On Thu, 22 Mar 2001 08:15, Rick Welykochy wrote:
> Has anyone run across any evidence of distributed open-source
> binary packages (i.e. *not* compiled at home) that contain nasty
> code, trojans, worms, etc?
>
> Of course, your first line of defense is comparing MD5 sums, but
> even those can be changed to suit an altered binary.
>
> And a related question would be has anyone uncovered evidence of
> actual source code containing surreptitious bits of nastiness?
If you are totally paranoid you'll want to boot-strap your compiler from
something you trust written in machine-language before you start to compile a
single line of a user program. Of course, for complete safety this would also
need to be a cross-compile of the compiler because the OS/platform you are on
could be tainted.
It's possible to hack a compiler's code to firstly recognise when it is
compiling, say, a program like login and to then also recognise when it is
compiling itself, and specifically the bit of code that does something when
it is compiling a login program. You then recompile your compiler and there
is no trace of the hack in the source of the compiler. Any time you recompile
the compiler with this copy of it, you will get a hacked version but you
would never know; you may then compile login and it too will be hacked, but
again you would never know. It's all very spooky :)
--
Regards
John
--
SLUG - Sydney Linux User Group Mailing List - http://slug.org.au/
More Info: http://slug.org.au/lists/listinfo/slug
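The two-stage compiler hack John describes (Ken Thompson's "Reflections on Trusting Trust") is easier to believe once you watch it survive a rebuild. Below is an added toy model in Python; it is not code from the thread or from any real compiler. The "compiler" is a function cc(src) that returns a code object, a "binary" is a code object, and login, the master password "trustme" and the password "hunter2" are made-up names and values. The ddc_check function at the end is also an addition: it is David A. Wheeler's diverse double-compiling, which is the formalised version of John's advice to bootstrap from a compiler you trust, applied to this toy.

```python
"""Toy of the self-reproducing compiler backdoor (Thompson's "Reflections on
Trusting Trust"). Added example, not from the thread. The 'compiler' is a
Python function cc(src) -> code object, a 'binary' is a code object, and
login / "trustme" / "hunter2" are made-up names and values."""

# The program we care about: a password check (constructed sample).
LOGIN_SRC = '''
def login(user, password):
    real = {"root": "hunter2"}.get(user)
    return password == real
'''

# The compiler's own source. It is honest: no backdoor anywhere in it.
CLEAN_CC_SRC = '''
def cc(src):
    return compile(src, "<binary>", "exec")
'''

# The attacker's compiler. It is a template: HACK % HACK expands to compiler
# source that carries a copy of itself (a quine), which is what lets the
# backdoor survive being rebuilt from the clean source above.
HACK = '''
def cc(src):
    HACK = %r
    if "def cc(" in src:
        # stage 2: asked to build the compiler, ignore the (clean) source
        # it was handed and emit a copy of itself instead
        src = HACK %% HACK
    elif "def login(" in src:
        # stage 1: asked to build a login program, splice in a master password
        src = src.replace('return password == real',
                          'return password == real or password == "trustme"')
    return compile(src, "<binary>", "exec")
'''


def load(binary, name):
    """'Execute' a binary (code object) and return the function it defines."""
    ns = {}
    exec(binary, ns)
    return ns[name]


def make_compiler(cc_src, using=None):
    """Build a compiler binary from cc_src. using=None means the host's own
    compile(), standing in for the trusted machine-language bootstrap;
    otherwise the given (possibly tainted) compiler binary is used."""
    binary = compile(cc_src, "<binary>", "exec") if using is None else using(cc_src)
    return load(binary, "cc")


def has_backdoor(cc_bin):
    """Compile LOGIN_SRC with cc_bin and see whether the master password works."""
    login = load(cc_bin(LOGIN_SRC), "login")
    return login("root", "trustme")


def ddc_check(suspect, trusted, cc_src=CLEAN_CC_SRC):
    """Diverse double-compiling (Wheeler): rebuild the compiler from cc_src once
    with the trusted compiler and once with the suspect one, then have each
    result compile cc_src again. Two honest compilers must agree (CPython code
    objects compare structurally); a self-reproducing hack cannot, because the
    binary it emits carries the hack."""
    via_trusted = load(trusted(cc_src), "cc")
    via_suspect = load(suspect(cc_src), "cc")
    return via_trusted(cc_src) == via_suspect(cc_src)


def demo(generations=3):
    trusted = make_compiler(CLEAN_CC_SRC)   # bootstrapped from something we trust
    evil = make_compiler(HACK % HACK)       # attacker seeds the hack once
    # From here on only the *clean* source is ever compiled, yet the hack persists.
    cc, rebuilt = evil, []
    for _ in range(generations):
        cc = make_compiler(CLEAN_CC_SRC, using=cc)
        rebuilt.append(has_backdoor(cc))
    return {
        "trusted_login_backdoored": has_backdoor(trusted),
        "rebuilt_from_clean_source": rebuilt,
        "backdoor_visible_in_source": "trustme" in CLEAN_CC_SRC or "trustme" in LOGIN_SRC,
        "ddc_flags_evil": not ddc_check(cc, trusted),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the generations loop is the one John makes: after the attacker's single seeding step, nobody ever compiles anything but the clean compiler source again, and every generation still backdoors login. Reading the source, or diffing it against upstream, finds nothing. The only checks that work operate on the binaries: ddc_check compares what a trusted bootstrap compiler produces against what the suspect produces from the same source, which is why the "trusted" side has to come from somewhere the suspect never touched (ideally a different platform, as John says).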