Secure Code

[dbl221]

If it is impossibe to "know" what closed source" software is doing and most people use M$ closed source stuff it is possible for NSA and others to install backdoors.

  Therefore

Secure Code = Open Source

[voidmain]

As much as I would *love* to agree with that, it isn't quite true.  The only way you can truly be confident that there are no backdoors are if you actually write the compiler from scratch.  I read an interesting article about a way that a backdoor can be coded into the compiler in such a way as to create back doors in programs such as "login" and no trace of the back door would be seen in the source code of the "login" program OR the source for the "compiler".  It sounded far fetched to me and I'll post the article if I can find it again.  It was *very* interesting and made one think.  

I couldn't help but think that if RedHat were evil they could have a deal like this with the NSA.  And RedHat is known for jumping the gun on the 2.96 version of GCC.  Makes me wonder a little.  I'll post it as soon as I find it (see, I don't blindly support Linux, but it is 1000 times better than any MS OS).

[ March 01, 2002: Message edited by: VoidMain ]

[voidmain]

Ahhh, here it is:
http://www.acm.org/classics/sep95/

Read the whole thing carefully. I think you will find it very interesting (especially if yer a code weenie).

[dbl221]

Hmm.....I have heard of this kind of thing before.  The solution is of course to use a compiler that is open-source.

I believe gcc fits that bill.   But I will read the article.

[voidmain]

[ March 01, 2002: Message edited by: VoidMain ]

[voidmain]

Actually after you read the article you will find that being open source does not matter, since you need the compiler to compile the compiler source and it's the original compiler binary that will add the back door into the new compiler binary (almost like a virus).  The back door does not have to be in the new compiler source for it to replicate.

[dbl221]

Well its a chicken and egg problem thats for sure.  I know people who write their own assembly code because they don't "trust" the code that handles mouse click events etc.

Ultimately everything comes down to "trust".  Our entire financial system is a house of cards resting upon trust.   Remember that lesson from monetary history class about how everyone thougth tuilips were worth loads of cash.....eventually the trust  was questioned and the whole house came crashing down.

I bet your local ATM machine is using VTAM or X.25 to do its thing.........but who ever thinks to question the source code for these protcols.

The point is "trust" is relative and must be earned........we can trust the open-source people more that we can trust a big company like M$.   Money and power corrupt......M$ has both so they can't be trusted .........CGU and FSF have almost no money so they are accorded more trust.

Whom do you trust???

[voidmain]

I agree.  The worst part about it is the back door code wouldn't *have* to be in the compiler or any other part of the OS.  It could be in the microcode (BIOS/CPU). Remember the V chip? Maybe they just added the code to the intel CPU.  Hell, there must be *some* reason for those billions of circuits in the bloated Intel chips.

[cahult]

I

[dbl221]

Well as  I recall there were a few bugs in the first pentiums.  But I think VoidMain and the ACM article were talking about a deliberate back door placed in the microcode-rom or some op-code that left a door open......the floating point bug was an accident......or so we are told.

I recal a news story about some software that the Canadian spy agency, CSIS was using that was riddled with back doors........hmm!