RE: [Axiom-developer] RE: Bootstrapping

[Bill Page]

On November 10, 2005 3:12 AM Andrey G. Grozin
> 
> On Wed, 9 Nov 2005, C Y wrote:
> > Years ago Ken Thompson proposed a diabolical attack on a 
> > computer that could be made by putting a trap door in a
> > compiler, which would automatically build it into all software
> > and subsequent versions of itself, undetectibly.  (I think this
> > is the article: http://www.acm.org/classics/sep95/) That kind
> > of thing makes people (especially open source folk, I think)
> > suspect all binaries, and for good reason.

It must be the approaching Winter season or maybe it is this pain
in my back that wont go away anymore, but I seem to be disagreeing
with almost everyone here lately... :(

I believe that such an attack is technically possible, but I 
disagree strongly that therefore there is a good reason to suspect
all binaries. Modern network computing (like life in general) is
a social phenomenon. In social interactions it is extremely
important that one establish relationships based on trust. It is
only by trusting others that is possible to build a co-operative
collaborative environment that is more than the sum of it's parts.
Given the aggressive and competitive nature of people, companies
and governments, no doubt this might seem a little naïve to some
people, but trust me, it is not ... :)

The implementation of trusted computing on the Internet is
already quite well advanced. Many binary programs are available
with electronic signatures that guarantee authenticity and
origin. Yes, any system (at least those in common use now) can
be broken, but we trust these people, e.g. the GNU free software
foundation, or for that matter even the Axiom developers, not to
behave in a malicious manner. No matter what we do technically,
in the end security always comes down to trusted relationships,
from computer to computer, computer to human, and human to human.

> Yes. I dislike having any binaries in my system I have not
> compiled myself. Therefore, I use Gentoo (installed from stage
> 1, so I recompiled gcc too). Of course, this does not help
> against the Thompson's attack.

By arguing in favour of bootstrapping, I am certainly *not* arguing
against the idea of compiling as much open source software from
source as possible - from the kernel up. I think that such an
approach does effectively deter Thompson's attack (but not prevent)
because at least in principle the possibility of comparing the
source to the generated binary does exist.

> 
> > Not in light of things like Ken Thompson's proposed attack. 
> > Security people may be paranoid, but on the internet paranoia
> > is a virtue.

No. Paranoia is a disease, like depression. It is a social/medical
condition that needs to be treated.

Security is another thing all together. It consists of using the
right technology, having a clear understanding of the way the
system works, and establishing trusted relationships. Security
is not a matter of hiding knowledge and hording control.

> As one of my colleges said,
> 
> For a sysadmin, the absence of paranoia is called professional 
> incompetence.
>

I think your colleague does not have a clear understanding of
security.
 
> Sorry for off-topic.
>
 
Andrey, I think that although this might be a side-issue, it
is not really off-topic since as open source developers we do
distribute both binaries and source code for Axiom. And I
think we should take some steps that we are not taking now to
help ensure that what we distribute is trusted by Axiom users.

Regards,
Bill Page.