Domain: ioccc.org
Stories and comments across the archive that link to ioccc.org.
Comments · 408
-
Re:Collaborators?
In a perfect world, the open source community will drag a fine tooth comb through the code and we could be sure there was nothing malicious, but I don't believe in that world yet.
Over the years that contest has produced some stunning entries, including some that had as many as three different unrelated major functions contained in the same body of code. There is more than one way to hide secondary functionality of a program, some of which you would have to be quite clever to detect. The fact that Snowden is involved would serve to cause many people to drop their guard even if they had the skill and mindset to detect such obfuscated functionality.
-
Re: It makes more sense theoretically than practic
The problem is that, in a complex enough code, you might not be able to tell even by looking at the source code.
Even simple programs can be unreadable.
And malicious intent isn't announced with a comment of 'backdoor access here'.
-
Re:Reason to learn C++
Kate editor code base is just the first random repository I happened to hit on the net. Many other examples of competently designed and executed c++ projects are readily available. I get it. OP does not really know the language and wants to blame that on the language. Meanwhile, countless other practitioners are perfectly able to function and use the tool as appropriate and to advantage.
"Can you even link to one in C++?" What rubbish. Agree that there is a special place in hell for people who implement new languages in template code, but such idiocy is hardly the exclusive domain of C++.
-
Re:How Government Spyware Infects Microsoft Window
however, linux users like to download and compile code...
when was the last time you really read through the linux kernel to make sure there wasn't a backdoor in it?
i suppose you can hope someone else has...isn't that the theory of open source security? though what about that stupid library that you had to compile to make your GNU Widgets program work? now did you read that? it may not be as popular as something like the linux kernel, so does that really have enough eyes on it to ensure the NSA didn't insert some obfuscated malicious code?
links to the underhanded C or obfuscated C contests seems somewhat relevant here.
here is at least one example of the NSA trying to push a backdoor into software. this one may have been caught, but can we be sure we caught all of their attempts?
-
Because dangerous memory bugs should be intentiona
accidentally including dangerous memory bugs in their code
Good, now I can be assured that all of my dangerous memory bugs in my code are intentional.
-
Re:JAVA FTW
-
Re:Better question than "what's next"
The NSA did this with RSA, as well. Well, they had to bribe RSA with $10,000 but their code went in.
Oh, and GP should become familiar with the obfuscated C contest:
http://www.ioccc.org/
-
Limited sample :)
I bet the "valid random sample" didn't include any projects from the Obfuscated C Code Contest.
-
best shining example of code
Although fluffy code was nearly ubiquitous in all code samples examined, the researchers found that the best quality code could be found at http://www.ioccc.org/
-
Re:Very much so!
That's only a problem with crap software. Fortunately, C is always readable, and you always know what it's doing.
-
Re:This could be good...
A compiler that is as well-designed and useable as Linux and Git? It already exists
-
Re:Perl
Using cable1:
$./cable1 "/&%#%^&*)^ADVkjR$%^$E)\!HJLGAZ^&R%\jkghlk/^" "random garbage" "valid perl"
valid perl
-
Re:Why not extensions
http://www.ioccc.org/
But yes, the attack vector is the least of my worries. You write: "Putting in prefs and checkboxes also increases code complexity." True, having the extension increases the code complexity by at least the same amount. But no testing, no planning, no updates, no review. Just an unorganized mess of hundreds upon hundreds of extensions that conflict.
Gnome has the reputation, and for very good reason, of not acknowledging when users need a choice of behavior. Look at your own plus.google post about the negative feedback on Nautilus. Users want those options, you and I both know it. The response: 1) We don't acknowledge that people don't like the changes. 2) People who don't like the change are elitist. 3) Yes, it is worse but it works better for touch.
Think about leaving the laptop on when the lid closes. No one has argued that that should be the default. Many gave reasons why it should be a preference. Users were not given an option but you can easily read the snarky comments from developers: "you can run this line of code and keep both halves if your system breaks" on blog posts. And self congratulation for doing the tough work while users fume or leave. Same story with power off as the only option under the name. I read that bug report with my mouth hanging open. I honestly claim that 50% of users would want the other option and Gnome developers would not give their users the check box. Moreover, there is a good chance most would come across as arrogant asses while discussing it. You and Emily do a fantastic job, but I read what others write and I don't want to even give Gnome a fair shot; not that it much matters.
-
Re:The pinnacle of elegant code
You may have been joking, but this one is fantastic: http://www0.us.ioccc.org/1988/...
