Security Concern: Unsigned Windows Executable

Jean-David Beyer jeandavid8 at verizon.net
Tue Jun 2 14:55:42 CEST 2009


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Robert J. Hansen wrote:

| Insert mandatory "reflections on trusting trust" reference here.
|
| The sentiment of "I must build it from source if I'm going to trust it"
| is great, but then you have to ask questions about your compiler, your
| system libraries, etc., until you're left hand-hacking Assembly
| instructions for a low transistor count CPU you've personally
| lithographed yourself from your own personal design.
|
Let's say I did all that. But do I trust the guy who looked over my shoulder
to be sure I did not make a mistake in my own personal design?

And if I believe, in principle, in automatically proving programs (or
hardware, their equivalent) correct, do I trust the program that does that?
And the rules given that program that the program to be verified is to meet?

We get into the very problem Rene Descartes was stuck in until he came up
with "Cogito, ergo sum." Which I do not think was a solution at all.

- --
~  .~.  Jean-David Beyer          Registered Linux User 85642.
~  /V\  PGP-Key: 9A2FC99A         Registered Machine   241939.
~ /( )\ Shrewsbury, New Jersey    http://counter.li.org
~ ^^-^^ 08:50:01 up 69 days, 15:04, 3 users, load average: 4.06, 4.24, 4.31
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
Comment: Using GnuPG with CentOS - http://enigmail.mozdev.org

iD8DBQFKJSFOPtu2XpovyZoRAmheAKC7PlUg4LWQsz9HdbP09cXdu/mIHwCcDrYG
X15Zb0CWZ1SbmpgFl+JibYs=
=NdyX
-----END PGP SIGNATURE-----



More information about the Gnupg-users mailing list