[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] "Safeplug"

To: tor-talk@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-talk] "Safeplug"
From: Yuri <yuri@xxxxxxxxx>
Date: Sat, 23 Nov 2013 18:23:01 -0800
Delivered-to: archiver@xxxxxxxx
Delivery-date: Sat, 23 Nov 2013 21:26:16 -0500
In-reply-to: <528FFC76.3050801@xxxxxxxxxxxxx>
List-archive: <http://lists.torproject.org/pipermail/tor-talk/>
List-help: <mailto:tor-talk-request@lists.torproject.org?subject=help>
List-id: "all discussion about theory, design, and development of Onion Routing" <tor-talk.lists.torproject.org>
List-post: <mailto:tor-talk@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=unsubscribe>
References: <20131122165044.3343f003@natsu> <20131122112533.GB5843@tuzo> <CAJQk2Dxb+2oz5oVwoYuXivfPpeNLG_U+kfKR6Rx9NcAtUEOrgg@xxxxxxxxxxxxxx> <528F5E60.2080306@xxxxxxxxxxxxxx> <528FA64F.1030205@xxxxxxxxx> <20131123013554.31c329f5@natsu> <528FBCE1.5090104@xxxxxxxxx> <528FFC76.3050801@xxxxxxxxxxxxx>
Reply-to: tor-talk@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-talk" <tor-talk-bounces@xxxxxxxxxxxxxxxxxxxx>
User-agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:24.0) Gecko/20100101 Thunderbird/24.1.0

On 11/22/2013 16:53, Red Sonja wrote:

How can one be sure that firmware that is running on the router is
built from this particular source code and not from some modified
version or different revision?

Hashes?

The ability to build it from sources?

If you search you can find a few other solutions.

Nope, there is no solution. Hash can only prove it comes from thisvendor, it doesn't establish vendor trust. You practically can't provethat firmware is built from the particular source since it ispractically impossible to duplicate the build environment for anycomplex project from the real world.

Also how can one be sure that one extra service wasn't added on top
of this open source?

Go for your own compile and see what's broken.


Sorry, this doesn't make any sense.

Open source only makes sense when built and installed by the party
interested in security, or maybe when it is built by some trustworthy
organization, like some trusted linux distro, and not just some
random commercial company without any reputation.

Not really. How about the tor project? Trust comes precisely from this
open source, open review. In fact, Tor is one step above: it's Free
Software.


Yes, trust comes with the open review, and transparent build process.

None of these is possible with firmwares supplied by commercialcompanies. Therefore, no trust. Product in its original form is prettymuch useless for what it is advertised.

However, there are many useless products on the market, and commercialsuccess doesn't seem to correlate with "usefulness". So I only wish themwell in their endeavor. Nice try anyway.


Yuri
--
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

References:
- [tor-talk] "Safeplug"
  - From: Roman Mamedov
- Re: [tor-talk] "Safeplug"
  - From: Sean Alexandre
- Re: [tor-talk] "Safeplug"
  - From: Chris Burge
- Re: [tor-talk] "Safeplug"
  - From: krishna e bera
- Re: [tor-talk] "Safeplug"
  - From: Yuri
- Re: [tor-talk] "Safeplug"
  - From: Roman Mamedov
- Re: [tor-talk] "Safeplug"
  - From: Yuri
- Re: [tor-talk] "Safeplug"
  - From: Red Sonja

Prev by Author: Re: [tor-talk] "Safeplug"
Next by Author: Re: [tor-talk] Open Source Router
Previous by thread: Re: [tor-talk] "Safeplug"
Next by thread: Re: [tor-talk] "Safeplug"
Index(es):
- Author
- Thread