LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

An unexpected perf feature

LWN.net Weekly Edition for May 16, 2013

A look at the PyPy 2.0 release

PostgreSQL 9.3 beta: Federated databases and more

LWN.net Weekly Edition for May 9, 2013

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

The backdooring of SquirrelMail

The backdooring of SquirrelMail

Posted Dec 20, 2007 12:17 UTC (Thu) by scarabaeus (subscriber, #7142)
Parent article: The backdooring of SquirrelMail

there have been several attempts to compromise source distributions over the years. Many of them have succeeded in getting bad code into high-profile packages. But none of these attacks - so far as we know - have escaped detection for any significant period of time
Well, yes - how do you know that no such thing exists?? Anybody who has done it will surely be careful not to cause alarm when exploiting it.

BTW, it is also possible and likely that some developer somewhere has done a similar thing. I dimly remember one occasion a few years ago when such a developer backdoor was detected, can't remember any details though...

(Log in to post comments)

The backdooring of SquirrelMail

Posted Dec 20, 2007 15:30 UTC (Thu) by NAR (subscriber, #1313) [Link] 

Exactly. How do we know that someone didn't crack the workstation of an apache or firefox
developer, didn't slip a backdoor into the code and currently isn't waiting for the highest
bidder to sell the access to these computers? Yes, I know, there is peer review, but it
obviously didn't work in the case of SquirrelMail...

How do we know?

Posted Dec 20, 2007 15:43 UTC (Thu) by corbet (editor, #1) [Link]

Peer review did work with SquirrelMail - somebody reviewed the checksum and raised the alarm. There was no possibility for review to happan any earlier - that code did not go through the ordinary process. The fact that almost all backdoor attempts have targeted the distribution point (the final tarball) rather than some point earlier in the process suggests that getting a backdoor in that way is hard.

In other cases where backdoors have actually made it into source repositories (interbase, for example, or the mICQ incident), peer reviewers have caught the problem. The interbase backdoor lasted for a year and a half, but I do not think it was being exploited. It was something the developers left in by mistake. I do not know of a case where a trojan was introduced into a free software project, then was exploited for any significant period of time before being found.

That, of course, does not say that no such compromise exists. But I would be more concerned about long-term backdoors if there had been some cases of compromises which lasted for an intermediate period of time.

The backdooring of SquirrelMail

Posted Jan 4, 2008 23:39 UTC (Fri) by roelofs (guest, #2599) [Link]

BTW, it is also possible and likely that some developer somewhere has done a similar thing. I dimly remember one occasion a few years ago when such a developer backdoor was detected, can't remember any details though...

Some Debian machines were compromised via a developer's account, if that's what you mean. There was also a case of the kernel getting backdoored, but only via a CVS "mirror" of the main git or bitkeeper repository, not the master copy itself.

Those are the only two I recall offhand. Then again, the old brain cell ain't what she used ter be...

Greg

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds