Guidance Software, Evidence and Software Provenance
So Chris beat me to the mocking of Guidance Software. I was going to do that, and then ask about the software that they produce, and its heavy use in legal proceedings. If your corporate network is full of hackers, what does that say about the admissibility of the output of your software?
There’s also a concept floating around out there in executive suites of “software provenance.” The idea is that you should be able to track and understand who’s checked software in. I don’t know of any software that would really do that effectively.
Let’s assume that there’s some awesome, hard to hack, SDL’d version control software out there with integrated three-factor authentication that logs every check-in to paper and cryptographizes it out the wazoo. It hash-trees, it signs, it timestamps and publishes the good news in the newspaper. Let’s even say that it was installed at Guidance. I should mention that I have no knowledge of what’s happened at Guidance and this is all hypothetical.
Alice the hacker wants to install a backdoor in EnCase that will cause it to not see any file starting with the string “$sys$” and Alice can write code to do that. Let’s next say that Alice pwns Bob the developer’s workstation. She waits until he’s checking in a large set of files, and adds her backdoor. Bob does the chicken dance with his smartcard, swipes his fingerprint, and types his 19 character password. And checks in Alice’s code.
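The hypothetical above, as an added example (not code from this post or from any real version control product): a hash-chained, signed check-in log in which HMAC with a constructed key stands in for Bob's smartcard signature, and all names and paths are made up. The log verifies and catches later rewriting, yet the manifest it attributes to Bob is not the one he meant to commit.

```python
import hashlib, hmac, json

GENESIS = "0" * 64

def manifest_digest(files):
    """Digest of a {path: bytes} change set, independent of dict order."""
    h = hashlib.sha256()
    for path in sorted(files):
        h.update(path.encode() + b"\0" + hashlib.sha256(files[path]).digest())
    return h.hexdigest()

def _payload(entry):
    # Canonical bytes that get signed and chained.
    body = {k: entry[k] for k in ("author", "prev", "manifest")}
    return json.dumps(body, sort_keys=True).encode()

def check_in(log, author, key, files):
    """Append a signed entry. `key` is a stand-in for the smartcard-held key."""
    entry = {"author": author, "manifest": manifest_digest(files),
             "prev": log[-1]["entry_hash"] if log else GENESIS}
    entry["sig"] = hmac.new(key, _payload(entry), hashlib.sha256).hexdigest()
    entry["entry_hash"] = hashlib.sha256(_payload(entry)).hexdigest()
    log.append(entry)
    return entry

def verify_log(log, keys):
    """True only if every entry is correctly chained and signed."""
    prev = GENESIS
    for e in log:
        good_sig = hmac.new(keys[e["author"]], _payload(e), hashlib.sha256).hexdigest()
        if e["prev"] != prev or not hmac.compare_digest(e["sig"], good_sig):
            return False
        if e["entry_hash"] != hashlib.sha256(_payload(e)).hexdigest():
            return False
        prev = e["entry_hash"]
    return True

def demo():
    keys = {"bob": b"constructed-demo-key"}            # constructed sample key
    intended = {"src/a.c": b"fix", "src/b.c": b"fix"}   # what Bob meant to commit
    staged = {**intended, "src/c.c": b"unreviewed"}     # what his workstation staged
    log = []
    check_in(log, "bob", keys["bob"], staged)           # Bob authenticates and signs
    chain_ok = verify_log(log, keys)                    # the cryptography is satisfied
    # Assumption: an independent record of Bob's intent exists to compare against.
    matches_intent = log[0]["manifest"] == manifest_digest(intended)
    rewritten = [dict(log[0], manifest=manifest_digest(intended))]
    tamper_detected = not verify_log(rewritten, keys)   # after-the-fact edits fail
    return chain_ok, matches_intent, tamper_detected

if __name__ == "__main__":
    print(demo())
```

The log proves that Bob's key approved this manifest and that nobody rewrote the entry afterwards; it says nothing about who authored the contents.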
I don’t know what it will cost Guidance to ensure its software makes it through the next court case.