Linked by Jordan Spencer Cunningham on Mon 14th Jun 2010 23:58 UTC
Recently, the Linux version of UnrealIRCd was discovered to have had a Trojan worm its way into the source code. Even more embarrassing for the developers of Unreal is that the Trojan's been holding open the backdoor in the source code since November of 2009-- not very recently. And, of course, bloggers and press in general are taking the opportunity of another breach in Linux security to point out doomsday devices that don't really exist.
Thread beginning with comment 430310
To view parent comment, click here.
To read all comments associated with this story, please click here.
To view parent comment, click here.
To read all comments associated with this story, please click here.
RE[7]: Comment by yoshi314@gmail.com
by saynte on Wed 16th Jun 2010 14:20
in reply to "RE[6]: Comment by yoshi314@gmail.com"
Member since:2007-12-10
I don't see how this is obscure. Your own Wikipedia link states that the top 100 IRC servers alone host over a half million users at a time. With at least a half-million users, how can it be so obscure? Clearly a vulnerability to the servers translates to a problem for the clients.
RE[8]: Comment by yoshi314@gmail.com
by chris_l on Wed 16th Jun 2010 19:51
in reply to "RE[7]: Comment by yoshi314@gmail.com"
Member since:2010-02-14
I don't see how this is obscure. Your own Wikipedia link states that the top 100 IRC servers alone host over a half million users at a time. With at least a half-million users, how can it be so obscure? Clearly a vulnerability to the servers translates to a problem for the clients.
It's obscure because *PRETTY MUCH NOBODY USES IT UNDER LINUX*
GET THE CONCEPT THOUGH YOU PIN-SIZED BRAIN,PINHEAD.
RE[7]: Comment by yoshi314@gmail.com
by Aristocracies on Wed 16th Jun 2010 19:10
in reply to "RE[6]: Comment by yoshi314@gmail.com"
Member since:2010-06-15
You still haven't grasped the fact that this trojan wasn't in an executable binary. None of the provided executable binaries were infected, in fact, they only provide a Windows binary. Someone had replaced the source tarball with one that had the backdoor in the source code itself. This allowed anyone who built the daemon to have anyone connected to the IRC service execute arbitrary commands as the user the daemon ran as. The potential for abuse there if one was motivated is mindboggling, since it'd be trivial to take control of the entire service from that point.
Anyone who downloaded this and compiled it had an issue. In fact, all the fix scripts for this are simply cleaning a header file, then you have to recompile. Or you could just grab a known clean tarball now and check against the provided hashes.
Sure, they should have been doing more and in fact, now are. But you're still a crazed autistic who can't be bothered to read anything to get his facts straight. I'm sure your reply will be more drivel attacking the Unreal team and then some further distractions like 'hurr tarballs are binaries too', all of which you're throwing forth because someone wrote a mean article about your preferred OS, even if no one in their right mind would take said article seriously. 
Edited 2010-06-16 19:17 UTC
RE[8]: Comment by yoshi314@gmail.com
by lemur2 on Thu 17th Jun 2010 00:17
in reply to "RE[7]: Comment by yoshi314@gmail.com"
Member since:2007-02-17
You still haven't grasped the fact that this trojan wasn't in an executable binary.
Correct. It was in an unsigned binary file, which was a tarball of the application source code. What exactly was it that you contend that I did not grasp?
None of the provided executable binaries were infected, in fact, they only provide a Windows binary. Someone had replaced the source tarball with one that had the backdoor in the source code itself. This allowed anyone who built the daemon to have anyone connected to the IRC service execute arbitrary commands as the user the daemon ran as.
Exactly. This is a classic trojan horse. Where did I say anything different? (PS: a tarball is a binary file, it is not a plain text file, although it can contain plain text files).
The potential for abuse there if one was motivated is mindboggling, since it'd be trivial to take control of the entire service from that point.
For up to the Linux subset of some 800 IRC server machines, of all the machines on the entire Internet. Obscure.
Anyone who downloaded this and compiled it had an issue.
And ran it. Apparently this could amount to maybe 300 machines, perhaps.
In fact, all the fix scripts for this are simply cleaning a header file, then you have to recompile. Or you could just grab a known clean tarball now and check against the provided hashes. Sure, they should have been doing more and in fact, now are.
Now that they are using standard practice, the trojan is no more. Agreed.
But you're still a crazed autistic who can't be bothered to read anything to get his facts straight. I'm sure your reply will be more drivel attacking the Unreal team and then some further distractions like 'hurr tarballs are binaries too', all of which you're throwing forth because someone wrote a mean article about your preferred OS, even if no one in their right mind would take said article seriously.
Sigh!
Oh dear oh dear. Tarballs are indeed binaries. Type "cat name-of-tarball.tgz" at a command prompt and see for yourself.
In order to avoid trojans, standard practice to distribute tarballs of software source code is to provide checksums and a PGP/GPG signature along with the tarball.
Like so:
http://www.ffmpeg.org/download.html
(Provides a source tarball, MD5 and SHA1 checksums, and a PGP signature).
UnRealIRC failed to do this simple thing, which is accepted standard practice. I'm afraid that under any viewpoint at all, that makes them incompetent. Likewise for anyone who accpeted their unsigned file and put it in their distribution, namely Gentoo and Arch Community repo.
Following accepted standard practice, which is very simple to do, would have avaoided this breach of security entirely. There is no excuse, really.
News
Linked by Thom Holwerda on 05/25/13 0:45 UTC
"So in summary... Google has pulled the plug on support on a protocol they've helped popularize, after years of promising interoperability, for reasons that are dubious at best, and in a way that leaves people who don't jump to the new Hangouts app unable to talk to their contacts without any feedback that their IMs aren't getting through... And they've done that with no warning to anyone. I imagine there's a bunch of people out there wondering where some of their buddies have gone, or why their messages aren't getting responses, because this isn't documented anywhere." Google really messed this up. Such a dick move.
