Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!mnetor!seismo!elsie!mark
From: mark@elsie.UUCP (Mark J. Miller)
Newsgroups: comp.sys.ibm.pc
Subject: Re: Stopping Trojans
Message-ID: <7388@elsie.UUCP>
Date: Mon, 20-Apr-87 16:02:10 EST
Article-I.D.: elsie.7388
Posted: Mon Apr 20 16:02:10 1987
Date-Received: Tue, 21-Apr-87 03:04:49 EST
References: <8704172222.AA16691@cory.Berkeley.EDU>
Organization: NIH-LEC, Bethesda, MD
Lines: 28
Summary: to verify programs, avoid unknown authors

Obviously, if one wants to post a Trojan program, anonymity is essential. The solution would seem to be for Sysops to ensure that they have the correct name and address (both email and smail) of any person who posts a program. The Sysop would need to obtain this verification before allowing the program to be entered in the FILES section of the BBS.

Obviously, there are many ways to break into a BBS and pretend you're someone else, so it would probably be wise to send a letter through the (I know there are some hackers who will throw up at the thought) post office to the contributing programmer asking for verification (through smail) of name, address, and program. If the individual was local, the Sysop could simply telephone. Then, if it's a Trojan you'll know where to start looking (with cattle prods and spay hooks).

Of course, it would be a PIA for everyone concerned. But it would be simple, relatively quick, probably less dangerous than trying out the program on a spare machine, and hard to fool. True, the programmer could be about to leave town -- but that's unlikely. True, a Trojaner could intercept the letter (I suppose) but that would be mail fraud and we could call in the FBI (:-<>)

--
Dr. Mark J. Miller NIH/NCI/DCE/LEC
UUCP: ..!seismo!elsie!mark
Phone: (301) 496-5688