Zombie Cow <[EMAIL PROTECTED]> writes: >http://linuxtoday.com/stories/6876.html > >Could Open Source Software Help Prevent Sabotage? >Jun 18th, 11:07:50 > >Imagine a Chinese agent working at Microsoft. How difficult do you think it >would be to insert a little "backdoor" into a Windows .dll file or somewhere >else? With the Government jumping into NT left and right, a secret backdoor or >even an "easter egg" that shuts the system down on command could cripple our >entire defense network, law enforcement and just about anything else. How much >easier it would be to fight a war against an enemy whose computers are all >crashed beyond repair? Not to defend MS on their security record (who has that much asbestos?), but I don't think having the source available would make a major difference in finding deliberately inserted, cleverly hidden trapdoors. Although it's traditional to use Ken Thompson's Unix login trapdoor as an example, I'm sure it wouldn't be too hard to insert trapdoors in plain view in just about anything without anyone really noticing. For example, one claim which is often made on the net is that "you can trust PGP because the source code is available", but how many people have actually read through every line of PGP source, carefully analysing it not only at a microscopic level ("Is this line OK") but at a macroscopic level ("How does what this code module is doing interact with another code module"). In practice I doubt anyone has ever done this (look at how long it took to find the xorbytes bug, which was located in a central, critical portion of the code). When you hear people say "I trust PGP because the source code is available" what they really mean is "I trust PGP because I'm hoping that someone else has looked at the source code and was clever and/or lucky enough to find any bugs it might have". Having source code available would certainly help to find accidental security bugs, and God knows NT is generously enough endowed with those, but adding a deliberate weakness is going to be practical with or without source code. There are lots of reasons why having source code available is a good thing, but for finding deliberately inserted, cleverly hidden holes it's not going to help much. Then there's the original story, in which recent missile failures are blamed on bogeymen instead of conventionally buggy software: >http://www.worldnetdaily.com/bluesky_dougherty/19990618_xnjdo_missile_fa.shtml > >[...] > >Ken Russell, a retired aerospace engineer, told WorldNetDaily that in light of >so much espionage by potential enemies like China, it is "extremely plausible" >to have had many of the most sophisticated software programs developed for >U.S. weapons systems intentionally corrupted. It's interesting to note that writing buggy software now requires the involvement of Chinese spies, rather than just sitting back and letting programmers go at it as they have for decades. I guess the person who made the statements isn't familiar with the Detection Club's code, which among other things required members "to observe a seemly moderation in the use of [...] Mysterious Chinamen". Next thing they'll be moving military satellites and taking control of battleships over the net. Peter.
