A year ago last Fall I was at a talk at MIT about computer security,
and of course, someone asked just that question about backdoors.
The audience person asked, "Do you know anything about backdoors
The speaker (a person with a strong background in security) replied,
"You don't need one." I heard several chuckles in response from the
Cheers -- Martha Adams [cola 2007 Apr 26]
"The Ghost In The Machine" <ewill@xxxxxxxxxxxxxxxxxxxxxxx> wrote in
> In comp.os.linux.advocacy, [H]omer
> on Thu, 26 Apr 2007 18:31:06 +0100
>> Verily I say unto thee, that Roy Schestowitz spake thusly:
>>> "Trusted" Computing
>>> ,----[ Quote ]
>>> | Do you imagine that any US Linux distributor would say no to the
>>> | US government if they were requested (politely, of course) to add
>>> | a back-door to the binary Linux images shipped as part of their
>>> | products ? Who amongst us actually uses the source code so
>>> | given to us on the extra CDs to compile our own version ?
>> Five simple steps to "Trusted Computing":
>> 1) ... Know the facts <http://www.lafkon.net/tc/>
> Hm. Trusted Computing. Nice presentation, if a little
> inefficient (6 MB for a video that could probably have been
> done in less than 10K or so on a web page -- but would it
> have the same impact?).
> The gist: who trusts whom with "Trusted Computing"?
> And what, exactly, are they defending against?
> Viruses? Economic downturns? Governmental antitrust action?
>> 2) ... Forget Windows
> Ideally, yes. In practice, the 800 pound monopolistic
> gorilla is hard to ignore, although hopefully one can
> tickle his feet and have him fall off a cliff or something.
>> 3) ... Install a community Linux distro
>> 4) ... Review the licenses and sources
>> 5) ... Update from sources, and audit the diffs
>> Caveat: Step 4 may take a lifetime, but then you are not alone ...
>> are many eyes auditing the source.
> And some distros even require *your computer* to compile
> the source -- which can be a pain for big packages (e.g.,
> OpenOffice) but can also be a good thing for those who
> are a little paranoid.
> For example, in Gentoo one can peruse the patched source by simply
> # ebuild /usr/portage/somedir/somefile.ebuild unpack
> then browse around in the temporary area (specified in
> /etc/make.conf, as is the portage tree and distfiles, so
> take pathnames here with a grain of salt). This source can
> be edited at will, then compiled using 'ebuild compile',
> though there are more reliable ways by which to accomplish
> what's needed (e.g., local portage packaging).
> Licenses in Gentoo are stuck in /usr/portage/licenses.
> For their part, distros such as RedHat and Fedora provide
> source RPMS, which can be used in a build process; it's
> a little less integrated, though. Debian's process
> is similar to Redhat/Fedora's, but uses .deb files,
> basically, structured archives.
> I can't speak regarding other distros, as I've not used them.
>> Recent example:
>> OpenBSD stole bcm43xx Linux driver (GPL violation):
>> Open Source is an Open Book, there is no hiding place.
> #191, ewill3@xxxxxxxxxxxxx
> Linux. Because it's there and it works.
> Windows. It's there, but does it work?