Firewall Wizards mailing list archives

RE: Y2K trojans, and outsourcing...


From: "Marcus J. Ranum" <mjr () nfr net>
Date: Mon, 19 Jul 1999 18:25:02 -0400

Ultimately, there was no evidence to back it up, just the generalized
fear that consultants hired to make Y2k mods to software for, say, financial
institutions, might surreptitiously code a backdoor in the program.
Basically, it was a "there's no way we can be sure they didn't do it"
argument.

Kind of ironic to have one kind of consultant (security consultants)
sowing Fear, Uncertainty, and Doubt, about another kind of consultant
(Y2K consultants) when the same FUD can be applied to them. What about
security consultants that learn all about the victim's network, leave
backdoors, and come back? Same problem, conceptually. "There's no way
to be sure they didn't do it" almost applies to the same degree (though
maybe a bit less).

Sounds like lamer consultants trying to drum up business with
semi-fictional scare stories, to me. Remember the "banks in the UK are
being stuck up for billions of dollars by extortionist hackers"
F.U.D. that was going around last summer? That was all fiction, too.
This kind of nonsense just makes reputable security professionals
into media patsies.

mjr.
--
Marcus J. Ranum, CEO, Network Flight Recorder, Inc.
work - http://www.nfr.net
home - http://www.clark.net/pub/mjr
