Firewall Wizards mailing list archives
Re: Y2K trojans, and outsourcing...
From: "Ryan Russell" <Ryan.Russell () sybase com>
Date: Tue, 20 Jul 1999 11:19:01 -0700
> I was part of the NRC committee that produced the "Trust in Cyberspace" report (http://www.nap.edu/readingroom/books/trust/). During the press briefing that accompanied the release of the report, we were asked about precisely this scenario: back doors or other Trojan horses being inserted by consultants or programmers. My response then was the same as it is now: I'm far more worried about the accidental bugs that will be introduced by anyone touching the code, especially when the change is done hurriedly and by an outsider.
Those will always exist, Y2K patching or otherwise. That makes them no less of a pain.

Isn't the paranoia about targeted backdoors, though? Assuming someone has talked themself into believing they can "get away with it" (and maybe they can), can't they do a lot more damage to an individual client with a targeted attack? Certainly, the few intentional holes will never equal the damages done by the idiots.

Seems to me it's similar to the "attack of convenience" vs. a targeted attack. If I'm pretty diligent about patches, firewalling, etc., I ought to be relatively safe against attacks of convenience. Few of us can stand against a targeted attack, though. I'm of the opinion that penetration teams should succeed 100% of the time, if they're given free rein (and they know even a little bit about what they're doing).

I say this only because your statement sounds a little overly dismissive, and I'm sure you don't mean to indicate to people that they shouldn't do proper reference checks, blah, blah...

Ryan