<div>
remind me of<br><br>
http://www.msnbc.msn.com/id/4394002<br><br>
beware of 'internet' 'exploder'<br><br>
black boxes are not to be trusted.<br><br>
okay, so you can verify the software, but can you verify the compiler?<br><br>
http://www.ece.cmu.edu/~ganger/712.fall02/papers/p761-thompson.pdf<br><br>
hmmm, so software is one thing, how do you verify firmware? or silicon?<br><br>
we're getting chips that are so complex, nobody really can understand them apart from the designers...<br><br>
if you do try, then it's DMCA time for you and you're going to jail.<br><br>
verifying trust in the digital domain is becoming harder, not easier.<br><br>
interesting stuff<br><br>
--- On <b>Fri, 30/10/09, Rick Moynihan <i>&lt;rick.moynihan@gmail.com&gt;</i></b> wrote:<br>
<blockquote style="border-left: 2px solid rgb(16, 16, 255); margin-left: 5px; padding-left: 5px;">
From: Rick Moynihan &lt;rick.moynihan@gmail.com&gt;<br>
Subject: Re: [dundee] U.S. Dept of Defense &amp; Open-Source Software<br>
To: "Tayside Linux User Group" &lt;dundee@lists.lug.org.uk&gt;<br>
Date: Friday, 30 October, 2009, 12:03 AM<br><br>
<div class="plainMail">
2009/10/29 gordon dunlop &lt;<a href="mailto:astrozubenel@googlemail.com">astrozubenel@googlemail.com</a>&gt;:<br>
&gt; This is an article where the U.S. Department of Defense clarifies the use of<br>
&gt; open-source software and puts it on level terms with proprietary software,<br>
&gt; U.K. take note, no-one wants to see aircraft and warships etc. crippled by<br>
&gt; silly viruses e.g. conficker.<br>
&gt;<br>
&gt; <a href="http://gcn.com/Articles/2009/10/28/DoD-OSS-II.aspx?Page=1" target="_blank">http://gcn.com/Articles/2009/10/28/DoD-OSS-II.aspx?Page=1</a><br><br>
Neat... Reminds me of this article I read in the New York Times about the potential for hidden "kill switches" to be hidden in the commodity hardware that gets used in high tech weaponry.<br><br>
<a href="http://www.nytimes.com/2009/10/27/science/27trojan.html?_r=1" target="_blank">http://www.nytimes.com/2009/10/27/science/27trojan.html?_r=1</a><br><br>
(Sorry for the NYT link (use bugmenot to read the full article if you have problems)).<br><br>
How can the US know that their shiny new F22s can't be bricked mid flight via a trojan inserted by that Chinese semiconductor fabricator who was contracted to print the chips? Answer... they don't.<br><br>
Interesting that they suspect Israel of switching the Syrian air defence system off when they attacked their nuclear reactor.<br><br>
Open Source along with an auditing process has to be a good solution to this (for the software/firmware at least). For details on the relatively trivial forensics for spotting when people sneak security patches (good or malicious) through the back door, see this post describing how Zed Shaw found out what the undisclosed (but patched) security vulnerabilities were in ruby/rails. (IIRC the Ruby devs discovered a vulnerability and patched it secretly to protect the likes of twitter).<br><br>
<a href="http://www.zedshaw.com/essays/the_big_ruby_vulnerabilities.html" target="_blank">http://www.zedshaw.com/essays/the_big_ruby_vulnerabilities.html</a><br><br>
That reminds me, git bisect is awesome for discovering exactly when (i.e. which commit/version) software was patched to fix particular issues.<br><br>
R.<br><br>
_______________________________________________<br>
dundee GNU/Linux Users Group mailing list<br>
<a href="mailto:dundee@lists.lug.org.uk">dundee@lists.lug.org.uk</a> <a href="http://dundeelug.org.uk" target="_blank">http://dundeelug.org.uk</a><br>
<a href="https://mailman.lug.org.uk/mailman/listinfo/dundee" target="_blank">https://mailman.lug.org.uk/mailman/listinfo/dundee</a><br>
Chat on IRC, #tlug on irc.lug.org.uk<br>
</div>
</blockquote>
</div>
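The git bisect technique Rick mentions for finding exactly which commit carried a quietly applied fix, as an added example that is not part of the thread: it builds a throwaway repository with a constructed five-commit history and a hypothetical probe script that tests for the old behaviour, then lets `git bisect run` converge on the first commit where the behaviour changed.

```shell
#!/bin/sh
# Added example (not from the thread): use git bisect to pinpoint the commit
# that quietly changed a behaviour, the way one hunts an undisclosed fix.
# The repository history is constructed and the probe script is hypothetical.
set -e

find_fix_commit() (
  repo=$(mktemp -d)
  probe=$(mktemp)
  cd "$repo"
  git init -q
  git config user.email dev@example.invalid
  git config user.name dev
  # Constructed history: five commits; commit 4 silently tightens a limit.
  i=1
  while [ "$i" -le 5 ]; do
    if [ "$i" -ge 4 ]; then
      printf 'LIMIT=16\n' > config.sh    # fixed, stricter behaviour
    else
      printf 'LIMIT=1024\n' > config.sh  # original, permissive behaviour
    fi
    git add config.sh
    git commit -q --allow-empty -m "commit $i"
    i=$((i + 1))
  done
  # Probe: exit 0 ("good") while the old behaviour is present and 1 ("bad")
  # once the fix is in, so bisect converges on the first commit carrying it.
  cat > "$probe" <<'EOF'
#!/bin/sh
. ./config.sh
[ "$LIMIT" -eq 1024 ]
EOF
  chmod +x "$probe"
  git bisect start HEAD HEAD~4 >/dev/null 2>&1
  git bisect run "$probe" >/dev/null 2>&1
  # After a finished run, refs/bisect/bad names the first "bad" commit.
  git log -1 --format=%s refs/bisect/bad
  git bisect reset >/dev/null 2>&1
  rm -rf "$repo" "$probe"
)

find_fix_commit   # prints the subject of the commit that carries the fix
```

Against a real project the probe would exercise the suspected behaviour (a failing request, a rejected input) instead of sourcing a config file, and the good/bad endpoints would be the last release known to behave the old way and the first one that does not.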