D.E. Chadbourne writes:
| John Chambers wrote:
| > Someone wrote:
| > | On Tue, 16 Mar 2004, D.E. Chadbourne wrote:
| > | > Explosive Cold War Trojan has lessons for Open Source exporters
| > | > http://www.theregister.co.uk/content/4/36270.html
| > |
| > | This story about US sabotage of Soviet pipelines has been rather
| > | thoroughly debunked.
| >
| > So where has it been debunked? It certainly sounds like a
| > PR story, but that doesn't necessarily make it true or
| > false. ...
|
| Hi again. I agree. I searched but no debunking has appeared. ...
| So far I think that the story appears to be true.

Well, maybe it's true; maybe it's not. But the take on the story in a lot of the world will probably be based on something else. It seems that a CIA guy has gone public with the story, presumably with the CIA's permission. Whether it's history or propaganda, we don't know. But we can conclude that there are people in the US government who consider this a Good Thing to do to their enemies (and innocent bystanders). And they don't mind the world knowing. So the idea that American software isn't to be trusted isn't paranoia; it's a rational response to apparent policies of the US government.

Of course, a lot of software security people would openly state that this is not only true, but that you shouldn't trust any software from any source. It's not just Americans; security means that you should make sure that your people have studied the source code and you've compiled it all yourself. And you've compiled the OS yourself. And you've compiled the compiler yourself (with a different compiler from a different source). And you've studied the firmware in the CPU. This can be expensive, so you want some help if you can find it.

The Open Source crowd should be in a good position here. We can easily tell people "You shouldn't trust us. We don't trust each other. That's why we make all the code available, and we do check it ourselves. You'll have to hire people to do the same. But you'll have to do that no matter where you get your software. We just make it a lot easier. And we won't file a lawsuit against you if you find a problem in our code. We'll thank you publicly, and fix it fast."

We might also point out that there have been cases of OSS distributions that had backdoors and Trojans. But because the OSS crowd has a lot of people who enjoy studying code and like to show off their expertise, these problems have generally been spotted very quickly, within a day or so, and fixes are usually available online in hours. So you not only have your people studying the code; you also have a few thousand hackers doing the same thing and hollering loudly when they find something suspicious.

Notice that you don't have to name any corporations or countries. Sure, Microsoft is a problem, as is the US government. But they're just the biggest meanies on the planet. There are others who are every bit as bad. All software should be treated with the same suspicion. Lots of managers will understand this argument.