On Mon, 09 Sep 2013 02:39:09 +1000, Chris Angelico wrote:

> On Mon, Sep 9, 2013 at 2:08 AM, Charles Hottel <chot...@earthlink.net>
> wrote:
>> I think this article is relevant although the code examples are not
>> Python but C:
>>
>> http://cm.bell-labs.com/who/ken/trust.html
>
> That is quite true, and yet not truly helpful here :) It's like pointing
> out that we could be being fed false information, and then suggesting
> that The Matrix is technically possible. Once you start distrusting to
> that level, you become paranoid to a point that's inappropriate to all
> but the most critical situations. I'd accept and maybe even recommend
> that sort of paranoia if you're running a nuclear power station, or an
> automated weapon system capable of firing missiles that destroy the
> planet, or a bank that holds everyone's money. For the average Joe,
> there's no point panicking.
>
> Also: That hack works beautifully when there's precisely one C compiler.
> In today's world, there are many (well known ones like gcc, clang, MS
> Visual Studio (whatever the compiler from that is called), and a bunch
> of lesser-known ones as well), and it's pretty easy to just grab a
> different compiler and build. The chances that your code will be falsely
> compiled by TWO compilers would have to be infinitesimal, and you
> needn't stop at two.
That logic is dubious. Compilers aren't compromised by chance, and we
don't know the a priori probability of any specific compiler being
compromised. That depends on the attacker, surely? We know, for example,
that the NSA has compromised multiple brands of router, smart phone and
similar. If they, or some other similar organisation with equivalent
capabilities, were going to attack compilers in the same manner, they
surely wouldn't stop at one.

Would people notice? How often do people compare the machine code output
of two different compilers, looking for back-doors in the generated code?
Would you know where to look? If you found some differences, wouldn't you
likely just chalk it up to different compilers producing different code?

I think the best argument against this suggestion is that it would be an
order of magnitude harder to compromise open source compilers, as you
discuss below, and therefore gcc is *probably* (but not certainly) safe.
But closed source? If Microsoft inserted a backdoor into Windows 8 on
behalf of the NSA, as seems to be the case, then surely they'd also do
the same to Visual Studio if asked.

Organisations like the NSA don't operate under the rule "if there is one
single uncompromised machine on the planet, we've lost". It's a numbers
game. If (hypothetically speaking) they had inserted backdoors into Visual
Studio, gcc and clang, but not Larry's Cool C Compiler, I don't think
they're going to lose sleep over that.

> Since many people build (to take one example) gcc
> from source, using an old version of gcc, the hack would have to be
> propagated to all current gcc builds in some way - you can't simply
> build once and install the binary as the official C compiler, not in
> today's distributed society. (If you're truly paranoid, you might
> believe that gcc has had the hack in it since its inception. But some
> people build gcc using other compilers, too.)
Yep, I agree -- although probably no individual has inspected the entire
tool chain involved in building gcc, enough people have inspected each
individual component that we can be reasonably confident that it is okay.

> If you can't trust any code you didn't write yourself,

You trust yourself? You sheeple! The truly cautious man doesn't even
trust himself. You might be an unconscious sleeper agent. Haven't you
watched The Running Man? (Ha ha only serious.)

-- 
Steven

-- 
https://mail.python.org/mailman/listinfo/python-list
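An added example, not part of the thread and not written by any of the posters: a toy model in Python of the compiler trojan from Thompson's paper, together with the "build it with a second compiler and compare" check that Chris suggests and Steven questions, which David A. Wheeler later formalised as diverse double-compiling (DDC). Everything in it is constructed for illustration: the two honest "compilers", the login routine, the master password `letmein`, and the helper names `load`, `build`, `backdoored` and `ddc` are all my own, and it assumes Python 3.9 or later for `ast.unparse`. The toy language is Python itself and a "binary" is the emitted source text, so binaries can be compared byte for byte. Two things to watch: the compiler source stays clean throughout, the trojan lives only in the binary and re-inserts itself when that binary rebuilds the compiler; and the comparison catches it only when the second compiler is genuinely independent, so the last check models the case Steven raises, where every compiler on hand carries the same trojan and the comparison passes.

```python
"""Toy model of the compiler trojan from Thompson's "Reflections on Trusting
Trust", plus a diverse double-compiling (DDC) check.

The toy "language" is Python itself, and a compiler "binary" is just the
source text it emits, so binaries can be compared byte for byte.  Every
source string below is constructed for this example.  Requires Python 3.9+
(ast.unparse).
"""
import ast

# Source of the honest compiler: it only canonicalises the program it is given.
CLEAN_COMPILER_SRC = '''import ast

def compile_prog(src):
    return ast.unparse(ast.parse(src))
'''

# Source of a login routine; `stored` stands in for the real password.
LOGIN_SRC = '''def check_password(pw, stored):
    return pw == stored
'''

# A second, independently written "compiler" (Larry's Cool C Compiler, if you
# like).  It emits the source unchanged, which is a valid if lazy way of
# producing something load() can run.  The DDC check needs only that it is
# honest, not that it generates the same code as the honest compiler above.
TRUSTED_BINARY = '''def compile_prog(src):
    return src
'''

# Body of the trojaned compiler binary.  It recognises two inputs: the login
# routine (inject a master password) and the compiler source (emit a copy of
# itself rather than the honest compiler it was asked to build).  Self-copying
# uses the usual quine trick: _T holds this body, with the placeholder replaced
# by the body's own repr.
_TROJAN_BODY = '''import ast
_T = TEMPLATE_PLACEHOLDER
def compile_prog(src):
    out = ast.unparse(ast.parse(src))
    if "def check_password" in src:
        out = out.replace("return pw == stored", "return pw == stored or pw == 'letmein'")
    if "def compile_prog" in src:
        out = _T.replace("TEMPLATE_" + "PLACEHOLDER", repr(_T))
    return out
'''
TROJAN_BINARY = _TROJAN_BODY.replace("TEMPLATE_PLACEHOLDER", repr(_TROJAN_BODY))


def load(binary, name="compile_prog"):
    """'Run' a binary: exec its text and return the named function."""
    ns = {}
    exec(binary, ns)
    return ns[name]


def build(compiler, src):
    """Compile src with a compiler binary; the result is another binary."""
    return load(compiler)(src)


def backdoored(compiler):
    """Does a login routine built by this compiler accept the master password?"""
    check = load(build(compiler, LOGIN_SRC), "check_password")
    return check("letmein", "hunter2")


def ddc(compiler_src, suspect, trusted):
    """Diverse double-compiling (Wheeler): regenerate the suspect compiler
    from its source via an independent trusted compiler and compare with the
    suspect's own self-regeneration.  An honest, deterministic suspect gives
    identical output; a self-propagating trojan gives a mismatch, unless the
    trusted compiler carries the same trojan, in which case nothing is seen.
    """
    stage1 = build(trusted, compiler_src)      # trusted builds the compiler
    stage2 = build(stage1, compiler_src)       # that build rebuilds itself
    self_rebuilt = build(suspect, compiler_src)
    return stage2 == self_rebuilt


if __name__ == "__main__":
    honest = build(TRUSTED_BINARY, CLEAN_COMPILER_SRC)
    print("honest compiler backdoors login:", backdoored(honest))
    print("trojan compiler backdoors login:", backdoored(TROJAN_BINARY))
    rebuilt = build(TROJAN_BINARY, CLEAN_COMPILER_SRC)  # clean source in...
    print("rebuilt from clean source, still trojaned:", backdoored(rebuilt))
    print("DDC, independent trusted compiler:",
          ddc(CLEAN_COMPILER_SRC, TROJAN_BINARY, TRUSTED_BINARY))
    print("DDC, trusted compiler has the same trojan:",
          ddc(CLEAN_COMPILER_SRC, TROJAN_BINARY, TROJAN_BINARY))
```

Run it and the third line is the Thompson point: `CLEAN_COMPILER_SRC` contains no backdoor, yet the compiler built from it by the trojaned binary still backdoors the login routine. The two DDC lines are the thread's argument in miniature: the check fails (correctly) against an independent honest compiler and passes (silently) when the "independent" compiler carries the same trojan.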