Curious thought of the day: if they approached Linus to install a backdoor in the kernel - code that is open-source - does this imply they're confident they could hide a backdoor in open-source code in broad daylight?
Unfortunately it's feasible to conceal "backdoors" in open source code. For example, in the Linux kernel, where you have 25M + lines of code, it becomes difficult to audit (by contrast the whole of OpenBSD is less than 3M lines of code).
It comes back to Linus' law and why it's mostly an idealist stance: "given enough eyeballs, all bugs are shallow" (Eric S. Raymond)
But if the eyeballs aren't actually looking (as they clearly weren't with respect to OpenSSL), the bugs don't get found. Bugs which aren't found can become vulnerabilities which can be found by certain entities, but not disclosed (for years, if at all) and exploited.
As Torvalds said two years ago:
We also have to keep in mind that most of the kernel is drivers, a big chunk of the rest is architecture specific, and there are 25 million lines of code. So it’s really hard to have people go over it; we have to rely on automated testing and on tools. There are too many lines in too many obscure places for humans to really check.
https://www.linux.com/news/linuxcon-201 … s-torvalds
With that in mind you can see how viable it could be to find and conceal an exploit. Unfortunately it's the kernel which is the one component you need to trust. Despite the work of the grsec/Brad Spengler and others, Torvalds has publicly taken a very laid back approach to security and has been dismissive of "security people".
And now, with the arrival of systemd and similar software (from gnome, freedesktop.org, et al), you have even greater complexity, more "attack surface" and more code which has just been written with the aim to bring in raw functionality to the detriment of all else.
Last edited by cynwulf (2017-10-27 13:02:11)