[tor-talk] "Safeplug"

Yuri yuri at rawbw.com
Fri Nov 22 20:21:53 UTC 2013

On 11/22/2013 11:35, Roman Mamedov wrote:
> Why can't it be?
> Well, maybe not the whole device down to the CPU Verilog design level, but
> they could post source-code for the firmware with the instructions to build
> and flash it, and since most likely this contains at least the Linux kernel
> and some GPLed tools like Busybox, they are legally obligated to provide
> source to whoever they distribute the binary to, on their request. But many
> router manufacturers don't bother limiting it to just that, and simply post
> the source code for public download on their websites.

How can one be sure that firmware that is running on the router is built 
from this particular source code and not from some modified version or 
different revision? Also how can one be sure that one extra service 
wasn't added on top of this open source? I think the answer to both of 
these questions is "impossible". In addition, governments have the power 
to execute the secret order on the company to secretly add such back door.

Open source only makes sense when built and installed by the party 
interested in security, or maybe when it is built by some trustworthy 
organization, like some trusted linux distro, and not just some random 
commercial company without any reputation.


More information about the tor-talk mailing list