[dundee] U.S. Dept of Defense & Open-Source Software

Lee Hughes toxicnaan at yahoo.co.uk
Mon Nov 2 17:02:12 UTC 2009


reminds me of

http://www.msnbc.msn.com/id/4394002

beware of 'internet' 'exploder'

black boxes are not to be trusted.

okay, so you can verify the software, but can you verify the compiler?

http://www.ece.cmu.edu/~ganger/712.fall02/papers/p761-thompson.pdf

hmmm, so software is one thing, how do you verify firmware? or silicon?

we're getting chips that are so complex, nobody really can understand them apart from the designers...

if you do try, then it's DMCA time for you and you're going to jail.

verifying trust in the digital domain is becoming harder, not easier.

interesting stuff

--- On Fri, 30/10/09, Rick Moynihan <rick.moynihan at gmail.com> wrote:

From: Rick Moynihan <rick.moynihan at gmail.com>
Subject: Re: [dundee] U.S. Dept of Defense & Open-Source Software
To: "Tayside Linux User Group" <dundee at lists.lug.org.uk>
Date: Friday, 30 October, 2009, 12:03 AM

2009/10/29 gordon dunlop <astrozubenel at googlemail.com>:
> This is an article where the U.S. Department of Defense clarifies the use of
> open-source software and puts it on level terms with proprietary software,
> U.K. take note, no-one wants to see aircraft and warships etc. crippled by
> silly viruses e.g. conficker.
>
>  http://gcn.com/Articles/2009/10/28/DoD-OSS-II.aspx?Page=1

Neat... Reminds me of this article I read in the New York Times about
the potential for hidden "kill switches" to be hidden in the commodity
hardware that gets used in high tech weaponry.

http://www.nytimes.com/2009/10/27/science/27trojan.html?_r=1

(Sorry for the NYT link (use bugmenot to read the full article if you
have problems)).

How can the US know that their shiny new F-22s can't be
bricked mid-flight via a trojan inserted by that Chinese semiconductor
fabricator who was contracted to print the chips?  Answer... they
don't.

Interesting that they suspect Israel of switching the Syrian air
defence system off when they air-struck their nuclear
reactor.

Open Source along with an auditing process has to be a good solution
to this (for the software/firmware at least).  For details on the
relatively trivial forensics for spotting when people sneak security
patches (good or malicious) through the back door see this post
describing how Zed Shaw found out what the undisclosed (but patched)
security vulnerabilities were in ruby/rails.  (IIRC the Ruby devs
discovered a vulnerability and patched it secretly to protect the
likes of twitter).

http://www.zedshaw.com/essays/the_big_ruby_vulnerabilities.html

That reminds me git bisect is awesome for discovering exactly when
(i.e. which commit/version) software was patched to fix particular
issues.

R.

_______________________________________________
dundee GNU/Linux Users Group mailing list
dundee at lists.lug.org.uk  http://dundeelug.org.uk
https://mailman.lug.org.uk/mailman/listinfo/dundee
Chat on IRC, #tlug on irc.lug.org.uk
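Worked illustration of the "spot the quietly landed security patch with git bisect" idea from the quoted message. This is an added example, not code from the thread, from Zed Shaw's essay or from any real project: it builds a throwaway git history in a temp directory (the repository, the commit messages, the toy `escape.sh` "sanitiser" and the behavioural probe are all invented for the demo), where release 4 silently starts stripping shell metacharacters under an innocuous commit message, and then uses `git bisect run` with that probe to find the commit whose diff is the undisclosed fix.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or any real project: build a
# throwaway git history in which one commit quietly hardens escape.sh (its
# commit message says nothing about security), then let `git bisect run` find
# that commit from a behavioural probe. Requires a working `git`.
set -eu

# Create the demo repository and print its path. Every name here is invented.
make_repo() {
  repo=$(mktemp -d)
  (
    cd "$repo"
    git init -q .
    git config user.email "demo@example.invalid"
    git config user.name "bisect demo"
    git config commit.gpgsign false

    # Releases 1-3 ship a "sanitiser" that only strips spaces.
    cat > escape.sh <<'EOF'
#!/bin/sh
printf '%s' "$1" | tr -d ' '
EOF
    chmod +x escape.sh
    git add escape.sh && git commit -q -m "release 1: add escape.sh"
    echo "release 2" >> NEWS && git add NEWS && git commit -q -m "release 2"
    echo "release 3" >> NEWS && git add NEWS && git commit -q -m "release 3"

    # Release 4 also strips ';', '|' and '&', but the commit message hides it.
    cat > escape.sh <<'EOF'
#!/bin/sh
printf '%s' "$1" | tr -d ' ;|&'
EOF
    git commit -q -a -m "release 4: tidy up escape.sh"
    echo "release 5" >> NEWS && git add NEWS && git commit -q -m "release 5"
  )
  echo "$repo"
}

# Bisect between the first commit ("good" = old, still-vulnerable behaviour)
# and HEAD ("bad" = behaviour changed), using a probe that feeds escape.sh a
# payload and checks whether the ';' survives. Prints the first "bad" commit,
# i.e. the one that changed the behaviour.
find_fix_commit() {
  repo=$1
  probe=$(mktemp)
  cat > "$probe" <<'EOF'
#!/bin/sh
# exit 0 => old behaviour (';' survives), exit 1 => behaviour changed
case $(./escape.sh 'id;rm -rf /') in
  *';'*) exit 0 ;;
  *)     exit 1 ;;
esac
EOF
  (
    cd "$repo"
    first=$(git rev-list --max-parents=0 HEAD)
    git bisect start HEAD "$first" >/dev/null
    git bisect run sh "$probe" >/dev/null
    git rev-parse refs/bisect/bad       # git's record of the first bad commit
    git bisect reset >/dev/null 2>&1 || true
  )
  rm -f "$probe"
}

main() {
  repo=$(make_repo)
  fix=$(find_fix_commit "$repo")
  echo "first commit that changes escape.sh's behaviour: $fix"
  # The diff of that commit is the "undisclosed" patch; the commit message
  # alone would never have told you.
  git --no-pager -C "$repo" show "$fix"
  rm -rf "$repo"
}
main
```

The probe is deliberately a behavioural test rather than a text search of the diffs: that is what makes the technique work against a patch whose commit message and release notes are silent. Marking "still vulnerable" as `good` and "changed" as `bad` keeps the default bisect terms; `git bisect start --term-old/--term-new` reads better but needs a newer git.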



      
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.lug.org.uk/pipermail/dundee/attachments/20091102/161eda4c/attachment.htm 


More information about the dundee mailing list