On Fri, 27 Feb 2004, Leonard den Ottolander wrote:

>How well scrutinized is this NSA code actually? Everybody can see they
>won't slip in an obvious backdoor, but how about nasty little overflows,
>tucked away deep inside the code, for which they already have exploits
>in their drawer?

Aside from rejecting SELinux merely due to conspiracy theories alone, what would be your suggestion to ensure that this is not the case?

If you really think about it, you can apply the same conspiracy theory to the Linux kernel, XFree86, and every other piece of software in the system. There are quite a few security vulnerabilities found and fixed in OSS source code. How can you truly be sure that a given vulnerability wasn't planted there intentionally?

Take the recent XFree86 security update which contains fixes for libXfont. Do we really know for sure that when Keith Packard wrote that 14 or so years ago, that he didn't intentionally put the buffer overflows in there, so that he could 0wn all machines running the X Window System 15 years later? ;o)

You did upgrade X to the latest version, right? ;o)

--
Mike A. Harris     ftp://people.redhat.com/mharris
OS Systems Engineer - XFree86 maintainer - Red Hat