MW is actually a guy named Mike Wood… Me and some buddies at the Houston Advanced Security Center used to test out 0-dayz and other attacks against him… he’s a good sport…

Another mention of MW can be found here:
http://blogs.zdnet.com/security/?p=997

BK

-Nate

Now on the other hand if I go online to Joe Smith’s site, I don’t even know if the guy behind it is actually Joe Smith, could be some hacker from another country who’d be almost impossible to track down for all I know. The author has no public image, no known history, etc, basically nothing a big company has to give me a reason to trust it. Without something good and verifiable, I’m going to be unsure about trusting his code unless I can see it all since he really doesn’t need to care about his image if someone finds malicious code in his program. If he is malicious, what he likely cares about is his key logger getting log in information to peoples bank accounts and taking a couple hundred thousand off the people who trusted his program instead of the reputation of his alias. Without a public image/face it will be hard to track him down, and if he’s smart he could be long gone before the authorities trace the web back to who he really is assuming he’s somewhere they have or can get jurisdiction in.

On the other hand, you’re totally correct about maybe being able to trust big-search-engine.com, but maybe not being able to trust the third party ads being served by them. I didn’t hear the details about it, but I recall hearing a little while ago about problems with ads from google having malicious code hidden in them. Even with all the security measures companies like google has in place to try to prevent this, no wall is perfect online and people will find ways around them. The only options to be somewhat secure online is trust no one or use an air gap firewall (the cheapest, easiest to set up firewall around and my room mates personal favorite security method, just reach behind your box and unplug your ethernet cable or forget to plug it in after moving your box like my room mate).

The last sentence was actually a bit of an inside joke (shoutz to MW), but you’re completely right and I agree… we put ourselves at risk EVERY TIME we install software. Some may feel that its a little easier to trust orgs like Mozilla, M$FT, and Adobe (notice I didn’t say Apple, thanks to Nate) than it is to trust some random devs creating a GArchiver like tool.

To make matters worse, we run untrusted code inside our browser thousands of times a day… maybe I can trust big-search-engine.com, but can I really trust the third party ads being served by big-search-engine.com?

BK

Since you are so conditioned to be aware for untrusted code, can you list here how may applications you have running on your computer at the moment? (Windows, Office, Winzip, Firefox, Flash, etc…). Feel free to stop when you reach 20

And who installed them?

The bottom line is that we install and run untrusted code all the time, that is how we have been conditioned to do (in order to get value from our computers).

G-Archiver is just a too obvious example which was discovered by accident.

Dinis