On 11/22/2013 11:35, Roman Mamedov wrote:
> Why can't it be?
> Well, maybe not the whole device down to the CPU Verilog design level, but
> they could post source-code for the firmware with the instructions to build
> and flash it, and since most likely this contains at least the Linux kernel
> and some GPLed tools like Busybox, they are legally obligated to provide
> source to whoever they distribute the binary to, on their request. But many
> router manufacturers don't bother limiting it to just that, and simply post
> the source code for public download on their websites.

How can one be sure that the firmware that is running on the router is built
from this particular source code and not from some modified version or
different revision? Also how can one be sure that one extra service
wasn't added on top of this open source? I think the answer to both of
these questions is "impossible". In addition, governments have the power
to execute a secret order on the company to secretly add such a back door.
Open source only makes sense when built and installed by the party
interested in security, or maybe when it is built by some trustworthy
organization, like some trusted Linux distro, and not just some random
commercial company without any reputation.
Yuri