On Wed, Oct 09, 2013 at 07:53:24PM +0200, Jim Thompson wrote:
> Also, the source of git would also reveal a problem when examined. To get
> around that one starts hypothesizing the sort of globe-spanning conspiracy
> against which one might as well give up ("well, maybe all my compilers (not
> just gcc, all of them) are also backdoored to backdoor themselves, and each
> other if you cross-compile, then backdoor git too...”).
Yeah, we know our Ken Thompson and about the (known) attempted backdoor
insertions.
> pfSense is based on FreeBSD. What if FreeBSD was backdoored by the NSA or
> other? How would you know?
pfSense is a great deal more than FreeBSD. If you want to reduce the attack
surface, or just the amount of machinery to review, less is definitely more.
/tmp/rules.debug is small enough to eyeball and deploy somewhere else. That
"else" will increasingly involve really open hardware, and compartments that
are formally verified (see seL4 & Co).
> See? just useless ego stroking, and a lot of resultant heat, rather than
> solutions to problems.
>
>
> Can we get back to pfSense now?
I'm interested in building a trustable network tap, to get a good feel for
what goes on in my networks. Apart from the usual mirrored switch port (and
reliance on whatever the firmware is professing it is doing), how can pfSense
help me with that? It used to have a transparent bridge mode; is that still
in there somewhere?
_______________________________________________
List mailing list
[email protected]
http://lists.pfsense.org/mailman/listinfo/list