SJVN on track but missed the mark...
|
| Author | Content |
|---|---|
| JaseP Jun 15, 2010 9:43 AM EDT |
SJVN was on track with the article, but missed the mark on an important point. Only the source tar-ball on the mirrors was compromised. So, only those who built their implementation of this package from the supplied sources was exposed to the trojan. From what I understand the CVS versions were uneffected. Most active developers are going to be building from the CVS, so there would be a reduced exposure. He did hit it right that the package was relatively obscure,... a fact glossed over by quite a few bloggers wanting to spread FUD, or outright misrepresented by some. In reality, I do not know how many people utilize the UnrealIRC package, but I estimate that it runs in the tens,... Not tens of thousands, or tens of hundreds, but tens of people. I doubt it is used in major institutions, or in mission critical implementations. Most of those would be getting it in pre-built *deb or *rpm packages built from the CVS, or from the CVS directly. So,... I am guessing that there were a couple, at most, real world infections. And if you asked me, I would bet that it was more likely compromised by someone who was looking to build a back door into a specific system as some form of insider espionage against that person's employer, "friend" or organization. |
| zentrader Jun 16, 2010 2:47 PM EDT |
With open source, you will always have someone who releases their own IRC package, or a music player or whatever, with security holes. There are certainly more "amateur" programs out there with problems but no one uses them, so in that case "security through obscurity" does indeed work. |
| Bob_Robertson Jun 16, 2010 2:49 PM EDT |
Isn't a password just "security through obscurity"? |
| gus3 Jun 16, 2010 3:13 PM EDT |
A password of "12345" would be security through obscurity. A well-conceived password is more like a snapshot of entropy. |
| jacog Jun 17, 2010 6:07 AM EDT |
"So the combination is... one, two, three, four, five? That's the stupidest combination I've ever heard in my life! The kind of thing an idiot would have on his luggage!" |
| Sander_Marechal Jun 17, 2010 8:04 AM EDT |
Hmm.. I'd better change my LXer password... |
| TxtEdMacs Jun 17, 2010 8:20 AM EDT |
Sander, Don't bother I can do it for you, remotely. Ok? |
Posting in this forum is limited to members of the group: [ForumMods, SITEADMINS, MEMBERS.]
Becoming a member of LXer is easy and free. Join Us!