Path: utzoo!utgpu!jarvis.csri.toronto.edu!mailrus!csd4.milw.wisc.edu!uxc!uxc.cso.uiuc.edu!gistdev!flint
From: flint@gistdev.UUCP
Newsgroups: comp.unix.wizards
Subject: Re: UNIX and viruses
Message-ID: <8800020@gistdev>
Date: 14 Jun 89 15:59:00 GMT
References: <16655@rpp386.Dallas.TX.US>
Lines: 25
Nf-ID: #R:rpp386.Dallas.TX.US:16655:gistdev:8800020:000:1416
Nf-From: gistdev.UUCP!flint    Jun 14 10:59:00 1989


Having the sources to the compiler won't help much: the person who wrote
the backdoor can have it sitting right there in the code and you probably
won't know it.  (Yes, if you take the time to figure out what the code is
doing, for every line of the code, but who is going to do that?  If the
author of the code didn't comment it, even when they wrote the code with no
intent to hide what it is doing, it can take days to figure out what
something is really doing.  If someone really wanted to put in a backdoor
and hide it, it would likely go unnoticed for a long long time.  The people
who get that code are just going to use it until they bump into a bug, and
only then will they go poking around in the code to figure out what the bug
is: if it isn't in the same place as the backdoor, the backdoor won't be
found. 

If you really want security, you need to pay somebody (not the code author)
to actually look at every line of code and figure out what it does, and let
them know there is a big bonus in it for finding a security problem.  Of
course, you'll have to make sure that the person who wrote the assembler
didn't put in a backdoor, and that the person who built the hardware didn't
either.

Flint Pellett, Global Information Systems Technology, Inc.
1800 Woodfield Drive, Savoy, IL  61874     (217) 352-1165
INTERNET: flint%gistdev@uxc.cso.uiuc.edu
UUCP:     {uunet,pur-ee,convex}!uiucuxc!gistdev!flint