use.
Well, we know with 100 percent certainty that all of them contain security vulnerabilities and bugs
In fact systems are getting more complex which is one of the reasons security is struggling to keep
up.
Another approach to try and help protect us from these known vulnerabilities and bugs is to use what
Therefore you can prove the correctness of a system through testing and proving properties of that
system.
This way you can provide complete evidence of correctness meaning no matter what inputs the system
receives
This formal process was really performed by human mathematicians which was feasible on programs
with
But with today's systems containing millions of lines it's impossible for a human to do.
But what has happened recently is that both algorithms to prove and the computer power have
improved
Unfortunately, currently only the most critical software goes through formal methods, like air
transportation
Formal process is still too time consuming and cost prohibitive for most systems so most software testing
we know security vulnerabilities and bugs will exist in operating systems with existing
applications.
It's a general, loaded term; let's just consider it as a term to mean a weakening of a system.
But you should probably take these with a pinch of salt because some of them I actually don't think are
potentially accurate.
You know there's a whole list of them from the GNU project: potential back doors in phones and
applications
routers but those can be introduced by accident through human error or on purpose by an adversary.
If something is closed source the only way to find back doors is through a process called reverse
engineering.
This is not feasible for most people and is also unlikely to find anything well-hidden with closed
source.
Open source systems have less risk of backdoors, potentially, as the code is open to public scrutiny.
But using open source does not automatically prevent back doors, which a lot of people think, and it
certainly
doesn't prevent security vulnerabilities that can be used as back doors with open source.
If we download a pre-compiled binary, there is nothing to confirm that the clean source code
published was used to build the binary you are using. Those who compile, distribute and host the
binaries
Even if you create your own binary from source code there is no guarantee that there is no back door.
You would have to have personally reviewed the source code before compiling it which is often
completely
infeasible or you would have to validate the signature of clean source code before compiling it.
The compilers used by developers could be backdoored to create back doors in the application they
compile
without the developers knowing. This happened to a pirated version of Xcode, which resulted in malware
version of Xcode.
You'll get back doors forced onto you by legislation from nation states which is an imminent problem
and that those can be very very sneaky too and difficult to spot.
Just the slightest deliberate or accidental change in code can create a vulnerability and it can create
a backdoor.
An example here of Juniper routers being backdoored, and I'll read a summary here by Mark Green, who
was
part of an investigation into this particularly sneaky back door. For the past several years
it appears that Juniper NetScreen devices have incorporated a potentially backdoored random number
generator
At some point in 2012 the NetScreen code was further subverted by some unknown party,
so that same back door could be used to eavesdrop on NetScreen connections.
While this alteration was not authorized by Juniper it's important to know that the attacker made no
This means that the systems were potentially vulnerable to other parties even beforehand.
Worse, the nature of this vulnerability is particularly insidious and generally messed up and very very
subtle backdoor.
Clearly a nation state or an expert hacker group, but also interesting that it's based on the NSA's
Dual_EC_DRBG algorithm, which is one reason why people don't necessarily trust the standards put forward
by the NSA in the NIST standards, because they believe that they've been deliberately specified in such
Personally I think for anyone who really cares about security privacy and anonymity back doors are a
serious problem.
Any tools you use going forward through legal methods which is extremely worrying or through hacking
Operating systems, encryption, security services, applications and even the hardware and firmware, any
anonymising
service you can think of will be under attack from hackers, corporations and nation states to backdoor them
and you can't just create a backdoor just for the good guys.
Well we have deterministic and reproducible builds that can help to detect back doors.
So reproducible builds are a set of software development practices which create a verifiable
path from human-readable source code to binary code used by computers.
That means the source code that a binary is said to be compiled from is genuinely compiled from it with
The build system needs to be made entirely deterministic and the build environment should either be
recorded or predefined.
They need to be given a way to recreate a close enough build environment perform the build process
and
So real full deterministic and reproducible builds take lots of effort and are hard to set up.
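The verification idea described above, as an added example that is not part of the original lecture: a Python sketch in which a tar archive stands in for the compiled binary and two parties rebuild it in different environments. The file names, the two environments and the pinned timestamp are constructed for illustration.

```python
import hashlib
import io
import tarfile

# Constructed sample source tree and build environments (illustrative only).
SOURCE = {"src/main.c": b"int main(void) { return 0; }\n", "README": b"demo\n"}
DEV = {"clock": 1700000123, "user": "alice", "listing": ["src/main.c", "README"]}
VERIFIER = {"clock": 1700009999, "user": "bob", "listing": ["README", "src/main.c"]}
PINNED_TIME = 1700000000  # assumed timestamp recorded alongside the release


def pack(files, order, mtime, owner):
    """Stand-in for compilation: pack the sources and return the SHA-256."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for name in order:
            info = tarfile.TarInfo(name)
            info.size = len(files[name])
            info.mtime = mtime
            info.uname = info.gname = owner
            tar.addfile(info, io.BytesIO(files[name]))
    return hashlib.sha256(buf.getvalue()).hexdigest()


def naive_build(files, clock, user, listing):
    # Leaks the environment into the output: file order, wall clock, username.
    return pack(files, listing, clock, user)


def reproducible_build(files, clock, user, listing):
    # Ignores the environment: sorted order, pinned time, fixed owner.
    return pack(files, sorted(files), PINNED_TIME, "root")


def demo():
    naive_match = naive_build(SOURCE, **DEV) == naive_build(SOURCE, **VERIFIER)
    clean_match = (reproducible_build(SOURCE, **DEV)
                   == reproducible_build(SOURCE, **VERIFIER))
    # A published binary built from altered source no longer matches a rebuild
    # from the public source, which is what exposes the tampering.
    altered = {**SOURCE, "src/main.c": b"int main(void) { return 1; }\n"}
    tampered_match = (reproducible_build(altered, **DEV)
                      == reproducible_build(SOURCE, **VERIFIER))
    return naive_match, clean_match, tampered_match


if __name__ == "__main__":
    print(demo())
```

With the naive build a hash mismatch says nothing, because honest builds of the same source already differ; only once the build is deterministic does a mismatch point at the source or the toolchain.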
To my knowledge there are no fully deterministically built operating systems yet. There is good work going
on in the Debian Project, which is one of the reasons why I recommend it as an operating system for
people
If your operating system is backdoored or your precautions fail so it's vital your operating system is
solid.
And if you're interested more in the topic, maybe you're a developer, this is quite a good read by a
gentleman called Mike Perry on deterministic builds in relation to Tor, but it's also a good read.
Reproducibly.