Tad Anhalt wrote:

Jeremy Epstein wrote:


I agree with much of what he says about the potential for infiltration of bad stuff into Linux, but he's comparing apples and oranges. He's comparing a large, complex open source product to a small, simple closed source product. I claim that if you ignore the open/closed part, the difference in trustworthiness comes from the difference between small and large.



It's a lot deeper than that. Here's the link to the original Ken Thompson speech for convenience's sake:
http://www.acm.org/classics/sep95


Ok, someone has mentioned Ken Thompson's Turing Award speech in a "my security is better than yours" flamewar^W discussion. This almost warrants a security-geek version of Godwin's law :)

But taking the remark seriously, it says that you must not trust anything that you don't have source code for. The point of Thompson's paper is that this includes the compiler; having the source code for the applications and the OS is not enough, and even having the source for the compiler is not enough unless you bootstrap it yourself.

Extrapolating from Thompson's point, the same can be said for silicon: how do we know that CPUs, chipsets, drive controllers, etc. don't have Trojans in them? Just how hard would it be to insert a funny hook in an IDE drive that did something "interesting" when the right block sequence comes by?

For a really interesting long-term extrapolation of this point of view, I strongly recommend reading "A Deepness in the Sky" by Vernor Vinge http://www.tor.com/sampleDeepness.html

While it is a science fiction novel, Vinge is also a professor of computer science at UCSD, and a noted visionary in the future of computing, having won multiple Hugo awards. Vinge wrote the first cyberpunk story "True Names" in the mid-70s.

The horrible lesson from all this is that you cannot trust anything you do not control. And since you cannot build everything yourself, you cannot really trust anything. And thus you end up taking calculated guesses as to what you trust without verification. Reputation becomes a critical factor.

It also leads to the classic security analysis technique of amassing *all* the threats against your system, estimating the probability and severity of each threat, and putting most of your resources against the largest threats. IMHO if you do that, then you discover that "Trojans in the Linux code base" is a relatively minor threat compared to "crappy user passwords", "0-day buffer overflows", and "lousy Perl/PHP CGIs on the web server". This Ken Thompson gedanken experiment is fun for security theorists, but is of little practical consequence to most users.

Crispin

--
Crispin Cowan, Ph.D.  http://immunix.com/~crispin/
CTO, Immunix          http://immunix.com
Immunix 7.3           http://www.immunix.com/shop/