It calculates pi by measuring the area of an ASCII circle, which is an incredibly direct encoding of the problem. Other than that there are two lines of supporting boilerplate and a couple of braces.
-
The pinnacle of elegant code
-
ioccc 2013 US president matching code
The International Obfuscated C Code contest had a winning entry that could flag the names of US presidents as republican or democrat.
main(int riguing,char**acters){puts(1[acters-~!(*(int*)1[acters]%4796%275%riguing)]);}
Quoting: "This one-line C program accepts as a first command-line argument the last name of any of the last 31 US Presidents (from Franklin Pierce onwards), in lower case, and prints out their political affiliation. Use "republican" as the 2nd command-line argument, and "democrat" as the 3rd (or equivalent strings of your choice)."
De-obfuscated, it is a boolean expression acting on a string s,
(*(int*)s)%4796%275%4
I wonder whether you can make a regexp that is shorter than this and accomplishes the same thing.
-
Re:Ray tracer + web server + image encoder + clock
Err.. Well, let's just say I am sure he would have implemented as general of a solution as was possible within the constraints imposed by the rules, if that was the entrant's goal. Make no mistake, I have tremendous respect for this competition and the entrants. Sad to see there are such lamers on Slashdot showing an unreasonably hostile attitude for someone simply taking interest in someone else's work. You don't happen to be employed by the copyright mafia by any chance, do you?
-
Re:Ray tracer + web server + image encoder + clock
I found this one a pretty mind-blowing entry.
...The program wears many hats (not literally). It is
* a web server
* a PNG encoder
* a ray tracer
* a clock
Unlike the PC emulator entry, it does not require a binary blob and all the code and data fit within the 4 kilobyte limit.
And this is why I'm a big fan of OpenBSD's continuous code audits and general outlook regarding security.
-
Busted!
"As I was writing up this description, I discovered I'm not the first person to write an obfuscated C sparkline utility! Vicent Martí created [this one](https://gist.github.com/vmg/1368661) years (!) ago. (My implementation is completely independent.)" http://ioccc.org/2013/dlowe/hint.text
I fully believe this was a coincidence, but one can never say they hadn't seen it or similar before as it would appear within their circle of interest.
But to complete this project then find an older version must be deflating in some manner.
-
Re:Ray tracer + web server + image encoder + clock
-
Even their site is obfuscated
Can someone parse this quote from the README for me?
This year, several 8 people won 9 people won 15 awards.
-
Largest small system emulator - Humbling
Humbled after reading Largest small system emulator. http://ioccc.org/2013/cable3/hint.html
-
Ray tracer + web server + image encoder + clock
I found this one a pretty mind-blowing entry. When compiled and run, it creates a web server at http://localhost:8224, which can be opened in a browser to display a ray-traced 3D scene of steel ball bearings on a checker-pattern surface, arranged to display the current time. Quoting the description:
The program wears many hats (not literally). It is
* a web server
* a PNG encoder
* a ray tracer
* a clock
Unlike the PC emulator entry, it does not require a binary blob and all the code and data fit within the 4 kilobyte limit.
-
It's not just the obfuscation...
I find this very impressive, not so much for the obfuscation, but for packing so much functionality into a small bit of code....
http://ioccc.org/2013/cable3/hint.html
-
Re:You are barking at the wrong tree
But don't forget about: Point 8)
Learn
How
To
Insert
White
Space
In
Your
Documents.
If all you do is write long run-on sentences, then point 9) you look like an idiot and more to the point, Point 10) no one is going to bother reading them no matter how interesting and insightful it is. You could write things all day long and even though it might be spelled rite and ain't got no many atrocious grammar missteaks, as long as no one reads it then all you've done is waste both your time and theirs. Also, you've increased global warming by breathing and expending energy while you wrote your War and Peace masterpiece and it didn't make any difference in the long run. So in other words: white space on the page is just like air in your lungs, if you don't have any white space in any or your paragraphs you should just stop breathing while you write it so that you remember not to do that. Blank space also creates a slight sense of restfulness for the eyes since you don't have a giant wall of black text staring at you that you have to parse. Instead of having a massive square of text, you might try a more artistic approach for your choo-choo (See marshall). If you just don't care though, you can write as much as you want, even try to write the Great American Novel. All you're doing though is taking low-paying jobs from a million monkeys, and now-a-days putting them on the unemployment line since they're people too. I suppose that's better than being served up as Soylent Green, though. And yes I know that in slashdot you can make things look as pretty as you want in the Comment section, but if you don't delimit them and add the internal markup, then you end up with stuff that looks a lot like this, I'm the only one still here, aren't I? Gee, this is just like back in grammar school when I was the last one picked for dodge-ball, as I couldn't dodge very well. That mean old Tommy always kept picking on me and throwing the ball as hard as he could; he even broke my arm one time and then stood over me and laughed and laughed. I hated him, I've hated him for years. 
