Security Communications Software

Backdoor Found In UnrealIRCd Source Archive

l_bratch writes "A malicious backdoor was added to the UnrealIRCd source archive some time around November 2009. It was not noticed for several months, so many IRC servers are likely to be compromised. A Metasploit exploit already exists."

  • by the_womble ( 580291 ) on Sunday June 13, 2010 @02:39AM (#32555140) Homepage Journal

    Yes, because a single trojan in a server that:

    1) no one uses (not a single user checked the hash of the download over seven months),
    2) is not in the repos of most distros,
    3) was not included in the Debian repos, despite there being a willing maintainer, because of poor code quality - see http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=515130 [debian.org]

    completely refutes all the different arguments in favour of open source (many eyeballs, multiple vendors to provide free market competition, no lock in, etc).

    We all know that not one single proprietary app has ever had a security issue.

  • by indeterminator ( 1829904 ) on Sunday June 13, 2010 @06:03AM (#32555726)

    It's still an embarrassment for open source though.

    Talk about generalisation. One project getting rooted isn't representative to the rest of them in any way. Also, FTFA:

    CVS is also not affected.

    This was a case of distribution packages on their mirror site being replaced with malicious version, not a breakage of the development process. It's also something that happens all the time with closed source SW too, which is why you don't want to download installers from suspicious sites.

  • by Kjella ( 173770 ) on Sunday June 13, 2010 @09:46AM (#32556522) Homepage

    Embarassing (sic), in that, "Yes we screwed up, and we shouldn't have." or embarassing (sic) as in, "Oh shit, open source really isn't any better than security through obfuscation!"?

    Well the old "many eyes" argument is getting embarrassing when it's obvious that all the eyes are on the front door while the window is wide open. As usual, it was not the VCS that was compromised, because many people at least casually look at commits, often it has to pass through a mailing list and often getting commit access is hard. Becoming a rogue committer is high risk/low yield, same with hacking a committer's computer. Hacking the VCS server would probably lead to the code changes showing up in diffs so that's not very subtle either.

    But then there's the downstream and binary builds. A few packagers, mirror maintainers and distro maintainers might look at these but hardly anybody else. A good example is the Debian OpenSSL fiasco [slashdot.org] a few years back. There's this one, that got caught. How many of these go unnoticed? How many really check that nothing bad happened between the upstream VCS and the binary running on my server? How many make sure the source and binary posted really match and compile to the same MD5 and won't just disregard it as different compiler versions and flags? Extremely few. Like in this case, it was no good checking the MD5 because it was also compromised...
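
Added example, not part of the original comments: one way to check the gap described above between the upstream VCS and the shipped source archive is to hash every file in the release tarball and compare it with a clean VCS export, rather than trusting a checksum hosted next to the download. The file names and contents in `demo()` are constructed, and `example-1.0` is a placeholder project name.

```python
import hashlib
import io
import pathlib
import tarfile
import tempfile

def tree_digests(root):
    """Map relative path -> SHA-256 for every file in a VCS export directory."""
    root = pathlib.Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def tarball_digests(path):
    """Same map for a release tarball, read without extracting to disk."""
    out = {}
    with tarfile.open(path, "r:*") as tar:
        for m in tar:
            if m.isfile():
                rel = m.name.split("/", 1)[-1]  # drop leading "name-x.y/"
                out[rel] = hashlib.sha256(tar.extractfile(m).read()).hexdigest()
    return out

def compare(tar_map, vcs_map):
    """Report files that differ between the shipped archive and the VCS tree."""
    shared = tar_map.keys() & vcs_map.keys()
    return {
        "modified": sorted(p for p in shared if tar_map[p] != vcs_map[p]),
        "only_in_tarball": sorted(tar_map.keys() - vcs_map.keys()),
        "only_in_vcs": sorted(vcs_map.keys() - tar_map.keys()),
    }

def demo():
    """Constructed sample: a VCS export vs. a tarball with one altered file."""
    vcs = {"src/main.c": b"int main(void){return 0;}\n", "README": b"docs\n"}
    shipped = {**vcs, "src/main.c": b"int main(void){return 1;}\n",
               "configure": b"#!/bin/sh\n"}
    with tempfile.TemporaryDirectory() as tmp:
        for rel, data in vcs.items():
            dest = pathlib.Path(tmp, "export", rel)
            dest.parent.mkdir(parents=True, exist_ok=True)
            dest.write_bytes(data)
        tar_path = str(pathlib.Path(tmp, "example-1.0.tar.gz"))
        with tarfile.open(tar_path, "w:gz") as tar:
            for rel, data in shipped.items():
                info = tarfile.TarInfo("example-1.0/" + rel)
                info.size = len(data)
                tar.addfile(info, io.BytesIO(data))
        return compare(tarball_digests(tar_path),
                       tree_digests(pathlib.Path(tmp, "export")))
```

Entries under `only_in_tarball` are often legitimate generated files such as `configure`, so they need review rather than automatic rejection; anything under `modified` has no such excuse.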
