Information Security News mailing list archives
Re: Uncovering the secrets of SE Linux
From: James Goldston <jgoldston () SSES NET>
Date: Mon, 12 Mar 2001 12:49:48 -0600
Hmmm. I'm guessing Mr. Loeb is a writer and not a security practitioner, because a practitioner wouldn't be so quick to vet the Agency's (or anyone's) source code.

As Ken Thompson stated in "Reflections on Trusting Trust," Communications of the ACM, Vol. 27, No. 8, Aug. 1984, pp. 761-763:

"The moral is obvious. You can't trust code that you did not totally create yourself. (Especially code from companies that employ people like me.) No amount of source-level verification or scrutiny will protect you from using untrusted code..."

The quote above is just as applicable then as now. I am not saying I recommend we not use external code. Indeed, everyone is somewhat dependent on externally-developed software. However, proving the absence of malicious software is beyond our capabilities except for the smallest code fragments.

James

At 10:42 PM 3/8/01 -0600, InfoSec News wrote:

> But, they seem to mean it. The distribution .tgz file contains no secret Trojan horse that reads the data on your hard disk and then sends it all back to Fort Meade. There's no way to hide a trap door in code that all can comment upon and analyze.