Richard Jones wrote:
| > just fine. I don't want to hear any whining about the fact that it
| > would compromise your intellectual property or anything like that,
| > because there are sufficient legal restrictions you could use to
| > protect yourself. Just give us the source code, and we'll be happy.
|
| Two points:
|
| 1/
| This very quickly becomes circular,
| Customer:"We don't trust you, so let's see the source code."
| Firewall Manufacturer: "Ok...Here's the source code"
| Customer:"But hang on this has no back-doors, show me the *real* source code."
| Firewall Manufacturer: "*sigh*"
|
| I spose you could build from the source and use the resulting binary
| to target suspect areas of your "official" binary, but I guess
| different compilation environments could explain differences.
1. I can build from source and run. This reduces the problem to
reflections of trusting trust. I know people who have strongly
considered building a compiler with awk.
2. You can ship Makefiles, and not offer options beyond "make
distribution." If you list your tools, then this should produce the
same binary on many machines.
| 2/
| Say you don't get source, say you disassemble the whole thing and
| find no code that pops up with "<3-letter-agency> Hole Authorisation.
| Please enter code", instead you find an overflow which allows the
| insertion of arbitrary code, of arbitrary length. Now, assuming the
| 3-letter-agency is doing their job right they will go for the second
| option. So you think MJR will cough up the 3 big ones for that?
| Maybe..maybe not. So bottom line is, short of a press-release from
| the 3-letter-agency or the company involved it would appear very very
| hard to prove deliberate compromise. This is relevant to any producer
| of similar products I would think.
So? You haven't proven the origin of the problem, but you
have found a problem, and can demand it be fixed. This is the case
with source or object files, it's just *much* easier with source.

Having gone through the work of reviewing the product, you
have much more confidence that it is secure or not. Well founded
confidence in the quality of your security products is a good thing.
Haven't you ever taken a crowbar to that bulletproof glass in the man
trap?

(Reminds me of the audit I did where the glass was bulletproof,
the mantrap had an alarm if someone was inside for 30 seconds, and the
raised floor extended beyond the glass by over a yard. Pry, lift,
shimmy, and hey, I'm past it all!)
Adam
--
"It is seldom that liberty of any kind is lost all at once."
-Hume
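
The comparison discussed above (build from source, then use the result to find the areas of the shipped binary worth disassembling), as an added example that is not part of the original message. The function names and the sample byte strings are constructed for illustration, and it assumes the toolchain and Makefile are pinned so that remaining differences are few.

```python
import hashlib

def diff_regions(official: bytes, rebuilt: bytes, merge_gap: int = 16):
    """Return [(start, end)] half-open byte ranges where the images differ.

    Differences closer than merge_gap bytes are merged into one region so a
    reviewer gets a short list of areas to disassemble. A length mismatch is
    reported as a final region covering the unmatched tail.
    """
    regions = []
    common = min(len(official), len(rebuilt))
    start = last = None
    for i in range(common):
        if official[i] != rebuilt[i]:
            if start is None:
                start = i
            elif i - last > merge_gap:
                regions.append((start, last + 1))
                start = i
            last = i
    if start is not None:
        regions.append((start, last + 1))
    longest = max(len(official), len(rebuilt))
    if longest > common:
        regions.append((common, longest))
    return regions

def compare(official: bytes, rebuilt: bytes):
    """Summarise whether the shipped binary matches the local rebuild."""
    same = hashlib.sha256(official).digest() == hashlib.sha256(rebuilt).digest()
    return {"identical": same,
            "regions": [] if same else diff_regions(official, rebuilt)}

# Constructed sample images (not real firewall binaries): identical code,
# a differing embedded build id, and 8 extra bytes in the "official" image.
_code = bytes(range(64))
REBUILT = _code + b"BUILD_ID=0001" + _code
OFFICIAL = _code + b"BUILD_ID=0002" + _code + b"\x90" * 8

if __name__ == "__main__":
    result = compare(OFFICIAL, REBUILT)
    print("identical:", result["identical"])
    for lo, hi in result["regions"]:
        print(f"review bytes {lo:#x}-{hi:#x} ({hi - lo} bytes)")
```

A one-byte region inside a build identifier is the kind of difference a compilation environment explains; the unmatched tail is the kind that needs an explanation from the vendor.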