Groups | Search | Server Info | Login | Register

Groups > comp.security.misc > #1541

Re: Finding backdoors

From Marco Moock <mm+usenet-es@dorfdsl.de>
Newsgroups comp.security.misc
Subject Re: Finding backdoors
Date 2024-09-27 17:31 +0200
Organization A noiseless patient Spider
Message-ID <vd6j57$ou6o$2@dont-email.me> (permalink)
References <vd3uf2$7ng3$1@dont-email.me> <vd48b7$8qf9$1@dont-email.me> <vd4ebj$bqls$1@dont-email.me>

Show all headers | View raw

On 26.09.2024 um 19:57 Uhr William Unruh wrote:

> On 2024-09-26, Marco Moock <mm+usenet-es@dorfdsl.de> wrote:
> > On 26.09.2024 um 15:26 Uhr bp@www.zefox.net wrote:
> >  
> >> I'm looking for links to techniques for finding backdoors in
> >> software and hardware.   
> >
> > The only way is to learn the programming language, then check the
> > code and compile it yourself. Of course, the other stuff on you
> > machine (compiler, linker etc.) needs to be reviewed too, so a huge
> > task no single person can do.
> >  
> >> It's a matter of personal curiosity inspired by the exploding pager
> >> incident lately in the news and a call for banning certain software
> >> developers. An obvious question is whether use of open-source
> >> software is a meaningful help. Fuzzing seems an obvious choice, but
> >> slow.   
> >
> > OSS has the benefit that the code is public any many people can look
> > inside. Although, that doesn't mean that anybody will have a look.
> > The sshd/liblzma backdoor proofed that again.  
> 
> No, the open source code is public. That does not mean that the code
> on the device is the true compilation of the source code, nor does it
> mean that you can actually read the machine  code to see if it is a
> true compilation of the source code.

This would be possible with deterministic compile processes. You can
then compare the machine code.

> Most commercial hardware has its machine code hidden so that
> competitors cannot steal it to make knock-offs or their hardware.

This is different from the compiled machine code and another way to
inject malicious stuff.
If you want to be sure about every part, you would need access to the
code of UEFI/BIOS, firmware of devices etc.

> As far as I know we have no real idea of how the pagers etc were made
> to explode.

Implemented explosives.

> Battery shorts

Very unlikely.

> And they probably used pagers/ etc from that source before and thy
> were fine. You cannot take apart every one of the thousands of phones
> you buy to see if they are hacked.

For security reasons, they should do that.


-- 
kind regards
Marco

Send spam to 1727373459muell@cartoonies.org

Back to comp.security.misc | Previous | NextPrevious in thread | Next in thread | Find similar

Thread

Finding backdoors <bp@www.zefox.net> - 2024-09-26 15:26 +0000
  Re: Finding backdoors Marco Moock <mm+usenet-es@dorfdsl.de> - 2024-09-26 20:15 +0200
    Re: Finding backdoors William Unruh <unruh@invalid.ca> - 2024-09-26 19:57 +0000
      Re: Finding backdoors Marco Moock <mm+usenet-es@dorfdsl.de> - 2024-09-27 17:31 +0200
        Re: Finding backdoors William Unruh <unruh@invalid.ca> - 2024-09-27 16:26 +0000
          Re: Finding backdoors Marco Moock <mm+usenet-es@dorfdsl.de> - 2024-09-27 20:11 +0200
  Re: Finding backdoors Richard Kettlewell <invalid@invalid.invalid> - 2024-09-28 10:09 +0100
    Re: Finding backdoors <bp@www.zefox.net> - 2024-10-01 04:01 +0000
      Re: Finding backdoors Richard Kettlewell <invalid@invalid.invalid> - 2024-10-01 16:44 +0100
      Re: Finding backdoors rlhamil@smart.net (Richard L. Hamilton) - 2024-10-18 21:04 +0000
        Re: Finding backdoors <bp@www.zefox.net> - 2024-10-18 23:37 +0000
          Re: Finding backdoors rlhamil@smart.net (Richard L. Hamilton) - 2024-10-19 02:20 +0000

csiph-web