On Sun, Oct 13, 2013 at 12:03 PM, Jim Thompson <[email protected]> wrote:
>
> But first, on the tail of the recent thread that erupted here, consider this
> backdoor that someone (?) recently (?) discovered (?) in the firmware for
> certain D-link routers:
> http://www.devttys0.com/2013/10/reverse-engineering-a-d-link-backdoor/
>

Indeed re: subject. This same thing has happened on numerous occasions on SOHO grade routers. The ones that don't have explicit back doors tend to have some exploitable issue in their web interface which commonly aren't patched. Many other types of embedded devices have back door accounts, including a lot in the industrial control systems space. These are by all accounts from a complete lack of security in the development process, not some state-sponsored back door.

Those kinds of issues are impossible for us to introduce without causing an uproar from it being easily and quickly discovered. These are things most commercial router vendors have had an issue with at some point.

> To the best of our ability so far, pfSense is both observable and verifiable.
> The source code is on github (https://github.com/pfsense/),
> and the build process is quasi-documented. Getting something like the
> ‘backdoor by Joel’ above into the codebase without detection
> would be difficult if not impossible. (There are more subversive means,
> which I touched on mid-thread, but they still fail in the presence of a
> public development process.)

It's watched closer than people realize. Several of those employed by us review all commits. But in addition to that, I'm surprised how many community members review all commits or nearly all. So much as a typo in a comment doesn't slide by, much less a back door.

Some people seem to have the impression that while the source is open, no one actually checks it (see previous thread). Nothing could be further from the truth.

_______________________________________________
List mailing list
[email protected]
http://lists.pfsense.org/mailman/listinfo/list
