| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <dc718edc0501071754154b694f@mail.gmail.com> From: kkadow at gmail.com (Kevin) Subject: Backdoors and source code (was Re: Multiple Backdoors found...) On Sun, 02 Jan 2005 20:27:09 -0800, Blue Boar <BlueBoar@...evco.com> wrote: > Dave Aitel wrote: > > Of course, this sort of thing is basically impossible to disprove - > > especially without source. > > If I were looking for a well-hidden backdoor, I wouldn't bother with > source. There's no guarantee that a particular binary was produced by a > particular group of source unless you can compile it yourself to the > same set of bytes. And even when you have two binary files built by the same compiler version on two different machines running the same OS version, it's not uncommon for the two files to not produce the same set of bytes. See the recent thread on 'httpd cleanup' from the OpenBSD 'tech' list. > Even then, you've got no guarantee the backdoor > isn't introduced as part of the build process or a compiler quirk, > rather than being in the source. On the subject of "visible source" as a protection against backdoors, I notice that PGP.Com offers source code to their products for download for exactly this purpose, but does *not* provide any instructions on how to validate that the binaries produced from the "visible source" PGP desktop for Windows match up with the binary executables and libraries distributed when you install a licensed PGP desktop build.
Powered by blists - more mailing lists