Mailinglist Archive: opensuse (1784 mails)
Re: [SLE] A very interesting paper by Ken Thompson..
- From: jerrykreps@xxxxxxxxxxx (Jerry Kreps)
- Date: Thu, 7 Dec 2000 07:03:23 -0600
- Message-id: <00120707032301.09373@JLKreps>
That is the most absurd analogy I've ever been handed.
Anal has nothing to do with anything.
On Wednesday 06 December 2000 22:20, Michael wrote:
> I suppose you could write a C compiler from scratch and check to
> make sure but it seems a bit anal. If you can't trust the FSF when
> it comes to software there isn't anybody you are likely to be able
> to trust. You could just as easily say you can't trust your house
> not to spy on you because someone else cut the boards.
>
> *^*^*^*
> Have the courage to take your own thoughts seriously, for they will
> shape you. -- Albert Einstein
>
> On Wed, 6 Dec 2000, Jerry Kreps wrote:
> > On Wednesday 06 December 2000 17:40, Cliff Sarginson wrote:
> > > On Wed, Dec 06, 2000 at 04:56:57PM -0600, Jerry Kreps wrote:
> > > > On Wednesday 06 December 2000 14:17, Michael wrote:
> > > > > Never trust anything that isn't opensource. Learn to code
> > > > > at least enough to look for obvious holes. Is the only way
> > > > > to be safe. :)
> > >
> > > Mmm. I hate to say this but a little bit of C coding is not
> > > going to teach you enough to find holes in a program of even
> > > moderate complexity, let alone in a compiler or complex network
> > > program. For encryption programs a pretty deep knowledge of
> > > algorithms and mathematics may also be required.
> >
> > My MS in Math and Physics and Biochemistry (professional student)
> > taught me that
> >
> > > Furthermore to understand the output of the compiler code
> > > generator you will need to be a red-hot assembly language
> > > programmer. And even then it would be a nightmare in optimised
> > > code.
> >
> > You're making my point !
> >
> > > The point about open-source is that you can compile it
> > > yourself, so you are not accepting blindly a binary file from
> > > somewhere. You have to trust the origin of the source of
> > > course.
> >
> > Here is where you missed my point. Compiling the source code for
> > an application is worthless protection against microcode already
> > planted in the compiler itself, and your points above reinforce
> > my argument that providing an absolutely guaranteed uncompromised
> > compiler is a task only the best of the best could accomplish.
> >
> > Ergo, how can you be sure that the gc++ compiler has not already
> > been compromised? You can't.. That was Ken Thompson's
> > conclusion. JLK
> >
> > > Cliff
> > >
> > > > Not true!
> > > > Take the gcc compiler, for example. How do you compile your
> > > > compiler without using your compiler? Unless you hand
> > > > assemble assembler code from keystrokes, you are using
> > > > something that could have embedded microcode in it.
> > > > JLK
> > > >
> > > > > *^*^*^*
> > > > > Have the courage to take your own thoughts seriously, for
> > > > > they will shape you. -- Albert Einstein
> > > > >
> > > > > On Wed, 6 Dec 2000, Cliff Sarginson wrote:
> > > > > > On Wednesday 06 December 2000 00:39, Jerry Kreps wrote:
> > > > > > > I don't know if my email from work made it through the
> > > > > > > firewall so I am resending the source for the pgp
> > > > > > > backdoor.
> > > > > > >
> > > > > > > http://www.cert.org/advisories/CA-2000-18.html
> > > > > > >
> > > > > > > JLK
> > > > > > >
> > > > > > > On Tuesday 05 December 2000 08:02, peter hollings wrote:
> > > > > > > > It's interesting (from a civil liberties perspective)
> > > > > > > > that there is a backdoor into PGP. Can you tell me
> > > > > > > > more? How did this come about? Was it publicized?
> > > > > > > > Does encryption technology without backdoors exist?
> > > > > > > > If so, how can we be sure?
