SJVN on track but missed the mark...

Story: Linux is as secure as everTotal Replies: 6
Author Content

Jun 15, 2010
9:43 AM EDT
SJVN was on track with the article, but missed the mark on an important point. Only the source tar-ball on the mirrors was compromised. So, only those who built their implementation of this package from the supplied sources was exposed to the trojan. From what I understand the CVS versions were uneffected. Most active developers are going to be building from the CVS, so there would be a reduced exposure.

He did hit it right that the package was relatively obscure,... a fact glossed over by quite a few bloggers wanting to spread FUD, or outright misrepresented by some. In reality, I do not know how many people utilize the UnrealIRC package, but I estimate that it runs in the tens,... Not tens of thousands, or tens of hundreds, but tens of people. I doubt it is used in major institutions, or in mission critical implementations.

Most of those would be getting it in pre-built *deb or *rpm packages built from the CVS, or from the CVS directly. So,... I am guessing that there were a couple, at most, real world infections. And if you asked me, I would bet that it was more likely compromised by someone who was looking to build a back door into a specific system as some form of insider espionage against that person's employer, "friend" or organization.

Jun 16, 2010
2:47 PM EDT
With open source, you will always have someone who releases their own IRC package, or a music player or whatever, with security holes. There are certainly more "amateur" programs out there with problems but no one uses them, so in that case "security through obscurity" does indeed work.

Jun 16, 2010
2:49 PM EDT
Isn't a password just "security through obscurity"?

Jun 16, 2010
3:13 PM EDT
A password of "12345" would be security through obscurity.

A well-conceived password is more like a snapshot of entropy.

Jun 17, 2010
6:07 AM EDT
"So the combination is... one, two, three, four, five? That's the stupidest combination I've ever heard in my life! The kind of thing an idiot would have on his luggage!"

Jun 17, 2010
8:04 AM EDT
Hmm.. I'd better change my LXer password...

Jun 17, 2010
8:20 AM EDT

Don't bother I can do it for you, remotely. Ok?

Posting in this forum is limited to members of the group: [ForumMods, SITEADMINS, MEMBERS.]

Becoming a member of LXer is easy and free. Join Us!