Slashdot Mirror
NSA Inside?
Newsforge has an article covering a talk given by two of the developers working on NSA's security-enhanced Linux. It seems the NSA has plans to offer kernel code to implement mandatory access controls, a level of system control which goes beyond the normal user-based permissions. Sure, the code would be vetted thoroughly before it could ever make it into the kernel, but....
So don't count on it always being possible to brute-force crack things.
On the other hand, with any of the public key systems, there is always the chance that someone may discover a was to compute the inverse function that is less computationally intensive than brute force. For instance, a breakthrough in factoring could render the RSA cryptosystem useless. There is no proof that such methods are impossible, though most mathematicians think it unlikely that any will be found.
1st of april already?
I very much doubt it. Listening in on phone conversations, military radios, and the like is still the NSA's responsibility, and I'd suspect that they're even *more* important now than they were before - for one thing, the massive increase in mobile phone usage must provide the NSA with all sorts of interesting information. . .
Any sufficiently advanced technology is indistinguishable from a rigged demo
--Andy Finkel (J. Klass?)
(a) It's not my project, I just like it a lot.
(b) When I went looking for security, it took
two searches to find RSBAC
(c) It's been discussed on Linux Kernel a few
times.
(d) It's been announced on comp.os.linux.announce.
Collaboration at this stage wouldn't gain much- the security framework piece of RSBAC is in place, compartments, role-based computing, the privacy model, malcode detection, etc. is already in there. An entire new project to do the same thing is very counterproductive. We'll just fire up a project without seeing what's already out there doesn't sound that feasible to me, especially from people who would supposedly be hooked on Bell-LaPadula, and follow research in that area. Finally, the RSBAC guys presented at NISSC one year (1998) when the first module (Privacy) was done, and that's NSA's own security conference.
I'm not surprised that people who probably don't look for compartmented OSen by default haven't heard of RSBAC, I am surprised when an organization which spends significant money on such commercial systems ignores three or four years worth of significant work in that direction.
Paul
http://www.pauldrobertson.com
The RSBAC project has had MAC compartments for well over a year- no US Government help required. It also supports role-based computing, the European Privacy Model, and is a framework for developing new security models.
;)
http://www.rsbac.org/
RSBAC is already there, an NSA sponsored project doesn't seem to have much additional value to me- seems like they should spend my tax money on something that's not a "me too" project. Maybe they could help Verisign hand out certificates?
Paul
http://www.pauldrobertson.com
The NSA is better served with an open-source OS where they know where the divots are and they can fill them in than with an OS so riddled with holes that it has given rise to an industry based on closing the barn door after the virus-ridden, work-eaten, horse has died.
They'd rather make it uniformally hard to crack so that ONLY somebody with the resources of the NSA could attempt real-time decription.
Remember, security consists at least as much of keeping your cards close to your chest as of getting a peek at what the other guy is holding.
The 'Net is evolving into something that will use biometric information to grant (and track) access and to encrypt and decrypt. 64 bits on every desk top and a finger pad for authentication and a microphone for further authentication and as part of the UI.
All mathematical algorithms have a fundamental security hole. Anything that depends on computational difficulty to maintain security will be cracked with sufficient resources. PGP isn't if your foe has tens of thousands of processors.
Biometrics are fundametally existential. They are enormously wide keys that are reproducable and verifiable. Using them for encryption insures that you KNOW who the intended recipient is. Using them for decryption insures that you know who the sender was. They are based on what you ARE not just on what you, and anyone else, can know.
MSBPodcast.com The opinions expressed here are my own. If you don't like 'em... Think up your own stuff.
Microsoft said Linux is un-American! It must be true!
------------------
------------------
You may like my a cappella music
Gov't applications kinda have to implement some serious access controls. Read your orange book, guys.
The end result of this may just be a B-level certified Linux kernel, which would rock the house, and WinNT's C2 certification level (which, mind you, is useless--it's a certification for computers disconnected from a network)
Returned Peace Corps IT Volunteer
it will make their job (SIGINT) and that of other Intelligence agencies more difficult
The NSA has two jobs, SIGINT is one, the other is the exact opposite -- keeping things secret on behalf of the US government (and industry).
