*Reflections on Trusting Trust, Ken Thompson. Communications of the ACM, Vol. 27, No. 8, August 1984, pp. 761-763.
Thompson’s article is a classic reference pointing to the potential risk from “any code you did not totally write yourself,” an approach rediscovered not so long ago by the author of W32/Induc.
However, the issue of trust (in excess or in its absence) dominates security: after all, what we call social engineering in the context of security is essentially psychological manipulation in order to induce trust where it isn’t merited. And if there’s one thing that’s been obvious in the past few weeks, it’s that AMTSO has “benefited” fully from distrust of the security industry in general and anti-virus companies in particular.
I’ve come across several references in the past day or two to an interesting article by Pete Herzog on Essential Trust Analysis. Well, trust is a big topic, and even that relatively short article ranges from biochemical and parasitic influences on our inclination to trust or distrust, to the influence of life experience, to a study from Yale on “The Seductive Allure of Neuroscience Explanations” (you need to read the article to appreciate the context that gives humour to this serious academic paper on a specialist application of “how to blind people with science”) to Isecom’s certification in trust analysis.
I think I feel a paper coming on…
David Harley CITP FBCS CISSP
ESET Sr. Research Fellow