He was always better than I was in almost everything, but just exactly like you he didn't bother to use white space and paragraphs while writing and ... TOMMY? TOMMY, IS THAT YOU?!!? I'm going to find out where you live and we'll just see how you like to be hit with a wrecking ball instead of a hard rubber ball.
So use white space or a wrecking ball might soon come your way. Oh, and those are all good points by the way, once you find them.
-
Re:And why should we trust you?
Yep, and there's no way a malicious programmer could slip something past a novice trying to read his code...
-
Linux backdoor of 2003 & Underhanded C Contest
To make the claim that linux has never been intentionally weakened in security, you need to know that every single security vulnerability in Linux (to take one example) was due to carelessness, not intended action.
Certainly - some classes of backdoor are trivially obvious 'if(sourceip==NSA)' - but others can be subtle logic errors.
You mean like this attempt in 2003?
Personally, I'm no longer all that impressed by the IOCCC. Don't get me wrong, some of the code submitted there shows utterly insane levels of skill. However, the above is an excellent example of a good submission for the Underhanded C Contest, which is an excellent teaching tool for discovering exploits as well as for learning about subtle bugs that may drive you utterly mad trying to find.
-
C The Source
#define P(X)j=write(1,X,1)
#define C 39
int M[5000]={2},*u=M,N[5000],R=22,a[4],l[]={0,-1,C-1,-1},m[]={1,-C,-1,C},*b=N,
*d=N,c,e,f,g,i,j,k,s;main(){for(M[i=C*R-1]=24;f|d>=b;){c=M[g=i];i=e;for(s=f=0;
s=0&&k=16!=M[k]>=16))a[f++
]=s;if(f){f=M[e=m[s=a[rand()/(1+2147483647/f)]]+g];j=jb++?b[-1]:e;}P(" ");for(s=C;--s;P("_")
)P(" ");for(;P("\n"),R--;P("|"))for(e=C;e--;P("_ "+(*u++/8)%2))P("| "+(*u/4)%2
);}
-
What I want to know.
What has been snuck past linus and the other code reviewers. Honestly Linus needs to do a call for people to comb through and look specifically for sneaky things. It's not hard to make something look innocent in C but instead it does evil. http://www.ioccc.org/ for example. or more scary... http://underhanded.xcott.com/
Linux needs a security team that is double checked by a team outside the USA so it can be the ONLY OS that can state, "Not compromised by the NSA"
-
Re:Not sure what author of article is going for
I am aware of the difficulty of auditing code for malicious features, I have read some IOCCC submissions and these hacks are nothing short of awesome. I do recognise that people can place malicious features into the software by hiding it with techniques used here. I place blind faith to the open source mantra which states, "given enough eyeballs, all bugs are shallow"; as soon as a community member finds something wrong (it could take many years before this happens if it happens at all), they're probably going to fix the problem and send a patch to the maintainers. It happened to Debian's OpenSSH vulnerability as an example and it happened to Noscript as another example. Finding such risky features then propagating the fixes would not be practical had these titles been proprietary software.
-
Re:Obfuscated Lisp
Obfuscated C is unreadable, obfuscated Perl is completely impenetrable, but what I want to see is obfuscated Lisp.
Then you clearly overlooked this Common Lisp entry:
http://www.ioccc.org/2005/mikeash/hint.text
Last year's winners also included some obfuscated lambda calculus programs, like a 167-bit prime number generator.
-John
-
Re:This is stupid
It's always interesting to see what (some of the best attempts at) intentional code obfuscation can look like:
http://www.ioccc.org/
-
Re:Bogus argument
There are very talented people that can hide things in only a few lines of code. See http://ioccc.org/ for some examples that will make your skin crawl.
True, but any programmer that works in a Professional way should document their code so that it is maintainable. Those programmers that think that their code should be hard to read because that is a good way of keeping their job eventually come down to earth with a thud when their manager tells them that "The door is over there, please watch your fingers on the way out". Usually hard to read code is thrown out and a fresh start is made since it sometimes is so much quicker to do this especially if the System Designer (not the programmer) has documented the concept properly. On a more serious note companies that don't have well documented overview design and code are asking for trouble down the time line.