Will the Russian government trust their secrets to a system designed by the NSA? Doubtful, even if it is hack-proof. But by building a turnkey system that immediately makes it easier for OUR armed forces and government agencies to keep secrets (with the added bonus of being able to make it available to any American corporations) is a great opportunity for them.
Also, keep in mind that the NSA has a job so long as secrets exist. The US military learned the long way that the same people who build our missile systems build missile defense systems that make them impotent. You're guaranteed a job so long as one side of the equation doesn't advance too far ahead of the other.
Its an interesting conundrum -- having two diametrically opposed requirements for doing your job, keeping secrets or cracking them? You just learn to do both better all the time...
---------------------------------------------
Recursive: Adj. See Recursive.
an intentional buffer overflow or other common bug that they could exploit would be enough. and easy enough that it could be hidden, or another one could be reintroduced whenever needed. but NSA wouldn't do that. they'd have someone else submit that patch, so it couldn't be traced to them.
besides, if NSA wanted to backdoor systems, doing it to apache or something would work better: network traffic is normal. its easier to remotely connect, probably less eyes looking at apache than at the linux kernel.
i don't believe NSA would do this, but if they did, i think they wouldn't put some elaborate backdoor into the kernel.
-- My Sig is a P228.
I searched the biggest header files and didn't see any firmware images. Could you provide some filenames?
My point is that the NSA could just come and take the computer, if they wanted. MAC might make it harder for them to hack in and get data, but if they really believed you were worth it, they'd take the computer.
But it'd raise the bar for hackers, organizations without the NSA's govermental power would have to hack in to get what they wanted and MAC would mean that they would find few easy targets.
The NSA could use TEMPEST or many other things, to see what you're doing right now. But it wouldn't show them what's in the files you don't access. And I don't really think they can break SSH/SSL, at least, not easily. I'm sure they've got far more computer power than we think, but I don't think they can trivially read encrypted data like that.
So they'd use TEMPEST and other non-invasive methods to decide if you looked like a criminal. Then they'd take the computer and prove it. (and maybe take you too...)
I know. I was attempting to just sum up the basic. If the NSA (and thus the US Gov behind them) wanted to know exactly what was on any specific computer in the USA, or anywhere they had significant influence, they'd take it. Maybe they'd have MI5 call the FBI and get them to take it, maybe they'd call up CSIS in Canada and have it taken (if it was a Canadian computer).
But the point is that large government agencies don't bother hacking into a PC to collect evidence. They simply show that you're acting suspiciously (using encryption, etc) and they come and take it. They may have to wear a different TLA while they do it, but it gets taken.
The more-secure OS thus isn't a barrier to them. But it is a barrier to smaller countries' intelligence departments as well as groups like the mafia, terrorists, etc.
So it doesn't hurt them, and gets in the way of the groups/agencies that they oppose. Win/win from their point of view.
Well, Mandatory Access Controls are a good thing for security, but they don't do anything vs. the NSA. MAC just means that you don't accidentally forget to secure a file, and that you don't accidentally lessen security on a file without knowing it.
This is seperate from encryption. The NSA could come and take your HD with a MAC-enabled filesystem/OS on it and read all the files, by simply sticking the disk in another computer and reading the raw data.
But it'll make the computer more resistant to penetration. This wouldn't stop the NSA, they'd come through the front door with guns (and FBI agents) and simply take the computer, access controls be damned.
It helps 'us' by making 'our' (I'm not in the USA) country's computers more resistant to foreign spying, and lets them establish a secure OS (unlike Windows where it's hard to say what the source of a particular version is) that they can use for medium to low security jobs. (Beyond which you simply use the airwall method.)
If it's a good idea, run with it!
I think that this has great potential, though it will probably slow down the system some (the article mentions anywhere from 1% to 10% slowdown). Sure, that wouldn't be great for my 133 running Linux, but a faster computer probably won't notice too much. I assume that it can be turned on and off as desired by the admin.
If it helps to make Linux better, I really don't care if the NSA came up with the code (if fact, I'd probably trust their code to be more secure, especially if they start using the result).
"Save the whales, feed the hungry, free the mallocs" -- author unknown
Once they certify a given set of Linux code, could they then more quickly certify kernel patches? (since they would in effect be much smaller than the full kernel), or would the fact that they need to examine the interaction of those patches slow things down? (or would the open availability of the code speed things up?)
