Linked by Jordan Spencer Cunningham on Mon 14th Jun 2010 23:58 UTC
Bugs & Viruses Recently, the Linux version of UnrealIRCd was discovered to have had a Trojan worm its way into the source code. Even more embarrassing for the developers of Unreal is that the Trojan's been holding open the backdoor in the source code since November of 2009, not very recently. And, of course, bloggers and press in general are taking the opportunity of another breach in Linux security to point out doomsday devices that don't really exist.
Comment by lemur2
by lemur2 on Tue 15th Jun 2010 01:46 UTC
lemur2 Member since:
2007-02-17

Later, UnrealIRCd administrator Syzop posted an announcement on the main UnrealIRCd site stating that many new measures are being put into place to keep something like this from happening again (or if it does happen, to bring the malware to light much sooner). Aside from all releases being PGP/GPG-signed, the main site will be isolated from the others, some parts of the main site will be unmodifiable by anyone, several methods have been added to detect if any data is modified or switched, and files will only be available at the main site (for now).


Only a problem then if you obtained the software from the main UnrealIRCd site or one of a few mirrors.

Not a problem at all for anyone installing software from their distribution's repositories, which is by far the normal channel for installing Linux software, and the only one which is guaranteed to be proof against malware. For example, distribution repository releases are PGP/GPG-signed.

Use the distribution repositories via your package manager, and you will have no such problems. This incident is yet another illustration of this.

Edited 2010-06-15 01:50 UTC

Reply Score: 2

RE: Comment by lemur2
by Elv13 on Tue 15th Jun 2010 03:07 in reply to "Comment by lemur2"
Elv13 Member since:
2006-06-12

Distributors don't read the source code every time they package software. Most of them just update the content of the "src" folder with the new code and edit the debian/changelog file. It does not prevent infected software from going in, signed or not.

Edited 2010-06-15 03:08 UTC

Reply Parent Score: 7

RE[2]: Comment by lemur2
by lemur2 on Tue 15th Jun 2010 03:19 in reply to "RE: Comment by lemur2"
lemur2 Member since:
2007-02-17

Distributors don't read the source code every time they package software. Most of them just update the content of the "src" folder with the new code and edit the debian/changelog file. It does not prevent infected software from going in, signed or not.


Unless you can provide a real-life instance of something remotely like this ever happening, you are just blowing wind (and seriously insulting distribution maintainers while you are at it, BTW).

Good luck trying to find such an example.

PS: For most changes, only the "diffs" need to be examined, not the entire source code.

Edited 2010-06-15 03:28 UTC

Reply Parent Score: -1

RE[2]: Comment by lemur2
by lemur2 on Tue 15th Jun 2010 03:43 in reply to "RE: Comment by lemur2"
lemur2 Member since:
2007-02-17

Distributors don't read the source code every time they package software. Most of them just update the content of the "src" folder with the new code and edit the debian/changelog file. It does not prevent infected software from going in, signed or not.


BTW, GPG signing of the code and requiring it to be installed via a package manager would have prevented this particular incident from happening to the UnrealIRCd application.

Edited 2010-06-15 03:44 UTC

Reply Parent Score: 2

RE[2]: Comment by lemur2
by libray on Wed 16th Jun 2010 15:19 in reply to "RE: Comment by lemur2"
libray Member since:
2005-08-27

And as we have learned from the past, not only do most distributors not read the source, when they do make changes, it's not always going to be a secure edit.

This boils down to the distros being just lazy enough that they didn't get this latest source and compile it. If they had been following this as closely as, say, Firefox, there surely would have been an updated package with the source version. But none of us have any evidence that at least one had not done this already.

Reply Parent Score: 2

RE: Comment by lemur2
by WorknMan on Tue 15th Jun 2010 05:02 in reply to "Comment by lemur2"
WorknMan Member since:
2005-11-13

Use the distribution repositories via your package manager, and you will have no such problems. This incident is yet another illustration of this.


And people keep bitching because Apple won't open up the iPhone/iPad to allow for installing apps from outside sources. But I say, be careful for what you wish for ...

Insofar as Linux goes, it's easy to say that a platform is secure when you just tell people that, to stay secure, you gotta stick to the applications supplied to you by the Distro Gods. And in the case of Linux, as we have seen here, it is even more dangerous to venture outside the sandbox of the distro repository, since any douchebag can screw with the source, recompile it, and offer it on some random server. Better hope whoever downloads it knows about PGP.

Reply Parent Score: 2

RE[2]: Comment by lemur2
by lemur2 on Tue 15th Jun 2010 05:36 in reply to "RE: Comment by lemur2"
lemur2 Member since:
2007-02-17

"Use the distribution repositories via your package manager, and you will have no such problems. This incident is yet another illustration of this.
And people keep bitching because Apple won't open up the iPhone/iPad to allow for installing apps from outside sources. "

WTF????

Opposite situation. It is better for the outside developer to avail themselves of the resources of the distribution repository. Unlike Apple, this is not a case of "your app can't be in our repository" ... where is there any profit in that?

But I say, be careful for what you wish for ... Insofar as Linux goes, it's easy to say that a platform is secure when you just tell people that, to stay secure, you gotta stick to the applications supplied to you by the Distro Gods. And in the case of Linux, as we have seen here, it is even more dangerous to venture outside the sandbox of the distro repository, since any douchebag can screw with the source, recompile it, and offer it on some random server. Better hope whoever downloads it knows about PGP.


The "Distro Gods" are not in the business of trying to limit you. You can get, say, VLC, KDE, MPlayer, Firefox and OpenOffice on Debian, Ubuntu, SuSe, Mandriva and RedHat. It is the same code, it is not re-written dozens of times over by different "Distro Gods". Sheesh!

There are over 25,000 open source packages in Debian/Ubuntu repositories. This is hardly a case of anyone "playing God" and trying to somehow short-change you.

But, anyway, if your application is too obscure for a distribution to accept it (because after all they would have to devote resources to it if they did accept it) ... then you can still sign your packages and host them in a format suitable for delivery via end users' package managers anyway. The only weakness here is that end users must add a URL to your distribution server in their software sources list, and they must obtain your public key securely from somewhere. There are key servers for that latter purpose.

For example, if you want a version of Firefox-3.7 that includes WebM, right now, today, then here you go:
https://launchpad.net/~ubuntu-mozilla-daily/+archive/ppa

Open a terminal and enter:

sudo add-apt-repository ppa:ubuntu-mozilla-daily/ppa
sudo apt-get update
sudo apt-get install firefox-3.7

This will install a GPG-signed version of the Mozilla 3.7 nightly build on your Ubuntu system, using the apt package manager, independent of Ubuntu's repositories. The end user does not have to know anything about GPG. The first command, add-apt-repository, gets a key for the PPA from a trusted keyserver.

There are over 18,000 projects on launchpad.net.

https://launchpad.net/

Edited 2010-06-15 05:45 UTC

Reply Parent Score: 1

RE[2]: Comment by lemur2 - file hash
by jabbotts on Tue 15th Jun 2010 19:42 in reply to "RE: Comment by lemur2"
jabbotts Member since:
2007-09-06

Shame the developers didn't provide a file hash for verification from the beginning. That would have at least caught this on its way into any reputable distributions even if one-off home users didn't bother to verify.

Reply Parent Score: 2
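The file-hash check jabbotts describes, as an added example that is not code from this page or from the UnrealIRCd project: a small Python checker that parses a sha256sum-style checksum list, refuses files the list does not cover, and compares the download's digest in constant time. The file name, tarball bytes and checksum list are all constructed for the example.

```python
import hashlib
import hmac

# Constructed fixture: the bytes of a release tarball as the developers published
# it, plus a checksum list in `sha256sum` output format (hex digest, whitespace,
# filename; a leading '*' on the filename marks binary mode). Not a real archive.
RELEASE_BYTES = b"constructed release tarball contents, not a real archive"
CHECKSUMS_TXT = (
    "# SHA256SUMS (constructed example)\n"
    + hashlib.sha256(RELEASE_BYTES).hexdigest() + " *example-release.tar.gz\n"
)
# The same bytes with something appended, standing in for a tampered download.
TAMPERED_BYTES = RELEASE_BYTES + b"\n/* injected code */\n"


def parse_checksums(text):
    """Parse sha256sum-style lines into {filename: hex digest}."""
    expected = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments carry no digest
        parts = line.split(None, 1)
        # A list we cannot parse must fail loudly, never verify as "nothing listed".
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"malformed checksum line: {raw!r}")
        digest, name = parts[0].lower(), parts[1].lstrip("*")
        expected[name] = digest
    return expected


def verify_release(name, data, checksums_text):
    """Return True only if `data` matches the published digest for `name`."""
    expected = parse_checksums(checksums_text)
    if name not in expected:
        return False  # unlisted file: refuse rather than assume it is fine
    actual = hashlib.sha256(data).hexdigest()
    # Constant-time comparison, so the check itself leaks nothing about the digest.
    return hmac.compare_digest(actual, expected[name])


if __name__ == "__main__":
    for label, data in (("published", RELEASE_BYTES), ("tampered", TAMPERED_BYTES)):
        ok = verify_release("example-release.tar.gz", data, CHECKSUMS_TXT)
        print(f"{label}: {'OK' if ok else 'MISMATCH, do not install'}")
```

A checksum list hosted next to the tarball only catches a swapped tarball when the list itself was not swapped with it, which is why the thread also points to GPG-signed releases and signed repository packages.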

RE: Comment by lemur2
by stew on Tue 15th Jun 2010 09:17 in reply to "Comment by lemur2"
stew Member since:
2005-07-06

As soon as you're going through a distribution, you're in the same situation as with commercial closed source software: you're putting your security into someone else's hand.

The same principles apply to both closed and open software: don't download dubious software from sketchy sources.

Reply Parent Score: 5

RE[2]: Comment by lemur2
by lemur2 on Tue 15th Jun 2010 10:11 in reply to "RE: Comment by lemur2"
lemur2 Member since:
2007-02-17

As soon as you're going through a distribution, you're in the same situation as with commercial closed source software: you're putting your security into someone else's hand.

The same principles apply to both closed and open software: don't download dubious software from sketchy sources.


Not quite. In fact, not at all.

With an open source system, those who package and distribute the code are not those who write the code. Anyone who receives the code can also receive the source of the code, and is therefore able to independently verify that it has been packaged faithfully. It is in the best interests of ALL parties who participate that the code be clean, functional, and written in the common best interests of all parties.

Security is therefore shared between all interested parties. Anyone can check on anyone else. Self-preservation is in everyone's interest, and because the code is open, self-preservation alone (a very selfish motivation) ensures the code is clean, and that all parties agree that it is clean.

None of this applies with closed source distribution of binary packages where the author/owner of the package is the only party who is allowed to know what is in the package.

Reply Parent Score: 1

RE: Comment by lemur2
by tomcat on Tue 15th Jun 2010 19:52 in reply to "Comment by lemur2"
tomcat Member since:
2006-01-06

"Later, UnrealIRCd administrator Syzop posted an announcement on the main UnrealIRCd site stating that many new measures are being put into place to keep something like this from happening again (or if it does happen, to bring the malware to light much sooner). Aside from all releases being PGP/GPG-signed, the main site will be isolated from the others, some parts of the main site will be unmodifiable by anyone, several methods have been added to detect if any data is modified or switched, and files will only be available at the main site (for now).
Only a problem then if you obtained the software from the main UnrealIRCd site or one of a few mirrors. Not a problem at all for anyone installing software from their distribution's repositories, which is by far the normal channel for installing Linux software, and the only one which is guaranteed to be proof against malware. For example, distribution repositories releases are PGP/GPG-signed. Use the distribution repositories via your package manager, and you will have no such problems. This incident is yet another illustration of this. "

We were just discussing the weakness of all repositories, with you claiming otherwise. Your emperor isn't wearing any clothes. Suck it.

Reply Parent Score: 2

RE[2]: Comment by lemur2
by lemur2 on Tue 15th Jun 2010 23:02 in reply to "RE: Comment by lemur2"
lemur2 Member since:
2007-02-17

"Later, UnrealIRCd administrator Syzop posted an announcement on the main UnrealIRCd site stating that many new measures are being put into place to keep something like this from happening again (or if it does happen, to bring the malware to light much sooner). Aside from all releases being PGP/GPG-signed, the main site will be isolated from the others, some parts of the main site will be unmodifiable by anyone, several methods have been added to detect if any data is modified or switched, and files will only be available at the main site (for now). Only a problem then if you obtained the software from the main UnrealIRCd site or one of a few mirrors. Not a problem at all for anyone installing software from their distribution's repositories, which is by far the normal channel for installing Linux software, and the only one which is guaranteed to be proof against malware. For example, distribution repositories releases are PGP/GPG-signed. Use the distribution repositories via your package manager, and you will have no such problems. This incident is yet another illustration of this.
We were just discussing the weakness of all repositories, with you claiming otherwise. Your emperor isn't wearing any clothes. Suck it. "

WTF?? The UnrealIRCd package with the trojan didn't come from a repository. In fact, that was the whole reason why this incident occurred in the first place ... it didn't use the repository/package manager distribution system at all. If you don't understand these things, why do you comment on them?

Edited 2010-06-15 23:03 UTC

Reply Parent Score: 2