Reflections on trusting trust
This highlights that users really need to be able to trust their hardware. The traditional assumption is that hardware is trying to do what it's supposed to do -- conform to specifications, route packets, store data, whatever. All of the reliability features of the Internet depend on some degree of good faith. Just as VeriSign's SiteFinder caused a certain amount of technical trouble, Company X's ad-routing feature raises some issues. The worst part for users is the difficulty of working around such a feature. If I send an HTTP request to a site and the request doesn't complete, the TCP/IP software on my computer is supposed to know that the request failed so it can try to resend. And it won't do this if the router gives it bad data.
If it's possible that hardware might perform a questionable act, then users need a way to verify that the hardware is performing the acts that they bought it for. That pretty much means reviewing the source code for the router's firmware -- the software it has recorded on a little chip, which tells it what to do.
Ken Thompson did a wonderful presentation once, titled "Reflections on Trusting Trust," in which he demonstrated that you cannot trust code that you don't have complete control over. His demonstration involved building a C compiler which introduced a backdoor into a system-authentication routine. You might think you could just check the compiler source, but the backdoor code also inserted itself into the C compiler whenever it recognized that it was compiling the compiler. As a result, the code could be removed from the compiler's source entirely, and an inspection of that source would reveal nothing suspicious, while every compiler built from it still carried the backdoor.
Consider the implications of this for a router. It has code to load new firmware software. How do you know that this code is trustworthy? You don't. You can't. The only defense you have is the assumption that router vendors are trustworthy.
But, then, if vendors were always trustworthy, you wouldn't need to examine the code in the first place.
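The column leaves the reader with "you can't" check the loader. One partial answer, which the column does not mention, is David A. Wheeler's diverse double-compiling (DDC): rebuild the compiler's source with an independent, separately trusted compiler, rebuild it again with the result, and compare that with the binary you were shipped. The following is an added toy model, not code from the column or from Thompson's paper, that simulates the self-propagating trojan and the DDC comparison. Its "compilers" are string-to-string translators, its "binaries" are text, and the injected payload is just a marker line; `honest_compile`, `trojaned_compile`, `load` and `ddc_check` are all constructed names for this illustration.

```python
"""Toy model of Thompson's self-propagating compiler trojan and of the
diverse double-compiling (DDC) check that exposes it.  Constructed example:
the "compilers" are string-to-string translators and the "binaries" are text."""
from typing import Callable

Compiler = Callable[[str], str]  # source text -> "binary" (output text)
TROJAN_MARK = "#!trojan"          # stands in for an injected payload

# Constructed source texts; the "language" is irrelevant to the point.
COMPILER_SOURCE = """
def compile(src):
    return strip_blank_lines(src)
"""
LOGIN_SOURCE = """
def login(user, password):
    return check(user, password)
"""

def honest_compile(source: str) -> str:
    """Trusted translation: a 'binary' is just the normalized source text."""
    return "\n".join(l.strip() for l in source.splitlines() if l.strip())

def trojaned_compile(source: str) -> str:
    """Thompson's trick in miniature: identical to the honest compiler except
    when it recognizes the login routine or the compiler itself, in which case
    it appends the payload marker so the trojan survives recompilation."""
    out = honest_compile(source)
    if "def login(" in source or "def compile(" in source:
        out += "\n" + TROJAN_MARK
    return out

def load(binary: str) -> Compiler:
    """'Run' a compiler binary.  A binary carrying the marker behaves as the
    trojaned compiler; this is what makes the trojan self-propagating."""
    return trojaned_compile if TROJAN_MARK in binary else honest_compile

def ddc_check(suspect_binary: str, compiler_source: str, trusted: Compiler) -> bool:
    """Diverse double-compiling: build the compiler source with an independent
    trusted compiler (stage 1), then rebuild it with that result (stage 2).
    If the published source really corresponds to the suspect binary, stage 2
    must reproduce it byte for byte (assuming deterministic builds)."""
    stage1 = trusted(compiler_source)
    stage2 = load(stage1)(compiler_source)
    return stage2 == suspect_binary

def demo() -> dict:
    """Shows that source review alone cannot separate the two binaries,
    that the trojan propagates through a clean rebuild, and that DDC
    distinguishes the clean binary from the trojaned one."""
    honest_binary = honest_compile(COMPILER_SOURCE)
    trojaned_binary = trojaned_compile(COMPILER_SOURCE)
    # Both binaries were built from the same clean COMPILER_SOURCE.
    rebuilt = load(trojaned_binary)(COMPILER_SOURCE)   # still trojaned
    login_bin = load(rebuilt)(LOGIN_SOURCE)            # payload lands in login
    return {
        "clean_passes_ddc": ddc_check(honest_binary, COMPILER_SOURCE, honest_compile),
        "trojan_fails_ddc": not ddc_check(trojaned_binary, COMPILER_SOURCE, honest_compile),
        "trojan_propagates": TROJAN_MARK in rebuilt and TROJAN_MARK in login_bin,
    }

if __name__ == "__main__":
    print(demo())
```

In the toy, the "independent trusted compiler" is simply `honest_compile`; in practice the whole point of DDC is that it is a different compiler from a different lineage, so that both would have to carry the same trojan for the comparison to be fooled. The same reasoning applies to a router: a firmware image whose published source cannot be rebuilt, by an independent toolchain, into the image the vendor ships is one you have no basis for trusting.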
This week's action item: Ask a handful of network technicians what they would think of a router behaving in this way. Is the response generally positive or negative?