-
Re:Bogus argument
There are very talented people that can hide things in only a few lines of code. See http://ioccc.org/ for some examples that will make your skin crawl.
-
Re:Misleading
The fine folks running ioccc.org may disagree... just because you have the source code doesn't mean every thing therein is perspicuous.
-
Re:What does StackOverflow run on?
($l=join("",))=~s/.*\n/index($`,$&)>=$[||print$&/ge;
Take an arbitrary list, and output a sorted list with no duplicate entries. You could (still quite tersely) do the same thing with a much more readable:
my @outputarray = sort grep( ( ($h{$_}++ == 1) || 0 ), @inputarray );
Or, you could iterate through using a foreach or while loop, assuming you also understand the memory implications of doing so, and are okay with the possible high memory usage.
But I'm confused - are you suggesting that this would be considered "good" (i.e., maintainable) Perl? Or are you suggesting that it's impossible to write similarly obtuse code in another language?
-
Re:After 42 yrs programming I say...
Who needs standards?
This is fine isn't it?
long long n,u,m,b;main(e,r)char **r;{f\
or(;n++||(e=getchar()|32)>=0;b="ynwtsflrabg"[n%=11]-e?b:b*8+
n)for(r=b%64-25;e15?n:n>9?m%u*~-u:~(int)r?n+
!(int)r*16:n*16,b=0))u=1ll6177%n--*4;printf("%llx\n",m);}
-
Re:Why perl?
If PERL was a decent language, there would have been no need to develop alternative scripting languages. The fact that one programmer cannot read something written by another when they're both professionals in the same language is pretty damning, only PERL has that claim to fame in over 40 years of languages.
perl is a decent language. The problem isn't the language; it's the programmers. My bet is that it's possible to write unreadable code in any programming language (except maybe COBOL but then you just write enough of it that it bores anyone to death who tries to read it). As an example, take a look at something like what comes out of the Obfuscated C Contest. But I don't hear anyone saying we should junk C because it's possible to write C code that is almost completely impossible to understand.
perl gets a nasty reputation for being unreadable because:
1) People who have never used it get told that the way to do what they want to get done is to do it in perl instead of doing it in bash, awk, grep, sed, etc. They have no idea how to use perl but muddle their way through to something that works but which should be buried.
2) The opposite extreme are the perl experts who seem to delight in using obscure perl features in obscure ways rather than write something that a mere human can understand. I had one of these complain that my perl wasn't "perlish" enough.
3) "Dave the web server is down!!! Can you write a quick perl script to fix the data coming out of the database so it doesn't crash the application? It's costing us $$$$ in lost revenue while the server is down."
4) Take the perl that results from any of the above and then maintain it in production for a few years.
Cheers,
Dave
-
Re:Why?
As wonderful as this sounds, you cannot expect to vet any code base without an investment of time on the order of that which was required to write the code. (The old adage is appropriate here "Debugging is twice as hard as writing the code in the first place." Vetting code is probably harder than debugging; see the IOCCC). When code is open source, a community will grow surrounding it. Many eyes read the code with the intention of building, improving, and actually debugging it. This has the side-effect of also vetting the code; it's not wasted effort if the program is free (as in freedom). The community can be trusted (to an extent) to validate the code (granted, this is a bit idealistic). With non-free code, you cannot expect this to happen on its own, and it is not cost-effective to do this vetting yourself. It's kind of pointless.
-
Simple answer
-
Obfuscated webpage
Who the hell thought blue links on a dark green background was a good idea?
-
Surprisingly cool Re:OS doesn't matter.
Surprisingly cool stuff; the hint files of the various entries are worth a look too. For example, this is from the zeitak/hint.html entry:
Selected Judges Remarks:
This is an extremely subtle and twisted piece of Gold award winning code!
The judges had spent a considerable amount of time analyzing this entry. At one point we spent 18 minutes just to understand 18 key characters of this code.
The file zeitak_deobfucate.c provides a version that has been slightly deobfuscated. You may find reading that file helpful in your attempt to understand this extremely subtle entry.
Author’s comments:
Nesting Errors Detector
What does it do
As you have probably understood by looking at the source*, this program has something to do with parenthesis (and equality of opening and closing parenthesis, if you look close enough). It goes over the file given to it and checks that every opening (, [, or { has a matching closing one and vice versa. It also checks that every “ or ‘ is closed.
