Scary but...

Posted Feb 20, 2003 15:04 UTC (Thu) by proski (guest, #104)
In reply to: Scary but... by yodermk
Parent article: The trojaning of mICQ

It's quite hard to get a trojan applied by someone else as a patch. However, the main developer gradually can redesign the program in such way that the trojan cannot be detected. For example, the "anti-Debian" text could be hidden in a table used for encryption of for calculating checksums. Using pointers to functions also makes it easy to hide much nastier things. For example, you implement a recursive algorithm, and then somehow pass the function that erases files as a pointer to the recursive function. Having many levels of calls also helps hide bad intentions by speading the bad code across the program.

My point is that large programs are not safer is the lead developers cannot be trusted. It's easier to hide bad things in large projects.