yuri at rawbw.com
Fri Nov 22 20:21:53 UTC 2013
On 11/22/2013 11:35, Roman Mamedov wrote:
> Why can't it be?
> Well, maybe not the whole device down to the CPU Verilog design level, but
> they could post source code for the firmware with the instructions to build
> and flash it, and since most likely this contains at least the Linux kernel
> and some GPLed tools like Busybox, they are legally obligated to provide
> source to whoever they distribute the binary to, on their request. But many
> router manufacturers don't bother limiting it to just that, and simply post
> the source code for public download on their websites.
How can one be sure that the firmware running on the router is built
from this particular source code and not from some modified version or
different revision? Also, how can one be sure that one extra service
wasn't added on top of this open source? I think the answer to both of
these questions is "impossible". In addition, governments have the power
to serve a secret order on the company to secretly add such a back door.
Open source only makes sense when built and installed by the party
interested in security, or maybe when it is built by some trustworthy
organization, like some trusted Linux distro, and not just some random
commercial company without any reputation.