Linked by Jordan Spencer Cunningham on Mon 14th Jun 2010 23:58 UTC
Recently, the Linux version of UnrealIRCd was discovered to have had a Trojan worm its way into the source code. Even more embarrassing for the developers of Unreal is that the Trojan's been holding open the backdoor in the source code since November of 2009, not very recently. And, of course, bloggers and press in general are taking the opportunity of another breach in Linux security to point out doomsday devices that don't really exist.
Thread beginning with comment 430055
Comment by Stratoukos
by Stratoukos on Tue 15th Jun 2010 06:02 UTC
Member since: 2009-02-11

First of all let me applaud the UnrealIRCd developers. This is a lesson of how security vulnerabilities should be handled. It doesn't matter if you find one almost a year later, full transparency is always the best choice.

That said, wouldn't this be trivially solved with a simple hash check?

Reply Score: 2

RE: Comment by Stratoukos
by lemur2 on Tue 15th Jun 2010 06:48 in reply to "Comment by Stratoukos"
Member since: 2007-02-17

First of all let me applaud the UnrealIRCd developers. This is a lesson of how security vulnerabilities should be handled. It doesn't matter if you find one almost a year later, full transparency is always the best choice. That said, wouldn't this be trivially solved with a simple hash check?

Hash checks rely on manual action at the user's end, and they aren't that difficult to foil these days anyway. GPG signing is the way to go.

The easiest solution for UnrealIRCd would have been to open a project account on a server somewhere like launchpad.net (there would be equivalent host sites for other distributions). Then UnrealIRCd would have needed only to sync their development source tree with launchpad, and UnrealIRCd would have gained an automated way of delivering malware-free signed binary packages very easily to Ubuntu users, without any drain on their own server bandwidth.

Reply Parent Score: 2
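An added example, not from this thread or the UnrealIRCd project, illustrating lemur2's point in Go: a compromised download mirror can replace both the tarball and the checksum published next to it, so the "simple hash check" still passes, while a detached signature made with a key the mirror never held fails. Ed25519 stands in for GPG, and the key, the tarball bytes and the "inserted code" are all constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Release is what a mirror serves: tarball, published SHA-256 and a detached signature.
type Release struct {
	Tarball []byte
	SHA256  string
	Sig     []byte
}

// Publish is the maintainer's side: hash the tarball and sign it. The private
// key stays with the maintainer and is never placed on the mirror.
func Publish(tarball []byte, priv ed25519.PrivateKey) Release {
	sum := sha256.Sum256(tarball)
	return Release{Tarball: tarball, SHA256: hex.EncodeToString(sum[:]), Sig: ed25519.Sign(priv, tarball)}
}

// HashCheckPasses is the "simple hash check": compare the download's digest with the published one.
func HashCheckPasses(r Release) bool {
	sum := sha256.Sum256(r.Tarball)
	return hex.EncodeToString(sum[:]) == r.SHA256
}

// SignatureCheckPasses verifies the detached signature with the project's public
// key, obtained out of band (e.g. from the user's keyring), not from the mirror.
func SignatureCheckPasses(r Release, pub ed25519.PublicKey) bool {
	return ed25519.Verify(pub, r.Tarball, r.Sig)
}

// Tamper models a compromised mirror: it alters the tarball and recomputes the checksum, but can only re-serve the old signature.
func Tamper(r Release, altered []byte) Release {
	sum := sha256.Sum256(altered)
	return Release{Tarball: altered, SHA256: hex.EncodeToString(sum[:]), Sig: r.Sig}
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed project key, for the demo only
	clean := []byte("constructed stand-in for a release tarball")
	r := Publish(clean, priv)
	t := Tamper(r, append(append([]byte{}, clean...), " + inserted code"...))
	fmt.Println("clean release:    hash ok:", HashCheckPasses(r), " signature ok:", SignatureCheckPasses(r, pub))
	fmt.Println("tampered release: hash ok:", HashCheckPasses(t), " signature ok:", SignatureCheckPasses(t, pub))
}
```

The user-side lesson is that the public key must come from somewhere the attacker cannot edit along with the tarball; a checksum fetched from the same page as the download has no such property.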

jabbotts
Member since: 2007-09-06

The developers screwed up but they are due credit for how they handled it through transparency and voluntary disclosure.

Reply Parent Score: 2