At 12:07 PM 1/27/02 -0500, Arnold G. Reinhold wrote: > if >an attacker had an agent working inside the organization that >produced the package, the agent could simply insert the Trojan >software patch in the original package. However such an insertion is >very risky. A sophisticated software company would likely have code >reviews that would make introduction of the Trojan code difficult.
Um, right. A good company would have *design* reviews, but would it really spend time having skilled engineers review *all* the actual codelines (given time to market pressure, tedium limits, etc.)? An individual with write access to their part of a source-control-system is all you need. Remember, you could buy Aldrich Ames (wife included) or Hanssen (just him) for under 1.5 mill $USD each. Perhaps certain core operations are studied with >2 eyeballs, but all you need is one breach to undermine security. I would like to learn about *code* review practices in whatever is considered a 'sophisticated' software company. Cheers --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
