Slashdot article on MITRE open source software
John Chambers
jc at trillian.mit.edu
Fri Nov 29 22:58:27 EST 2002
Bill writes:
| > John Chambers <jc at trillian.mit.edu> writes:
| > > Then, of course, there's Ken Thompson's famous "Reflections on
| > > Trusting Trust" paper, in which he explains how to install a backdoor
| > > in a program in such a way that it doesn't appear anywhere in the
| > > source, but is inserted in the binary by the compiler. Also, the
| > > insertion code doesn't appear in the compiler source, but is in the
| > > binary version of the compiler, even after you recompile it.
...
| Isn't it an academic problem? The invention of public key cryptography, and
| the verification checksums it supports, should obviate this.
Not likely in this case. Ken Thompson was the author of the
compiler, remember. All the verification schemes can do is
warn you that someone has tampered with the code after the
kit was prepared. If the tampering was done by the author
before building the kit, the checksums can warn you if
someone removes the backdoor. They can't do much to warn
you of things that the author included.