
Re: [tor-talk] "Safeplug"



On 11/22/2013 11:35, Roman Mamedov wrote:
> Why can't it be?
>
> Well, maybe not the whole device down to the CPU Verilog design level, but
> they could post source-code for the firmware with the instructions to build
> and flash it, and since most likely this contains at least the Linux kernel
> and some GPLed tools like Busybox, they are legally obligated to provide
> source to whoever they distribute the binary to, on their request. But many
> router manufacturers don't bother limiting it to just that, and simply post
> the source code for public download on their websites.

How can one be sure that the firmware that is running on the router is built from this particular source code and not from some modified version or a different revision? Also, how can one be sure that one extra service wasn't added on top of this open source? I think the answer to both of these questions is "impossible". In addition, governments have the power to execute a secret order on the company to secretly add such a back door.

Open source only makes sense when built and installed by the party interested in security, or maybe when it is built by some trustworthy organization, like some trusted Linux distro, and not just some random commercial company without any reputation.

Yuri
--
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk