Cold War Trojan
John Chambers
jc at trillian.mit.edu
Thu Mar 18 11:42:21 EST 2004

D.E. Chadbourne writes:
| John Chambers wrote:
| > Someone wrote:
| > | On Tue, 16 Mar 2004, D.E. Chadbourne wrote:
| > | > Explosive Cold War Trojan has lessons for Open Source exporters
| > | > http://www.theregister.co.uk/content/4/36270.html
| > |
| > | This story about US sabotage of Soviet pipelines has been rather
| > | thoroughly debunked.
| >
| > So where has it been debunked? It certainly sounds like a
| > PR story, but that doesn't necessarily make it true or
| > false. ...
|
| Hi again. I agree. I searched but no debunking has appeared.
...
| So far I think that the story appears to be true.

Well, maybe it's true; maybe it's not. But the take on the story in a
lot of the world will probably be based on something else. It seems
that a CIA guy has gone public with the story, presumably with the
CIA's permission. Whether it's history or propaganda, we don't know.
But we can conclude that there are people in the US government who
consider this a Good Thing to do to their enemies (and innocent
bystanders). And they don't mind the world knowing. So the idea that
American software isn't to be trusted isn't paranoia, it's a rational
response to apparent policies of the US government.

Of course, a lot of software security people would openly state that
this is not only true, but you shouldn't trust any software from any
source. It's not just Americans; security means that you should make
sure that your people have studied the source code and you've
compiled it all yourself. And you've compiled the OS yourself. And
you've compiled the compiler yourself (with a different compiler from
a different source). And you've studied the firmware in the CPU. This
can be expensive, so you want some help if you can find it.

The Open Source crowd should be in a good position here. We can
easily tell people "You shouldn't trust us. We don't trust each
other. That's why we make all the code available, and we do check it
ourselves. You'll have to hire people to do the same. But you'll have
to do that no matter where you get your software. We just make it a
lot easier. And we won't file a lawsuit against you if you find a
problem in our code. We'll thank you publicly, and fix it fast."

We might also point out that there have been cases of OSS
distributions that had backdoors and Trojans. But because the OSS
crowd has a lot of people who enjoy studying code and like to show
off their expertise, these problems have generally been spotted very
quickly, within a day or so, and fixes are usually available online
in hours. So you not only have your people studying the code; you
also have a few thousand hackers doing the same thing and hollering
loudly when they find something suspicious.

Notice that you don't have to name any corporations or countries.
Sure, Microsoft is a problem, as is the US government. But they're
just the biggest meanies on the planet. There are others who are
every bit as bad. All software should be treated with the same
suspicion.

Lots of managers will understand this argument.