Linked by Thom Holwerda on Wed 19th May 2010 09:52 UTC, submitted by Nitrodist
Internet & Networking If there's one subject that's really hot right now on the web, it's privacy. There's the whole Facebook saga, and especially the company's CEO, Mark Zuckerberg, seems somewhat averse to the concept of privacy. We also have a much smaller issue with the Chrome web browser, where someone found out zoom settings are stored somewhere, even when in incognito mode. It turned out to be a feature (sort of) but it does highlight how important the concept of privacy on the web has become.
Thread beginning with comment 425348
Open source?
by hornett on Wed 19th May 2010 10:05 UTC
hornett
Member since:
2005-09-19

The power of open source. Try this with Safari, Opera, or Internet Explorer. This is one of the main reasons to use an open source browser.

Can you get the complete source to Chrome then? I thought you could only get Chromium. Who knows what Google is putting in their binaries.

Reply Score: 1

RE: Open source?
by vaette on Wed 19th May 2010 10:15 in reply to "Open source?"
vaette Member since:
2008-08-09

How do you know that the binary .deb packages on Ubuntu actually match up to the source they claim to have built them from?

Even if you compile the code yourself, do you actually read it through and verify its correctness?

Even if you do read the source and verify that it is correct, and then build the binary yourself, how do you know that the compiler doesn't add a backdoor to the binary?

Ken Thompson actually implemented exactly this trick on an early Unix box. The compiler was patched to detect two special conditions: if it was compiling a new version of the compiler it would add the patch to it as well. If it was compiling the "login" program it would add a backdoor to the binary. Read about it here: http://www.ece.cmu.edu/~ganger/712.fall02/papers/p761-thompson.pdf

If you are going to start doubting everything you really very quickly have no leg to stand on anymore.

Edited 2010-05-19 10:15 UTC

Reply Parent Score: 1

RE[2]: Open source?
by Thom_Holwerda on Wed 19th May 2010 10:18 in reply to "RE: Open source?"
Thom_Holwerda Member since:
2005-06-29

It's not about checking everything. It's about having the ability to check (or raise a racket and have someone else check it for you) in case you do notice odd behaviour. Had this behaviour been spotted in Safari, Opera, or Internet Explorer, you wouldn't have been able to do anything about it, nor would you have had the ability to look up what was really going on.

Reply Parent Score: 2

RE[2]: Open source?
by hornett on Wed 19th May 2010 10:50 in reply to "RE: Open source?"
hornett Member since:
2005-09-19

> How do you know that the binary .deb packages on Ubuntu actually match up to the source they claim to have built them from?

You can rebuild the .debs from the deb-source package, and you can then verify that your binaries are exactly the same as those built by Debian (or whoever).

You can't do this with Chrome as you don't have the complete source to the binary which they release, only the parts released as Chromium. Thus, you have no way to verify if extra code has been inserted into the binaries.


> Ken Thompson actually implemented exactly this trick on an early Unix box. The compiler was patched to detect two special conditions: if it was compiling a new version of the compiler it would add the patch to it as well. If it was compiling the "login" program it would add a backdoor to the binary. Read about it here: http://www.ece.cmu.edu/~ganger/712.fall02/papers/p761-thompson.pdf

That's brilliant!

Edited 2010-05-19 10:53 UTC

Reply Parent Score: 3

RE[2]: Open source?
by WereCatf on Wed 19th May 2010 10:55 in reply to "RE: Open source?"
WereCatf Member since:
2006-02-15

> Even if you do read the source and verify that it is correct, and then build the binary yourself, how do you know that the compiler doesn't add a backdoor to the binary?

It'd be REALLY hard to sneak such an addition to the compiler. First of all, compiler source repositories are really damn well guarded because they are so important to not only regular geeks, but also to companies themselves.

Secondly, distros themselves also do regular checks on their compilers exactly because enterprises depend on them. Especially enterprise-oriented distros can't let such things sneak up on them.

So, yes, it would be possible to add backdoors to code which didn't have it before if the compiler was compromised. But getting the compiler compromised is the hard part.

Reply Parent Score: 3
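The compiler trick vaette describes, together with hornett's point about rebuilding from source and comparing the result, as an added worked example (this is not code from the thread or from Thompson's paper). The "language" is Python itself: a toy compiler that merely strips comment lines, with the emitted Python text standing in for object code. The trojaned compiler recognises the login source and the compiler source by a substring, plants a master password in the first, and re-emits itself into the second via a quine template, so rebuilding from the clean source never shakes it off. The function names, the master password "thompson" and the sample credential are all constructed for the example.

```python
"""
Toy reconstruction of the "trusting trust" compiler attack (added example,
not from the thread or from Thompson's paper).  Compiling = stripping comment
lines; a "binary" is the resulting Python text, run with exec().  All names,
the master password and the sample credential are constructed for the demo.
"""
import hashlib

# Clean compiler source.  An auditor reading this sees nothing suspicious.
CLEAN_COMPILER_SRC = '''
# minimal "compiler": drop comment lines, pass everything else through
def compile_src(src):
    out = []
    for line in src.splitlines():
        if not line.lstrip().startswith("#"):
            out.append(line)
    return "\\n".join(out) + "\\n"
'''

# Clean login source.  Only the credential table decides who gets in.
CLEAN_LOGIN_SRC = '''
def check_password(user, password):
    # the "real" credential database (constructed)
    users = {"alice": "correct horse battery staple"}
    return users.get(user) == password
'''

# Payload 1: appended when the trojaned compiler thinks it is compiling login.
# It shadows the real check and accepts a master password first.
LOGIN_BACKDOOR = '''
def check_password(user, password, _real=check_password):
    if password == "thompson":
        return True
    return _real(user, password)
'''

# Payload 2: appended when the trojaned compiler thinks it is compiling the
# compiler.  It is a quine: the template is formatted with itself (%r), so the
# emitted code carries the template it needs to emit itself again next time.
# "%%" becomes a literal "%" after formatting.
TROJAN_TEMPLATE = '''
_TROJAN = %r
_BACKDOOR = %r
def compile_src(src, _clean=compile_src):
    out = _clean(src)
    if "def check_password" in src:
        out += _BACKDOOR
    if "def compile_src" in src:
        out += _TROJAN %% (_TROJAN, _BACKDOOR)
    return out
'''


def load(binary_text):
    """'Run' a binary: exec the Python text in a fresh namespace."""
    ns = {}
    exec(binary_text, ns)
    return ns


def digest(binary_text):
    """What a reproducible-build check compares: a hash of the artifact."""
    return hashlib.sha256(binary_text.encode()).hexdigest()


def build_trojaned_compiler():
    """Attacker's one-time step: build the clean compiler with a clean
    compiler, then append the self-propagating patch to the binary only.
    The source is left untouched, so no later audit of it finds anything."""
    clean_cc = load(CLEAN_COMPILER_SRC)["compile_src"]
    return clean_cc(CLEAN_COMPILER_SRC) + TROJAN_TEMPLATE % (TROJAN_TEMPLATE, LOGIN_BACKDOOR)


def compile_with(compiler_binary, src):
    """Compile src with whatever compile_src the given compiler binary provides."""
    return load(compiler_binary)["compile_src"](src)


def demo():
    gen0 = build_trojaned_compiler()
    # Rebuild the compiler from its CLEAN source, twice, each time with the
    # previous generation.  The patch reappears in every generation.
    gen1 = compile_with(gen0, CLEAN_COMPILER_SRC)
    gen2 = compile_with(gen1, CLEAN_COMPILER_SRC)

    # Build login from its clean source with the third-generation compiler.
    login_bin = compile_with(gen2, CLEAN_LOGIN_SRC)
    login = load(login_bin)["check_password"]

    # hornett's check: build the same source with an independent, clean
    # toolchain and compare the artifacts.  A mismatch is the tell.
    clean_cc_bin = load(CLEAN_COMPILER_SRC)["compile_src"](CLEAN_COMPILER_SRC)
    independent_login = compile_with(clean_cc_bin, CLEAN_LOGIN_SRC)

    return {
        "trojan_in_source": "thompson" in CLEAN_COMPILER_SRC + CLEAN_LOGIN_SRC,
        "trojan_survives_rebuild": "thompson" in gen2,
        "rebuild_is_stable": gen1 == gen2,
        "backdoor_works": login("alice", "thompson"),
        "real_password_works": login("alice", "correct horse battery staple"),
        "wrong_password_rejected": login("alice", "nope"),
        "independent_build_matches": digest(login_bin) == digest(independent_login),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two things the run makes concrete: the clean compiler source and the clean login source never contain the string "thompson", yet every compiler rebuilt from that source does, and the login binary it produces accepts the master password. The hash comparison at the end is the defence hornett describes, and it only detects the patch because the second toolchain was built without ever passing through the trojaned binary; comparing against a build from the same compromised toolchain would match perfectly.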