Security Basics mailing list archives
Re: sendmail trojan
From: Alexandros Papadopoulos <apapadop () cmu edu>
Date: Fri, 18 Oct 2002 11:29:31 -0400
That's exactly my point. Who does the code review? You, the final user of the product? No way! You implicitly trust the supplier to do that for you. Or does your company employ an army of programmers that take apart all source files of any application you compile and review its functionality?
Haven't you ever heard of code review? It's part of any decent software development process.

Alexandros Papadopoulos wrote:
Frankly, even if the trojan was enclosed in <blink></blink> statements, in 80,000 lines of code it would be lost. It's not feasible for one single coder to proofread everything he/she compiles. You have to implicitly trust the coder/maintainer/distributor, I see no other way.
-A
--
http://www.andrew.cmu.edu/~apapadop/pub_key.asc