Secure Coding mailing list archives

Re: Re: White paper: "Many Eyes" - No Assurance Against Many Spies


From: ljknews <ljknews () mac com>
Date: Fri, 30 Apr 2004 16:35:31 +0100

At 7:31 PM -0500 4/29/04, Tad Anhalt wrote:

<using Green Hills as an example>

 How did they bootstrap their system?  In other words, how did they
ensure that they could trust their entire tool chain in the first place?
They hint that the whole system was written by a few trusted persons.

Begging the question "trusted by whom?".  Some organizations require
"trusted by the agency issuing security clearances" for certain
(primarily non-tool) software.

Did they write the whole tool chain as well?  The scheme above protects
against future attack, but not against something that was there before
they started.  I'm sure that they have an answer for that question;
it's a pretty obvious one to ask...  Maybe I missed it on my read-through?

 That's the whole point of the Thompson lecture.  The hole is really
deep.  How far can you afford to dig?  How do you decide what to trust?

Ideally, if you find you cannot afford to dig far enough to satisfy your
need, a revision of your business plan is required.

 Green Hills Software obviously has a vested interest in convincing the
reader that it's worth paying them whatever it is that they're charging
for the extra depth...  In some situations, it may be...  That's a risk
management decision.

And one solution acceptable in many conditions is determining whether
the vendor has deep enough pockets that a lawsuit after the fact would
mean something.  I don't know much about finance, but I know that suing
Green Hills Software has more potential than suing the person from whom
you got a copy of Linux.

Not all checks and balances are embedded in the software itself.
