Firewall Wizards mailing list archives

Re: Y2K trojans, and outsourcing...


From: "Ryan Russell" <Ryan.Russell () sybase com>
Date: Tue, 20 Jul 1999 11:19:01 -0700
> I was part of the NRC committee that produced the "Trust in Cyberspace"
> report (http://www.nap.edu/readingroom/books/trust/).  During the press
> briefing that accompanied the release of the report, we were asked about
> precisely this scenario:  back doors or other Trojan horses being inserted
> by consultants or programmers.  My response then was the same as it is now:
> I'm far more worried about the accidental bugs that will be introduced
> by anyone touching the code, especially when the change is done hurriedly
> and by an outsider.

Those will always exist, Y2K patching or otherwise.  That makes them no
less of a pain.

Isn't the paranoia about targeted backdoors, though?  Assuming someone
has talked themselves into believing they can "get away with it" (and maybe
they can), can't they do a lot more damage to an individual client with
a targeted attack?

> Certainly, the few intentional holes will never equal the damages done
> by the idiots.

Seems to me it's similar to the "attack of convenience" vs. a targeted
attack.  If I'm pretty diligent about patches, firewalling, etc., I ought
to be relatively safe against attacks of convenience.  Few of us can
stand against a targeted attack, though.  I'm of the opinion that penetration
teams should succeed 100% of the time, if they're given free rein
(and they know even a little bit about what they're doing).

I say this only because your statement sounds a little overly dismissive,
and I'm sure you don't mean to indicate to people that they shouldn't
do proper reference checks, blah, blah..

                         Ryan
