[clug] Anti-Virus Software

steve jenkin sjenkin at canb.auug.org.au
Sat Jun 26 20:20:21 MDT 2010

Paul Wayper wrote on 27/06/10 10:52 AM:
> On 06/25/2010 01:16 PM, Kevin Pulo wrote:
>> On Fri, Jun 25, 2010 at 12:24:41PM +1000, Paul Wayper wrote:
>>> The source code is there.
>> The point of Steve's post was that you are still trusting that the
>> compiler is generating machine code which corresponds to the source
>> code you gave it.  Malicious compilers aren't usually part of the
>> threat model.
> Sure.  There's three parts to that though.


> Open Source Software makes an additional assertion: that everyone can inspect
> it freely.  This has proven to reduce the chance of really obvious backdoors
> slipping into the code, and increases the quality of the code because more
> people see different problems and because shoddy code is exposed quicker.
> Proprietary software can never make this claim.
> So firstly Steve's original example, while well made, is irrelevant to my
> point.  And secondly FOSS still has better security because of its exposure.

FOSS is definitively the best security model possible for end-users.
*but* Security is a process, not a destination.

BTW, I didn't make it plain earlier:
 I'm not talking about normal commercial/home operations.
 Specifically I'm talking about extreme cases, "in the limit".

<paranoia mode="extreme">

Marcus Ranum used to talk about a 'hypothetical':
 "Here we are visiting the Microsoft Kernel team, there's the CIA agent,
the Mossad agent and ..., all busily inserting their own backdoors and
special code." [Prove it ain't so...]

And heaven knows what priceless bits of code have been intentionally
inserted by staff at Microsoft and Apple. Both known to be very jealous
of their customer base (to the point of being called "control freaks")
and certainly more than once accused of anti-competitive business practices.

How many "Zero Day" surprises do we have that 'management' know about or
not? I don't believe it's Nil.

The world of Internet Security is now fundamentally different:
- the hackers turned Pro in 2004.
  + Organised Crime is focussed and deliberate.
- Microsoft and Apple have assumed very different roles/positions.
- 'smartphones', game-consoles and appliances are game changers.
- Cyber-warfare is a fact, not a possibility.
- Industrial Espionage and Sabotage on the Net is increasingly a threat.
- The "Great Firewall of" <insert Nation> is getting Political traction.
- We are in another economic/military/political transition.
  There were two 'super-powers', then the USSR broke, Japan faded,
  now the USA is under pressure and China's star is on the rise...

The Times, they are a-changing...
And with that, uncertainty and desperate acts will be on the rise.

Hackers can have good foresight and prescience:
 In the early 90s, IIRC, a break-in to Cisco's IOS source was detected.
Imagine the havoc you could wreak with access to most of the backbone
and ISP routers...

If you have the resources of a large Enterprise or Nation, plus the will
to pursue an Agenda against your "opponents", even a small group of
sophisticated black-hats would be formidable.
GOOG aren't the only people that can afford 100,000's of servers.

As the world gets more dependent on I.T. and The Net, the more
disruptive & effective attacks on it become, and hence more likely by
malevolent special interest groups.

I believe it's a "When" not "if" there will be some serious incursion
into, or compromise of, things we believe should be inviolate...
Like compilers or package signing keys or even CPUs.

Like in Quantum Physics, if it is possible, then you will see it...

The Good News is that FOSS projects/authors are much more flexible and
responsive than commercial enterprises. Remember the infamous Intel
Floating-Point bug?? Months of denial and farnarkling... "Protect the
Brand, Screw the Customer", would seem to be the motto.

If there is some sort of "major event", FOSS is your best protection.


That ends this highly paranoid excursion...
I'm hoping things don't get too bad and no FOSS projects are subverted!

If you have proof I'm wrong, not speculation or wishing, I'm interested
to hear.


> Have fun,
> Paul

Steve Jenkin, Info Tech, Systems and Design Specialist.
0412 786 915 (+61 412 786 915)
PO Box 48, Kippax ACT 2615, AUSTRALIA

sjenkin at canb.auug.org.au http://members.tip.net.au/~sjenkin