Date: Wed, 18 Feb 2004 22:07:46 +0200
From: shimi <shimi@...mi.net>
To: Gadi Evron <ge@...tistical.reprehensible.net>
Cc: bugtraq@...urityfocus.com, full-disclosure@...ts.netsys.com
Subject: Re: OT: reports of a Trojan horse in the Arrow project


Since the second I read the article about that in the newspaper, I've 
failed to understand how code developed in any country (be it Egypt, 
Japan, Russia, etc.) can be a greater risk to a specific system than 
code that wasn't. I have no idea how this system works, nor anything 
about it, except for what was written in the article that you gave the 
URL to. I mean, we're talking about Motif. I assume that we're talking 
about the well-known Motif, right? The thing that is part of window 
programming under X. How do you know that X has no trojans? After all, 
it wasn't written by your government. Neither was the operating system. 
Neither was the C library. You can ask your question about *any piece 
of code* involved in running *any* important system on earth, be it 
the USA's nuclear warheads, a 100-billion-worth trade secret, or 
anything else that simply can't stand the thought of having a trojan 
implanted in it.

The only way to make sure that code does not have any trojans is to 
read all of it. That's hard to do, because in a modern system you'll 
have billions of billions of lines of code to read! So many things are 
related to so many things, and you really have to read them all, because 
if your program contains 600MB of source code after the linkage, and one 
of the functions is using an insecure in-memory copying function, then 
you could be totally vulnerable (on the other hand, it might just crash 
the program...)

This is the point where they invented... Open Source.

If all your source is open to you, and preferably open to you and to 
hundreds of thousands of people worldwide, and they are all digging in 
it, trying to find where programmers did the Bad Things, then your code 
will be more secure, and trojans *will* be found. Especially for really 
old projects that have been gone over lots of times during the years, 
like XFree and the Linux kernel, for instance.

So, as long as governments do the smart thing and base their critical 
stuff on code that is heavily tested by thousands of thousands of people 
worldwide, I think we're going towards a more secure world. Of course, 
nothing is perfect, but a bug that someone found *by mistake* is far 
more dangerous than a bug that will be found by anyone who searches for 
it inside the source code.

The article you brought mentions that now the source code will be 
audited to make sure there are no trojans in it. Great open-source 
thinking. The only thing that shocked me in that declaration is... 
weren't they supposed to audit that code ANYWAY, regardless of who 
developed the RTL support for Motif? You were already smart not to use 
Windows, which will never be really open, even with Microsoft's "Open 
Source Initiative" - you have to continue and make sure that your code 
is clean.

my 2$ :)

Gadi Evron wrote:

> The Arrow is a counter-ballistic-missile project run by Israel.
>
> There have been reports over the past couple of days about a Trojan 
> horse in the code, inserted by Egypt. As one of the Israelis on the 
> list I feel obligated to provide some facts. It's an interesting story 
> in any case.
>
> You can find the Hebrew URL at: 
> http://www.maariv.co.il/channels/1/ART/648/326.html.
>
> I am willing to translate it if anyone is really interested.
>
> Here are some facts:
>
> Some MOTIF code that was done by IBM Israel was being debugged in the 
> Cairo (Egypt) office. The IDF has not commented on this and IBM claims 
> that no restricted code was shared.
> Some reports claim Egypt inserted a Trojan horse into that code, I've 
> seen no facts that verify that, so I doubt it for now. I'll post more 
> information as it becomes available.
>
> That's all there is to it as far as facts go right now. Some code was 
> being debugged in the Egypt office and that's about it. This fact 
> raises the concern for such a Trojan horse existing, but there is a 
> long way to go from such concerns to actual facts.
>
> It is clearly a security fluke on Israel's side that such a 
> relationship, on any level, existed, but no biggie.
>
> What Trojan horse? Talk about hype. I'll see if I can find out some 
> more facts.
>
> This goes to show once again how security is not only about firewalls 
> and IDS systems. Controlling who has access to what, and how 
> information is managed, is just as, if not more, important.
>
>     Gadi Evron.
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
