

Question

A random person on the internet told me that a technology was secure(1), safe to use and didn't contain keyloggers because it is open source. While I can trivially detect the keystroke logger in this open source application, what can developers(2) do to protect themselves against rogue committers to open source projects?

Doing a back of the envelope threat analysis, if I were a rogue developer, I'd fork a branch on git and promote its download since it would have Twitter support (and a secret keystroke logger). If it was an SVN repo, I'd just create a new project. Even better would be to put the malicious code in the automatic update routines.

(1) I won't mention which because I can only deal with one kind of zealot at a time.

(2) Ordinary users are at the mercy of their virus and malware detection software -- it's absurd to expect grandma to read the source code of their open source word processor to find the keystroke logger.

Explanation / Answer

I recently had the opportunity to perform a software security analysis on FileZilla, eMule, and Shareaza. I ran the code through cppcheck, RATS, and ITS4. No tool will be able to discern whether a piece of code is benign or harmful. It requires visual inspection - which is what I did. I spent two weeks examining line-by-line each piece of source code. I probably missed something. That's why my work was backed up by another person who also found the same or more than I did. For instance, FileZilla utilizes a PHP script to determine your external IP address when in PASV mode. What does that PHP script do? Who really knows? I see your point and point well taken. Depending on your strategy, you should take a risk mitigation strategy and examine the source yourself or hire outside consultants. That way you will ensure that the software is secure. Even if key loggers are potentially installed, however, you still need to practice "defense-in-depth" via firewalls, anti-virus, ACLs, etc.
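The question's rogue-fork scenario and the answer's "examine the source yourself" advice both come down to one reviewer's check: before trusting a fork or a new release, compare it file by file against the upstream tree you already reviewed, so the line-by-line inspection can be focused on what actually changed. The following is an added example (not code from the question, the answer, or any of the projects named); the sample trees, file names and contents are constructed inline for the demonstration.

```python
"""Find what a fork adds, removes or changes relative to a reviewed upstream tree."""
import hashlib
import tempfile
from pathlib import Path


def tree_digests(root):
    """Map each relative file path under root to its SHA-256 hex digest."""
    root = Path(root)
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def diff_trees(upstream, fork):
    """Return (added, removed, modified) relative paths of fork versus upstream.

    Added files and edits to sensitive areas (here the updater) are the
    spots a reviewer reads first; unchanged files need no second review.
    """
    up, fk = tree_digests(upstream), tree_digests(fork)
    added = sorted(set(fk) - set(up))
    removed = sorted(set(up) - set(fk))
    modified = sorted(p for p in set(up) & set(fk) if up[p] != fk[p])
    return added, removed, modified


def build_sample_trees(base):
    """Constructed sample: an upstream tree and a fork that adds one file and edits the updater."""
    upstream, fork = Path(base) / "upstream", Path(base) / "fork"
    for root in (upstream, fork):
        (root / "src").mkdir(parents=True)
        (root / "src" / "main.c").write_text("int main(void) { return 0; }\n")
        (root / "src" / "update.c").write_text("/* fetch release manifest */\n")
    (fork / "src" / "update.c").write_text("/* fetch release manifest */\n/* extra step only in fork */\n")
    (fork / "src" / "input_hook.c").write_text("/* new file not present upstream */\n")
    return upstream, fork


def demo():
    """Build the constructed trees in a temp dir and return the diff for them."""
    with tempfile.TemporaryDirectory() as base:
        upstream, fork = build_sample_trees(base)
        return diff_trees(upstream, fork)


if __name__ == "__main__":
    added, removed, modified = demo()
    print("added:", added, "removed:", removed, "modified:", modified)
```

In practice the upstream side would be a checkout of the exact tag you reviewed, and anything reported under "added" or "modified" is the delta your review (or an outside consultant's) has to cover.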
