Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP Path: utzoo!mnetor!seismo!mcvax!enea!kuling!andersa From: andersa@kuling.UUCP (Anders Andersson) Newsgroups: comp.sys.ibm.pc,sci.crypt Subject: Re: Stopping Trojans Message-ID: <289@kuling.UUCP> Date: Fri, 24-Apr-87 14:47:35 EDT Article-I.D.: kuling.289 Posted: Fri Apr 24 14:47:35 1987 Date-Received: Sun, 26-Apr-87 21:17:04 EDT References: <537@faline.bellcore.com> <1669@castor.usc.edu> Reply-To: andersa@kuling.UUCP (Anders Andersson) Organization: Uppsala University, Sweden Lines: 30 Xref: mnetor comp.sys.ibm.pc:3561 sci.crypt:351 In article <1669@castor.usc.edu> blarson@castor.usc.edu.UUCP (Bob Larson) writes: >I don't understand the problem. I don't run any software that I don't >have either the sources to or someone I can sue. (The latter is >software I have payed for.) Having the sources will certainly ease the task of manually verifying that a program does what you expect it to do, but does that eliminate the problem? It is possible to include unpleasant routines in source code as well, hiding them where least expected. Also, manually checking 1 MB or so of sources is quite a job. Having a standard and safe way of identifying the true originator of a particular software document is a way to find out who to sue - if such action is at all possible; serious software vendors usually don't bug their own code. If you obtain your software through a reliable channel (like snail mail perhaps) directly from the vendor, you will probably do fine without any of this fancy checking. I find the method of using public-key encryption (as someone suggested) a quite reasonable approach. This will not only prevent you from executing malicious code inserted by human gremlins under the cover of a well-reputed software author, but also provide you with an easy way of finding out whether the copy you have still is *the* one provided by the original author, regardless of any undocumented (not necessarily malicious) minor changes introduced by others. Maybe this isn't too much of a problem to warrant the development of a standard verification algorithm? -- Anders Andersson, Dept. of Computer Systems, Uppsala University, Sweden Phone: +46 18 183170 UUCP: andersa@kuling.UUCP (...!{seismo,mcvax}!enea!kuling!andersa)