Groups | Search | Server Info | Login | Register

Groups > comp.security.misc > #1540

Re: Finding backdoors

From William Unruh <unruh@invalid.ca>
Newsgroups comp.security.misc
Subject Re: Finding backdoors
Date 2024-09-26 19:57 +0000
Organization A noiseless patient Spider
Message-ID <vd4ebj$bqls$1@dont-email.me> (permalink)
References <vd3uf2$7ng3$1@dont-email.me> <vd48b7$8qf9$1@dont-email.me>

Show all headers | View raw

On 2024-09-26, Marco Moock <mm+usenet-es@dorfdsl.de> wrote:
> On 26.09.2024 um 15:26 Uhr bp@www.zefox.net wrote:
>
>> I'm looking for links to techniques for finding backdoors in software 
>> and hardware. 
>
> The only way is to learn the programming language, then check the code
> and compile it yourself. Of course, the other stuff on you machine
> (compiler, linker etc.) needs to be reviewed too, so a huge task no
> single person can do.
>
>> It's a matter of personal curiosity inspired by the exploding pager
>> incident lately in the news and a call for banning certain software
>> developers. An obvious question is whether use of open-source
>> software is a meaningful help. Fuzzing seems an obvious choice, but
>> slow. 
>
> OSS has the benefit that the code is public any many people can look
> inside. Although, that doesn't mean that anybody will have a look. The
> sshd/liblzma backdoor proofed that again.

No, the open source code is public. That does not mean that the code on the
device is the true compilation of the source code, nor does it mean that
you can actually read the machine  code to see if it is a true
compilation of the source code. Most commercial hardware has its machine
code hidden so that competitors cannot steal it to make knock-offs or
their hardware. As far as I know we have no real idea of how the pagers
etc were made to explode. Battery shorts, implated explosives are the
obvious first guesses, but figuring out exatly how the machines exploded
is going to be hard since the victims are not very anxious to indentify
themselves or hand over their fragmented phones.

And they probably used pagers/ etc from that source before and thy were
fine. You cannot take apart every one of the thousands of phones you buy
to see if they are hacked.
>
> The more people look at it, the better it is, but this is not always
> enough.
>

Back to comp.security.misc | Previous | NextPrevious in thread | Next in thread | Find similar

Thread

Finding backdoors <bp@www.zefox.net> - 2024-09-26 15:26 +0000
  Re: Finding backdoors Marco Moock <mm+usenet-es@dorfdsl.de> - 2024-09-26 20:15 +0200
    Re: Finding backdoors William Unruh <unruh@invalid.ca> - 2024-09-26 19:57 +0000
      Re: Finding backdoors Marco Moock <mm+usenet-es@dorfdsl.de> - 2024-09-27 17:31 +0200
        Re: Finding backdoors William Unruh <unruh@invalid.ca> - 2024-09-27 16:26 +0000
          Re: Finding backdoors Marco Moock <mm+usenet-es@dorfdsl.de> - 2024-09-27 20:11 +0200
  Re: Finding backdoors Richard Kettlewell <invalid@invalid.invalid> - 2024-09-28 10:09 +0100
    Re: Finding backdoors <bp@www.zefox.net> - 2024-10-01 04:01 +0000
      Re: Finding backdoors Richard Kettlewell <invalid@invalid.invalid> - 2024-10-01 16:44 +0100
      Re: Finding backdoors rlhamil@smart.net (Richard L. Hamilton) - 2024-10-18 21:04 +0000
        Re: Finding backdoors <bp@www.zefox.net> - 2024-10-18 23:37 +0000
          Re: Finding backdoors rlhamil@smart.net (Richard L. Hamilton) - 2024-10-19 02:20 +0000

csiph-web