Hello,

On 02/05/07 20:12, Dave Korn wrote:
>   Interesting, but of course they're still a good way from 100% secure.  It's
> really great that they issue the source, but unless they also issue the
> toolchain, and the source to the toolchain, so that anyone who wants can
> recompile and reflash their phone, it's less than secure.

I know these devices.

You are right. The source code you get cannot be used for full
assurance, because you don't get everything required to build an image
and replace the existent one with it. The source you get allows you to
check and be convinced that the code has no software bugs that were not
intended by the vendor. It does not aim to assure you against malicious
attempts by the vendor to introduce back-doors into the product.

So, you are "secure", just not against everything... It's still more
than you get with completely closed-source devices, let alone with ones
that implement proprietary crypto...

And, of course, the source code is probably published also because the
marketing guys (probably) said that people skilled in the art will
appreciate this feature when evaluating this product against others.

Hagai.

-- 
Hagai Bar-El - Information Security Analyst
T/F: 972-8-9354152 Web: www.hbarel.com

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Reply via email to