If an error is detected, an error message will be printed. If the problem is a superfluous closing bracket, it will even print a few characters around its position.
Make sure you view the source with 4 spaces tab width.
Features
Ignores parenthesis inside strings or character constants, so no errors will be detected in the following line: printf(")");
Doesn’t get confused by the 1984/anonymous entry!
Mis-Features
Escapes (e.g. \") are ignored, so the following line will produce an error: printf("\"");
Obfuscation
IOCCC winners already contain entries without digits, control-flow keywords and certain operators in their source. This entry has an even more limited source, that is:
Without any digits.
Without any character constants.
Without using functions from headers other than stdio.
Without any control-flow keywords (not even the ?: operator).
Without any arithmetic or logic operators!
-
Re:open source
Or submit vulnerabilities back to the origin. They even hold contests to hide the real intention of code.
-
Re:it's an overreaction, for sure
No, but at some point they would have been consulted to see if they wanted to proceed.
So you know that the Secret Service personally called Steve Jobs or someone at Apple before they obtained a search warrant? Get real. The most that the Secret Service would have done was to inform Apple of the results of the investigation after they had questioned the artists and investigated. The Secret Service is not a branch of Apple.
If they had ever caught someone, you'd be asked if you wanted to press charges. If they had suspects, there's a good chance you'd be shown a set of pictures and be asked if you recognize anyone.
After the Secret Service found the person, after they investigated him, and after they determined why he installed the software then the Secret Service may ask how Apple would like to proceed. I suspect the whole reason the Secret Service was involved was there were factors beyond a simple case of spying. I am speculating that the artist may have taken a picture of someone important enough for them to be involved.
The artist should face consequences, but of the "mild discomfort and inconvenience" variety that the Apple stores faced when they couldn't explain what the display computers had just done.
He was interviewed. His computers were confiscated. He wasn't thrown in jail. He wasn't fined. When the Secret Service determined it was for an art project, they returned his things. Please tell me that you have issues with that.
In TFA, the artist mentions that he had pictures of an Apple technician working with the program. They did some of their own investigation. It's reasonable to assume that they could figure out what was going on, and they chose to pass it to the Secret Service.
You are assuming a lot. Apple discovered that the program wasn't one of theirs and they may have discovered some of the basic functionality of what it did through monitoring. But Apple like the Secret Service are not omnipotent; they could not know why or all of the functionality. Even if Apple had the source code, they may not have known what it did. Have you heard of the C Obfuscation Contest? At some point Apple contacted the authorities and it was the Secret Service who had to investigate.
Apple should have tried to quietly just end the project with discussion rather than force.
Two things: 1) After the investigation, it was found out to be an art project. How could Apple or the Secret Service have known about that when they found the program? Tell me how was anyone supposed to know that in advance. 2) You keep saying Apple did this and Apple did that. Apple turned it over to the Secret Service who investigated. The last time I checked the Secret Service did things on their own. Is it not clear that they are not the same entity?
The Secret Service apparently followed their protocol well, and from TFA don't seem too objectionable, so my only objections to them are the standard-issue complaints about federal law enforcement (confiscations lasting far too long, generally hostile demeanor, provocation, etc...).
So you leave the Secret Service blameless in this even though they were the ones who drafted the search warrant; they were the ones who confiscated everything, and they were the ones who investigated. All Apple did was to alert them that there was a security issue yet they are to blame.
-
Re:P.S.
Then let's see your link drinkypoo, let's see a list of these "many eyes" or even a single study showing patches given by actual non corporate paid workers. You can't just pull "many eyes" out of your ass because I could argue the same thing for Windows, after all I sign an NDA and pay $10k I can look at the source as well but that wouldn't magically give me the ability to spot an obfuscated bug.
And how exactly is many eyes not just another case of the mythical man month which has been shown to be just that, a myth? Just because you can look at the code doesn't magically give you the power to read it you know. A software developer with the skills to actually spot obfuscated bugs is a hell of a lot rarer than a weekend coder, and I urge you to read the code at the obfuscated c code contest and you'll see that even KNOWING the code is a trap, being given knowledge of HOW the code is a trap, being able to spot the actual trap itself? FUCKING DIFFICULT. Now you honestly think some weekend coders are gonna be able to spot obfuscated code in some low level package used in many distros that nobody messes with? Hell I bet my last dollar that most of the code in your average distro isn't looked at by anybody other than the ones that wrote the thing and without links or citations my view is JUST as valid as "many eyes".