonymous 2016-06-02 3:05

The whole Snowden/NSA craze just seems like an overreaction conspiracy by crazy people building a fallout shelter from atomic zombies.

Name: Anonymous 2016-06-02 6:11

>>22
That's because you're a lamb. A sheep. A prole. A normie. A goy. A mundane. A slave.

The slaughterhouse awaits you.

Name: Anonymous 2016-06-02 6:16

Snowden's okay. But can he leak these dubs?

Name: Anonymous 2016-06-02 6:58

>>20
but computational power of modern quantum computers is low. speaking of Shor's algorithm, IIRC the highest number it factored was 15. it'll be a long time until they'll be able to make one that can magically hack anything - perhaps infinitely long.

>>22
Snowden stuff was legit and NSA are assholes but OP is either paranoid or just trolling

Name: Anonymous 2016-06-04 18:06

Name: Anonymous 2016-06-04 20:54

>>25
You don't need Shor's algorithm for automatic exploit generation, therefore you don't need general purpose quantum computing.

What you need is fast stochastic algorithms, and quantum annealing is the fastest, and quantum annealing machines are a reality.

Name: Anonymous 2016-06-04 21:04

>>27

ANEAL MY ANUS

Name: Anonymous 2016-06-05 7:52

Just use Gentoo. I do, and it's excellent.

Name: Anonymous 2016-06-05 15:03

I use binomial distributions.

Name: Anonymous 2016-06-06 3:15

QUANTUM ANNILINGUS

Name: Anonymous 2016-06-06 14:15

>>27

you still haven't proven that such a thing can be used for automatic exploit generation IN PRACTICE. what I would like to see is an algorithm that, given the current state of quantum computing and OS hardening, could automatically go from a simple buffer overflow (preferably on the heap as they are more common) in an input function to an equally simple netcat-based shell without crashing the target application. bonus points for running in linear or tractable polynomial time. not a program which we wouldn't be able to test anyway but an algorithm that is able to reliably and stealthily fingerprint the machine, find vulns and generate an exploit that bypasses ASLR and makes a ROP chain (keep in mind this might require fingerprinting the application itself given that some programming language/compiler constructs can make exploitation easier or harder - see: overwritable C++ vptrs which make it easier and stack/heap canaries which make it harder).

more importantly, you haven't proven how not using binary distributions could help you. if something can find vulns in an application compiled by the devs, it will find vulns in an application compiled by tinfoil anon.

Name: Anonymous 2016-06-06 14:20

>>32
Check 'em
