On November 10, 2005 3:12 AM Andrey G. Grozin
>
> On Wed, 9 Nov 2005, C Y wrote:
> > Years ago Ken Thompson proposed a diabolical attack on a
> > computer that could be made by putting a trap door in a
> > compiler, which would automatically build it into all software
> > and subsequent versions of itself, undetectably. (I think this
> > is the article: http://www.acm.org/classics/sep95/) That kind
> > of thing makes people (especially open source folk, I think)
> > suspect all binaries, and for good reason.

It must be the approaching Winter season or maybe it is this pain in my back that won't go away anymore, but I seem to be disagreeing with almost everyone here lately... :(

I believe that such an attack is technically possible, but I disagree strongly that therefore there is a good reason to suspect all binaries. Modern network computing (like life in general) is a social phenomenon. In social interactions it is extremely important that one establish relationships based on trust. It is only by trusting others that it is possible to build a co-operative collaborative environment that is more than the sum of its parts. Given the aggressive and competitive nature of people, companies and governments, no doubt this might seem a little naïve to some people, but trust me, it is not ... :)

The implementation of trusted computing on the Internet is already quite well advanced. Many binary programs are available with electronic signatures that guarantee authenticity and origin. Yes, any system (at least those in common use now) can be broken, but we trust these people, e.g. the GNU free software foundation, or for that matter even the Axiom developers, not to behave in a malicious manner. No matter what we do technically, in the end security always comes down to trusted relationships, from computer to computer, computer to human, and human to human.

> Yes. I dislike having any binaries in my system I have not
> compiled myself. Therefore, I use Gentoo (installed from stage
> 1, so I recompiled gcc too). Of course, this does not help
> against the Thompson's attack.

By arguing in favour of bootstrapping, I am certainly *not* arguing against the idea of compiling as much open source software from source as possible - from the kernel up. I think that such an approach does effectively deter Thompson's attack (but not prevent) because at least in principle the possibility of comparing the source to the generated binary does exist.

>
> > Not in light of things like Ken Thompson's proposed attack.
> > Security people may be paranoid, but on the internet paranoia
> > is a virtue.

No. Paranoia is a disease, like depression. It is a social/medical condition that needs to be treated. Security is another thing altogether. It consists of using the right technology, having a clear understanding of the way the system works, and establishing trusted relationships. Security is not a matter of hiding knowledge and hoarding control.

> As one of my colleagues said,
>
> For a sysadmin, the absence of paranoia is called professional
> incompetence.
>

I think your colleague does not have a clear understanding of security.

> Sorry for off-topic.
>

Andrey, I think that although this might be a side-issue, it is not really off-topic since as open source developers we do distribute both binaries and source code for Axiom. And I think we should take some steps that we are not taking now to help ensure that what we distribute is trusted by Axiom users.

Regards,
Bill Page.