Rockbox mail archive
Subject: Re: mp3 cutting and pasting
From: Fred Maxwell <rockbox_at_anti-spam.org>
Date: Mon, 09 Aug 2004 17:22:37 -0400
Long post warning!
Johan Vromans wrote:
> Actually, this proves that the principle works. The malicious code was
> found and eliminated.
Malicious code was found in many closed source projects, too, but I
don't consider the discovery proof that closed source guarantees
security. What concerns me is that, in both cases I mentioned, the
malicious code went undetected for extended periods of time.
> Most of these tools are closed software themselves.
> Maybe you should (re)read Ken Thompson's famous article on "Reflections
> on Trusting Trust".
I have read it and went back to it to make sure that I was remembering
it correctly. If you recall, he modified a C compiler such that it
compiled in a back-door. Ken Thompson's conclusion was: "You can't trust
code that you did not totally create yourself," and that "no amount of
source-level verification or scrutiny will protect you from using
untrusted code." That seems to fly in the face of your assertion that
having the source means that you can trust the code.
Security is not a true/false kind of thing. One has to look at the
risks and motivations. What is the risk for a company like ZoneLabs if
their firewall was found to contain malicious code? What would their
motivation be? What happens if the Sysinternals software is found to be
malicious? Since it's designed to showcase the talents of Mark
Russinovich and Bryce Cogswell, two of the most respected authors of
Windows programming books and software tools, it could ruin them. What
would they gain from your hard disk? Your credit card number? They
probably have enough credit cards already and aren't likely to risk jail
by stealing other people's. Now what's the risk to some 16-year-old kid
in Hungary who tries to sneak some malicious software into Linux? If he's
successful, he might have back-door access to many e-commerce web
servers, home systems, etc. If he fails, there's a good chance he'll
never be identified or prosecuted.
None of the above is meant to imply that closed source is more secure
than open source or vice-versa. Just that there are different checks
and balances at work and that nothing is black and white.
Received on 2004-08-09