Linked by Thom Holwerda on 05/24/13 23:59 UTC
The Tizen Greek Community has some screenshots of a very recent build of Tizen running on a Samsung GT-i8800. It looks wholly unremarkable.
Linked by Thom Holwerda on 05/24/13 22:33 UTC
Joint statement to The Next Web from Microsoft and Google: "Microsoft and YouTube are working together to update the new YouTube for Windows Phone app to enable compliance with YouTube's API terms of service, including enabling ads, in the coming weeks. Microsoft will replace the existing YouTube app in Windows Phone Store with the previous version during this time." Good to know these children stopped acting like little pricks. Can we have full Google support in Windows 8 now, please?
Linked by Howard Fosdick on 05/24/13 21:41 UTC
Yahoo is acquiring Tumblr, the microblogging and social networking website, for $1.1 billion USD. Tumblr offers little revenue but lots of eyeballs if Yahoo can monetarize them. Now Yahoo is bidding for Hulu, the streaming video service. After years of ineffective responses while Google, Facebook, and others took large chunks of the online advertising market, Yahoo is fighting back. Can Yahoo reignite the momentum it had at the turn of the century? What do you think?
Linked by Thom Holwerda on 05/24/13 14:44 UTC
"Sources have described iOS 7 as 'black, white, and flat all over'. This refers to the dropping of heavy textures and the addition of several new black and white user interface elements." I couldn't be happier.
Linked by Thom Holwerda on 05/23/13 23:22 UTC
"Ilja van Sprundel, a security researcher with IOActive, has discovered a large number of issues in the way various X client libraries handle the responses they receive from servers, and has worked with X.Org's security team to analyze, confirm, and fix these issues."
Linked by Thom Holwerda on 05/23/13 22:04 UTC
"Google is facing a new antitrust probe by the U.S. Federal Trade Commission into whether the company is using its leadership in the online display-advertising market to illegally curb competition, people familiar with the matter said." Sucks to be Google today, apparently.
Linked by Thom Holwerda on 05/23/13 22:01 UTC
"In the midst of the major press blitz surrounding its annual I/O Conference, Google dropped some unfortunate news about its instant messaging plans. In several places around the web, the company is replacing the existing 'Talk' platform with a new one called 'Hangouts' that sharply diminishes support for the open messaging protocol known as XMPP (or sometimes informally Jabber), and also removes the option to disable the archiving of all chat communications. These changes represent a switch from open protocols to proprietary ones, and a clear step backward for many users." That's why I always say: only suckers trust companies.
Linked by Thom Holwerda on 05/23/13 17:52 UTC
"The wave of departures is a sign of internal struggle, but amidst all the bad news, there is a glimmer of hope. According to an anonymous HTC executive cited by WSJ, the crucial HTC One is selling 'pretty good so far'. The executive revealed that HTC sold about five million One units since launch, a performance that is deemed encouraging. However, sales have been limited by the persisting supply issues that still plague the production of the HTC One." Finally some good news for HTC. Five million units amidst supply constraints is very impressive.
Linked by Thom Holwerda on 05/22/13 22:23 UTC
"Sony gave the PS4 50% more raw shader performance, plain and simple (768 SPs @ 800MHz vs. 1152 SPs & 800MHz). Unlike last generation, you don't need to be some sort of Jedi to extract the PS4's potential here. The Xbox One and PS4 architectures are quite similar, Sony just has more hardware under the hood. Weâll have to wait and see how this hardware delta gets exposed in games over time, but the gap is definitely there. The funny thing about game consoles is that itâs usually the lowest common denominator that determines the bulk of the experience across all platforms. On the plus side, the Xbox One should enjoy better power/thermal characteristics compared to the PlayStation 4. Even compared to the Xbox 360 we should see improvement in many use cases thanks to modern power management techniques." AnandTech does its usual in-depth thing.More News »
Sponsored Links
Member since:
2007-02-17
He is also correct that you went off on several tangents unrelated to the topic of potential impact of this vulnerability, calling IRC obscure, anyone who installed this incompetent, a few guesses based on total IP space, etc.
Your argument is appears incredibly weak compared to his, you may want to stop discussing this if you can't produce better formed responses that are actually on-topic.
Aristocracies is the one who went of on the tangent. It was his whole point that this IRC server daemon was somehow in his view not an obscure application, when clearly it is. It could scarcely be more obscure. Even though there is a Linux version, it is included in no Linux distribution repositories at all. I merely mentioned this in passing.
Furthermore, it truly is incompetent, both of the application authors and of anyone who installed it, to have been caught out by this trojan. There was totally no need to have been so caught out, since there are a number of means readily available to distribute Linux applications securely, so that trojans cannot get a look in. Signing the package is a very obvious thing to have done, but these developers failed to do even that. The developers even admitted to being very embarrassed by their utter lack of even the simplest security measures.
Anyone who had even the vaguest understanding of normal methods of distribution of Linux software should not have touched this particular package with a ten foot barge pole.
Unsigned binary packages simply downloaded from a server and manually installed is the absolutely classic vector for trojan horse malware injection.
http://en.wikipedia.org/wiki/Trojan_horse_%28computing%29
* Software downloads (e.g., a Trojan horse included as part of a software application downloaded from a file sharing network)
I'm sorry, but this is in the very first page of security 101 for dummies ... don't do this. Don't do unsigned binary installation packages. Refuse point blank to ever install such things.
Edited 2010-06-16 11:51 UTC