Can I trust downloading Python?

Steven D'Aprano steve at pearwood.info
Mon Sep 9 05:41:54 EDT 2013


On Mon, 09 Sep 2013 02:39:09 +1000, Chris Angelico wrote:

> On Mon, Sep 9, 2013 at 2:08 AM, Charles Hottel <chottel at earthlink.net>
> wrote:
>> I think this article is relevant although the code examples are not
>> Python but C:
>>
>> http://cm.bell-labs.com/who/ken/trust.html
> 
> That is quite true, and yet not truly helpful here :) It's like pointing
> out that we could be being fed false information, and then suggesting
> that The Matrix is technically possible. Once you start distrusting to
> that level, you become paranoid to a point that's inappropriate to all
> but the most critical situations. I'd accept and maybe even recommend
> that sort of paranoia if you're running a nuclear power station, or an
> automated weapon system capable of firing missiles that destroy the
> planet, or a bank that holds everyone's money. For the average Joe,
> there's no point panicking.
> 
> Also: That hack works beautifully when there's precisely one C compiler.
> In today's world, there are many (well known ones like gcc, clang, MS
> Visual Studio (whatever the compiler from that is called), and a bunch
> of lesser-known ones as well), and it's pretty easy to just grab a
> different compiler and build. The chances that your code will be falsely
> compiled by TWO compilers would have to be infinitesimal, and you
> needn't stop at two. 

That logic is dubious. Compilers aren't compromised by chance, and we 
don't know the a priori probability of any specific compiler being 
compromised. That depends on the attacker, surely? We know, for example, 
that the NSA has compromised multiple brands of router, smart phone and 
similar. If they, or some other similar organisation with equivalent 
capabilities, were going to attack compilers in the same manner, they 
surely wouldn't stop at one.

Would people notice? How often do people compare the machine code output 
of two different compilers, looking for back-doors in the generated code? 
Would you know where to look? If you found some differences, wouldn't you 
likely just chalk it up to different compilers producing different code? 

I think the best argument against this suggestion is that it would be an 
order of magnitude harder to compromise open source compilers, as you 
discuss below, and therefore gcc is *probably* (but not certainly) safe. 
But closed source? If Microsoft inserted a backdoor into Windows 8 on 
behalf of the NSA, as seems to be the case, then surely they'd also do 
the same to Visual Studio if asked.

Organisations like the NSA don't operate under the rule "if there is one 
single uncompromised machine on the planet, we've lost". It's a numbers 
game. If (hypothetically speaking) they had inserted backdoors into 
Visual Studio, gcc and clang, but not Larry's Cool C Compiler, I don't 
think they're going to lose sleep over that.


> Since many people build (to take one example) gcc
> from source, using an old version of gcc, the hack would have to be
> propagated to all current gcc builds in some way - you can't simply
> build once and install the binary as the official C compiler, not in
> today's distributed society. (If you're truly paranoid, you might
> believe that gcc has had the hack in it since its inception. But some
> people build gcc using other compilers, too.)

Yep, I agree -- although probably no individual has inspected the entire 
tool chain involved in building gcc, enough people have inspected each 
individual component that we can be reasonably confident that it is okay.


> If you can't trust any code you didn't write yourself, 

You trust yourself? You sheeple! The truly cautious man doesn't even 
trust himself. You might be an unconscious sleeper agent. Haven't you 
watched The Running Man?

(Ha ha only serious.)



-- 
Steven
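The two-compiler idea above, and the objection that different compilers naturally emit different code, are both captured by the diverse double-compiling check (David A. Wheeler's technique): build the compiler from source with two independent bootstrap compilers, then let each result rebuild the same source and compare only those second-stage outputs, which depend on the source alone. The following is an added example, not code from this thread; the toy compiler, the two honest bootstraps and the subverted one are all constructed fixtures in which "object code" is plain Python text loaded with exec().

```python
"""Diverse double-compiling (DDC) on a toy, self-hosting compiler."""
import hashlib

# Constructed fixture: the compiler we want to trust, shipped as source.
COMPILER_SRC = '''\
def compile(src):
    """Toy compiler: object code is the source with surrounding blanks trimmed."""
    return src.strip() + "\\n"
'''


def bootstrap_a(src):
    """Honest bootstrap compiler A (constructed): tags its output with a comment."""
    return src.strip() + "\n# built by A\n"


def bootstrap_b(src):
    """Honest bootstrap compiler B (constructed): same semantics, different tag."""
    return src.strip() + "\n# built by B\n"


def subverted_bootstrap(src):
    """Constructed fixture: an untrusted bootstrap that alters any compiler it
    builds so that the built compiler marks everything it compiles."""
    out = src.strip() + "\n"
    if "def compile" in src:
        out += ("_honest = compile\n"
                "def compile(src):\n"
                "    return _honest(src) + '# altered\\n'\n")
    return out


def load(object_code):
    """Load toy object code and return the compiler function it defines."""
    namespace = {}
    exec(object_code, namespace)
    return namespace["compile"]


def ddc(src, bootstrap_x, bootstrap_y):
    """Stage 1: build src with each bootstrap (binaries may legitimately differ).
    Stage 2: each stage-1 compiler rebuilds src; honest toolchains must agree."""
    digest = lambda text: hashlib.sha256(text.encode()).hexdigest()
    stage1 = (bootstrap_x(src), bootstrap_y(src))
    stage2 = (load(stage1[0])(src), load(stage1[1])(src))
    return {"stage1_identical": digest(stage1[0]) == digest(stage1[1]),
            "stage2_identical": digest(stage2[0]) == digest(stage2[1])}


if __name__ == "__main__":
    print("honest pair   :", ddc(COMPILER_SRC, bootstrap_a, bootstrap_b))
    print("subverted pair:", ddc(COMPILER_SRC, bootstrap_a, subverted_bootstrap))
```

A stage-1 mismatch on its own proves nothing, which is exactly the point raised above; a stage-2 mismatch means at least one bootstrap changed the compiler it built.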


