At 02:59 AM 6/22/99, Peter Gutmann wrote: >Zombie Cow <[EMAIL PROTECTED]> writes: >>http://linuxtoday.com/stories/6876.html >> >>Could Open Source Software Help Prevent Sabotage? >> >>Imagine a Chinese agent working at Microsoft. How difficult do you think it >>would be to insert a little "backdoor" into a Windows .dll file or somewhere >>else? [...] > >Not to defend MS on their security record (who has that much asbestos?), but I >don't think having the source available would make a major difference in >finding deliberately inserted, cleverly hidden trapdoors. Although it's >traditional to use Ken Thompson's Unix login trapdoor as an example, I'm sure >it wouldn't be too hard to insert trapdoors in plain view in just about >anything without anyone really noticing. Access to "the source code" may also give a false sense of security. "The source" might not be the full, complete, and exact code used to produce the commonly available object, and thus might not reveal the threating features. Anyone with experience in large-scale software development knows how easy it is for source and binary to get out-of-synch ... accidently. >Having source code available would certainly help to find accidental security >bugs, and God knows NT is generously enough endowed with those, but adding a >deliberate weakness is going to be practical with or without source code. >There are lots of reasons why having source code available is a good thing, but >for finding deliberately inserted, cleverly hidden holes it's not going to help >much. True. Ad-hoc open source initiatives probably won't do much to stop an insider attack at a late stage of development, like a patched binary. Defining a trusted development process for a large collaborative effort, to the point of insuring trustworthy "signed" deliverables, is by no means a simple problem. A trusted development process should insure that multiple independent eyes attend to the design, implementation, and translation of each component. -- dpj --------------------------------------------------- David P. Jablon [EMAIL PROTECTED] President +1 508 898 9024 Integrity Sciences, Inc. www.IntegritySciences.com
