Secure Coding mailing list archives

Re: Re: White paper: "Many Eyes" - No Assurance Against Many Spies


From: Crispin Cowan <crispin () immunix com>
Date: Mon, 03 May 2004 16:32:04 +0100


Tad Anhalt wrote:

> Jeremy Epstein wrote:
>
>> I agree with much of what he says about the potential for
>> infiltration of bad stuff into Linux, but he's comparing apples and
>> oranges.  He's comparing a large, complex open source product to a
>> small, simple closed source product.  I claim that if you ignore the
>> open/closed part, the difference in trustworthiness comes from the
>> difference between small and large.
>
> It's a lot deeper than that.  Here's the link to the original Ken
> Thompson speech for convenience's sake:
>         http://www.acm.org/classics/sep95

Ok, someone has mentioned Ken Thompson's Turing Award speech in a "my 
security is better than yours" flamewar^W discussion. This almost 
warrants a security-geek version of Godwin's law :)


But taking the remark seriously, it says that you must not trust 
anything that you don't have source code for. The point of Thompson's 
paper is that this includes the compiler; having the source code for the 
applications and the OS is not enough, and even having the source for 
the compiler is not enough unless you bootstrap it yourself.


Extrapolating from Thompson's point, the same can be said for silicon: 
how do we know that CPUs, chipsets, drive controllers, etc. don't have 
Trojans in them? Just how hard would it be to insert a funny hook in an 
IDE drive that did something "interesting" when the right block sequence 
came by?


For a really interesting long-term extrapolation of this point of view, 
I strongly recommend reading "A Deepness in the Sky" by Vernor Vinge 
http://www.tor.com/sampleDeepness.html


While it is a science fiction novel, Vinge is also a professor of 
computer science at UCSD, and a noted visionary in the future of 
computing, having won multiple Hugo awards. Vinge wrote the first 
cyberpunk story "True Names" in the mid-70s.


The horrible lesson from all this is that you cannot trust anything you 
do not control. And since you cannot build everything yourself, you 
cannot really trust anything. And thus you end up taking calculated 
guesses as to what you trust without verification. Reputation becomes a 
critical factor.


It also leads to the classic security analysis technique of amassing 
*all* the threats against your system, estimating the probability and 
severity of each threat, and putting most of your resources against the 
largest threats. IMHO if you do that, then you discover that "Trojans in 
the Linux code base" is a relatively minor threat compared to "crappy 
user passwords", "0-day buffer overflows", and "lousy Perl/PHP CGIs on 
the web server". This Ken Thompson gedanken experiment is fun for 
security theorists, but is of little practical consequence to most users.


Crispin

--
Crispin Cowan, Ph.D.  http://immunix.com/~crispin/
CTO, Immunix          http://immunix.com
Immunix 7.3           http://www.immunix.com/shop/
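The threat-ranking technique Crispin describes (list every threat, estimate probability and severity, put most of the resources against the biggest expected losses) is easy to make concrete. The following is an added illustration, not code from the post or from Immunix: it builds a small risk register from the threat names the post mentions, with constructed probability and cost figures that are purely illustrative, ranks the entries by expected annual loss, and allocates a defensive budget in proportion to that loss.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    """One row of a risk register."""
    name: str
    probability: float  # chance of at least one successful incident per year (0..1)
    severity: float     # expected cost of one incident, in arbitrary cost units


def expected_loss(t: Threat) -> float:
    """Annualised expected loss: probability of occurrence times cost per incident."""
    if not 0.0 <= t.probability <= 1.0:
        raise ValueError(f"probability out of range for {t.name!r}")
    if t.severity < 0:
        raise ValueError(f"negative severity for {t.name!r}")
    return t.probability * t.severity


def rank_threats(threats):
    """Return the register sorted from largest to smallest expected loss."""
    return sorted(threats, key=expected_loss, reverse=True)


def allocate_budget(threats, budget: float):
    """Split a defensive budget across threats in proportion to expected loss.

    Returns a dict name -> allocation. A register with zero total expected
    loss gets nothing allocated rather than a division-by-zero error.
    """
    total = sum(expected_loss(t) for t in threats)
    if total == 0:
        return {t.name: 0.0 for t in threats}
    return {t.name: budget * expected_loss(t) / total for t in threats}


def loss_covered_by_top(threats, k: int) -> float:
    """Fraction of total expected loss accounted for by the k largest threats."""
    ranked = rank_threats(threats)
    total = sum(expected_loss(t) for t in ranked)
    if total == 0:
        return 0.0
    return sum(expected_loss(t) for t in ranked[:k]) / total


# Constructed sample register: the threat names come from the post, the
# numbers are invented for illustration and are not estimates for any real system.
SAMPLE_THREATS = [
    Threat("crappy user passwords", 0.9, 20.0),
    Threat("0-day buffer overflow in an exposed service", 0.3, 100.0),
    Threat("lousy Perl/PHP CGI on the web server", 0.6, 40.0),
    Threat("Trojan in the Linux code base", 0.01, 500.0),
]


if __name__ == "__main__":
    for t in rank_threats(SAMPLE_THREATS):
        print(f"{expected_loss(t):7.2f}  {t.name}")
    for name, share in allocate_budget(SAMPLE_THREATS, 100.0).items():
        print(f"{share:6.2f}%  {name}")
    print(f"top 3 threats cover {loss_covered_by_top(SAMPLE_THREATS, 3):.1%} of expected loss")
```

With the constructed figures the high-severity but very improbable "Trojan in the code base" row lands at the bottom of the ranking and draws the smallest share of the budget, which is the post's point: severity alone does not decide priority, probability times severity does. The numbers are the part that needs real evidence (incident history, exposure, asset value); the arithmetic is the easy part.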
