A risk with using MD5 for software package fingerprinting

David Honig dahonig at home.com
Sun Jan 27 13:53:55 EST 2002


At 12:07 PM 1/27/02 -0500, Arnold G. Reinhold wrote:
> if 
>an attacker had an agent working inside the organization that 
>produced the package, the agent could simply insert the Trojan 
>software patch in the original package. However such an insertion is 
>very risky. A sophisticated software company would likely have code 
>reviews that would make introduction of the Trojan code difficult.

Um, right.  A good company would have *design* reviews, but would it really
spend time having skilled engineers review *all* the actual codelines
(given time to market pressure, tedium limits, etc.)?  An individual with 
write access to their part of a source-control-system is all
you need.  Remember, you could buy Aldrich Ames (wife included) or 
Hanssen (just him) for under 1.5 mill $USD each.  Perhaps certain
core operations are studied with >2 eyeballs, but all you need is
one breach to undermine security.

I would like to learn about *code* review practices in whatever
is considered a 'sophisticated' software company.

Cheers














 






  







---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com




More information about the cryptography mailing list