George Heuston wrote:

> December 24, ZDNet Australia - Trojan horses plague open source. At
> least three commonly used open source software packages were altered by
> black-hat hackers to contain "Trojan horse" code this year. The three
>

This is primarily a symptom of maintainers not using cryptographic signatures to certify authentic versions of their code. Some maintainers sign their releases, but not nearly enough.

> But Pointon says that
> using open source software is often less risky than using pre-compiled,
> or "closed source" software because users who download open source
> packages can very easily verify their authenticity through a
> mathematical process known as an md5 checksum.
>

Correct: open source programs have made the press with these incidents, because they were detected within a few days. Closed source programs may well have nasty Trojans in them, but they will not make the press with that, because such Trojans would be very difficult to detect, while remaining very easy to exploit by those in the know. I suggest that this has already happened, and we're just not seeing it in the press.

Crispin

--
Crispin Cowan, Ph.D.
Chief Scientist, WireX                      http://wirex.com/~crispin/
Security Hardened Linux Distribution:       http://immunix.org
Available for purchase: http://wirex.com/Products/Immunix/purchase.html
                            Just say ".Nyet"
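The checksum verification the quoted article refers to, worked through as an added example (editor's code, not part of the thread or of any project named in it). It parses a manifest in the coreutils "md5sum"/"sha256sum" line format, recomputes each file's digest and reports OK / FAILED / MISSING per entry, then shows a copy of one release file being altered and caught. The file names, contents and manifest are constructed for the example; SHA-256 is used rather than the MD5 the 2002 article names, though the algorithm is a parameter.

```python
import hashlib
import hmac
import os
import tempfile

# Constructed sample release artifacts (hypothetical names, not real packages).
SAMPLE_FILES = {
    "foo-1.0.tar.gz": b"pretend tarball contents for release 1.0\n",
    "bar-2.3.tar.gz": b"pretend tarball contents for bar 2.3\n",
}


def digest_file(path, algo="sha256"):
    """Stream a file through the named hash; return the lowercase hex digest."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_manifest(text):
    """Parse md5sum/sha256sum-style lines: '<hex>  <name>' or '<hex> *<name>'.

    Returns {filename: expected_hex}. Blank lines and '#' comments are skipped;
    any other malformed line is an error rather than silently ignored.
    """
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"malformed manifest line: {raw!r}")
        hexdigest, name = parts
        name = name.lstrip("*")  # coreutils binary-mode marker
        entries[name] = hexdigest.lower()
    return entries


def verify_release(directory, manifest_text, algo="sha256"):
    """Return {filename: 'OK' | 'FAILED' | 'MISSING'} for every manifest entry."""
    results = {}
    for name, expected in parse_manifest(manifest_text).items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "MISSING"
            continue
        actual = digest_file(path, algo)
        # compare_digest is constant-time; not essential for public hashes, but a safe habit
        results[name] = "OK" if hmac.compare_digest(actual, expected) else "FAILED"
    return results


def demo():
    """Verify a clean directory, then alter one file and verify again."""
    with tempfile.TemporaryDirectory() as d:
        for name, data in SAMPLE_FILES.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        # The manifest stands in for one obtained through a trusted channel
        # (e.g. a signed release announcement), not from the download mirror itself.
        manifest = "\n".join(
            f"{hashlib.sha256(data).hexdigest()}  {name}" for name, data in SAMPLE_FILES.items()
        )
        clean = verify_release(d, manifest)
        # Simulate an altered mirror copy: append extra bytes to one tarball.
        with open(os.path.join(d, "foo-1.0.tar.gz"), "ab") as f:
            f.write(b"# appended bytes\n")
        tampered = verify_release(d, manifest)
        return clean, tampered


if __name__ == "__main__":
    before, after = demo()
    print("clean:   ", before)
    print("tampered:", after)
```

The check only proves what Crispin's point implies: a digest is evidence of authenticity only when it came from somewhere the attacker could not also rewrite. A checksum file sitting next to the tarball on the same compromised server would simply be regenerated along with it, which is why a release signature (or a digest published through an independently trusted channel) is needed, and why the manifest above is treated as out-of-band input rather than fetched alongside the files.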
This archive was generated by hypermail 2b30 : Fri Dec 27 2002 - 09:56:25 PST