Re: Wiretapping Linux?

From: Steven Rostedt
Date: Tue May 16 2006 - 12:14:42 EST



On Tue, 16 May 2006, Jakob Oestergaard wrote:

>
> Read "Reflections on Trusting Trust" to see why compiling things from
> source gets you absolutely *zero* extra security in this regard.
>
> http://www.acm.org/classics/sep95/
>

Interesting article, and thanks for the link. In your *zero* extra
security comment, I still disagree.

Nothing is secure, but having the soure at least stops those that are not
as capable as Ken Thompson and Dennis Ritchie. OK, I'm sure lesser
programmers could also do it. But it limits the script kiddies that can
do easy and obvious stuff if they had access to modify the source of
closed source software.

But the source does help when lots of users are using it and seeing it.
So when a bug happens, anyone can fix it. In this act, the backdoor can
be discovered. Where close source doesn't have that luxury, since the one
who put the backdoor in would probably be the same programmer to fix the
bug.

Now, to bring up Marc's point about the NSA. They do have very clever
people. But usually the open source projects are a community of people,
and you have to first get trusted in what you do before it gets submitted
into the code. And if someone discovers that you planted a backdoor, that
would discredit you quite badly.

I also do lots of sniffing of my networks to see if suspicious packets are
floating around, as well as nmapping my computers to know that all ports
that are open are open to tools that I know about. And there has been
times I didn't like what I saw from the program and looked at the source
to see what was up, and then discovered it was nothing.

Again, this is not perfect, and I can still be fooled, but I trust it
_more_ than I would if I didn't have access to the source. So, I agree
that open source is still not secure. I still think it's more secure than
close source, just because it's harder to get things by people.

-- Steve

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/