> > > > > > > >
> > > > > > > > Also, of potential interest is the FBI's "Carnivore"
> > > > > > > > system. Carnivore basically automates the
> > > > > > > > surveillance process on the Internet. If one
> > > > > > > > combines backdoors with surveillance, one has quite a
> > > > > > > > capability. For a recent study on Carnivore see:
> > > > > > > > > http://www.usdoj.gov/jmd/publications/carniv_entry.htm .
> > > > > > > >
> > > > > > > > For SuSE this may be off-topic. If we hear any
> > > > > > > > objection, I propose that we move it off the list.
> > > > > >
> > > > > > I would think anyone on this list concerned with security
> > > > > > would be well advised to take an interest in this !
> > > > > >
> > > > > > (just when you thought it was safe to go into the
> > > > > > water...)
> > > > > >
> > > > > > Cliff
> > > > > >
> > > > > > > > Regards,
> > > > > > > >
> > > > > > > > Peter Hollings
> > > > > > > >
> > > > > > > >
> > > > > > > > ----- Original Message -----
> > > > > > > > From: "Jerry Kreps" <jerrykreps@xxxxxxxxxxx>
> > > > > > > > To: "zentara" <zentara@xxxxxxxxxxxxx>; "peter
> > > > > > > > hollings" <phollings@xxxxxxxxxxxxxxxx>
> > > > > > > > Cc: <adams@xxxxxxxxxxx>; <jkreps@xxxxxxxxxxxxxxx>;
> > > > > > > > "suse-linux-e" <suse-linux-e@xxxxxxxx>
> > > > > > > > Sent: Monday, December 04, 2000 5:28 PM
> > > > > > > > Subject: Re: [SLE] A very interesting paper by Ken
> > > > > > > > Thompson..
> > > > > > > >
> > > > > > > > > On Monday 04 December 2000 15:36, zentara wrote:
> > > > > > > > > > peter hollings wrote:
> > > > > > > > > > > Yes, the NSA is a possibility, but I'd be more
> > > > > > > > > > > concerned about the ill effects on society that
> > > > > > > > > > > could be brought about via a widely
> > > > > > > > > > > distributed, closed, proprietary system such as
> > > > > > > > > > > Windows. It's another reason for using Linux.
> > > > > > > > > >
> > > > > > > > > > I'm an old windows basher, but as the article
> > > > > > > > > > stated, no OS is immune to the microcode attack.
> > > > > > > > > > I was discussing a while back whether pgp and
> > > > > > > > > > other encryption programs had "backdoors" in
> > > > > > > > > > them, the answer was "if it exists, it's in our c
> > > > > > > > > > compilers", controlled by very high level people.
> > > > > > > > > > I have a paranoid streak. :-)
> > > > > > > > >
> > > > > > > > > > It's not paranoia if it's true, and with regards to
> > > > > > > > > pgp it is true. The NSA backdoor to version 6.x of
> > > > > > > > > pgp (I don't remember if 5.x has the backdoor) is
> > > > > > > > > verified. That is why there was a recent mass
> > > > > > > > > movement from pgp to gpg
> > > > > > > > >
> > > > > > > > > --
> > > > > > > > > > Scientific theories, according to Sir Karl Popper,
> > > > > > > > > > can be "falsified," or proven wrong, by experiment.
> > > > > > > > > > Unscientific theories -Marxist dialectical history
> > > > > > > > > > and Freudian psychology were Popper's favorites-
> > > > > > > > > > are formed in such a way that they cannot be
> > > > > > > > > > falsified by data.
> > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > --
> > > > > > > > > To unsubscribe send e-mail to
> > > > > > > > > suse-linux-e-unsubscribe@xxxxxxxx For additional
> > > > > > > > > commands send e-mail to suse-linux-e-help@xxxxxxxx
> > > > > > > > > Also check the FAQ at
> > > > > > > > > http://www.suse.com/support/faq
--
Scientific theories, according to Sir Karl Popper, can be "falsified," or proven wrong, by experiment.
Unscientific theories -Marxist dialectical history and Freudian psychology were Popper's favorites-
are formed in such a way that they cannot be falsified by data.