[GLLUG] Am I over-reacting to this?

John Edwards john at cornerstonelinux.co.uk
Thu Jan 16 10:21:21 UTC 2014


On Thu, Jan 16, 2014 at 10:01:00AM +0000, Adrian McMenamin wrote:
> On 15 January 2014 22:26, John Edwards <john at cornerstonelinux.co.uk> wrote:
<snip>
>> Even compiling from source does not give you 100% safety, because you
>> then need to trust the C compiler (see Ken Thompson).
>
> It might not even be the compiler - it might simply be impossible to know:
> 
> http://arstechnica.com/security/2014/01/how-the-nsa-may-have-put-a-backdoor-in-rsas-cryptography-a-technical-primer/

Impossible? If the application is open source then you *can* find out
which algorithm is used (and more importantly - how it is implemented).

In the examples in the link you gave, RSA's BSAFE is closed source
software and Debian was a failure of implementation in the random
number generator (caused by the use of automated code validation
tools). Debian's problem was discovered by examination of the code
and fixed. RSA's was found by the leaking of information from the NSA.


-- 
#---------------------------------------------------------#
|    John Edwards   Email: john at cornerstonelinux.co.uk    |
#---------------------------------------------------------#
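The Debian RNG failure mentioned above is a useful case study in why "examination of the code" finds this class of bug: the defect was a seeding path that had stopped mixing its entropy buffer into the pool, leaving the process ID as effectively the only seed. The following Python model is an added, constructed illustration written for this page; it is not the original post's code and not OpenSSL's, and the `ToyPRNG` class, `PID_MAX` and every function name are assumptions made for the example. It shows the attacker's side (recovering the seed by enumeration) and the audit check a maintainer could have run (re-seeding repeatedly and counting distinct outputs).

```python
"""Toy model of a PRNG whose entropy mixing was removed, leaving only the PID as seed.

Constructed illustration for this page; it is NOT OpenSSL's code. The pool is a
SHA-256 accumulator and output block i is SHA-256(pool || i), which is a
deliberate simplification of a real CSPRNG.
"""
import hashlib
import os
from typing import Optional

PID_MAX = 32768  # assumption: Linux's default pid_max, so at most this many seeds


class ToyPRNG:
    """Hash-based entropy pool with a switch that models the lost mixing call."""

    def __init__(self, mix_entropy: bool = True):
        self.pool = hashlib.sha256()
        self.mix_entropy = mix_entropy
        self.counter = 0

    def add(self, data: bytes) -> None:
        """Mix bytes into the pool. With mix_entropy=False this is a no-op,
        modelling a build in which the mixing call has been removed."""
        if self.mix_entropy:
            self.pool.update(data)

    def seed(self, pid: int, entropy: bytes) -> None:
        """Seed from process state: the PID is mixed in either way, the
        entropy buffer only when mixing still works."""
        self.pool.update(pid.to_bytes(4, "big"))
        self.add(entropy)

    def get_bytes(self, n: int) -> bytes:
        """Produce n bytes as successive SHA-256(pool || counter) blocks."""
        out = b""
        while len(out) < n:
            block = self.pool.copy()
            block.update(self.counter.to_bytes(8, "big"))
            out += block.digest()
            self.counter += 1
        return out[:n]


def generate_key(pid: int, entropy: bytes, broken: bool) -> bytes:
    """Derive a 16-byte key the way a process would at startup."""
    rng = ToyPRNG(mix_entropy=not broken)
    rng.seed(pid, entropy)
    return rng.get_bytes(16)


def recover_pid(key: bytes) -> Optional[int]:
    """Attacker side: if the generator is broken, the entire key space is
    PID_MAX keys, so an observed key can be matched back to its seed by
    enumerating every PID. Against a working generator this fails, because
    the key also depends on entropy the attacker does not have."""
    for pid in range(1, PID_MAX):
        if generate_key(pid, b"", broken=True) == key:
            return pid
    return None


def distinct_keys_from_repeated_seeding(pid: int, broken: bool, trials: int = 50) -> int:
    """Audit check: re-seed with fresh OS entropy `trials` times and count
    distinct outputs. A healthy generator yields `trials` distinct keys;
    the broken one yields exactly 1, because only the PID reaches the pool."""
    return len({generate_key(pid, os.urandom(32), broken) for _ in range(trials)})


if __name__ == "__main__":
    observed = generate_key(4242, os.urandom(32), broken=True)
    print("recovered PID from broken build:", recover_pid(observed))
    print("distinct keys, broken build:", distinct_keys_from_repeated_seeding(4242, True))
    print("distinct keys, working build:", distinct_keys_from_repeated_seeding(4242, False))
```

The audit check is the point a reviewer would want: a generator whose output is identical across re-seeds in the same process is broken regardless of how sound the algorithm looks on paper, and that test needs no knowledge of the attacker's method.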