Full Disclosure mailing list archives

Re: OT: reports of a Trojan horse in the Arrow project


From: shimi <shimi () shimi net>
Date: Wed, 18 Feb 2004 22:07:46 +0200

Since the second I read the article about that in the newspaper, I've failed to understand how something like code developed in any country (be it Egypt, Japan, Russia, etc.) can be at a risk of a specific system more than code that wasn't. I have no idea how this system works, nor anything about it, except for what was written in the article that you gave the URL to. I mean, we're talking about Motif. I assume that we're talking about the well-known Motif, right? The thing that is part of window-programming under X. How do you know that X has no trojans? After all, it wasn't written by your government. Neither was the operating system. Neither was the C library. You can ask your question about *any piece of code* involved in running *any* important system on earth, might it be USA's nuclear warheads, a 100-billion worth of a trade-secret, or anything else that simply can't stand the thought of having a trojan implanted in it.

The only way to make sure that a code does not have any trojans, is to read all of it. That's hard to do, because in a modern system you'll have billions of billions of lines of code to read! So many things are related to so many things, and you really have to read them all, because if your program contains 600mb of source code after the linkage, and one of the functions is using an insecure in-memory copying function, then you could be totally vulnerable (on the other hand, it might just crash the program...)

This is the point where they invented the.... Open Source.

If all your source is open to you, and preferably, open to you and to hundreds of thousands of people worldwide, and they are all digging in it, trying to find where programmers did the Bad Things, then your code will be more secure, and, trojans *will* be found. Especially for really old projects, that have been gone over lots of times during the years, like XFree and the Linux Kernel, for instance.

So, as long as governments do the smart thing, and base their critical stuff on code that is heavily tested by thousands of thousands of people worldwide, I think we're going towards a more secure world. Of course nothing is perfect, but a bug that someone found *by mistake* is far more dangerous than a bug that will be found by anyone who searches for it inside the source code.

The article you brought mentions that now the source code will be audited to make sure there are no trojans in it. Great Open-Source thinking. The only thing that shocked me in that declaration is... weren't they supposed to audit that code ANYWAYS, regardless of who developed the RTL support for Motif? You were already smart not to use Windows, which will never be really open, even with Microsoft's "Open Source Initiative" - you have to continue and make sure that your code is clean.

my 2$ :)

Gadi Evron wrote:

The Arrow is a counter-ballistic missiles project run by Israel.

There have been reports the past couple of days about a Trojan horse in the code, inserted by Egypt. As one of the Israelis on the list I feel obligated to provide some facts. It's an interesting story in any case.

You can find the Hebrew URL at: http://www.maariv.co.il/channels/1/ART/648/326.html.

I am willing to translate it if anyone is really interested.

Here are some facts:

Some MOTIF code that was done by IBM Israel was being debugged in the Cairo (Egypt) office. The IDF has not commented on this and IBM claims that no restricted code was shared. Some reports claim Egypt inserted a Trojan horse into that code, I've seen no facts that verify that, so I doubt it for now. I'll post more information as it becomes available.

That's all there is to it as far as facts go right now. Some code was being debugged in the Egypt office and that's about it. This fact raises the concern for such a Trojan horse existing, but there is a long way to go from such concerns to actual facts.

It is clearly a security fluke on Israel's side that such a relationship, on any level, existed, but no biggie.

What Trojan horse? Talk about hype. I'll see if I can find out some more facts.

This comes to show once again how security is not only about firewalls and IDS systems. Controlling who has access to what and how information is managed is just as, if not more, important.

    Gadi Evron.


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

