Roeland M.J. Meyer has declared that:
I don't care where it purports to be from, for this kind of code, I will not trust something [to not be a trojan] that I can not compile myself. This policy applies to SSH, SSL, and other security related code. I am sure that I am not the only one with this policy.
The NIPC admitted that to me. You are not the only one by a long shot. I contacted the NIPC site, and sent email to the nicpc contact asking about source, explaining the above concerns to them. Their response was they were valid concerns, but they basically didnt care. NO SOURCE. "Trust us". Hard to do knowing they are pushing for the legal right to install trojans or backdoors on peoples computers w/o warrant or the persons knowlege or permission - no way I would put anything on running as root on any system I control. Sad state of affairs, but I feel a prudent approach, given the attitude of some agencies these days. So, I responded that when they changed their policy and started regarding the admins expected to rely on this as an ally in the effort to solve these abuse problems, please let me know, we (where I work) would be glad to participate. Until then, however, thanks but no thanks. I will muddle along using other methods. As such I am looking for open-src tools for finding and smoking out these rogue daemons from other sources. Thanks Pat M/HW -- #include <std.disclaimer.h> Pat Myrto (pat at rwing dot ORG) Seattle WA "On a more encouraging note, I have yet to see anything suggesting the Internet is a threat to the mining industry. Our key assets are ore bodies and its hard to see virtual ore bodies taking over." -- Market analist Jack Jones