KY1K wrote regarding 'Re: [PIC] PIC based login device for PC?' on Tue, Mar 07 at 08:29:
> At 04:13 PM 3/6/2006, you wrote:
> >file specific ones) is John the Ripper (http://www.openwall.com/john/)
>
> Matt,
>
> Would you really trust the (anonymous) author of a program designed
> to circumvent security by installing and running his/her software??? Not me::>

In general, this is a good attitude. In particular, John the Ripper has been around for a long time, the source code is available, and it ships with several security-conscious Linux distributions (and some less-safe distros). So it's specifically pretty trustworthy, and anyone can examine the source before building it with a trusted compiler on a trusted machine if they're feeling paranoid.

I used to run it nightly against the student accounts in the Unix lab and have it disable accounts / send a notification email out to people whose passwords were too weak (this was before we had switched over to a PAM-enabled system with nice, easy plugins to check new passwords when they're changed).

We'll ignore the theoretical attack of a compromised compiler which can compromise a generated compiler as well as compromising binaries, for the sake of discussion. Gotta start trust at some point, and I'm certainly not paranoid enough to build a compiler in assembly and then audit glibc and gcc's source base. :)

--Danny, who trusts Ruger despite the fact that they almost exclusively make products designed to kill things...

--
http://www.piclist.com PIC/SX FAQ & list archive
View/change your membership options at
http://mailman.mit.edu/mailman/listinfo/piclist