Full Disclosure mailing list archives
Re: Moox firefox/thunderbird builds. Anyone looked at these yet?
From: Valdis.Kletnieks () vt edu
Date: Thu, 11 Nov 2004 11:12:22 -0500
On Thu, 11 Nov 2004 05:42:54 CST, TK-421 said:
Yes, but because it's open source, you know that thousands of eyes are looking at it daily. Especially in larger projects like Mozilla/Firefox. I'm sure you'd hear about it if the Mozilla team was including backdoors. That is unless you think there's a widespread conspiracy to keep you in the dark about backdoors in common internet applications. In that case, I think you need to adjust your tinfoil hat.
1) Go re-read Ken Thompson's "On Trusting Trust" (http://www.acm.org/classics/sep95). Sometimes a backdoor can be hidden someplace other than where you think it is. ;)

2) The Mozilla source tarball is 32 megabytes *bzip-ed* (for comparison, the entire Linux kernel source is 33M in .bz2). That's a *lot* of code, and Mozilla is a lot more twisty squirrelly C++ constructors and inherited classes and similar crap than the Linux kernel, and thus harder to wrap your brain around while auditing it.

3) These days, a backdoor isn't going to look like:

    if (!strcmp(source, "http://www.evil.com")) {

it's going to be something more sophisticated - like a failure to bounds-check something like number of font/style changes inside a single box in a table. Then if it ever *does* get found, you have plausible deniability, people will just say "Damn, another buffer overrun" and get on with their lives.

The "lots of people" argument doesn't always hold up - Mozilla and the Linux kernel are about the same size, there's quite certainly more Linux kernel hackers than Mozilla hackers, and the ELF loader problems that Paul Starzetz reported yesterday have been there *AT LEAST* since Dec 16, 2001 (when 2.5.1 forked from the 2.4 tree - since 2.5/2.6 and 2.4 have the same bugs, it's code that was there at the time of the fork). So zillions of eyes, and 3 years or more before it's found....

4) Now go buy more tinfoil.
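To make point 3 concrete for readers, here is an added C example (not code from the post, and not Mozilla's real code) contrasting the two shapes of backdoor the post describes: the obvious string-compare trigger is absent, and what remains is a style-change recorder for a table cell whose only "flaw" is a missing bounds check, next to the hardened version a reviewer should expect. The struct, `MAX_STYLE_CHANGES`, and the function names are all constructed for illustration; the point is that the unchecked version reads like an ordinary omission during review, which is exactly the deniability argument above.

```c
#include <stdio.h>
#include <string.h>

/* Constructed example: a table cell that records font/style changes in a
 * fixed-size buffer. MAX_STYLE_CHANGES and the structs are assumptions made
 * for illustration, not Mozilla's actual layout data structures. */
#define MAX_STYLE_CHANGES 8

struct style_change {
    int offset;          /* character offset where the style changes */
    unsigned int flags;  /* bold/italic/etc. bitmask */
};

struct table_cell {
    struct style_change changes[MAX_STYLE_CHANGES];
    int count;           /* number of entries used in `changes` */
};

void cell_init(struct table_cell *c) { memset(c, 0, sizeof *c); }

/* The "looks like an ordinary bug" version: `count` is never compared against
 * the array size, so the ninth style change in a cell writes past the end of
 * `changes`, clobbering `count` and whatever follows it in memory. Reviewed in
 * isolation this reads as a simple omission, which is the plausible
 * deniability the post describes. Only ever call it within the limit. */
int add_style_change_unchecked(struct table_cell *c, int offset, unsigned int flags)
{
    c->changes[c->count].offset = offset;
    c->changes[c->count].flags = flags;
    c->count++;
    return 0;
}

/* Hardened version: refuse the change once the buffer is full and report it,
 * so the caller can drop the style run or fail the parse instead of
 * corrupting memory. */
int add_style_change_checked(struct table_cell *c, int offset, unsigned int flags)
{
    if (c->count < 0 || c->count >= MAX_STYLE_CHANGES)
        return -1;
    c->changes[c->count].offset = offset;
    c->changes[c->count].flags = flags;
    c->count++;
    return 0;
}

/* Simulate parsing a cell that contains `n` style changes using the checked
 * adder; returns how many changes were rejected because the buffer was full. */
int parse_cell_checked(struct table_cell *c, int n)
{
    int rejected = 0;
    cell_init(c);
    for (int i = 0; i < n; i++)
        if (add_style_change_checked(c, i * 4, 1u << (i % 3)) != 0)
            rejected++;
    return rejected;
}

int main(void)
{
    struct table_cell cell;
    int rejected = parse_cell_checked(&cell, 20);  /* 20 > MAX_STYLE_CHANGES */
    printf("stored %d style changes, rejected %d\n", cell.count, rejected);
    return 0;
}
```

The diff between the two adders is two lines, and that is the reviewer's problem: a missing comparison against an array bound carries no signature that distinguishes carelessness from intent, so the audit has to assume every unchecked index is a defect worth fixing regardless of motive.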