Steven M. Bellovin wrote:

From a security point of view, why should anyone download any plug-in from an unknown party? In this very specific case, why should someone download a a plug-in that by its own description is playing around in the crypto arena.

I think this is a problem for all open source projects. Suppose I wrote a trojan open source product. Although the code is open for review, how many people actually do review it? I could list the product on Freshmeat, and if it looked like an exciting piece of technology, quite a few people might download it. Probably quite soon someone will find the back door, the story would probably be reported on sites like Slashdot, and the game would be up. However, I could have done a lot of harm in the meantime.

The other approach would be to contribute trojan code to another open source product. I don't personally think that there is any of SCO's IP in the Linux kernel, but SCO's story isn't completely implausible. A rogue contributor could submit code that was SCO's copyright -- or contained a back door. In the case of the Linux kernel, I doubt a back door would work because there seems to be quite a lot of peer review. However, for other projects it might work okay.

These attacks apply in the corporate world as well, but to a lesser extent. Usually you have a better idea who someone is when you pay them money; this is a deterrent because it is a crime to ship trojan software wilfully. It also takes effort to infiltrate someone into a company's programming team; contributing code from an anonymous Internet account is much easier.

On the other hand, once a back door is installed in binary-only software, it is much less likely to be found. The Interbase back door was only found when the source was opened.

I think there are two defences against these attacks. The first is based on developers' reputations. If you don't have a strong reputation, people are much less likely to report on your new open source product, and much less likely to download it. This means that an attack might succeed against a few people, but it would be unlikely to compromise thousands of machines. (A moderated Freshmeat would be nice here -- you could have a site where a condition of listing your project was that you reviewed a certain number of others.)

The second defence is the amount of work that it takes to produce a project that someone would be interested in. If I produced a clone of Word, and put a back door in it, no doubt lots of people would download it. However, the work is not justified by the reward; there are simpler ways of compromising machines.


--------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Reply via email to