;-)
I could see a time when a Slashdot headline reads "Kernel 2.6.4 Certified B2" (yes... I know only specific Systems (as a whole) are certified, and not OS. Wouldn't stop Slashdot from publishing though
This space for rent. All reasonable inquiries will be entertained at proprietors discretion.
Last night (must have been around 9:00 pm EST), there was a report about the NSA. CNN was even allowed inside, someone in charge was interviewed (they're doing this to improve their image).
I think that show was hosted by Jonathan Mann (sp?), so maybe it was Insight. Don't have time to look it up on the CNN homepage, but if there's a rerun, watch it!
As someone who's worked on classified projects in the past, I think this is great.
When I worked on secret projects, the government requirements for different levels of secrecy really prevented people from using current software and hardware. You just didn't have the luxury. I remember doing lots of typing into 500 pound tempest-approved terminals where the thought of a workstation... well, you just had to get over it.
Think of all the techies lost in the bowels of some government projects sitting at some albatross of system just salivating for an NSA-approved version of linux that they can use... at work!
(let alone the techies that will never work on goverment projects for the same reasons.)
This doesn't apply to just the NSA, it's other government agencies/military and LOTS of outside companies that work on military projects or within their requirements.
I wonder if their perl runs with taint checking always...
I'll echo the voices of other and say that this is a Good Thing. In my opinion, the virtue of free software, and free information, is that it goes one way ("information wants to be free"). If sneaky evil proprietary co. wants to contribute to open source, let them. They haven't made the source any more proprietary - to the contrary, they have just become more open. So bring it on, NSA, FBI, KGB, super-tip-top-secret agency. I think we'll all benefit. I have a naive belief that techies are techies, and that once in a while NSA et. al. actually *aren't* trying to secretly backstab people, and are just trying to do something good.
It's 10 PM. Do you know if you're un-American?
What's yer beef? Are you worried that Linus and Alan and company are going to miss if (!strcmp(pass_entered, "N$A_ru1ez")) uid = 0; somewhere? Is the idea of NSA contributing to the kernel somehow distasteful?
Are you too proud to accept help from The Man?
You cannot apply a technological solution to a sociological problem. (Edwards' Law)
That would be nice, considering they are largely responsible for the current lack of security. Without their opposition, encryption would be near-universal by now. Instead, you have to do quite a bit of work to set up PGP or an equivalent, have difficulty communicating with others who don't use it, and be looked on with suspicion because "obviously" anyone who goes to that trouble has something to hide.
A current example: Mac OS X doesn't ship with ssh. Even though the encryption regulations have been weakened, you still have to send in forms to the NSA to be able to distribute encryption software, and some flunky at Apple didn't get them in on time. Of course you can easily build ssh (http://www.stepwise.com/Articles/Workbench/2001-0 3-21.01.html), but many people will not. Because of the NSA's support of immoral and unconstitutional encryption laws, thousands of OS X machines will not be as secure as they should be.
How to solve most of our problems: 1.Lots of nuclear plants. 2.Cure aging.
The NSA has no motivation to release any technology that they cannot crack. It would be like the police departments handing out radar detectors.
Not really. The NSA has an interest in helping American networks more intrusion-resistant. It has an interest in preventing DDOS attacks on various nodes of the internet which will become more and more important to our way of life. It has an interest in keeping files locked up on American computers only on those computers. This is national security. If it's harder to hack their job is already easier - catching the crook is a subordinate goal to preventing the crime.
Trees can't go dancing
So do them a big favor
Pretend dancing stinks!
And what makes you think that fascist organizations are ineffective at preventing nuclear war or invasion of the US? The effectiveness of the NSA at doing its job is completely unrelated to the threat it poses to our liberties.
Actually, for the really paranoid of mind, the backdoor hack might not be in this piece of code but might be spread across several major patches, sort of like what the satellite broadcasters did to the descramblers recently. I'm sure that patches are audited but how well are they regression tested?
Never think that *any* statement can't have a sinister conspiracy attached to it.
DB
The NSA had its fingerprints all across several initiatives to keep encryption limited. That, IMO, puts them in my personal opposition.
DB
Nope, MAC also makes deliberate spying more difficult. Nobody can downgrade the security clearance of a document, not even its owner/creator. Thus, even if a spy somehow got access to a MAC protected file on the computer, he would have a very hard time smuggling it out of the system. MAC would make sure that he can't just e-mail it to his hotmail account, or ftp it to some non-secure site. In a properly set up MAC facility, even printers have MAC ratings associated with them: you can't print top secret documents to non-top secret rated printers. And only printers in physically secured rooms would get the appropriate rating.
