OpenSparc -- the open source chip (except for the crypto parts)
Marcos el Ruptor
ruptor at cryptolib.com
Sun May 4 17:52:05 EDT 2008
> To be sure that implementation does not contain back-doors, one needs
> not only some source code but also a proof that the source code one
> has is the source of the implementation.
Nonsense. Total nonsense. A half-decent reverse engineer does not
need the source code and can easily determine the exact operation of
all the security-related components from the compiled executables,
extracted ROM/EPROM code or reversed FPGA/ASIC layout (see the recent
Karsten Nohl's extraction of Crypto-1 code for example).
All this open-source promotion is a huge waste of time. Us crackers
know exactly how all the executables we care about (especially all
the crypto and security related programs) work. We do not always
publish our results, but look, somehow RC4, SecurID, DST40, KeeLoq,
Crypto1, Hitag2, etc. all got reverse engineered and published when
people actually cared to do it. A lot more other closed-code ciphers,
random number generators and other components have been reverse-
engineered and thoroughly analysed without publishing the results
just because those results were not interesting, could do more harm
than good if published or if keeping them secret could benefit the
cracker.
As a reverse engineer with over 20 years of experience, I can
guarantee everyone on this list who is not familiar with this process
that from the security evaluation point of view there is ABSOLUTELY
NO BENEFIT in the open-source concept. It is actually much much
easier to hide a backdoor in the C or especially C++ code from anyone
reading it than it is in the compiled assembly code from a reverse
engineer, even if it is highly obfuscated like Skype. High-level
languages offer enough opportunities to hide and cover up some sneaky
behind-the-scenes magic that no one will notice for years or ever at
all unless they know exactly what to look for and where. I always
compile the open-source code, then reverse engineer it and see what
it is actually doing.
If you want a guarantee or a proof, better ask all the reverse
engineers you know to take a closer look at the program and tell you
if there is a backdoor, anything malicious or anything sneaky or
suspicious. Don't trust your own eyes. I've seen too many open-source
applications with well-concealed backdoors or unnoticeable security
holes. Linux's endless exploitable vulnerabilities should be enough
of a proof of that.
Best regards,
Marcos el Ruptor
http://www.enrupt.com/ - Raising the bar.
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list