[oclug] wikipedia

Ross Jordan rjordan at numb.ca
Sun Apr 1 19:29:06 EDT 2007


> You trust the code you download?  Uh, why?  I certainly don't trust any of
> the code I download.  There have been quite a few cases of back doors
> inserted into code, both on purpose and by "vandals".
> 
> You can *never* trust the code you download.  You can only "trust" it
> after you perform an internal security audit on that full code tree, and
> _then_ validate any changes and updates as they come in.

And how much of the Linux kernel, GNU userland utilities, the X windowing
system, the C compiler, glibc, Firefox, StarOffice and whatever other
utilities have you audited?

It would be great, in theory, to rigorously review all this stuff,
but it's frankly way too much code for a massive corporation, let alone
a single person, to adequately review. OpenBSD has done a reasonable job,
but this has been mainly accomplished by reducing the auditing surface
by removing functionality from the code (and even then, they miss things
like the remote exploit discussed a few weeks ago).

At some point you either need to blindly trust the code, trust the
code because of its authors, or trust the code because someone else
said it's good. Either that, or unplug your system.

Ross,
Speaking as someone who does operating system security reviews in
my day job.