A craftful spy could still get data out (copying it by hand on a sheet of paper, photographing the screen), but it would be a much bigger hassle, and it greatly augments the probability of getting caught.
Say no to software patents.
Sticking all sorts of neat security gizmos in Linux had better drive the commercial companies to keep up, or they'll end up getting left in the dust. It'll also raise the bar for the assorted free programmer camps AND provide example code that can not be embraced and destroyed by any single given company.
You're probably right to suspect that they're up to something, but perhaps this time their goals are in line with ours.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
I agree though that the NSA thinks a strong defense is a good offense. But think about this: how many of the really really important stuff do you think is on a web connected machine? How much is actually sent over the internet?
None. Zip. Zero. That's not the point. MAC is primarily used by military and intelligence places. MAC is not about preventing people from rooting your system (OpenBSD is probably equivalent to a B1 or B2 system as far as penetration resistance is concerned). MAC is about preventing user A, who knows secret S, from giving it to B, who is not authorized to know S. Computer security != crypto. Having a license-free, open-sourced, B2 rated OS would be a real win for the federal government as far as costs go.
Targets using 128-bit or higher encryption- how long would that take to crack on 10k clustered machines each with 64 Alpha chips?
A very, very long time. Here's an example: say you constructed a Dyson sphere around the sun, and used _all_ of the energy you collected to power a computer whose only purpose was to increment a 128-bit counter from 0 until 0xFFFF....FFFF. That would not finish before you die (this derives from thermodynamic arguments, not current or forecasted computing power). Actually running a cipher key schedule, decrypting the blocks, and figuring out if they're the plaintext will take much more time.
128 bit crypto is "good enough", because it will be much simpler to break your security in other ways. If I want your data bad enough, I'm not going to try to brute force even a 64 bit key; I'm going to come to your house and start breaking your fingers until your tell me what I want to know. Or I'll root your systems through conventional means and trojan your binaries. Or break into your office building and replace your custom hardware with stuff that is really weak. Or (if I'm the government), arrest you and give the options: a) tell us everything, or b) go to jail for a long time. All of these options are much more economical.
The analogy commonly used for this situation is putting a giant spike in the middle of your yard in the hopes that someone will run into it (this spike is called "crypto"). It doesn't matter if the spike is a mile long or 2 miles long, if someone can walk right around it and climb through your unlocked window.
Slashdot had an article on this just a few weeks ago. And the previous article was better.
Vintage computer games and RPG books available. Email me if you're interested.
1) They posted under their own name, not anon.
2) They posted tech info on how it works, helping anyone who wants to find a backdoor.
3) They're really not that stupid. Honest.
It's far more likely that this is a cheap trick to help them sneak a back door in later; partly by wasting good paranoid community coders on an obvious red rag, but also by building trust through honest code. You can't stab someone properly unless they trust you first.
If you really don't trust them, do a 2 part project:
1) Read everything about SE, then write a full spec of it's API and operating principles.
2) Write a clean version to the spec and GPL it. Preferably the coders for part 2 should not have seen the NSA version.
You don't have to trust them if you don't want to.
Why is it that the proponents of "one nation under God" are so eager to get rid of "liberty and justice for all"?
For the most part, government agencies are prohibited from selling ANYTHING. Surplus Government owned or produced [physical] property must be sold of at public auction. Under the FOIA, any Government intellectual property must be given to anyone who asks for it, and they are prohibited by statute to charge anything other than a nominal duplication fee. The copyright of anything produced by the US Government belongs to the citizens of the United States.
Why is it that the proponents of "one nation under God" are so eager to get rid of "liberty and justice for all"?
BZZZ, sorry. All government-produced intellectual property is in the public domain. They can't sell it to the public because it's already owned by the public. As for selling loans, IIRC that is done at public auction (just as seized and surplus property is sold). If you had the money, you could buy up federal loans yourself, providing you complied with the appropriate banking regulations.
Why is it that the proponents of "one nation under God" are so eager to get rid of "liberty and justice for all"?
