Given enough eyeballs all bugs are shallow: True or False?

From Eugene Siu's blog:

"Given enough eyeballs all bugs are shallow."  I do agree if more right-minded folks look at a piece of code, it would help identify both security and non-security bugs.  This premise is built on the assumption that all reviewers have the best intentions in mind.  However, do all people have the best intentions in mind?  If all do, we will not need law enforcement officials.

Obviously there will be some malicious and devious "eyeballs" out there.  Rather than identifying bugs, they plant bugs in open source softwares.  This attack is named "Cross-Build Injection".  Fortify just published an article with reported incidents related to OpenSSH, SendMail and IRSSI.  Check out

Comments (3)
  1. Ravikanth says:

    Is it different from phone home? typically Phone home collects some personal data or trend and report to Microsoft.

  2. ACE Team says:

    It is a little bit different.  Phone home pushes data to Microsoft, and it has gone through explicit privacy and security review on what data can be sent. In addition, it is turned off by default, and a user must consent to sending data to Microsoft. In this attack, attackers maliciously inject code in the softwares with the intent of taking over client PCs.

Comments are closed.

Skip to main content