Scary but...

Posted Feb 20, 2003 3:04 UTC (Thu) by yodermk (subscriber, #3803)
Parent article: The trojaning of mICQ

This is scary.

But I think that we have a lot more to fear from small one-person projects than from large projects.

Most or all multi-developer projects use version control. People are notified when code gets changed. It would have to take a lot of social engineering to get something like this into an official, say, Apache or GNOME release.

But perhaps the distros should be quite a bit more careful with accepting code from small projects with little accountability.

to post comments

Scary but...

Posted Feb 20, 2003 15:04 UTC (Thu) by proski (guest, #104) [Link]

It's quite hard to get a trojan applied by someone else as a patch. However, the main developer gradually can redesign the program in such way that the trojan cannot be detected. For example, the "anti-Debian" text could be hidden in a table used for encryption of for calculating checksums. Using pointers to functions also makes it easy to hide much nastier things. For example, you implement a recursive algorithm, and then somehow pass the function that erases files as a pointer to the recursive function. Having many levels of calls also helps hide bad intentions by speading the bad code across the program.

My point is that large programs are not safer is the lead developers cannot be trusted. It's easier to hide bad things in large projects.