Secondly, NSA is not a law-enforcement agency. Their purview is electronic intelligence, period. They gather information and pass it on to other agencies. They don't arrest people. If any doors need to be kicked in by gun-toting, jackbooted thugs, the work is farmed out to the FBI or CIA.
Why is it that the proponents of "one nation under God" are so eager to get rid of "liberty and justice for all"?
Ok folks, put paranoia aside for a second and consider rationally what this actually could mean. If they are going to commit the code to open source, that almost certainly means they don't dare try any tricks. Any tricks that they could hope to put in would have to be extremely subtle. As such, they would require a great deal of effort. Like all of us, their time is limited. And if their efforts were discovered, always a distinct possibility with open source, all that effort would be wasted since open source software is much more easily updated. Doesn't make any sense. Remember also, that *nix users are generally some of the more computer savvy users around. If you're going to try tricks, they're generally not the target you want to try them on. Windows users are on average more cooperative.
Then there is the other option - that they are sincere, they want a really secure operating system, they like the design and abilities (as well as as the lack of licensing issues) associated with Linux, and they are scratching their own itch for a really secure system by contributing this design and code. Once in a while the public interest happens to work well with some professional agendas. They may see Linux as a good group of people to harden the code with.
Consider, also, that if they are sincere with Linux users hammering on it they could probably create a STRONG solution, stronger than most other free software programmers. These guys know how it works. This could be a golden opportunity.
Geek dreams are made of things like super secure systems. I'm excited by this. Also, I think the threat, if any, is minimal If worse come to worse, Linus could include a compile option to not build it in - although I doubt it would be necessary. Let's give them the benefit of the doubt, examine the code carefully for both our benefit and theirs, and do some cool stuff with it!
"I object to doing things that computers can do." -- Olin Shivers, lispers.org
Mandatory Access Control means one user is PREVENTED even from consensual sharing of info with an untrusted user (Discretionary Access Control only stops nonconsensual information sharing).
Fine-grained security means you can be more explicit about what rights a given process can have - i.e. something better than the current UNIX system.
Allowing certain processes selected by the admin to, for example, bind a reserved port while not having full root privs is fine-grained security, but NOT Mandatory Access Control. They can both be good, and they can work together, but they are different.
Mandatory Access Control is NOT a panacea - there are always covert channels to worry about. Safest thing is to allow only one security level on a given machine (e.g. no machine can have both Secret and Top Secret data on it).
Just because it CAN be done, doesn't mean it should!
Boys, girls, and everyone else, this is what Open Source is all about. The first test of a civilization's commitment to true freedom comes when those they dislike exercise the freedom that the civilization has fought for. Do we embrace, support, and admire this for what it is? Or will we attack the people and their actions, attempting to block their code from being addded to the kernel just because they're the enemy?
Think long and hard about what's more important - the Freedom of Open Source Software, or is it the software itself? If the former, we must disregard any possible negative impact on the latter...
Think outside the... Hey, where'd the friggin' box go?
I wonder if this is the kind of thing which will eventually end up leading to a major government challenge of the legitimacy of the GPL.
-Nev
Comment removed based on user account deletion
Comment removed based on user account deletion
If Linus accepted an NSA key into the kernel...
You would see the fastest code fork in *nix history.
134340: I am not a number. I am a free planet!
Are there provisions for dealing with Open Source "vandals"?
I believe the primary provision is to not use their code.
I mean, come on. It's not new. We've already had at least one story on this and the interview doesn't add any real info. Trying to generate some more click throughs? Maybe the Mac stories haven't generated enough flames?
The NSA has been, since its birth, concerned with national security. Now that the "Cold War" is over, there is less of an outside threat to be concerned about. Almost any useful intel now is likely to come from the CIA.
It comes to reason that with private corporations working on some of the most secret government projects (Hell, ASCI White wasn't exactly made by the DoD), that defense has to be re-focused. And with computer crimes beginning to tax the US economy heavily, what better way to make national security investments more productive?
I'm obviously leaning onto a thin limb when I say this, but I believe that the NSA is going to become more concerned with protecting computer systems than cracking them over the next few years. After all, the aim of the govenment is to do what is most effective, and it looks like securing data may help things out more than stealing it...
Of course, the NSA may just be trying to boast a better public image with all of this Echelon stuff going on, eh?
I can't be karma whoring - I've already hit 50!
