David A. Wheeler's Blog

Fri, 16 Apr 2004

Updated my essay on Software Configuration Management Security

I’ve updated my essay on Software Configuration Management (SCM) Security. That essay is relatively new, and I’ve added more now. Today we use SCM tools to manage our complicated software, yet we’re not paying enough attention to those tools’ security requirements.

For example, few SCM tools think about the problem of handling malicious developers (who are trying to insert Trojan horses) or about countering people who gain root access on a centralized system being used as the SCM data repository… even though that’s already happening. There are ways to deal with those kinds of attacks… but you have to think about them to counter them.

One of the recent additions to the essay is based on an interesting email I received from Dr. Carsten Bormann of the University of Bremen. He mentioned a specialized attack that he terms the “encumbrance pollution attack”. In an encumbrance pollution attack, the attacker inserts material that cannot be legally included.

To understand it, first imagine an SCM with perfectly indestructible history. The attacker steals developer credentials, or is himself a malicious developer, and checks in a change that contains some encumbered material. “Encumbered” material is simply material which cannot be legally included. Examples include child pornography, slanderous/libelous statements, or code which has copyright or patent encumbrances. This could be very advantageous; for example, a company might hire a malicious developer to insert that company’s code into a competing product, and then sue the competitor for copyright infringement, knowing that their SCM system “can’t” undo the problem. Or a lazy programmer might copy code that they have no right to copy (this is rare in open source software projects, because every line of code and who provided it is a matter of public record, but proprietary projects do have this risk).

Any SCM can record a change that essentially undoes a previous change, but if the history is indestructible and viewable by all, then you can’t get rid of the history. This makes your SCM archive irrevocably encumbered. This can especially be a problem if the SCM is indestructibly recording proposals by outsiders!
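To make the point about reverts concrete, here is an added example (not code from the essay or from any real SCM tool). It models a hypothetical hash-chained, append-only repository, with all names and sample content constructed for illustration, and audits which revisions still expose a blob after it has been "undone".

```python
import hashlib, json

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

class AppendOnlyRepo:
    """Toy SCM (constructed for this example): history can only grow."""
    def __init__(self):
        self.blobs = {}    # content digest -> bytes
        self.commits = []  # commit records, each chained to its parent

    def commit(self, author, tree):
        """tree maps path -> bytes; returns the new commit id."""
        refs = {}
        for path, data in tree.items():
            d = digest(data)
            self.blobs[d] = data
            refs[path] = d
        parent = self.commits[-1]["id"] if self.commits else None
        body = {"author": author, "parent": parent, "tree": refs}
        body["id"] = digest(json.dumps(body, sort_keys=True).encode())
        self.commits.append(body)
        return body["id"]

    def revert_last(self, author):
        """Record a NEW commit restoring the tree from before the last one."""
        prev = self.commits[-2]["tree"]
        return self.commit(author, {p: self.blobs[d] for p, d in prev.items()})

    def revisions_exposing(self, blob_digest):
        """Audit: every commit in history whose tree still references the blob."""
        return [c["id"] for c in self.commits if blob_digest in c["tree"].values()]

    def chain_intact(self):
        """True if every commit id matches its body and links to its parent."""
        parent = None
        for c in self.commits:
            body = {k: c[k] for k in ("author", "parent", "tree")}
            if c["parent"] != parent or digest(json.dumps(body, sort_keys=True).encode()) != c["id"]:
                return False
            parent = c["id"]
        return True

def demo():
    repo = AppendOnlyRepo()
    repo.commit("alice", {"main.c": b"int main(void){return 0;}\n"})
    encumbered = b"/* constructed stand-in for material that cannot be legally included */\n"
    bad = repo.commit("mallory", {"main.c": b"int main(void){return 0;}\n", "codec.c": encumbered})
    repo.revert_last("alice")  # the tip is clean again, the history is not
    return repo, bad, digest(encumbered)
```

After the revert the tip no longer contains `codec.c`, yet `revisions_exposing` still reports the offending commit, and removing that commit from the list makes `chain_intact` fail.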

Anyway, take a look at Software Configuration Management (SCM) Security.


Treat Washington, DC as Part of Maryland for Congressional Elections

The U.S. has encouraged democracy abroad through the years. Yet due to strange quirks of history, residents of the U.S. capital — Washington, DC — cannot vote in U.S. Congressional elections. That is, simply put, absurd. I’m a big believer in democracy, and this is a quirk that needs fixing. Several solutions have been proposed, but I think one solution in particular stands above the rest and hasn’t gotten the attention it deserves. What’s that solution? Treat Washington, DC as Part of Maryland for Congressional Elections. See my essay for more details.
