
Re: SELinux removed from desktop cd spin?



On Wed, 2008-01-23 at 08:02 -0600, Les Mikesell wrote:
> Matthew Saltzman wrote:
> 
> >>> But the NSA would be at least as capable of introducing a hack that you 
> >>> could examine but not see as Ken Thompson:
> >>> http://www.everything2.com/index.pl?node=Reflections%20On%20Trusting%20Trust 
> >>>
> >>> I'd expect them to even be able to conspire with the CPU vendors to have 
> >>> certain undocumented opcode sequences do magical things.
> >> Sure. You can believe whatever you want to. I am merely stating a fact 
> >> that the bar to do this with open source software is way higher than 
> >> proprietary software and in fact is the highest that anyone can 
> >> practically go.
> > 
> > Also, in order to carry out a hack like that, you have to infect the
> > toolchain somewhere along the line, so that everyone building the code
> > is doing so with infected compilers.  With open-source code and an
> > open-source toolchain, that seems pretty unlikely.
> > 
> > Or are you suggesting, Les, that everyone's copy of gcc is derived from
> > one built by the NSA and smuggled into RMS's lab at some point in its
> > early history?
> 
> How many people have contributed code and how much do you know about 
> them or their motives?  But a more likely target would be the CPU 

Rahul's point (as I take it) is that at least OSS code gets a fair
amount of peer review by a wide variety of people who don't necessarily
share the NSA's nefarious motives.  Way more than can be expected from
proprietary code.  (Think Diebold...)  My point is that infecting an
open-source toolchain is much harder than infecting a proprietary one,
for the same reason.

I'll certainly acknowledge that there is no such thing as perfect
security.

> companies since there are only a couple that matter and this could make 
> the compiler portion pretty much invisible.  Is that any more paranoid 
> than thinking the major communication companies all have government taps 
> for everything passing through or that cell phones are all rigged so the 
> government can locate and listen at any time?

Probably not...

> 
-- 
                Matthew Saltzman

Clemson University Math Sciences
mjs AT clemson DOT edu
http://www.math.clemson.edu/~mjs
