On 1/11/07, Paul Abrahams
On Thursday 11 January 2007 8:59 pm, James Knott wrote:
#1 How can I know that the software that I install is the same as what the source is?
Compile from source.
Many years ago Ken Thompson (or maybe it was Dennis Ritchie) gave the ACM Turing Lecture on, essentially, coding tricks. He showed how it was possible to booby-trap a compiler using repeated bootstraps in such a way that the compiler was corrupted, yet its visible source code was clean. Recompiling the compiler would retain the corruption. And such a corrupted compiler could do anything, of course.
Paul --
IIRC, he didn't show that it was possible, he actually did it and had it in the C compiler for years before announcing that it was in there. Due to the backdoor, Ken Thompson could log into any UNIX machine at the time.

A brief Google found this:

Along with Dennis Ritchie, Ken Thompson received the ACM Turing award in 1983, "for their development of generic operating systems theory and specifically for the implementation of the UNIX operating system." In his Turing award lecture, Reflections On Trusting Trust, Ken Thompson described a hack that he placed into early UNIX systems: the C compiler would insert a back door whenever it compiled the login program, allowing Ken Thompson to access any UNIX system. The scheme was so fiendish that if you tried to remove the back-door generating code from the source code and recompile the compiler, the compiler would reintroduce the back door generation into the source code!

Greg
--
Greg Freemyer
The Norcross Group
Forensics for the 21st Century
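The following toy model is an added example, not part of the thread or of Thompson's lecture. It shows why rebuilding from clean source does not remove a trojan that lives only in the compiler binary, and it goes beyond the thread by showing the check known as diverse double-compiling (David A. Wheeler). All names, markers and "binaries" (plain strings) are constructed for illustration.

```python
import hashlib

# Constructed toy model: a "binary" is a string; hidden behaviour is a marker
# that appears in the binary but never in any source text.
LOGIN_SRC = "login: accept(user) if password_ok(user)"
CC_SRC = "cc: emit(translate(source))"      # clean, auditable compiler source
BACKDOOR = "|accept-secret-user"
TROJAN = "|tamper-when-compiling-login-or-cc"

def run_compiler(cc_binary: str, source: str) -> str:
    """Run a compiler binary built from CC_SRC on `source`."""
    out = "BIN[" + source + "]"
    if TROJAN in cc_binary:                 # logic present only in the binary
        if source.startswith("login:"):
            out += BACKDOOR                 # back door added to login
        elif source.startswith("cc:"):
            out += TROJAN                   # trojan copies itself forward
    return out

def independent_compiler(source: str) -> str:
    """A separately obtained, trusted compiler with different code generation."""
    return "ALT[" + source + "]"

def digest(binary: str) -> str:
    return hashlib.sha256(binary.encode()).hexdigest()

def ddc_matches(suspect_cc: str) -> bool:
    """Diverse double-compiling: rebuild CC_SRC via the independent compiler,
    then with the result, and compare bit for bit against the suspect."""
    stage1 = independent_compiler(CC_SRC)   # same behaviour, different bits
    stage2 = run_compiler(stage1, CC_SRC)   # what an honest build must equal
    return digest(stage2) == digest(suspect_cc)

HONEST_CC = "BIN[" + CC_SRC + "]"
TROJANED_CC = HONEST_CC + TROJAN

if __name__ == "__main__":
    rebuilt = run_compiler(TROJANED_CC, CC_SRC)      # "compile from source"
    print("trojan survives rebuild:", rebuilt == TROJANED_CC)
    print("login back-doored:", BACKDOOR in run_compiler(rebuilt, LOGIN_SRC))
    print("DDC accepts honest cc:", ddc_matches(HONEST_CC))
    print("DDC accepts trojaned cc:", ddc_matches(TROJANED_CC))
```

The check only works if the second compiler is obtained independently of the suspect toolchain and the build is deterministic, so that an honest rebuild is bit-for-bit reproducible.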