Not logged in
Log in now
Create an account
Subscribe to LWN
Deadline scheduling: coming soon?
LWN.net Weekly Edition for November 27, 2013
ACPI for ARM?
LWN.net Weekly Edition for November 21, 2013
GNU virtual private Ethernet
Backdoor in e107 CMS version 0.7.17
Posted Jan 26, 2010 14:22 UTC (Tue) by cdman (guest, #63220)
Posted Jan 26, 2010 14:31 UTC (Tue) by johill (subscriber, #25196)
Posted Jan 27, 2010 6:43 UTC (Wed) by njs (guest, #40338)
Posted Jan 28, 2010 10:34 UTC (Thu) by epa (subscriber, #39769)
Posted Jan 28, 2010 19:26 UTC (Thu) by njs (guest, #40338)
If you *really* want to compromise the users of some project, it's pretty straightforward -- just come up with a plausible pseudonym, and send some legitimate patches that "accidentally" introduce an old-fashioned security bug. All the crypto in the world won't help with that. There are plenty of people you'd expect to be expending real resources on this, too -- militaries, criminals, heck, security researchers (who build their reputation and consulting business through finding bugs). The only reason I can think of that we haven't caught anyone at it yet is that earnest engineers produce enough security holes that people who depend on security holes mostly don't find it worth the bother trying to add more.
Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds