Security Basics mailing list archives

Re: sendmail trojan


From: Alexandros Papadopoulos <apapadop () cmu edu>
Date: Fri, 18 Oct 2002 11:29:31 -0400

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

That's exactly my point. Who does the code review? You, the final user of the 
product? No way! You implicitly trust the supplier to do that for you. Or 
does your company employ an army of programmers that take apart all source 
files of any application you compile and review its functionality?

> Haven't you ever heard of code review?  It's part of any decent software
> development process.
>
> Alexandros Papadopoulos wrote:
>> Frankly, even if the trojan was enclosed in <blink></blink> statements,
>> in 80,000 lines of code it would be lost. It's not feasible for one
>> single coder to proofread everything he/she compiles. You have to
>> implicitly trust the coder/maintainer/distributor, I see no other way.

- -A
- -- 
http://www.andrew.cmu.edu/~apapadop/pub_key.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.0 (GNU/Linux)

iD8DBQE9sCjbgmAMwQt1gmURAjXHAJ4sfBlgXPXHlFemQylohn5hfqyZ9gCfWajL
7TiagN/zmdnp66vygkl0KZ4=
=QFPV
-----END PGP SIGNATURE-----
