Forwarded from: Kurt Seifried <listuser@private>

How do we know that this is the software that they compile and ship? We don't. Source disclosure is useless in this situation unless the build process is somehow audited, or they ship source and whatever else I need to build identical binaries to theirs, which I can then compare and go "yes, these binaries are identical, ergo it's probable that the sources we used are identical, ergo the source I audited and found to be correct is probably what was used to build the production binaries".

I'm sorry, but I see no reason to trust these companies implicitly; I think they should be held to an extremely high standard of "guilty until proven innocent". They have the ability to change the laws and governments we live within. Any other object with this capability (judges, politicians, etc.) is generally made to go through a rigorous process, and/or when they make or change laws there are multiple checks and balances (appeal courts, congress, the president's veto, the queen's veto, etc.). With voting machines there appear to be no checks and balances.

Kurt Seifried, kurt@private
A15B BEE5 B391 B9AD B0EF AEB0 AD63 0B4E AD56 E574
http://seifried.org/security/

_________________________________________
ISN mailing list
Sponsored by: OSVDB.org
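The rebuild-and-compare step the post describes (build from the disclosed source, hash the result, check it against what the vendor shipped) only works if the build is reproducible. The following is an added example, not code from the post or from any vendor; the artifact names, bytes and "manifest" are constructed, and the two build functions are stand-ins for a compiler that embeds a timestamp versus one with timestamps pinned (as the SOURCE_DATE_EPOCH convention does).

```python
import hashlib
from dataclasses import dataclass, field


def sha256_hex(data: bytes) -> str:
    """Digest of one artifact; SHA-256 is the comparison key throughout."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class Verdict:
    identical: list = field(default_factory=list)
    differing: list = field(default_factory=list)
    missing_locally: list = field(default_factory=list)     # vendor shipped it, we could not build it
    unexpected_locally: list = field(default_factory=list)  # we built it, vendor never shipped it

    def ok(self) -> bool:
        # Only a clean match on every shipped artifact supports the
        # "sources audited == sources shipped" inference from the post.
        return not (self.differing or self.missing_locally or self.unexpected_locally)


def compare_builds(local_artifacts: dict, vendor_manifest: dict) -> Verdict:
    """Compare our rebuild against the vendor's published digests, file by file."""
    v = Verdict()
    for name, expected in sorted(vendor_manifest.items()):
        if name not in local_artifacts:
            v.missing_locally.append(name)
        elif sha256_hex(local_artifacts[name]) == expected:
            v.identical.append(name)
        else:
            v.differing.append(name)
    v.unexpected_locally.extend(sorted(set(local_artifacts) - set(vendor_manifest)))
    return v


def is_deterministic(build, runs: int = 3) -> bool:
    """Build from the same source several times; every digest must agree.
    A build that fails this cannot be meaningfully compared against anyone's binary."""
    digests = {sha256_hex(build()) for _ in range(runs)}
    return len(digests) == 1


# --- constructed sample data (hypothetical artifacts, not real voting-machine files) ---
VENDOR_SHIPPED = {
    "tally.bin": b"\x7fELF tally v1 constructed",
    "ballot_ui.bin": b"\x7fELF ui v1 constructed",
    "updater.bin": b"\x7fELF updater constructed",
}
# What a vendor would publish: one digest per shipped artifact.
VENDOR_MANIFEST = {name: sha256_hex(data) for name, data in VENDOR_SHIPPED.items()}

LOCAL_BUILD = {
    "tally.bin": b"\x7fELF tally v1 constructed",         # identical to shipped
    "ballot_ui.bin": b"\x7fELF ui v1 constructed+patch",  # differs: built from other source
    # "updater.bin" deliberately absent: not present in the disclosed source tree
    "debug_helper.bin": b"\x7fELF helper constructed",    # extra artifact, never shipped
}

_counter = [0]


def build_with_timestamp() -> bytes:
    """Stand-in for a compiler that embeds a build timestamp/counter: never reproducible."""
    _counter[0] += 1
    return b"\x7fELF tally built at %d" % _counter[0]


def build_reproducibly() -> bytes:
    """Stand-in for a build with timestamps pinned (SOURCE_DATE_EPOCH style): always identical."""
    return b"\x7fELF tally built at 0"


if __name__ == "__main__":
    verdict = compare_builds(LOCAL_BUILD, VENDOR_MANIFEST)
    print("identical:", verdict.identical)
    print("differing:", verdict.differing)
    print("missing locally:", verdict.missing_locally)
    print("unexpected locally:", verdict.unexpected_locally)
    print("audit supports shipped binaries:", verdict.ok())
    print("timestamp build deterministic:", is_deterministic(build_with_timestamp))
    print("pinned build deterministic:", is_deterministic(build_reproducibly))
```

The verdict deliberately reports four outcomes rather than a single yes/no: a differing digest, an artifact we could not build from the disclosed tree, and an artifact we built that the vendor never shipped are three different audit findings, and any one of them breaks the chain of inference the post lays out. The determinism check is run first in practice; a build that does not agree with itself can never agree with the vendor's.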
This archive was generated by hypermail 2b30 : Thu Apr 08 2004 - 13:05:58 PDT