[Linux-aus] Unix world reminded of creator Thompson's stunt

Con Zymaris conz at cyber.com.au
Wed Apr 14 21:02:01 UTC 2004

Good write-up.

Now, take this one step further: prep a press release using the material
below (and from elsewhere) as a rebuttal and submit it to the LA press
team for polishing and broadcasting.

It's all good that 1,000 Linux geeks know this stuff now. We want everyone
else to know O'Dowd is dead-wrong, and why.

This step is a must-take if we want to move our realm into the mainstream.

You should be able to do this within 24 hours.

On Wed, Apr 14, 2004 at 04:29:52PM +1000, Ian Wienand wrote:
> On Wed, Apr 14, 2004 at 08:29:15AM +0300, linux-aus at amos.mailshell.com wrote:
> > I think the main fault in the logic of the speaker is that he assumes
> > that UNIX' source code exposure is similar to that of Linux.
> That seems like the least of the flaws in the argument.  I assume they
> are talking about "Reflections on Trusting Trust" [1], which has
> nothing to do with "Many Eyes" (and was never distributed, according
> to Thompson).  [2] gives you the gist.
> In essence, if you have a trojaned compiler binary, this infected
> compiler can realise it's building *another* compiler and re-insert
> its trojan code.  You never realise you have the trojan because there
> is no source for many eyes to look at, just a badly behaving binary.
> The problem comes down to trusting anything you didn't build yourself.
> Many eyes can verify the *source* of gcc, and do.  But do you trust
> the gcc distributed by your vendor (or more probably, the security of
> the mirror you downloaded from)?  This is a serious issue, but not
> related to how open code is. 
> In fact, the only way this would be detected is with open source.
> Even though this is a complex recursive trojan, the code has to be
> inserted at some point.  Luckily, thanks to open source, "Many eyes"
> can verify the source code of the gcc that built *my* gcc.  And then
> the "Many eyes" can verify the source of the gcc that built that gcc.
> And so on, and so on.  Once I'm happy with that, I can verify the
> source of whatever application I'm building and be quite happy that
> I've got exactly what I asked for.
> But if this trojan is in icc then how the hell am I ever going to know
> it's there?  Worse still, how do I know what has been slipped into a
> closed source binary from any vendor?
> From the page :
>   "Before most Linux developers were born, Ken Thompson had already
>   proven that 'many eyes' looking at the source code can't prevent
>   subversion," said O'Dowd.
> No, he proved the "many closed eyes" theory : many people using
> untrusted binaries can see nothing.
> Talk about getting the wrong end of the stick ...
> [1] http://www.acm.org/classics/sep95/
> [2] http://www.jargon.net/jargonfile/b/backdoor.html
> -i
> ianw at gelato.unsw.edu.au
> http://www.gelato.unsw.edu.au

Con Zymaris <conz at cyber.com.au> Level 4, 10 Queen St, Melbourne, Australia 
Cybersource: Australia's Leading Linux and Open Source Solutions Company 
Web: http://www.cyber.com.au/  Phone: 03 9621 2377   Fax: 03 9621 2477
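The self-reproducing compiler trojan the quoted reply describes, together with the "rebuild it with a compiler whose chain you have verified and compare" check, as an added example. This is not code from the original thread, from Thompson's paper, or from gcc; it is a toy model in Python in which a "binary" is just source text that gets exec()'d and "compiling" is the identity map, and every name in it (compile_source, check_password, LOGIN_SRC, COMPILER_SRC, the backdoor password "thompson") is invented for the illustration.

```python
"""Toy model of Thompson's self-reproducing compiler trojan and of the
rebuild-from-trusted-compiler check.

Added example, not code from the mailing-list post, Thompson's paper or gcc.
Everything here is constructed: a "binary" is Python source text that we
exec(), a "compiler" maps source text to such a binary, and all names
(compile_source, check_password, the payloads) are invented.
"""

# ---- constructed sample sources -------------------------------------------

# The login program.  Its source contains no backdoor.
LOGIN_SRC = '''\
def check_password(user, password):
    return user == "alice" and password == "correct horse"
'''

# The compiler.  In this toy language compiling is the identity map, so a
# clean compiler emits exactly the text it was given.
COMPILER_SRC = '''\
def compile_source(src):
    return src
'''

# Payload 1: appended by the trojan to every compiled login program.
BACKDOOR = '''\
_real_check_password = check_password
def check_password(user, password):
    if password == "thompson":          # injected; not present in LOGIN_SRC
        return True
    return _real_check_password(user, password)
'''

# Payload 2: appended by the trojan to every compiled *compiler*.  The two %s
# slots are filled with repr() of the backdoor and of this template itself, so
# the emitted text can regenerate an identical copy of itself (a quine) and
# survive any number of recompilations from clean COMPILER_SRC.
TROJAN_TEMPLATE = '''\
_BACKDOOR = %s
_TEMPLATE = %s
_TROJAN = _TEMPLATE %% (repr(_BACKDOOR), repr(_TEMPLATE))
_clean_compile_source = compile_source
def compile_source(src):
    out = _clean_compile_source(src)
    if "def check_password(" in src:    # recognise the login program
        out += _BACKDOOR
    if "def compile_source(" in src:    # recognise a compiler: reinsert ourselves
        out += _TROJAN
    return out
'''
TROJAN = TROJAN_TEMPLATE % (repr(BACKDOOR), repr(TROJAN_TEMPLATE))


def load(binary):
    """'Run' a binary: exec its text in a fresh namespace and return the namespace."""
    ns = {}
    exec(binary, ns)
    return ns


def compile_with(compiler_binary, src):
    """Use a compiler binary to compile src; returns the output binary (text)."""
    return load(compiler_binary)["compile_source"](src)


def build_trojaned_compiler():
    """Thompson's one-time step: a compiler binary carrying the trojan.  After
    this the trojan's source is thrown away; only clean COMPILER_SRC remains."""
    return COMPILER_SRC + TROJAN


def rebuild_generations(compiler_binary, n):
    """Recompile clean COMPILER_SRC with the current compiler n times in a row,
    each generation building the next; return the list of resulting binaries."""
    out = []
    for _ in range(n):
        compiler_binary = compile_with(compiler_binary, COMPILER_SRC)
        out.append(compiler_binary)
    return out


def has_backdoor(login_binary):
    """Does this login binary accept the injected password for an unknown user?"""
    return bool(load(login_binary)["check_password"]("mallory", "thompson"))


def rebuild_matches_trusted(suspect_compiler, trusted_compiler, src=COMPILER_SRC):
    """The check from the reply: compile the same verified source with the
    compiler you distrust and with one whose whole build chain you verified,
    and compare.  A difference means one of them emitted code the source
    does not contain."""
    return compile_with(suspect_compiler, src) == compile_with(trusted_compiler, src)


if __name__ == "__main__":
    trusted = COMPILER_SRC        # in this toy the clean binary is its own source
    stage0 = build_trojaned_compiler()
    gens = rebuild_generations(stage0, 3)
    print("trojan survives 3 rebuilds from clean source:", all(g == stage0 for g in gens))
    login = compile_with(gens[-1], LOGIN_SRC)
    print("LOGIN_SRC is clean, yet its binary is backdoored:", has_backdoor(login))
    print("suspect compiler matches trusted rebuild:", rebuild_matches_trusted(gens[-1], trusted))
```

Two things the toy hides, which a practitioner should keep in mind. First, a real compiler is not an identity map, so comparing the two rebuilt binaries only works if the build is deterministic (reproducible builds); otherwise harmless differences drown out the injected ones. Second, the comparison proves nothing unless the reference compiler really was built through a chain whose every generation's source was checked, which is exactly the "many eyes on the gcc that built my gcc" point in the reply; a reference compiler that was itself fetched as an untrusted binary gives no assurance. David A. Wheeler later formalised this comparison as Diverse Double-Compiling.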
