> As much as I hated to contribute one single keystroke to this thread,
> I couldn't help stating one thing:
me also. ;)
[snipped response from well known firewall producer]
> If you'd just give us the source code, we'd be able to verify things
> just fine. I don't want to hear any whining about the fact that it
> would compromise your intellectual property or anything like that,
> because there are sufficient legal restrictions you could use to
> protect yourself. Just give us the source code, and we'll be happy.
> As security people, we should be careful about trusting anything without
> source code anyway..
This very quickly becomes circular,
Customer:"We don't trust you, so lets see the source code."
Firewall Manufacturer: "Ok...Here's the source code"
Customer:"But hang on this has no back-doors, show me the *real* source code."
Firewall Manufacturer: "*sigh*"
I spose you could build from the source and use the resulting binary to target suspect areas of your "official" binary, but I guess different compilation environments could explain differences.
Say you don't get source, say you disassemble the whole thing and find no code that pops up with "<3-letter-agency> Hole Authorisation. Please enter code", instead you find an overflow which allows the insertion of arbitrary code, of arbitrary length. Now, assuming the 3-letter-agency is doing their job right they will go for the second option. So you think MJR will cough up the 3 big ones for that? Maybe..maybe not. So bottom line is, short of a press-release from the 3-letter-agency or the company involved it would appear very very hard to prove deliberate compromise. This is relevant to any producer of similar products I would think.