Re: @h4rm0ny
>>Did you check your compiler, to make sure it didn't have a backdoor? If not, what makes you think a mere code audit of your source is enough to prevent Trojan code from being inserted?
One - that would not undermine the point I made. Two, the source code for the compiler I use, since you ask, is here: GCC. And before you start asking about who compiles the compilers, the answer is everyone does, and it's verified by a hash. GCC is very widely used, and hashes of legitimate binaries are therefore reliable and easily checked. So your point is not only not a response to what I actually wrote, but wrong as well.
>>"This particular security aspect of open source was blown to pieces by Ken Thompson nearly 30 years ago, when he demonstrated the addition of Trojan code using vetted, approved source code that contained NO TRACE of the Trojan code."
If you're trying to make the point (as far as I can work out) that it is possible for someone to introduce a backdoor that isn't immediately noticeable as a backdoor, then that's neither in dispute nor something anyone isn't aware of. But your argument is akin to saying a task massively more difficult than another is equivalent because both have a chance of success. Adding a backdoor to closed source is bordering on trivial. Adding one to Open Source that isn't detectable is extremely difficult and constrained to a much narrower range of circumstances. NSA sort of managed to do it with RSA in a way, with their fiddling about with random number generation. And that's an organization of extremely bright people with massive resources working in an area where very few people were qualified to understand the code, with a code-base that wasn't publicly reviewed. As I say: extremely difficult. To equate 100,000:1 odds with 2:1 odds by saying both scenarios can occur shows extremely limited thinking. Not to mention being biased as a pre-requisite.
>>"What is more, the USAF knew about this sort of thing 30 years ago - so you can bet that the NSA and GCHQ know about it today. There is probably a whole new layer of security exploits in Linux and open source software like OpenSSL, Apache, et cetera, that are based on backdoors in the GNU compiler. Simply hiring eyes to look at the source code won't help you find them."
Hiring more people to inspect source code won't help find things wrong with the source code? At this point, you're descending into nonsense. Also, your invocation of "probably" to make your argument is just a way of trying to escape having to support your argument. In effect, you're just stating an (ill-thought-out) opinion.