Subject Re: [IB-Architect] Test Program
Author Geoff Worboys
> Sean Leyne has been arguing for a test program to check
> vulnerability to back door.

May I suggest that it is about time IBPhoenix/Firebird started using
PGP. The "official" source and binary releases should all be
digitally signed.

I noticed with some amusement that the IBSecure notes mention only
downloading from the provided site. No mention is made of doing
the same for the IB source and binaries - which are equally (or more)
open to abuse. Creating trojan versions that re-instate the old
security flaws or even more devastating aspects.

Besides signing the distributions themselves, it would be good to have
acknowledged signatures for the key executables of any given version.
This way a version can be checked in-place without knowing where it came
from originally.

Once IBPhoenix has a known PGP public-key/fingerprint it will be
possible to distribute programs such as IBSecure much more widely,
knowing that recipients can validate the authenticity of the program.

I would suggest that this is an important aspect to consider now!
Attention has been drawn to the security aspects and the potential
magnitude of the problem. This means that anyone interested in
security (which includes the malicious) will now be well aware of the
potential.

Geoff Worboys
Telesis Computing
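
The in-place check of key executables suggested in the message above, as an added example that is not part of the original post or of any IBPhoenix/Firebird tooling. It assumes a publisher-issued manifest in `sha256sum` layout whose own PGP signature has already been verified (for instance with `gpg --verify`); the file names and demo data are constructed placeholders.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=65536):
    """Hash a file in chunks so large executables need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def parse_manifest(text):
    """Parse 'hexdigest  relative/path' lines into {path: digest}."""
    entries = {}
    for line in filter(str.strip, text.splitlines()):
        digest, name = line.split(None, 1)
        entries[name.strip()] = digest.lower()
    return entries


def verify_install(manifest_text, install_root):
    """Return {relative_path: 'OK' | 'MISMATCH' | 'MISSING'} per manifest entry."""
    root = Path(install_root).resolve()
    results = {}
    for name, expected in parse_manifest(manifest_text).items():
        target = (root / name).resolve()
        if root not in target.parents or not target.is_file():
            results[name] = "MISSING"  # absent, or path escapes the install root
        elif hmac.compare_digest(sha256_file(target), expected):
            results[name] = "OK"
        else:
            results[name] = "MISMATCH"
    return results


def demo():
    """Constructed sample: placeholder executables, one altered after release."""
    with tempfile.TemporaryDirectory() as tmp:
        bin_dir = Path(tmp) / "bin"
        bin_dir.mkdir()
        for n in ("server_example", "tool_example"):
            (bin_dir / n).write_bytes(b"release build " + n.encode())
        manifest = "".join(
            f"{sha256_file(p)}  bin/{p.name}\n" for p in sorted(bin_dir.iterdir()))
        manifest += "0" * 64 + "  bin/absent_example\n"
        (bin_dir / "tool_example").write_bytes(b"altered after release")
        return verify_install(manifest, tmp)
```

The result is only as trustworthy as the manifest, so the signature check on the manifest has to pass before any of its digests are compared.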