[TriLUG] Green Hills calls Linux 'insecure' for defense

Mike M linux-support at earthlink.net
Mon Apr 12 21:47:29 EDT 2004 

On Mon, Apr 12, 2004 at 09:10:48PM -0400, Chris Knowles wrote:
> On Mon, 2004-04-12 at 20:49, Mike M wrote:
> > On Mon, Apr 12, 2004 at 06:54:20PM -0400, Rick DeNatale wrote:
> > > This is not at all an argument against open source, just a more
> > > sophisticated view of the role of source in security auditing.
> > 
> > Requesting more clarity here please.  I can't tell what is open or
> > closed in your description: the compiler source, the source the compiler
> > is compiling, or both, or neither.
> 
> <SNIP>
> 
> Both are open.
> 
> And he shouldn't have presented it as if this were theoretical wanking. 
> Ken Thompson actually did this.  
> 
> http://www.catb.org/~esr/jargon/html/B/back-door.html

Thanks for the link.  That cleared up a lot.  In the description the
possibility of using yet another compiler was not raised.  The
dilemma arose from the lack of an alternative compiler that was
untainted. Maybe back in
kt's early days, yet another untainted compiler was not an easy 
option.  Today, it is trivial.

Perusing the source would detect the evil and this is 
recognized in link article.  Again, back when this evil scheme was 
devised, the concept of world-wide code review was not in effect.  If
this sort of thing were detected today, the www and lists would be lively 
with its presentation, analysis, and discussion.

The commercial concerns have a built in motivation to plant and/or find
evil in F/OSS.  They have not be terribly successful at it from what I
can tell.
> 
> And yup, it's fiendish and really scary.  But I'm not convinced that OSS
> is more vulnerable to this than say certain proprietary network hardware
> OS's.  (*cough* CISCO *cough*)

Hmmm.  That's _closed_ source, right?  Nobody reviews it without
getting paid, right?  You can't profit by reviewing code, right? The
profit picture is not robust right now, right?  So there's probably
not a lot of code reviewing for the heck of it, right? OTH, people
review F/OSS for the glory of finding holes - wierd as it may sound.
I sleep better knowing such geeks exist though.
-- 
Mike

Moving forward in pushing back the envelope of the corporate paradigm.

More information about the TriLUG mailing list