Return to BSD News archive
Path: euryale.cc.adfa.oz.au!newshost.carno.net.au!harbinger.cc.monash.edu.au!lucy.swin.edu.au!news.rmit.EDU.AU!goanna.cs.rmit.edu.au!news.apana.org.au!cantor.edge.net.au!news.teragen.com.au!news.access.net.au!news.mel.connect.com.au!munnari.OZ.AU!news.ecn.uoknor.edu!news.wildstar.net!news.ececs.uc.edu!news.kei.com!news.mathworks.com!howland.erols.net!newsxfer3.itd.umich.edu!news.itd.umich.edu!rees From: rees@umich.edu (Jim Rees) Newsgroups: comp.unix.bsd.netbsd.misc Subject: Re: OpenBSD hides security fixes (and blindly integrates code) Date: Mon, 17 Feb 1997 18:00:21 EST Organization: University of Michigan CITI Lines: 22 Message-ID: <1997Feb17.180021@luckey.citi.umich.edu> References: <none-ya023480001912962244220001@news.infi.net> <DERAADT.97Feb15212032@zeus.pacifier.com> <5e69v0$1u4@news.bayarea.net> <DERAADT.97Feb16012623@zeus.pacifier.com> <5e6mjn$q3n@panix2.panix.com> NNTP-Posting-Host: luckey.citi.umich.edu Xref: euryale.cc.adfa.oz.au comp.unix.bsd.netbsd.misc:5467 In article <5e6mjn$q3n@panix2.panix.com>, tls@panix.com (Thor Lancelot Simon) writes: Certainly, code which is integrated into an operating system without ever being examined has a *great deal* to do with security. I disagree. First, examining the code is not sufficient. There was a famous hack done at Bell Labs years ago in which the C preprocessor was modified to insert a trojan into /bin/login. No amount of source code examination would reveal this. The lesson is that you must trust, to some degree, whoever supplies you with tools and source code. Large parts of all unix systems must be integrated simply on trust, because it is impossible, and insufficient, to examine every line of code. I run locore.s without having examined every line of it, because I trust the person who gave it to me. He didn't write it all himself, he trusted someone else. Have any of the free Unix camps examined every line of code in their preprocessor? I doubt it, but I don't consider that to be a serious security breach.