On Thu, Nov 13, 2003 at 01:28:05AM +0200, Boaz Rymland wrote:
> 
> 
> Stanislav Malyshev wrote:
> 
> >BR>> Isn't that a demonstration of the *real* (no FUD) open source model
> >BR>> security break points?
> >
> >Well, that looks like open source _strong_ point. If the same code was
> >closed, what chance someone - except, of course, for original programmer
> >and probably his associates - would notice that? If, say, Windows function
> >GetProcessSomeObscureAttribute would get you administrator
> >privilege for some combination of flags - what is a chance someone would
> >ever discover that?
> >
> 
> You're definitely right in your point - in OSS many more eyes see the 
> code and can spot potential malicious pieces quickly. But this was not 
> my initial point - and maybe I should have clarified it:
> Open Source model allows many bad minds access to the code, planning and 
> inserting sophisticated/obfuscated pieces of code, that hopefully will go 
> unnoticed, at least for some time, and that will grant them 
> non-legitimate power. Such a method for gaining this power is not 
> possible for the public in closed source environments. This malicious act 
> is an option only for employees of the company creating the specific 
> piece of SW (well, or for anyone else with access to their source code). 
> This seems to me, a weak point in the OSS development model, probably a 
> point which should not go unnoticed, as I'm sure happening, as in fact 
> did not go unnoticed in that example.

[ For the record: the case above did not serve as a test-case for
detecting obscure bugs by multiple eyes. The suspicious piece of code was
spotted by Larry McVoy because of some checksum mismatch. He didn't spot
the "=" instead of "==" by himself, but the circumstances looked very
suspicious so he immediately removed this code and sounded the alarm ]

Certainly not possible in a respectable OS. We all trust Microsoft, Sun,
Apple, IBM and the rest to hire only trust-worthy programmers for system
programming. We know that there's no chance in the world that
one such programmer could leave a time bomb. I mean, if you can't trust
them, who can you trust?

(And while we're on the subject: RedHat is probably such a trustworthy
company as well. I mean: for a certain version they give you their word
that it has no easter eggs ;-) )

But then again, they don't have access to the source code of all the
drivers. Suppose the nice display driver would give you root for a
certain pixel combination? A network card driver also offers quite a few
places for back doors.


So this is not a weak point of the open-source development model, but of
the distributed development model.

To clarify this: Suppose I have plenty of money and patience, and I
want to backdoor many computers. One possible method is to try to get a
backdoor code somehow into a software distribution channel.

I figure that it would be best that the code won't be exposed too long,
because once I start using back-doored systems, there is a very good
chance that someone will figure out how they were trojaned. It would also
be nice to minimize the time others would have the potential to view my
code. 

A useful shortcut is the security updates mechanism. There are quite a
few of them, actually. All I need to do is to find such a system that
updates enough machines, and that I can somehow get my code into.

Not very easy. But given enough money, time to wait for the next
security fix and "will power" this is not unthinkable with Debian. I'm
not sure about other systems.

-- 
Tzafrir Cohen                       +---------------------------+
http://www.technion.ac.il/~tzafrir/ |vim is a mutt's best friend|
mailto:[EMAIL PROTECTED]       +---------------------------+
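
The bracketed note in the message above says the change was caught through a checksum mismatch rather than by someone reading the code. As an added illustration (not part of the original message, and not the tooling used in that incident), the sketch below compares per-file digests of a reference tree against a mirror and reports the differing lines; the trees, paths and function names are constructed for the example.

```python
import difflib
import hashlib

# Constructed sample trees (path -> content); not from any real project.
REFERENCE = {
    "src/check.c": b"int check(int mode)\n{\n    if (mode == 0)\n        return 1;\n    return 0;\n}\n",
    "src/util.c": b"int add(int a, int b) { return a + b; }\n",
}
# The mirror differs by one character in one file and carries an extra file.
MIRROR = {
    "src/check.c": REFERENCE["src/check.c"].replace(b"mode == 0", b"mode = 0"),
    "src/util.c": REFERENCE["src/util.c"],
    "src/extra.c": b"/* not in the reference tree */\n",
}


def digest(data):
    return hashlib.sha256(data).hexdigest()


def changed_lines(old, new):
    """Return only the removed/added lines between two versions of a file."""
    diff = difflib.unified_diff(
        old.decode(errors="replace").splitlines(),
        new.decode(errors="replace").splitlines(),
        lineterm="", n=0)
    # Skip the two file headers, then drop the '@@' hunk markers.
    return [l for l in list(diff)[2:] if not l.startswith("@@")]


def audit(reference, mirror):
    """Compare a mirror against the reference tree, file by file."""
    findings = {}
    for path in sorted(set(reference) | set(mirror)):
        if path not in mirror:
            findings[path] = ("missing-in-mirror", [])
        elif path not in reference:
            findings[path] = ("unexpected-in-mirror", [])
        elif digest(reference[path]) != digest(mirror[path]):
            findings[path] = ("content-mismatch",
                              changed_lines(reference[path], mirror[path]))
    return findings


if __name__ == "__main__":
    for path, (kind, lines) in audit(REFERENCE, MIRROR).items():
        print(kind, path)
        for line in lines:
            print("   ", line)
```

The digest comparison only says that two copies disagree; the diff output is what puts the one-character change in front of a reviewer.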
