Fedora Core 2 Test 2 - delayed

Mike A. Harris mharris at redhat.com
Fri Feb 27 15:02:09 UTC 2004


On Fri, 27 Feb 2004, Leonard den Ottolander wrote:

>How well scrutinized is this NSA code actually? Everybody can see they
>won't slip in an obvious backdoor, but how about nasty little overflows,
>tucked away deep inside the code, for which they already have exploits
>in their drawer?

Aside from rejecting SElinux merely due to conspiracy theories
alone, what would be your suggestion to ensure that this is not
the case?

If you really think about it, you can apply the same conspiracy 
theory to the Linux kernel, XFree86, and every other piece of 
software in the system.

There are quite a few security vulnerabilities found and fixed in
OSS source code.  How can you truly be sure that a given
vulnerability wasn't planted there intentionally?

Take the recent XFree86 security update which contains fixes for
libXfont.  Do we really know for sure that when Keith Packard 
wrote that 14 or so years ago, that he didn't intentionally put 
the buffer overflows in there, so that he could 0wn all machines 
running the X Window System 15 years later?  ;o)

You did upgrade X to the latest version right?  ;o)



-- 
Mike A. Harris     ftp://people.redhat.com/mharris
OS Systems Engineer - XFree86 maintainer - Red Hat
