[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <4033C612.7020300@shimi.net>
From: shimi at shimi.net (shimi)
Subject: Re: OT: reports of a Trojan horse in the Arrow project
Since the second I read the article about that in the newspaper, I've
failed to understand how is something like a code developed at any
country (be it egypt, japan, russia etc), can be at a risk of a specific
system more than a code that wasn't. I have no idea how this system
works, nor anything about it, except for what was written in the article
that you gave the URL to. I mean, we're talking about Motif. I assume
that we're talking on the well known Motif, right? The thing that is
part of window-programming under X. How do you know that X has no
trojans? After all, it wasn't written by your government. So wasn't the
operating system. So wasn't the C library. You can ask your question
about *any piece of code* involved in running *any* important system on
earth, might it be USA's nuclear warheads, a 100-billion worth of a
trade-secret, or anything else that simply can't stand the tought of
having a trojan implanted in it.
The only way to make sure that a code does not have any trojans, is to
read all of it. That's hard to do, because in a modern system you'll
have billions of billions of lines of code to read! So many things are
related to so many things, and you really have to read them all, because
if your program contains 600mb of source code after the linkage, and one
of the functions is using an insecure in-memory copying function, then
you could be totally vulnerable (on the other hand, it might just crash
the program...)
This is the point where they invented the.... Open Source.
If all your source is open to you, and preferrably, open to you and to
hundreds of thousands of people worldwide, and they are all digging in
it, trying to find where programmers did the Bad Things, then your code
will be more secure, and, trojans *will* be found. Especially for really
old projects, that have been went other lots of times during the years,
like XFree and the Linux Kernel, for instance.
So, as long as governments do the smart thing, and base their critical
stuff on code that is heavily tested by thousands of thousands of people
worldwide, I think we're going towards a more secure world. Of course
that nothing is perfect, but, bug that someone found *by mistake* is far
more dangerous than a bug that will be found by anyone who searches for
it inside the source code.
The article you brought mentions that now the source code will be
audited to make sure there are no trojans in it. Great Open-Source
thinking. The only thing that shocked me in that declaration is...
weren't they supposed to audit that code ANYWAYS, regardless of who
developed the RTL support for Motif? You were already smart not to use
Windows, which will never be really open, even with Microsoft's "Open
Source Initiative" - you have to continue and make sure that your code
is clean.
my 2$ :)
Gadi Evron wrote:
> The Arrow is a counter-ballistic missiles project run by Israel.
>
> There have been reports the past couple of days about a Trojan horse
> in the code, inserted by Egypt. As one of the Israelis on the list I
> feel obligated to provide with some facts. It's an interesting story
> in any case.
>
> You can find the Hebrew URL at:
> http://www.maariv.co.il/channels/1/ART/648/326.html.
>
> I am willing to translate it if anyone is really interested.
>
> Here are some facts:
>
> Some MOTIF code that was done by IBM Israel was being debugged in the
> Cairo (Egypt) office. The IDF has not commented on this and IBM claims
> that no restricted code was shared.
> Some reports claim Egypt inserted a Trojan horse into that code, I've
> seen no facts that verify that, so I doubt it for now. I'll post more
> information as it becomes available.
>
> That's all there is to it as far as facts go right now. Some code was
> being debugged in the Egypt office and that's about it. This fact
> raises the concern for such a Trojan horse existing, but there is a
> long way to go from such concerns to actual facts.
>
> It is clearly a security fluke on Israel's side that such a
> relationship, on any level, existed, but no biggie.
>
> What Trojan horse? Talk about hype. I'll see if I can find out some
> more facts.
>
> This comes to show once again how security is not only about firewalls
> and IDS systems. Controlling who has access to what and how
> information is managed is just as if not more important.
>
> Gadi Evron.
>
Powered by blists - more mailing lists