Bradley attorney Steve Snyder was quoted in Linux Insider on the Deepin Linux computing platform, an open source Chinese operating system that has the potential to create security risks for the U.S. government. The concern is that the open source nature of the system allows for components to filter information back to Chinese governmental agencies.
One advantage with Linux is the ability to audit the code. However, the code base of an entire operating system is large. You cannot really scrutinize it all, Snyder explained.
Lawyers and security experts face this situation on many fronts. Similar issues exist with foreign-made cellphones, he added.
For example, news reports recently focused on the threat of malware installed on microchips.
"Security experts can't always agree on finding malware. So what can we expect when dealing with an entire operating system?" Snyder pondered.
Dealing with potential security worries related to Deepin Linux certainly is a concern, Snyder said, calling it a common problem with technology.
There are plenty of opportunities to hide things in an enormous code base. Even if you looked for a security hole, you might not find it or recognize how all the components were working together to enable some sort of back door for bad actors, he explained.
"From my perspective this is a huge concern, because at the very least there has been some evidence that some actors, maybe China, have tampered with the supply chain in different areas. So you can't just take it on face value that we can trust it," Snyder said.
The flip side is that rather than giving everything more scrutiny, the bigger risk is assuming software is safe because we sourced it from an ally. Problems can turn up later when we learn that it was compromised before the source acquired it, he pointed out.
This type of scenario poses a 50-50 situation. A project based in China should get higher scrutiny than some other open source projects, Snyder said.
"I think it is something to monitor. On a personal level, I'm not sure that it is any riskier than anything else," he concluded.
"It is open source code sitting out there -- but we are more on guard with China. It would be kind of brazen of them to fiddle with something like that, but maybe someone will say, 'We'll try it.'"
The original article, “Deepin Linux: Security Threat or Safe to Use?,” first appeared in Linux Insider on May 31, 2019.