Domain: acm.org
Stories and comments across the archive that link to acm.org.
-
> This is just the reason why we need solid and unrestricted encryption software...

You have, but...
There was an MD5 sum for this package and there was a detached PGP signature.
But how often do you care to check signatures when you are downloading a package? And it seems that anything at all can contain trojans.
Read a nice article by Ken Thompson about a trojan in the C compiler. Have you checked the MD5 sum when you downloaded the GCC binary last time? And as Thompson shows, recompiling GCC from sources with an untrusted compiler doesn't help you.
-
ROTFLMAO. Good point though.
Just in case that was too subtle for anyone, he's talking about Reflections on Trusting Trust, which was posted here the other day.
Apparently, Ken Thompson added a piece of code to the C compiler that would detect when it was compiling the Unix login command and insert a special password. He then added a piece to detect when it was compiling the C compiler and add both of these routines. He then compiled the standard C compiler on this doctored version: the source is clean but the binary contains his hacks, with the effect that he can rootshell any Unix system that was compiled with any version of the C compiler that was compiled with his C compiler binary. He claims he never actually used this.
The point is that not only can you not trust binaries that you are given; you can't even trust binaries that you've compiled unless you trust your compiler, i.e., you wrote it yourself in assembly. I guess even then there could be hardware back doors, so you'd better make your own processors too.
But then, I'm not sure writing it yourself is such a good solution: I know there are no back doors in code I've written from scratch, but how far would I want to trust my own debugging skills? Dunno.
David Gould
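A toy model of the mechanism the comment above describes, added here as an illustration (it is not code from the thread or from Thompson's paper): sources are plain strings, "compiler binaries" are Python functions, and the program names and backdoor marker are constructed. It shows why rebuilding from clean source does not remove the hack, and, as one check the thread itself does not mention, that comparing output against an independently obtained compiler does expose the difference.

```python
# Constructed toy: sources are strings, login "binaries" are strings,
# compiler "binaries" are Python callables. Nothing here is real compiler code.

LOGIN_SRC = "login: read password, compare with stored hash"
COMPILER_SRC = "cc: translate source into a binary"   # identical for both compilers
BACKDOOR = " +accepts-magic-password"                  # never appears in any source


def honest_compiler(src):
    """A faithful compiler binary: output depends only on the source text."""
    if src == COMPILER_SRC:
        return honest_compiler      # rebuilding cc from clean source yields an honest cc
    return "BIN[" + src + "]"


def doctored_compiler(src):
    """Thompson's binary: two triggers that live only in the binary, never in COMPILER_SRC."""
    if src == LOGIN_SRC:
        return "BIN[" + src + BACKDOOR + "]"  # trigger 1: plant the password in login
    if src == COMPILER_SRC:
        return doctored_compiler              # trigger 2: re-plant both hacks in the new cc
    return "BIN[" + src + "]"


def rebuild_then_compile_login(compiler, generations):
    """Recompile cc from its clean source `generations` times, then build login with it."""
    for _ in range(generations):
        compiler = compiler(COMPILER_SRC)   # source is clean every time
    return compiler(LOGIN_SRC)


def outputs_agree(compiler_a, compiler_b, src):
    """Check (added here, not from the thread): two independently obtained
    compilers fed the same source should produce the same binary."""
    return compiler_a(src) == compiler_b(src)


if __name__ == "__main__":
    print(rebuild_then_compile_login(honest_compiler, 3))    # clean login
    print(rebuild_then_compile_login(doctored_compiler, 3))  # still carries BACKDOOR
    print(outputs_agree(honest_compiler, doctored_compiler, LOGIN_SRC))  # False
```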