RE: Windows Update: A single point of failure for the world's economy?
From: Schmehl, Paul L (pauls_at_utdallas.edu)
Date: Thu, 4 Sep 2003 09:59:05 -0500 To: "Jeremy C. Reed" <firstname.lastname@example.org>
> -----Original Message-----
> From: Jeremy C. Reed [mailto:email@example.com]
> Sent: Wednesday, September 03, 2003 5:12 PM
> To: Schmehl, Paul L
> Cc: Stefano Zanero; BugTraq
> Subject: Re: Windows Update: A single point of failure for
> the world's economy?
> cvsup (or cvs) to update to new operating system or
> ports/pkgsrc sources is different because:
> - you don't get the final product; the binaries are not built
> automatically nor installed.
> - it is used to build from source; and the source code changes can
> be compared and reviewed by anyone.
I see this argument made all the time, and it's simply hogwash. The
number of people actually *qualified* to review the source to ensure
that it's not trojaned or doesn't have a buffer overflow or some other
programming problem is some miniscule percentage of the people who
actually download and compile that same source. It's a baloney
argument, and I wish people would stop using it.
Quick, name the people that *you* know personally who are qualified and
capable of auditing source code. (This is for all the readers.) I know
one. I certainly am not. And I know some *very* competent admins who
are not. I know a programmer who is, but he doesn't have the time.
In the end, we all have to trust that the people distributing software
are doing "due diligence", because there simply isn't time to audit it
all nor are we (in general) qualified to audit it. If you want to argue
that this isn't true, then *please* explain why so many patches are
constantly being released for the Linux kernel, for popular applications
like sendmail and apache, for damn near every software application that
exists today. This list *exists* because those who *write* the code
don't know how to program securely. How in the *world* do you expect
the average user, or for that matter the way above average user, to be
able to know with certainty that there isn't a problem with the source
that he's compiling? (Yes, I know about MD5 checksums, PGP sigs, etc.
All that does is confirm that the source you're getting is what the
developers intended you to get. It does *not* confirm that the code is
Paul Schmehl (firstname.lastname@example.org)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member