Boston Linux & UNIX was originally founded in 1994 as part of The Boston Computer Society. We meet on the third Wednesday of each month at the Massachusetts Institute of Technology, in Building E51.

BLU Discuss list archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Discuss] Good and Bad Crypto

> From: Derek Martin [mailto:invalid at]
> On Tue, Apr 22, 2014 at 06:37:51PM +0000, Edward Ned Harvey (blu) wrote:
> > Supposing a bad guy writes software, open source, and makes it
> > available for download in source form as well as precompiled binary,
> > where he's compiled some trojan into the binary.
> Yes, this can happen.  And only if the source is available to you, do
> you have ANY opportunity to verify it or rule it out.  If there is no
> source, there is no possible way for you to know.

Even with the source available, you *still* don't have any way to rule out a trojan binary, because even if you build it yourself, you're very unlikely to get the same exact binary that the distributor distributes.

So if you don't trust the statements made by a software distributor, whether they be "This binary is compiled from the following sources," or "This compiled binary behaves according to the following spec," then literally the only thing you can do is to *both* read and understand all the source for everything you will use, *and* build it yourself.

Don't want to read and build everything yourself?  You're going to use a binary somebody else gave you?  Then you must believe they didn't compile a trojan into it, either because they claim it was built from the open source they've published, or because they claim it behaves according to a spec they've published.

BLU is a member of BostonUserGroups
BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.

Valid HTML 4.01! Valid CSS!

Boston Linux & Unix /