Scary but...
Posted Feb 20, 2003 3:04 UTC (Thu) by yodermk (subscriber, #3803)
Parent article: The trojaning of mICQ
This is scary.
But I think that we have a lot more to fear from small one-person projects than from large projects.
Most or all multi-developer projects use version control. People are notified when code gets changed. It would have to take a lot of social engineering to get something like this into an official, say, Apache or GNOME release.
But perhaps the distros should be quite a bit more careful with accepting code from small projects with little accountability.
Posted Feb 20, 2003 15:04 UTC (Thu) by proski (subscriber, #104)
My point is that large programs are not safer if the lead developers cannot be trusted. It's easier to hide bad things in large projects.
It's quite hard to get a trojan applied by someone else as a patch. However, the main developer can gradually redesign the program in such a way that the trojan cannot be detected. For example, the "anti-Debian" text could be hidden in a table used for encryption or for calculating checksums. Using pointers to functions also makes it easy to hide much nastier things. For example, you implement a recursive algorithm, and then somehow pass the function that erases files as a pointer to the recursive function. Having many levels of calls also helps hide bad intentions by spreading the bad code across the program.