Full Disclosure mailing list archives

Re: Moox firefox/thunderbird builds. Anyone looked at these yet?


From: Valdis.Kletnieks () vt edu
Date: Thu, 11 Nov 2004 11:12:22 -0500

On Thu, 11 Nov 2004 05:42:54 CST, TK-421 said:

> Yes, but because it's open source, you know that thousands of eyes are
> looking at it daily.  Especially in larger projects like
> Mozilla/Firefox.  I'm sure you'd hear about it if the Mozilla team was
> including backdoors.  That is unless you think there's a widespread
> conspiracy to keep you in the dark about backdoors in common internet
> applications.  In that case, I think you need to adjust your tinfoil
> hat.

1) Go re-read Ken Thompson's "On Trusting Trust" (http://www.acm.org/classics/sep95)
Sometimes a backdoor can be hidden someplace other than where you think it is. ;)

2) The Mozilla source tarball is 32 megabytes *bzip-ed* (for comparison, the
entire Linux kernel source is 33M in .bz2).  That's a *lot* of code, and
Mozilla is a lot more twisty squirrelly C++ constructors and inherited classes
and similar crap than the Linux kernel, and thus harder to wrap your brain
around while auditing it.

3) These days, a backdoor isn't going to look like:

        if (!strcmp(source,"http://www.evil.com")) {

it's going to be something more sophisticated - like a failure to bounds-check
something like number of font/style changes inside a single box in a table.
Then if it ever *does* get found, you have plausible deniability, people will
just say "Damn, another buffer overrun" and get on with their lives.

The "lots of people" argument doesn't always hold up - Mozilla and the Linux
kernel are about the same size, there's quite certainly more Linux kernel
hackers than Mozilla hackers, and the ELF loader problems that Paul Starzetz
reported yesterday have been there *AT LEAST* since Dec 16, 2001 (when 2.5.1
forked from the 2.4 tree - since 2.5/2.6 and 2.4 have the same bugs, it's code
that was there at the time of the fork).  So zillions of eyes, and 3 years or
more before it's found....

4) Now go buy more tinfoil.
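An added illustration of point 3, which is not code from the original post or from Mozilla: a constructed parser for the style changes inside one table cell, in two versions that differ by a single line. The wire format, the limit MAX_STYLE_CHANGES, and all function names are assumptions made for this example. The first version checks that the input is long enough (so it never reads past the buffer) but trusts the count when writing into a fixed-size array; the second adds the destination-capacity check. Both versions would pass a casual reading, which is what makes a missing check of this kind deniable.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed limit: how many style changes one table cell can hold. */
#define MAX_STYLE_CHANGES 8

/* One style change inside a cell: character offset plus a style id. */
struct style_change {
    uint16_t offset;
    uint8_t  style;
};

struct cell {
    struct style_change changes[MAX_STYLE_CHANGES];
    size_t nchanges;
};

/* Constructed wire format (not a real Mozilla format): one count byte,
 * then count * 3 bytes, each entry being offset (big-endian 16 bit) + style. */
#define ENTRY_SIZE 3

/* 'Before': the input length is validated, so the parser never reads past
 * buf, but the count byte is trusted when writing into out->changes.
 * A count above MAX_STYLE_CHANGES writes past the end of the array, and in
 * review this reads like an ordinary oversight rather than intent. */
int parse_cell_unchecked(const uint8_t *buf, size_t len, struct cell *out)
{
    if (len < 1)
        return -1;
    size_t count = buf[0];
    if (len < 1 + count * ENTRY_SIZE)
        return -1;                       /* source bounds: checked */
    for (size_t i = 0; i < count; i++) { /* destination bounds: never checked */
        const uint8_t *e = buf + 1 + i * ENTRY_SIZE;
        out->changes[i].offset = (uint16_t)((e[0] << 8) | e[1]);
        out->changes[i].style  = e[2];
    }
    out->nchanges = count;
    return 0;
}

/* 'After': identical except that the destination capacity is enforced. */
int parse_cell_checked(const uint8_t *buf, size_t len, struct cell *out)
{
    if (len < 1)
        return -1;
    size_t count = buf[0];
    if (count > MAX_STYLE_CHANGES)
        return -2;                       /* the one line that was 'forgotten' */
    if (len < 1 + count * ENTRY_SIZE)
        return -1;
    for (size_t i = 0; i < count; i++) {
        const uint8_t *e = buf + 1 + i * ENTRY_SIZE;
        out->changes[i].offset = (uint16_t)((e[0] << 8) | e[1]);
        out->changes[i].style  = e[2];
    }
    out->nchanges = count;
    return 0;
}

/* Constructed sample: two changes, (offset 5, style 1) and (offset 16, style 2). */
static const uint8_t GOOD_CELL[] = { 2, 0x00, 0x05, 1, 0x00, 0x10, 2 };

/* Constructed sample: count 9 (> MAX_STYLE_CHANGES) followed by 27 zero bytes
 * of entries, so the length check passes and only the capacity check can fail. */
static const uint8_t BAD_CELL[1 + 9 * ENTRY_SIZE] = { 9 };

/* Returns 1 when the checked parser accepts the good cell with the expected fields. */
int checked_accepts_good(void)
{
    struct cell c;
    memset(&c, 0, sizeof c);
    if (parse_cell_checked(GOOD_CELL, sizeof GOOD_CELL, &c) != 0)
        return 0;
    return c.nchanges == 2 && c.changes[0].offset == 5 && c.changes[0].style == 1
        && c.changes[1].offset == 16 && c.changes[1].style == 2;
}

/* Returns the checked parser's result for the oversized cell (expected -2). */
int checked_result_for_oversized(void)
{
    struct cell c;
    memset(&c, 0, sizeof c);
    return parse_cell_checked(BAD_CELL, sizeof BAD_CELL, &c);
}

int main(void)
{
    printf("checked parser accepts good cell: %s\n", checked_accepts_good() ? "yes" : "no");
    printf("checked parser result for oversized cell: %d\n", checked_result_for_oversized());
    /* parse_cell_unchecked(BAD_CELL, ...) is deliberately not called here:
     * it would write 9 entries into an 8-entry array. */
    return 0;
}
```

The defect is only visible when the audit asks, for every loop that writes into a fixed-size destination, where the bound on the loop counter comes from; a reviewer who only confirms that the input buffer is not over-read will sign off on the first version.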
