A risk with using MD5 for software package fingerprinting
David Honig
dahonig at home.com
Sun Jan 27 13:53:55 EST 2002
At 12:07 PM 1/27/02 -0500, Arnold G. Reinhold wrote:
> if
>an attacker had an agent working inside the organization that
>produced the package, the agent could simply insert the Trojan
>software patch in the original package. However such an insertion is
>very risky. A sophisticated software company would likely have code
>reviews that would make introduction of the Trojan code difficult.
Um, right. A good company would have *design* reviews, but would it really
spend time having skilled engineers review *all* the actual codelines
(given time to market pressure, tedium limits, etc.)? An individual with
write access to their part of a source-control-system is all
you need. Remember, you could buy Aldrich Ames (wife included) or
Hanssen (just him) for under 1.5 mill $USD each. Perhaps certain
core operations are studied with >2 eyeballs, but all you need is
one breach to undermine security.
I would like to learn about *code* review practices in whatever
is considered a 'sophisticated' software company.
Cheers
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com
More information about the cryptography
mailing list