SIG: HUP
Oh, and don't forget boys and girls, this is from the company that releases security patches which cause holes. Sure this is M$ bashing, but the fact is that M$ has created a product that, when used as a server, is unacceptable. Even as a client, M$ products have caused problems - note today's story about the SatireWire article. The simple reason for this is that only a limited number of people are able to see if there actually are any bugs and fix them. And if they won't let you join them, you might as well beat them, eh?
Basically, don't trust somebody from Texas to give you directions when you're in Maine...
I can't be karma whoring - I've already hit 50!
SIG: HUP
There is one very good thing about this development, and that is that having an NSA-approved distribution of linux will make it very tough for government agencies to say that linux doesn't meet their security needs, or that Windoze does.
Bring it on.
microsoftword.mp3 - it doesn't care that they're not words...
The NSA has some really smart people in it and they aren't oblivious to the idea of social engineering. They have to know that everyone and their mother will go the code line by line looking for any unusual functions or classes. It would be stupid to even attempt to hide something like a backdoor in their first attempt to reach out to the open source community, they have to gain a level of trust before they can even think about sneaking something in.
Right now most people would be apprehensive to say the least to run any code from the NSA without looking through it first and this general mentality will probably remain for the first few software releases from them, but at some point they will achieve some level of trust so that the amount of eyeballs looking through the code will begin to drop off. That is the point that the NSA could start sneaking in some sort of backdoor. They probably wouldn't suddenly include the entire code at first either. Maybe just a couple new lines in version 5, another 3 in version 6.5, and so on, allowing time for the people still looking through the code to see, test, and pronounce individual lines by themselves benign until they have the whole package in there.
Of course they'd eventually get caught if they tried it but probably not before some famous Linux users like China or some terrorist group had been lulled into trusting the security of the NSA's additions to the code and deploying it on their systems. I mean the NSA doesn't like in a vacume, they know about China and Germany rejecting many kinds of commercial software because of possible security problems and if the NSA has been spying though a backdoor in closed source OS's they wouldn't let a window like that dissapear without at least trying to keep it open.
This could all be a bit of needless paranoia on my part and i hope it is, but like i said earlier they got some really smart people at the NSA and if anyone could and wanted to sneek in a backdoor they could.
btw- please forgive any spelling errors
Another question is that Linus will never accept binary-only code when it comes to security.
What is the big deal with the NSA and paranoia? The whole point of open source is that it is impossible for them to slip backdoors or anything like that into the kernel. I highly doubt that even the NSA would be able to get something like that past the Linux community.
I see this as benefitting the NSA in two ways: 1) They save money because they would not be paying big money for operating systems from Micros~1 or any company. And 2) They could MAKE money off of this because selling a Linux permutation that has "Official NSA Approved Security" would be a big hit with paranoid businesses who want to keep their web servers secure. If they can see and exploit this potential, then good for them!
But what? In this instance their motivation is almost certainly to allow a widely available OS to be certified to a sufficient security level that it can actually be used in the same situations where certain US agencies might normally buy in NT, AIX or such.
If they *really* wanted to plant a back door, in no way would they want their name so obviously traceable to the actual patches they submitted - they'd do it 'anonymously' and you'd never know. How do you know they haven't already done this? Or that GCHQ, or Mossad, or the Russians haven't? You have no way of knowing, but we just have to trust that any attempts at sabotage would be obvious in the source.
This is my World Wide Web of Whatever
I recall Microsoft saying Linux wasn't secure...I guess this is the argument that can be thrown back at them. The NSA, is very secret about what they do...and they would pick nit a Operating System on security. And then went making a secure Linux...
What does that tell you about Linux security, why would the NSA be working on Linux kernel? Most likely they're using Linux on their systems, (or most likely, a OS they made for their own purposes, who knows).
Slashdot Hypocrisy at work?
Right, so the worry is that any NSA implemented code may contain a backdoor so subtle that even outsiders reading the source may miss it. So what about this?
The NSA provide their design for an access control system, in detail. Other , non government-affiliated coders (the more paranoid the better) write the actual code. The NSA then audits their code and confirms that it meets the specification. The government and corporations get their NSA approved secure linux, the paranoid know that no actual NSA code is in the kernel. Or wouldn't this be workable?
They should be required to only distribute it it source form so that they can't hide something in the compiler. I've heard thats been done before.