Rockbox mail archive

Subject: Re: mp3 cutting and pasting
From: Fred Maxwell <rockbox_at_anti-spam.org>
Date: Mon, 09 Aug 2004 17:22:37 -0400

Long post warning!

Johan Vromans wrote:
> Actually, this proves that the principle works. The malicious code was
> found and eliminated.

Malicious code was found in many closed source projects, too, but I don't consider the discovery proof that closed source guarantees security. What concerns me is that, in both cases I mentioned, the malicious code went undetected for extended periods of time.

> Most of these tools are closed software themselves.
> Maybe you should (re)read Ken Thompson's famous article on "Reflections
> on Trusting Trust".

I have read it and went back to it to make sure that I was remembering it correctly. If you recall, he modified a C compiler such that it compiled in a back-door. Ken Thompson's conclusion was: "You can't trust code that you did not totally create yourself," and that "no amount of source-level verification or scrutiny will protect you from using untrusted code." That seems to fly in the face of your assertion that having the source means that you can trust the code.

Security is not a true/false kind of thing. One has to look at the risks and motivations. What is the risk for a company like ZoneLabs if their firewall was found to contain malicious code? What would their motivation be? What happens if the Sysinternals software is found to be malicious? Since it's designed to showcase the talents of Mark Russinovich and Bryce Cogswell, two of the most respected authors of Windows programming books and software tools, it could ruin them. What would they gain from your hard disk? Your credit card number? They probably have enough credit cards already and aren't likely to risk jail by stealing other people's.

Now what's the risk to some 16-year-old kid in Hungary to try to sneak some malicious software into Linux? If he's successful, he might have back-door access to many e-commerce web servers, home systems, etc. If he fails, there's a good chance he'll never be identified or prosecuted.
None of the above is meant to imply that closed source is more secure than open source or vice-versa. Just that there are different checks and balances at work and that nothing is black and white.

Regards,
Fred Maxwell

_______________________________________________
http://cool.haxx.se/mailman/listinfo/rockbox

Received on 2004-08-09