Monday, May 21, 2007

More On Trusting the Software

So, just as I suspected, this post "Are You Mad?!" did generate some controversy. Let me add some liquid hydrogen to the fire and then splash some liquid oxygen: the unscrupulous programmer mentioned in the previous post does not have to code any sophisticated vulnerabilities in or bring any funky backdoor covert channel encrypted stego shells. In fact, it is better if he doesn't.

All he needs to do, really, is to enable a way to change the data.

Yes, just having a way to replace an obscure string X75JKHJ56 with another obscure string X75JKHJ67 in some obscure database is rumored (don't you love those! every security conference worth its salt has plenty of rumors exchanged!) to be sufficient to make sure that the wrong part will be installed by a repair service during ongoing aircraft maintenance! Do you believe this? Maybe I do and maybe I don't. I will certainly not stop flying just because some [very smart] application pentester shared this story with me. But the point is made: if you trust software (and software developers), your ass will be 0wned before you know it.

So, what is the answer? Yes, you guessed it right: open source is one possible answer. What are the others? I dunno - the future will tell.

Dr Anton Chuvakin