How do you go about checking your open source libraries for keystroke loggers?
Posted by asd on Programmers
Published on 2011-06-21T14:37:42Z
open-source | security
A random person on the internet told me that a technology was secure(1), safe to use and didn't contain keyloggers because it is open source. While I can trivially detect the key stroke logger in this open source application, what can developers(2) do to protect themselves against rogue committers to open source projects?
Doing a back of the envelope threat analysis, if I were a rogue developer, I'd fork a branch on git and promote its download since it would have twitter support (and a secret key stroke logger). If it was an SVN repo, I'd just create a new project. Even better would be to put the malicious code in the automatic update routines.
(1) I won't mention which because I can only deal with one kind of zealot at a time.
(2) Ordinary users are at the mercy of their virus and malware detection software; it's absurd to expect grandma to read the source code of their open source word processor to find the keystroke logger.
© Programmers or respective owner