Topic: Someone tries to poison the Penguin  (Read 8716 times)


Toasty0

  • Guest
Someone tries to poison the Penguin
« Reply #20 on: November 08, 2003, 08:59:54 pm »
Quote:

Attempted attack on Linux kernel foiled
Last modified: November 6, 2003, 2:39 PM PST
By Robert Lemos
Staff Writer, CNET News.com

An unknown intruder attempted to insert a Trojan horse program into the code of the next version of the Linux kernel, stored at a publicly accessible database.

Security features of the source-code repository, known as BitKeeper, detected the illicit change within 24 hours, and the public database was shut down, a key developer said Thursday. The public database was used only to provide the latest beta, or test version, of the Linux kernel to users of the Concurrent Versions System (CVS), a program designed to manage source code.

The changes, which would have introduced a security flaw to the kernel, never became a part of the Linux code and, thus, were never a threat, said Larry McVoy, founder of software company BitMover and primary architect of the source code database BitKeeper.

"This never got close to the development tree," he said. "BitKeeper is really paranoid about integrity, and it turns out that was key to finding this Trojan horse."

Linus Torvalds, the original creator of Linux and the lead developer of the kernel, uses BitKeeper to keep track of changes in the core software for the operating system. On a daily basis, the software exports those changes to public and private databases other developers use.

An intruder apparently compromised one server earlier, and the attacker used his access to make a small change to one of the source code files, McVoy said. The change created a flaw that could have elevated a person's privileges on any Linux machine that runs a kernel compiled with the modified source code. However, only developers who used that database were affected, and only during a 24-hour period, he added.

"The first thing we did was fix the difference," he said. "It took me five minutes to find the change."

When BitKeeper exports the source code to other servers, it checks the integrity of every file, matching a digital fingerprint of its official version of the file with the version on the remote machine. That comparison caught the change to the code stored on the server.

The changes looked like they were made by another developer, but that programmer said he hadn't submitted them, McVoy said.

The recent incident raises questions about the security of open-source development methods, particularly how well a development team can guarantee that any changes are not introducing intentional security flaws. While Microsoft code has had similar problems, closed development is widely considered to be harder to exploit in that way.

Linus Torvalds addressed the issue in a post to the Linux kernel mailing list.

"A few things do make the current system fairly secure," he stated. "One of them is that if somebody were to actually access the (BitKeeper) trees (software repositories) directly, that would be noticed immediately."

A critical security flaw was found in CVS in January, but it's unknown whether the attacker used the vulnerability to gain access to the CVS database.

BitKeeper's McVoy hopes the current incident will quash objections raised by some members of the development who don't want to add a new feature that would require all changes to be digitally signed.

Even so, he said, the open-source development model likely would have quickly turned up any security flaws.

"A Trojan horse is just a bug that a person has put into the system deliberately," he said. "The open-source security model is that everyone is using this stuff, so bugs get found and get fixed. That's one of the reasons that you are not hearing me freak about this."

McVoy said the disk from the compromised server has been saved for later analysis, but any decision to contact law enforcement belongs to Torvalds and others. Torvalds could not be immediately reached for comment.

http://news.com.com/2100-7355_3-5103670.html?tag=nefd_top
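The export-time fingerprint comparison the article credits with catching the change, written out as an added example that is not part of this post or of BitKeeper: the authoritative tree publishes a manifest of SHA-256 digests, a mirror is re-hashed and diffed against it, and the constructed two-file tree with one simulated altered file shows what such a check reports.

```python
import hashlib
import tempfile
from pathlib import Path

# Added example, not BitKeeper's code: a minimal export-time integrity check.
# The authoritative tree publishes a manifest of per-file digests; a mirror
# is verified by recomputing digests and diffing against that manifest.

def file_digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large sources do not load at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root: Path) -> dict:
    """Map each relative file path under root to its SHA-256 hex digest."""
    return {
        p.relative_to(root).as_posix(): file_digest(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }

def verify_mirror(manifest: dict, mirror: Path) -> dict:
    """Compare a mirror tree against the authoritative manifest.

    Reports files whose content differs, files the mirror lost, and files
    that appeared on the mirror without being in the manifest.
    """
    actual = build_manifest(mirror)
    return {
        "modified": sorted(k for k in manifest if k in actual and actual[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in actual),
        "unexpected": sorted(k for k in actual if k not in manifest),
    }

def demo() -> dict:
    """Constructed scenario: identical trees, then one file altered on the mirror."""
    with tempfile.TemporaryDirectory() as tmp:
        master, mirror = Path(tmp, "master"), Path(tmp, "mirror")
        for root in (master, mirror):
            (root / "kernel").mkdir(parents=True)
            (root / "kernel" / "sched.c").write_text("int schedule(void) { return 0; }\n")
            (root / "kernel" / "exit.c").write_text("void do_exit(void) {}\n")
        manifest = build_manifest(master)   # taken from the authoritative copy
        # Simulated tampering on the mirror: a one-line edit to a single file.
        (mirror / "kernel" / "exit.c").write_text("void do_exit(void) { /* changed */ }\n")
        return verify_mirror(manifest, mirror)

if __name__ == "__main__":
    print(demo())
```

The manifest only helps if it is produced on the authoritative side and carried over a channel the mirror's compromise does not reach; a digest list stored next to the mirrored files can be rewritten along with them.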

 

Dash Jones

  • Guest
Re: Someone tries to poison the Penguin
« Reply #21 on: November 09, 2003, 12:22:57 pm »
Microsoft trying to kill the only competition?

Toasty0

  • Guest
Re: Someone tries to poison the Penguin
« Reply #22 on: November 09, 2003, 05:59:06 pm »
Quote:

Microsoft trying to kill the only competition?  

Shooting a corpse isn't usually Microsoft's style...

Taldren_Erin

  • Guest
Re: Someone tries to poison the Penguin
« Reply #23 on: November 10, 2003, 02:22:28 am »
Quote:

Shooting a corpse isn't usually Microsoft's style...

Whoa, I agree that it's not MS's style to do something like this (though who knows what they've got going on), but what makes you think Linux is a corpse?

I think it caters to a different audience than the average PC user, but it's definitely a thriving and more than thriving community.

 

Toasty0

  • Guest
Re: Someone tries to poison the Penguin
« Reply #24 on: November 10, 2003, 05:47:41 am »
Quote:

Quote:

Shooting a corpse isn't usually Microsoft's style...

Whoa, I agree that it's not MS's style to do something like this (though who knows what they've got going on), but what makes you think Linux is a corpse?

I think it caters to a different audience than the average PC user, but it's definitely a thriving and more than thriving community.

It's a community based on "free". Free communities always thrive for the short term, but over the long haul, it is the community that does not depend on the *donation* of time and talent that ultimately prevails.

The exception to that model is religion, thus my application of the term zealot to Linux advocates.

Best,
Jerry  

Taldren_Erin

  • Guest
Re: Someone tries to poison the Penguin
« Reply #25 on: November 10, 2003, 03:40:20 pm »
Quote:

It's a community based on "free". Free communities always thrive for the short term, but over the long haul, it is the community that does not depend on the *donation* of time and talent that ultimately prevails.

Hmm, I have a hard time believing that Linux is going away any time in the foreseeable future. There are actually a lot of communities based on "free" -- not that it's a comparison to Linux, but many small anarchist communities exist this way, off the grid and on the barter system. I'm only a cursory Linux user, myself, but I've seen enough of it to know that there are most definitely aspects in it superior to Microsoft or Apple technology. And where there is that kind of tech, there's value, and with something the size of Linux there is longevity. And people who will want to take it down. UNIX is a dying beast and is currently attempting to sue Linux for that reason.

Quote:

The exception to that model is religion, thus my application of the term zealot to Linux advocates.

Oh, I think there's a lot of money in religion. I'm reminded of the father of Scientology:
"If you want to make a million dollars, invent a religion" -- L. Ron Hubbard

 

Toasty0

  • Guest
Re: Someone tries to poison the Penguin
« Reply #26 on: November 10, 2003, 04:35:52 pm »
Quote:

Oh, I think there's a lot of money in religion.  I'm reminded of the father of Scientology:
"If you want to make a million dollars, invent a religion" -- L. Ron Hubbard
A valid point. Otoh, old L. Ron didn't think to make his goal the downfall of the Pope either.

Best,
Jerry  

hobbesmaster

  • Guest
Re: Someone tries to poison the Penguin
« Reply #27 on: November 10, 2003, 04:37:09 pm »
Quote:

It's a community based on "free". Free communities always thrive for the short term, but over the long haul, it is the community that does not depend on the *donation* of time and talent that ultimately prevails.

Berkeley first wrote a software system in 1977. Stallman's GNU project had code in 1984. Microsoft Windows version 1 was released in 1985. Torvalds released the Linux kernel in 1991; the GNU project provided the core utilities and diverted effort away from its own HURD kernel.

Open source seems to have been around for as long as Microsoft, if not longer. Linux and BSD still outnumber Microsoft in the server market.

Dash Jones

  • Guest
Re: Someone tries to poison the Penguin
« Reply #28 on: November 10, 2003, 04:51:48 pm »
Speaking of things free that have lasted awhile besides religion...

There's still the internet. (Though not technically free, it's pretty free considering the value: how many webpages and information access portals do you have...literally millions of pages of information, quintillions of bytes of code, and all for the cost of being able to connect. Of course someone hopefully is paying to supply the information, but seeing how much is out there, millions upon millions are literally supplying it at our fingertips.)

Then there's the weather.  Still going strong.

 

Okay, probably not funny, but I found it funny.

Then there are demos. I love demos of games.

Pamphlets and samples from door to door salespeople.  You would think after 100 years of doing this, and providing all this, they'd learn people don't want others knocking door to door, but instead these people have expanded it to the telephone now.

Then there's air...wait, scratch that, they have oxygen cafes now...of all things.

Then there's Public TV...accessible if you have a...TV.

And don't forget Public Radio...and Radio Channels as well.  You can pick those up if you have a Radio and not pay them a dime...any Radio channel.  Radio's been around for at least 60 years, I'm pretty certain.

Then there's the Red Cross/Red Crescent.  Supplied and aided by the goodwill of people everywhere.

And finally, there's love.  Of course, love was only invented like 300 years ago (did you know love as we know it didn't exist in the Medieval ages, it meant something completely different!)  It's lasted several centuries, and you know, I hope someday to find the love of my life too.

Hope you like my semi-humorous post/poem (I'm a bad poet you see, but at least I try as you can tell from this deed) of all things free, well some at least, actually not many at all in comparison...okay, an infinitesimally small amount of the free stuff in the world, but any longer and you just might not want to read it.

 

IKV Nemesis D7L

  • Guest
Re: Someone tries to poison the Penguin
« Reply #29 on: November 11, 2003, 04:47:12 am »
Quote:

It's a community based on "free". Free communities always thrive for the short term, but over the long haul, it is the community that does not depend on the *donation* of time and talent that ultimately prevails.

The exception to that model is religion, thus my application of the term zealot to Linux advocates.

Best,
Jerry

Though free is what gets all the press, the open source community is based more on the principle of enlightened self-interest. Linus Torvalds wanted a Unix clone that he could afford and began creating it for himself. He made it freely available, and others who wanted the same thing pitched in and helped, each one working on what they wanted, each working towards what was in their own interest. Result: each contributor received more than they gave, and the cheap Unix clone that they each wanted or needed was born. All from people working for themselves.

Over the last few years companies have been contributing, in their own interest.  

Intel needed a 64-bit OS for Itanium, and Microsoft is years behind on delivering, so Intel contributed to porting Linux over. Result: profits to Intel as they boost sales of Itanium (which are still low because the price of the chip is extreme). Linux benefits.

IBM wanted to boost sales of big computers; Linux was ported over and thousands of copies can be run in virtual mode on "big iron". Result: sales for IBM that would not have been made. IBM pays programmers to work on those aspects of Linux (SMP, filesystems and more) that help IBM sales. Note IBM spent 1 billion dollars on Linux in its first year of contributing; they made that billion back the same year from Linux-related sales.

An obscure bug comes up that your company needs fixed: you can pay a Linux programmer to fix it. With Windows you wait until MS decides it is worth it, to them.

Red Hat sells Linux services and is now in the black on sales. They pay Linux programmers to fix or add things that they and their customers want.