Trojan Found in libpcap and tcpdump
msolnik writes "Members of The Houston Linux Users Group discovered that the newest sources of libpcap and tcpdump available from tcpdump.org were contaminated with trojan code. HLUG has notified the maintainers of tcpdump.org. See our reports here or here."
Glad I use Gentoo (Score:4, Informative)
How did it get into tcpdump.org's sources exactly? The HLUG page isn't clear.
Re:Glad I use Gentoo (Score:5, Interesting)
Presumably the tcpdump.org FTP server got 0wned, and the trojan was planted, but the people that found the trojan aren't the server admins - they just found it in the source they downloaded. And I doubt we will find out how the perpetrators got in, either. It would have been nice to find out in more detail what happened when the OpenBSD FTP server was compromised, but people are usually tight-lipped in these cases.
Re:Glad I use Gentoo (Score:4, Insightful)
$ nc -vvv 212.146.0.34 1963
mars.raketti.net [212.146.0.34] 1963 (?) open
M sent 0, rcvd 1
The program connects to 212.146.0.34 (mars.raketti.net) on port 1963 and reads one of three one-byte status codes:
A - program exits
D - forks and spawns a shell and does the needed file descriptor manipulation to redirect it to the existing connection to 212.146.0.34.
M - closes connection, sleeps 3600 seconds, and then reconnects
maybe someone should contact the machine administrator before more people get owned.
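The post above gives the callback behaviour (connect to 212.146.0.34:1963, and on an 'M' sleep 3600 seconds before reconnecting). As an added example that is not from this thread, here is detection logic a defender could run over connection logs: it picks out hosts that talked to that endpoint and flags the ones whose connection gaps match the hourly reconnect. The log layout and the 120-second jitter tolerance are assumptions, and the log lines are constructed.

```python
"""Spot hosts beaconing to the trojan's callback endpoint in connection logs.

Added example (not from the original thread). The callback host, port and
the 3600-second reconnect interval are taken from the post above; the log
line layout and the jitter tolerance are assumptions.
"""
from collections import defaultdict
from datetime import datetime

CALLBACK_HOST = "212.146.0.34"   # from the thread
CALLBACK_PORT = 1963             # from the thread
RECONNECT_SECS = 3600            # 'M' status: sleep 3600 seconds, then reconnect
TOLERANCE_SECS = 120             # allowed clock jitter between beacons (assumption)

# Constructed sample log lines in an assumed "date time src:sport -> dst:dport proto" layout.
SAMPLE_LOG = """\
2002-11-13 08:00:05 10.0.0.7:33012 -> 212.146.0.34:1963 SYN
2002-11-13 08:00:06 10.0.0.7:33013 -> 10.0.0.1:53 UDP
2002-11-13 09:00:06 10.0.0.7:33201 -> 212.146.0.34:1963 SYN
2002-11-13 09:30:00 10.0.0.9:40001 -> 212.146.0.34:1963 SYN
2002-11-13 10:00:07 10.0.0.7:33455 -> 212.146.0.34:1963 SYN
2002-11-13 10:00:08 10.0.0.12:5000 -> 212.146.0.34:80 SYN
"""


def parse_line(line):
    """Return (timestamp, src_ip, dst_ip, dst_port), or None for a line that does not fit the layout."""
    parts = line.split()
    if len(parts) < 5 or parts[3] != "->":
        return None
    ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
    src_ip = parts[2].rsplit(":", 1)[0]
    dst_ip, dst_port = parts[4].rsplit(":", 1)
    return ts, src_ip, dst_ip, int(dst_port)


def callback_connections(log_text):
    """Map each source IP to the sorted timestamps of its connections to the callback endpoint."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, dst, port = rec
        if dst == CALLBACK_HOST and port == CALLBACK_PORT:
            seen[src].append(ts)
    return {src: sorted(times) for src, times in seen.items()}


def looks_like_hourly_beacon(times):
    """True when there are at least three connections and every gap is about RECONNECT_SECS."""
    if len(times) < 3:
        return False
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    return all(abs(g - RECONNECT_SECS) <= TOLERANCE_SECS for g in gaps)


def report(log_text):
    """Return {src_ip: (connection_count, is_hourly_beacon)} for hosts that contacted the endpoint."""
    return {src: (len(ts), looks_like_hourly_beacon(ts))
            for src, ts in callback_connections(log_text).items()}


if __name__ == "__main__":
    for src, (count, beacon) in sorted(report(SAMPLE_LOG).items()):
        flag = "hourly beacon" if beacon else "contacted endpoint"
        print(f"{src}: {count} connection(s) to {CALLBACK_HOST}:{CALLBACK_PORT} ({flag})")
```

A single connection is still worth a look, but the hourly pattern is what separates a compromised build from a one-off test like the nc session quoted above.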
Re:Glad I use Gentoo (Score:5, Informative)
SRC_URI="http://www.tcpdump.org/release/
http://www.jp.tcpdump.org/release/${P}.tar.gz"
SRC_URI is a last-resort mirror.
Luckily the MD5 sum caught the trojan (from the Gentoo ebuild digest):
MD5 03e5eac68c65b7e6ce8da03b0b0b225e tcpdump-3.7.1.tar.gz 428737
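The digest line above is what caught the swap. As an added example (not the Gentoo ebuild code), here is the same check written out: parse "MD5 <hash> <file> <size>" lines, then compare a local file's size and MD5 before unpacking it. The usage paths are placeholders; the test file contents are constructed.

```python
"""Verify a downloaded tarball against a Gentoo-style digest line.

Added example, not the Gentoo ebuild code. The digest format and the
tcpdump-3.7.1 line are taken from the post above.
"""
import hashlib
import os

# The digest line quoted in the thread (real value from the post).
TCPDUMP_DIGEST = "MD5 03e5eac68c65b7e6ce8da03b0b0b225e tcpdump-3.7.1.tar.gz 428737"


def parse_digest(text):
    """Parse 'MD5 <hex> <filename> <size>' lines into {filename: (hex, size)}."""
    entries = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[0].upper() != "MD5":
            continue  # blank or unrelated line
        digest, name, size = parts[1].lower(), parts[2], int(parts[3])
        if len(digest) != 32 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"malformed MD5 in digest line: {line!r}")
        entries[name] = (digest, size)
    return entries


def md5_of_file(path):
    """Stream the file so a large tarball does not have to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_file(path, digest_text):
    """Return (ok, reason). Size is checked first: it is cheap, and a swapped tarball usually differs in size too."""
    entries = parse_digest(digest_text)
    name = os.path.basename(path)
    if name not in entries:
        return False, f"no digest entry for {name}"
    expected_md5, expected_size = entries[name]
    actual_size = os.path.getsize(path)
    if actual_size != expected_size:
        return False, f"size mismatch: digest says {expected_size}, file is {actual_size}"
    actual_md5 = md5_of_file(path)
    if actual_md5 != expected_md5:
        return False, f"MD5 mismatch: digest says {expected_md5}, file is {actual_md5}"
    return True, "size and MD5 match digest"


if __name__ == "__main__":
    import sys
    # Usage (placeholder paths): python verify_digest.py <tarball> <digest-file>
    tarball, digest_path = sys.argv[1], sys.argv[2]
    with open(digest_path) as f:
        ok, reason = verify_file(tarball, f.read())
    print(("OK: " if ok else "REJECT: ") + reason)
    sys.exit(0 if ok else 1)
```

The check is only as good as the digest's provenance: a digest fetched from the same compromised server as the tarball proves nothing, which is why the ebuild's locally cached copy mattered here.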
as soon as this evening... (Score:2)
well, I have not installed these sniffing proggies, so it should be okay.
Now it could be worse
If you suspect your binaries to be trojanized, you'd want to sniff your own machine, but if (and it is the case) the sniffer is trojanized, then it could possibly hide such "activities"...
I actually read the article and it however seems that it was not the case here...
phew
Re:as soon as this evening... (Score:5, Informative)
If you read the article more carefully, you will notice that the binaries aren't trojaned. This is a trojan in the build scripts only. So ironically, only the paranoids who build from source (but aren't paranoid enough to demand an MD5) got hit by this.
Re:as soon as this evening... (Score:3, Funny)
Phew, glad to hear that, I was worried the trojaned sources actually built trojaned binaries - glad you got that cleared up for us.
Re:as soon as this evening... (Score:3, Insightful)
The right way to do things is for the person who makes the release package (e.g., the tarball, or the rpm, or whatever) to digitally sign it. They should do the signing on a machine other than the web server or FTP server. Ideally, they do the signing on their development machine, which is safely tucked away on a network that crackers can't get to.
Re:as soon as this evening... (Score:5, Informative)
To be useful the MD5 file should be signed, and the GPG key that signed it should be one that you know and trust. Even that may not be enough if the key owner can be tricked into revealing his private key, or the trojan horse can be introduced into the code on the code owner's development machine, but it does add one layer of depth to your security.
The first time I had a server hacked (mountd exploit, xmas '99) the machine details were sold on IRC, probably in exchange for credit card numbers, to a somewhat clueless Singapore exchange student who proceeded to delete all of my syslog files so that when I logged in remotely the root mailbox was full of complaints about missing logfiles. The rooted system was up for about a week, during which time it probed several thousand IPs for basic exploits, hosted an IRC channel through eggdrop (together with names of the hacker's friends and passwords), all on a machine with no rootkit installed and very little attempt to hide activity.
Basically I got lucky the first time, and ever since then I've been paranoid, in hopes there won't be a second time. But with a smart hacker and a good root kit, I think even with my paranoia that I could miss a hacker on my machine for a long time, so I suspect it is only a matter of time before some well known developer gets hacked and has signed sources distributed with a trojan horse inside.
Re:as soon as this evening... (Score:3, Interesting)
Yeah... my servers front end my home network, so they are turned on 24/7 and right now are connected through redundant DSL connections to the Internet. So mine make a somewhat attractive target.
Since I am basically a lazy sysadmin, my approach had been to use really obscure hardware for my server. To accomplish that I bought a Rebel Netwinder on the theory that any exploit out for x86 would probably take months to be ported to the StrongARM (the StrongARM instruction set is both restrictively small, and completely anal about non-aligned memory accesses, so hand-coded assembly is a pain to write if you are trying to take advantage of a stack overflow of some kind.)
Recently I've swapped the rebel box for another Intel server, this time running RH7.3, and I bought a subscription to RHN to keep it up to date. Since RHN manages all of the security updates and dependencies, all I have to do is log on once a week or so and request the updates. So now I get to be lazy in two regards; first it is much easier to add new software (StrongARM porting being not my cup of tea), and secondly RHN takes care of the security updates.
I imagine that Debian users would argue likewise for apt-get.
Re:as soon as this evening... (Score:3, Interesting)
Oops, forgot to answer that. I did log on to IRC and tracked down a couple of the users listed in the eggdrop config files. The original channel was no longer active, but there were a few people with the same IDs logged in on another channel; but the channel content was so spooky that it kind of freaked me out at the time. For about five minutes the only thing in the channel were various people sending messages like 'CCs', or 'eggable accts'. Then suddenly some guy posted a message saying approximately: 'so and so is a lousy copier', then 'I may as well give this out as a freebie since I don't want him to get all the use of it', followed by some guy's name, address, SSN, phone, and credit card numbers.
At that point I decided I was in the middle of things I didn't want to be in. I did call the person to let them know that his credit card information had been stolen, and to watch his receipts, but basically dropped it there. As far as I know the FBI only cares about computer hacking if there has been at least $1k of damage. I had about a day to rebuild my server (before replacing it a month later with the Rebel), but nothing close to $1k; no deleted files or anything.
I did track down the person's Nick which basically turned into a Google search, but since he'd been using that Nick for a long time and in many different places, it was very easy to do. The Nick seemed to belong to a student at UCB, previously a student in Singapore, but the evidence was pretty loose, and in any case I doubt I could have done more than make a few legal threats. Ultimately I decided to chalk it all down as a learning experience and let it go (but I still have the backup tapes of the hacked machine if I ever need them.)
Handing out other people's passwords wouldn't have been possible. Eggdrop stores them in encrypted form so even with the contents of the password file there wasn't anything I could do to retrieve their plain text passwords.
Re:as soon as this evening... (Score:3, Insightful)
Re:as soon as this evening... (Score:5, Insightful)
1. Just grab the source and build it. This is no better than grabbing a binary and running it, as far as security goes.
2. Grab the source, check the MD5 sum, and then build it. This is no better than grabbing the binary, checking the binary's MD5 sum, and then running it.
3. Grab the source, diff it against the previous source you were running, and at least glance at the diffs to see if anything looks suspicious. This is the only way that using source gives you more security than using the binary.
People using source for security who are in category 1 or 2 are just fooling themselves.
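Category 3 above is the only one that buys anything, and the earlier reply noted that this trojan lived in the build scripts, not the C code. As an added example (not from this thread), here is the mechanical half of that diff: walk the previously built tree and the new one, list added, removed and changed files by SHA-256, and put changes to build machinery first so they get read before anyone runs configure. The set of build-script names is an assumption; the usage paths are placeholders.

```python
"""Compare a new unpacked source release against the one you built last time.

Added example, not from the thread. The list of build-script names is an
assumption about what runs at build time; extend it for the project at hand.
"""
import hashlib
import os

# Files that execute during the build; a change here deserves eyes before 'make'.
BUILD_SCRIPT_NAMES = {"configure", "configure.in", "configure.ac", "Makefile",
                      "Makefile.in", "Makefile.am", "config.guess", "config.sub"}
BUILD_SCRIPT_SUFFIXES = (".m4", ".sh", ".mk")


def is_build_script(relpath):
    """True for files that run at build time rather than being compiled."""
    name = os.path.basename(relpath)
    return name in BUILD_SCRIPT_NAMES or name.endswith(BUILD_SCRIPT_SUFFIXES)


def tree_hashes(root):
    """Map relative path -> sha256 hex for every regular file under root."""
    out = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            h = hashlib.sha256()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            out[rel] = h.hexdigest()
    return out


def compare_trees(old_root, new_root):
    """Return sorted 'added', 'removed', 'changed' lists plus 'review_first': the build scripts among added+changed."""
    old, new = tree_hashes(old_root), tree_hashes(new_root)
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = sorted(p for p in set(old) & set(new) if old[p] != new[p])
    review_first = sorted(p for p in added + changed if is_build_script(p))
    return {"added": added, "removed": removed, "changed": changed,
            "review_first": review_first}


if __name__ == "__main__":
    import sys
    # Usage (placeholder paths): python srcdiff.py <old-unpacked-tree> <new-unpacked-tree>
    result = compare_trees(sys.argv[1], sys.argv[2])
    for key in ("review_first", "added", "removed", "changed"):
        for p in result[key]:
            print(f"{key:13s} {p}")
    if result["review_first"]:
        print("Read the build-script changes listed first before running configure or make.")
```

The output is the worklist; the actual reading of `diff -u` on each listed file is the part no script can do for you.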
Re:as soon as this evening... (Score:3, Funny)
Impressive! (Was: as soon as this evening...) (Score:3, Funny)
well, I have not installed these sniffing proggies, so it should be okay.
Darn... apt-get even makes your box more secure than before even if you haven't actually installed the bad packages? This must be the Holy Grail! And it should be okay? Not only that you have not installed tcpdump and libpcap, what definitely makes it okay, you don't even trust apt-get to really solve your (non-existing) problem... Now I wanna join the apt-get cult... Where can I register?
I bet you recommend penicillin over other medicine even when you got no infection! Or do you use apt-get then as well? Doesn't make any difference anyway...
(For the record: I use Debian GNU/Linux among other stuff...)
phew? --- just how carefully did you read? :-) (Score:3, Informative)
MD5 checks work nicely. Sure, PGP in theory is better, but since MD5s are cached locally and a helluva lot faster to check, the chances that they will actually be used and verified are seemingly quite good.
Which is to say, in practice MD5 has caught rather a lot of these problems, and in a quite timely manner.
As irrelevant as various source-distributions (e.g. lunar [lunar-linux.org], source-mage [sourcemage.org] and Gentoo [gentoo.org]) are at present in other respects, they make a nice 'canary' in the coal mine :-).
Hrmm (Score:2, Funny)
Eventually, this would happen (Score:5, Insightful)
Code is constantly audited, checked and corrected. If your closed source software has backdoors or trojans...well....who knows, but in Open Source it is easily detected.
Re:Eventually, this would happen (Score:5, Informative)
Does that mean that this trojan has been around for almost a year before anybody noticed? If that's true, it does not meet my definition of "easily detected".
Re:Eventually, this would happen (Score:4, Insightful)
Have you ever changed the date of a file? It's quite easy.
Re:Eventually, this would happen (Score:2)
I am actually asking a question: how long was this trojan released before it was discovered? I, personally, do not know. I was hoping somebody else could tell me the answer.
Re:Eventually, this would happen (Score:3, Funny)
No! It's John Ashcroft! This is just the first step towards the Brave New World Order, as correctly foretold on that ground-breaking show "The X-Files."
Before Chris Carter and David Duchovny were eliminated and replaced with robotic clones by the old CIA lackeys of George Bush Senior, that show was the only thing on television that really explained what was going on in the world. There was a brief attempt by the FOX network to continue feeding you important news about technology and politics, but the Lone Gunmen show was quickly eliminated by the evil forces...
Re:Eventually, this would happen (Score:5, Informative)
I downloaded libpcap/0.7.1 from tcpdump.org on September 2 of this year (just 2 months ago), and it was not trojaned (I keep a record of md5 sums, and was able to check this just now).
Probably whoever modified the file just touched it to restore the original timestamp. This is trivial to do.
Re:Eventually, this would happen (Score:2, Interesting)
So there's no point mentioning it.
The point is: When was the specific change added? By whom? The maintainer should know. Let us know. Then put the person who sent in the patch with the trojan in a black list so his/her future patches to open source programs are first severely checked, if accepted at all.
That's more like it -I think-.
Re:Eventually, this would happen (Score:3, Informative)
There is virtually no way to be absolutely certain of the integrity of any code, unless you audit it yourself. Even fans of OpenBSD have to admit that they are trusting the OpenBSD auditors. Some would use this to argue that you can place greater trust in closed code. But, to use Microsoft as an example (but not to claim that they are the administrator of all evil), the infamous Word macro virus first appeared on a Microsoft beta release and I seem to recall a story a little over a year ago about Russian hackers having spent a few merry weeks in the Windows 2000 source code. Trust now?
The point is that we all use code on faith. Even should Palladium become reality, you are just transferring trust to another party. The lesson I think we in the Free Software community should take away from this is that we should make better use of the tools we have. We should provide GPG signed MD5 checksums of all of our "official" tarballs. Some projects do this, some do not. As I just pointed out, this is not a guarantee, but it does provide a chain of accountability.
Re:Eventually, this would happen (Score:5, Insightful)
The difference is that with Open Source you have an additional means of detecting the corruption - not only by its effects (as with the binary), but by reading the source.
Bruce
Re:Eventually, this would happen (Score:5, Insightful)
Bruce
Re:Eventually, this would happen (Score:2, Interesting)
I don't think the only irrelevant comment is thinking that bad things(r) happen only in one place. Like I said, on open source software, I Can Audit Myself The Code.
Re:Eventually, this would happen (Score:2)
Perhaps this is the work of an international ring of expert black hat hackers who are doing this in order to build up their network of computers that are available as jumping points for future hacking?
I'm not worried about "kiddies" in the closed source world, but about the incredibly devious companies that produce programs. Don't think for a second that Microsoft hasn't put backdoored software onto your computer.. that's already been documented [fuckmicrosoft.com].
_NSA backdoor (Score:3, Interesting)
Microsoft *have* inserted a backdoor into the CryptoAPI for the NSA.
Re:Eventually, this would happen (Score:3, Informative)
And doesn't display them even when you turn on the display of hidden and system files in explorer. Didn't you read the article?
I would complain if Konqueror didn't show me all dot files after I'd enabled viewing them, or if the history file was being backed up without my knowledge.
Re:Eventually, this would happen (Score:5, Interesting)
> closed src doesn't have its src on some
> webserver for some kiddie to trojan in the first
> place. sure the possibility of some employee or
> the employer itself to trojan the src, but most
> open source trojans are someone breaking into
> the web server and uploading modified src. by
> definition this wont happen with closed src
> since closed src doesn't release src, so your
> argument is irrelevant.
Oh, no? Look here:
http://news.zdnet.co.uk/story/0,,s2082221,00.ht
Microsoft had their source available to some cracker for three months back in 2000. Of course they later spun it down to "one day and we were watching them all the time".
Point is, closed source can be vulnerable too. Only Microsoft knows if any damage was really done, and they aren't telling us squat.
"At this moment, it has control of systems all over the world.
And...we can't do a damn thing to stop it."
Miyasaka, "Godzilla 2000 Millennium" (Japanese version)
Re:Eventually, this would happen (Score:3, Insightful)
How quickly the world forgets how things like the original Back Orifice were distributed... Too funny to read 'This couldn't happen with closed source!'
Re:Eventually, this would happen (Score:2, Insightful)
The same that applies to somebody breaking into a open source code repository applies to a closed source repository.
If the trojaned code is inserted after the auditing and goes into a production/distribution state, then the consumer/user has NO WAYS to detect the problem.
You are talking about the same Microsoft that wants to take to court independent researchers that detect security flaws in MS products?
Or the same Microsoft that hides security problems on their products?
And...Have you ever used CVS?
Re:Eventually, this would happen (Score:3, Interesting)
Bruce
Re:Eventually, this would happen (Score:3, Interesting)
Bruce
Re:Eventually, this would happen (Score:5, Informative)
Why do you think only an employee can trojan a binary, anyway? Most viruses modify binaries. Certainly many virus-infected binaries have been distributed professionally.
Bruce
Re:Eventually, this would happen (Score:3, Informative)
Re:Eventually, this would happen (Score:3, Informative)
If this trojan got inside like the others (OpenSSH and Bind, IIRC), it was _not_ a patch submitted to the project. Simply, somebody rooted the FTP server and substituted the official tarball with the trojanized one.
In other words, the weak point that was exploited was not that anybody can contribute to an open source project (which is not a weakness at all IMO) but that source tarballs are hosted on insufficiently protected FTP servers.
There are counter-measures against this weakness. As long as distros use them (and I hope they do), it is unlikely that one of these trojans will slip into an official CD.
Re:Eventually, this would happen (Score:3, Insightful)
Within a few months of the code being open sourced, the back door was found. It stayed in closed source code for six years. Whether or not Borland could have done things to find it is irrelevant - they didn't and I bet many other vendors work the same way.
it was a rumour.
I guess it's easier to accuse me of spreading rumors than to enter "Borland database backdoor" into google and get stuff like a ZDNet article detailing the history of the bug [com.com] or the CERT vulnerability note. [cert.org]
WarGames was one of the most accurate theatrical portrayals of hacking ever.
I'm not sure whether to mod this +5 Funny or -1 Clueless. I really hope you were joking.
Why? He didn't fly through a 3d-cyberspace, nor did he jump through 5 layers of military-grade security in a couple minutes. He didn't have access to anything and everything controlled by computer.
He snagged the password to the teacher's computer off a Post-it note, and dug up information on the programmer of WOPR to take guesses at what the password might be, both of which are real hacking tools. He used hardware that existed and that he could realistically own. He wardialed, a habit of real hackers. I can't think of any other movie that comes close.
There are minor plot-necessary exaggerations -- no, WOPR wouldn't have an outside line to it, and yes, the cops would have been at the door long before he got in -- but they don't mar the fact that it was fundamentally right.
Seems (Score:2, Informative)
Seems now more than ever the need to check the authenticity of your sources before installing.
As if security auditing wasn't a big enough headache already
Re:Seems (Score:2, Redundant)
Re:Seems (Score:5, Insightful)
Re:Seems (Score:2, Insightful)
In the end, it still comes down to whether or not you (can) trust the author/host.
This Trojan thing... (Score:2, Interesting)
It worked with the trojaned compiler making bent versions of the login program. You couldn't detect it as if you compiled another version of cc or login from clean source the bent cc would infect that one and the cycle of infection continued. Very cleverly done.
Actually, for all you know maybe every version of gcc ever allows RMS and Torvalds into your box...
Re:This Trojan thing... (Score:5, Informative)
And he only might have done it (can you tell?)
See http://www.acm.org/classics/sep95/ [acm.org] for more details
Re:This Trojan thing... (Score:5, Informative)
facts, not fiction. (Score:5, Informative)
follow the link posted already, read it and try to understand what he fundamentally tries to tell you. then go and read aleph1's 'smashing the stack for fun and profit' and try to get a glimpse of what 'hacking' was considered in the 80s.
Ewww (Score:2, Funny)
Trojan Found in libpcap and tcpdump
I swear, some of these source trees are worse than the canals of Venice.
MD5 checksums (Score:4, Insightful)
Re:MD5 checksums (Score:5, Insightful)
Re:MD5 checksums (Score:3, Interesting)
We need to come together and paaaaaarty! [cryptnet.net] :-)
Really, that's the only solution to this problem. Probably, this is something we are going to see more frequently, so frequently perhaps that it may undermine the free software community's credibility. Therefore, we must come together and meet, and exchange signatures, so that at least we can ensure that they software is signed by its maintainer.
Now, go and get registered at Biglumber [biglumber.com], sign up to the keysignings list [alt.org] and start organizing keysigning parties. Also, make sure that you meet other hackers when you're out travelling.
Re:MD5 checksums (Score:2, Interesting)
That's good if you can assure that the MD5 checksum is for the original tarball. What if the guy who placed the torjan placed a new MD5 checksum as well?
NO!!!! NO!!! NO!!! (Score:5, Informative)
Do this: Download gpg from gnupg.org. Build it. Generate yourself a key. Try to get some of your friends to sign it. submit it to keyserver.net. Sign your code with that key. While you're at it, start using kmail, evolution, or mozilla with enigmail and start signing your emails too. Do it religiously.
Check sigs when you download code too.
mars.raketti.net (Score:3, Interesting)
With that information, I suppose that it is easy to find out which Finnish 'author' included the trojan, and would be simple to track him down. But my question is how something like this could have been included in an open source code and released to the general public?
Re:mars.raketti.net (Score:2)
This is a growing trend (Score:2, Interesting)
Security getting worse? (Score:2)
Seriously, though, I think the ideal solution would be to do multiple checks of the RC5 signature of newest packages, over several mirrors. The advisory mentioned that tcpdump.org was compromised, while the mirror at ibiblio.org was OK.
Or use Gentoo Linux. Of course. I can't do that, since I don't have broadband at home... =(
One too many? (Score:4, Insightful)
There was dsniff, BitchX, OpenSSH etc. and today tcpdump and libpcap?
Does anyone else think that someone has found a security hole in a popular unix daemon and is having some fun with it before notifying the authors? Or maybe there is a *VERY NASTY* exploit circulating privately?
At least that's what I think.
Re:One too many? (Score:5, Insightful)
Re:One too many? (Score:3, Informative)
http://www.openssl.org/news/secadv_20020730.txt says that is vulnerable.
Re:One too many? (Score:3, Informative)
That being said, that alone is not enough. Everyone should run their updates nightly, and make sure their security doesn't collapse completely once one box has been taken.
However, I would like to take the opportunity to applaud the honeynet people who actively act like sitting ducks in order to protect the rest of us.
cleaning? (Score:3)
Er, I thought trojans were for preventing... (Score:2, Funny)
Re:cleaning? (Score:2)
I guess that's the clever part... you only activate the trojan if you recompile from source!
Why do I have a feeling (Score:2)
Reply from a mirror site to HLUG and tcpdump.org (Score:5, Informative)
To : msolnik@hlug.org
Cc : wt-changes@wiretapped.net,
tcpdump-workers@tcpdump.org,
mcr@sandelman.ottawa.on.ca
Subject : tcpdump.org mirrors
----- Message Text -----
Hi guys,
I run the main mirror of tcpdump at wiretapped.net (no relation to wiretapped.us) in Australia. We rsync from cvs.tcpdump.org, and have removed the entire tcpdump.org tree and disabled rsync updates until we hear from Michael Richardson at tcpdump.org.
You may like to add this info to your Updates area, as the unavailability of the main mirror site may seem suspicious. It is not, as described above.
Because wiretapped.net itself is mirrored to a few other sites, it may take between 1 hour and 24 hours for this removal (and any subsequent re-addition) to take effect. We'll note when it goes back online at http://www.wiretapped.net/changelog.html
Hope this assists in preventing any further spread,
Grant
www.wiretapped.net
Accountability (Score:2, Interesting)
Isn't this the whole point of Open Source? (Score:5, Funny)
Sounds like that's what happened here!
Uncommented trojan (Score:5, Insightful)
Even (or especially) free software developers should use more descriptive variable names and comment their code well. It makes the code much more readable for analysis, both security or quality reviews.
Well, ok, crackers probably want to obfuscate their code with
I'd recommend the rule: "One comment per statement, except when really unnecessary." Many people think it's silly, but those people haven't had to read a lot of other people's code.
Hmm, I wonder why they used port 1963...author's birth year? Nah, that would be too old for a typical cracker.
DEMAND PGP SIGNATURES!!!! (Score:5, Insightful)
The reason this is a problem is that nebulous shrug of an answer to the question "Who are you trusting to provide this code which you execute?" It could be an anonymous PGP/GPG key, but to violate people's trust would mean that trusted token is no longer trusted, and thus it would identify the other risks out there.
Imagine the tcpdump distributions were signed by an anonymous key. We could look over the code, and decide to trust that key. Later, people would be able to tacitly trust that key to sign tcpdump tarballs. One day, the tcpdump code will fail to match the signature: it will be caught before being executed, and the trojan will be discovered quickly. Later, another trojan will appear, but the signature will match. A few people will be bit, but the key will be exposed and others will be able to quickly identify their risk.
At the VERY LEAST, use MD5 sums on the files like FreeBSD ports!
Re:DEMAND PGP SIGNATURES!!!! (Score:5, Insightful)
And for god's sake, keep your private signing key encrypted in your gpg keyring, or offline.
Would it help to have a source Bank? (Score:3, Interesting)
I'm just typing out loud here.
Yes, there'd almost certainly have to be a cost associated with this, and I'd think it would be paid by the people who wanted source code, but didn't want to have to worry about checking it for Trojans etc..
The source could still be publically available for comment and review to add to those being paid to perform the analysis.
Seems like this might be a good service, once the idea is fleshed out more...
There'd also need to be some definition of "guaranteed" (or maybe just a different word :0) that fit this scenario, most people don't want to set themselves up to be sued.
Sandbox Your Applications (Score:5, Informative)
In the meanwhile, I suggest that you run all your untrusted software in a sandbox like Systrace [umich.edu] which is available for the BSDs and Linux.
This screenshot [umich.edu] shows Dug Song detecting the trojan in the Fragroute [monkey.org] distribution. Systrace allows you to run completely untrusted applications in a sandbox. The security policy is created on the fly with the user deciding what an application is allowed to do.
We need to be much more careful about the software that we run.
a quick test to see if your hit (Score:4, Informative)
tcpdump -n host 212.146.0.34 &
telnet 212.146.0.34 1963
If tcpdump sees the connection, it isn't ignoring port 1963; if you don't see the connection, then your tcpdump is ignoring port 1963.
and well, its always nice to
the people at 212.146.0.34 should change it to something like
if this test is wrong, well, so be it, i'm still new at this linux thing, but i'm better at linux then i am at spelling (boy, i should be an
--Anonymous Coward
Early news from tcpdump.org (Score:5, Informative)
"ls -c" says that the modified binaries were installed at Nov 11 10:14:00 2002 GMT.
Preliminary inspection says that the CVS repository is O.K.
www.tcpdump.org (Score:3, Insightful)
Date of Trojan is after Nov 1, 2002 (Score:5, Informative)
DeMorgan's Law (Score:3, Interesting)
That's not a problem, that's a feature (Score:2, Insightful)
But then again, you had to pay no-one for the man hours you saved by using the open-source code.
Re:This is dreadful (Score:2, Informative)
Now, good GPG signatures would have helped.
Re:This is dreadful (Score:5, Insightful)
Did Microsoft pay you for lost man-hours when your staff battled Nimda or Code Red? Didn't think so.
Re:This is dreadful (Score:4, Funny)
I couldn't agree more, if those cheap-arsed hippies who write Linux would only pay up when there's a problem with their software like reputable commercial companies like Micros.. err, Oracl.. err actually, forget it.
Re:This is dreadful (Score:5, Insightful)
Re:This is dreadful (Score:5, Funny)
Re: (Score:2)
Re:This is dreadful (Score:5, Insightful)
"It's the one problem with the open-source community - there's no-one to pay me to pay my staff for the lost man-hours caused by this. "
And this is different from Closed Source how ?
Doesn't the money come from the money you've saved by not having to pay for any software? What did your business plan mention about this? Just a blank page, right? Try it out and see what happens? Well, it's your money!
Same place it will come from if you use Closed Source software, using Open Source products does not mean zero cost IT, it means lower cost IT. If your company did plan for these things, then it will make no difference what products you are using.
Hey, Slashdot, (Score:3, Funny)
Re:prison (Score:2, Insightful)
It is also true that only because this is an open source project was such code found. People seem to forget that there is no really efficient way of checking closed software for security holes. On top of that, companies are more than likely to place back doors in programs as actual features that are not mentioned in documentation, or only glazed over. My example for this was in a business program that I work with, which had the option for you to enter a code into one of the text fields if you set the computer's date to a specific date, and then you would be able to edit all records, thus bypassing the simple code that it uses. I found out about the feature when there was a problem with some of the records, and since the files are encoded I wasn't going to search through them in any easy way, so I contacted the program's distributor and they told me of this feature. Just think how many other progs out there have stuff like that.
Re:Siltakoski Petri is somehow connected with this (Score:3, Informative)
Oh wait, perhaps he's just the tech guy working for the company which registered the domain "raketti.net", Kuopion Puhelin. It's a telecom and net operator after all.
Don't jump to conclusions (Score:5, Insightful)
It's possible that this guy has something to do with it, but it's more likely that his machine is owned by the same person who managed to put the trojan out there.
Re:Siltakoski Petri is somehow connected with this (Score:4, Informative)
Yes and no. The information you have successfully received from the Whois database is pointing to the phone company in Finland, which happens to be a host for raketti.net domain. Petri Siltakoski is just an administrative contact of the ISP (Raketti.Net). He has nothing to do with the web page set up by an individual who seems to have an account in this ISP.
Re:Siltakoski Petri is somehow connected with this (Score:2)
How is this fair? (Score:5, Insightful)
All the replying posts pointing out that it's a phone company/ISP and it's almost certainly nothing to do with this chap are at 2 or below, meaning that many people won't see them and this individual's name is now besmirched.
And, by the way, this happens all the bl**dy time on
Yeah, I know it's off-topic. Just wanted to rant about something that irritates me. Return to your normally-scheduled bits and pieces.
...And later moderators can't fix it! (Score:3, Insightful)
All the replying posts pointing out that it's a phone company/ISP and it's almost certainly nothing to do with this chap are at 2 or below, meaning that many people won't see them and this individual's name is now besmirched.
The sad part of this is the fact that we (people who have moderator points to give away) can't really fix the problem even after we're told about it. I could go back and mod down the misleading post, but then some metamoderator would see that I modded down what appears at face value to be an "interesting" post and I would be the one who was bitch-slapped for abusing my moderator points. All we can really do is mod up the replies, making the whole thread +5 in order to dilute the bad moderation.
Re:So much for peer auditing? (Score:5, Informative)
let me make sure to put pillows over the sharp corners of the table.
this was found, just last night, because of the change in the md5 checksum.
this md5 checksum changed because the file changed.
this file changed because someone changed it
so in conclusion, this file has not been like this for a year
hope you were able to keep up
Re:So much for peer auditing? (Score:2, Informative)
Since there are no md5 sums or gpg signatures listed on tcpdump.org it makes it very easy for someone to simply replace the source. Only those that check md5 sums and gpg signatures will know if it is truly trojaned or not.
I hope that the tcpdump people will start provided md5 sums and gpg signatures for those that build from source.
Re:So much for peer auditing? (Score:2)
There are no decent auditing tools in use.
Everyone could check 95% on the code and still miss a trojan in the other 5%.