[83585] in North American Network Operators' Group


Re: India cites security concerns, blocks Huawei bid to expand their indian ops

daemon@ATHENA.MIT.EDU (Steven M. Bellovin)
Thu Aug 18 11:46:27 2005

From: "Steven M. Bellovin" <smb@cs.columbia.edu>
To: Valdis.Kletnieks@vt.edu
Cc: Jim Popovitch <jimpop@yahoo.com>, deepak@ai.net,
	Alexander Bochmann <ab@lists.gxis.de>, "'NANOG'" <nanog@merit.edu>
In-Reply-To: Your message of "Wed, 17 Aug 2005 21:55:49 EDT."
             <200508180155.j7I1tnXw009434@turing-police.cc.vt.edu> 
Date: Thu, 18 Aug 2005 11:45:44 -0400
Errors-To: owner-nanog@merit.edu


In message <200508180155.j7I1tnXw009434@turing-police.cc.vt.edu>, Valdis.Kletnieks@vt.edu writes:
>
>> Requesting the source code and/or having access to it is really
>> meaningless unless you have the skill and capabilities to compile it
>> *and* use it.  There is no sure way to know that the source code in your
>> left hand is what was used to compile the binary in your right hand.
>
>Even if you compile your left hand into your right hand.  See Ken Thompson's
>"Reflections On Trusting Trust" (http://www.acm.org/classics/sep95/).  To
>complete the references, Reference 4 ("An unknown Air Force document") is
>Karger & Schell's paper on a Multics pen-test, which is available at
>http://www.acsac.org/2002/papers/classic-multics-orig.pdf
>
>Karger and Schell did a "30 years later" retrospective, also available at
>http://www.acsac.org/2002/papers/classic-multics.pdf
>
>Between the India/Huawei thing and the MS05-039 mess, this is a good time for
>everybody who hasn't read all 3 of them to read them - under 40 pages for all 3,
>and the 24 pages of the first Karger&Schell you can probably skim.....)
>

Also bear in mind how hard it is to find a cleverly-concealed back 
door.  Think how hard it is for reviewers to find ordinary bugs, let 
alone one that someone tried to conceal.

		--Steven M. Bellovin, http://www.cs.columbia.edu/~smb


