
One attempt thwarted

Posted Nov 6, 2003 19:53 UTC (Thu) by ncm (subscriber, #165)
Parent article: An attempt to backdoor the kernel

Anyone who stuck his neck out so far as to do this will not be satisfied with doing it just once. There are many points of vulnerability in the Free Software world. It would probably be much easier to sneak a backdoor into one of the distributions' kernels or network-service daemons, for example. They get much less scrutiny than Linus's kernel. A successful Red Hat, Debian, or FreeBSD backdoor would be (has been?) hardly less damaging.

The distinction between a local vulnerability and a remote one is pretty artificial. The distinction made, in remote exploits, between enabling arbitrary code execution as root or as a restricted user becomes moot when a user can easily become root. Since arbitrary code execution as a limited user (e.g. via lpd, sendmail, ftp) is very common, there's little practical difference between a trapdoor that works for local or for remote exploitation.

It's way too early to pat ourselves on the back for having fended off this one attack. It wasn't caught by "hundreds of eyeballs", it was caught because of an unusual level of automated scrutiny in one corner of the castle. Furthermore, it was caught because the attacker made a grave and foolish mistake, assuming a particular host was a primary source, and not a frequently-updated copy. We may be sure that other attacks will be more subtle -- perhaps some already have been, and have evaded detection.

As the economic significance of Linux and Free Software increases, we can also expect such attacks to multiply.

One immediate lesson, already known to a few, that this attack emphasizes is that current CVS servers are inherently insecure. Thus, any machine running a CVS server exposed to untrusted individuals cannot itself be trusted. How many projects compare their public CVS server contents against a trustworthy image? How many projects firewall the server that takes developer updates against access by non-developers?
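The check the comment above asks about, comparing a public mirror against a trusted image, can be automated with a per-file hash comparison. The script below is an added example, not code from LWN or from any of the projects discussed; the two directory trees it compares are constructed in a temporary directory, the `CVS/` bookkeeping directory name is assumed, and the planted one-line change stands in for whatever an attacker with write access to the public copy, but not the master tree, might insert.

```python
"""Compare a public source mirror against a trusted copy, file by file.

Added example, not code from the LWN page or any project it discusses.
It hashes every regular file under two directory trees and reports paths
that were added, removed, or changed on the public side, so that a copy a
project exposes to untrusted users can be checked against an image it
controls. The sample trees are constructed here; they are not real source.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# Directories that hold version-control bookkeeping rather than content.
# "CVS" is the directory name CVS uses for its metadata (assumed here).
SKIP_DIRS = {"CVS", ".git", ".svn"}


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root: Path) -> dict:
    """Map each regular file's path relative to root to its SHA-256 digest."""
    digests = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink():
                continue  # symlinks are skipped; a swapped link deserves its own check
            digests[str(p.relative_to(root))] = sha256_of(p)
    return digests


def compare_trees(trusted: Path, public: Path) -> dict:
    """Return the relative paths on which the two trees disagree."""
    t, p = hash_tree(trusted), hash_tree(public)
    return {
        "added": sorted(set(p) - set(t)),        # present only on the public copy
        "removed": sorted(set(t) - set(p)),      # missing from the public copy
        "modified": sorted(k for k in t.keys() & p.keys() if t[k] != p[k]),
    }


def build_sample_trees(base: Path) -> tuple:
    """Constructed sample: a trusted tree and a public copy with one altered file."""
    trusted, public = base / "trusted", base / "public"
    files = {
        "kernel/exit.c": "int sys_wait4(void)\n{\n\treturn 0;\n}\n",
        "kernel/fork.c": "int do_fork(void)\n{\n\treturn 1;\n}\n",
        "Makefile": "all:\n\t$(CC) -o vmlinux kernel/*.c\n",
    }
    for root in (trusted, public):
        for rel, body in files.items():
            path = root / rel
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(body)
        # CVS metadata differs between copies by nature and must not be compared.
        (root / "kernel" / "CVS").mkdir()
        (root / "kernel" / "CVS" / "Entries").write_text("/exit.c/1.1/\n")
    # Plant a one-line change on the public side only (constructed, not a real backdoor).
    exit_c = public / "kernel" / "exit.c"
    exit_c.write_text(exit_c.read_text().replace("return 0;", "return 0; /* changed */"))
    return trusted, public


def run_demo() -> dict:
    """Build the sample trees and return the comparison result."""
    with tempfile.TemporaryDirectory() as tmp:
        trusted, public = build_sample_trees(Path(tmp))
        return compare_trees(trusted, public)


if __name__ == "__main__":
    for kind, paths in run_demo().items():
        for rel in paths:
            print(f"{kind}: {rel}")
```

The trusted image must come from a machine the public server cannot write to; if the comparison runs on the exposed host itself, or pulls its reference copy from it, an attacker who owns that host can make both sides agree.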

One attempt thwarted

Posted Nov 6, 2003 20:51 UTC (Thu) by proski (subscriber, #104)

We should consider the political significance of free software as well as its economic significance. It's possible that the attack aimed to create bad publicity for Free Software rather than to exploit the backdoor.

Collaborative development is specific to free software. We cannot say that something similar can happen for non-free software, usually developed behind a corporate firewall. That's why this attack could have been used for FUD very effectively, were it to succeed.

One attempt thwarted

Posted Nov 6, 2003 23:35 UTC (Thu) by ken_i_m (guest, #4938)

"The distinction between a local vulnerability and a remote one is pretty artificial."

I have to disagree with this rather strongly. There is a huge difference between a local user who has access to a console and a remote attacker whose only leverage is the network services offered. To imply that successful remote attacks where the vector is "arbitrary code execution" are "very common" (or easy) simply does not hold water.

have a nice day,
I think, therefore, ken_i_m

One attempt thwarted

Posted Nov 7, 2003 0:34 UTC (Fri) by dlang (✭ supporter ✭, #313)

This attack was detected by the 'hundreds of eyeballs' approach; only one eye saw it because he was the only one looking for this, but in the 'traditional' closed-source approach that person would not have been looking (to address the point specifically, if there wasn't the need to make the kernel source available via all the different methods, the scripts would not have been publishing them and could not have identified the issue).

The hundreds of eyeballs approach doesn't expect that there will be hundreds, or even dozens, of reports of a particular bug; it means that with enough different people looking at something, each looking at the one particular piece they are interested in, you have complete coverage of the entire codebase.

One attempt thwarted

Posted Nov 8, 2003 3:12 UTC (Sat) by lm (guest, #6402)

> this attack was detected by the 'hundreds of eyeballs' approach,
> only one eye saw it becouse he was the only one looking for this,
> but in the 'traditional' closed-source approach that person would
> not have been looking

That's nonsense. This attack was detected because BitMover trains their engineers to be paranoid, end of story. There were "hundreds of eyeballs" that could have detected this, why didn't they? Gimme a break. It's pathetic of you to try and turn this into an open/closed argument, it has nothing to do with either. This was detected because we train our engineers to be competent. You can have good engineers in the open source world and good in the closed source world, and I'll remind you it was an open source system which was attacked.

As Linus said "it's telling that it was the CVS tree and not the BK tree that somebody tried to corrupt."

One attempt thwarted

Posted Nov 13, 2003 2:47 UTC (Thu) by dlang (✭ supporter ✭, #313)

The BitKeeper engineers were one of those hundreds of eyeballs; they happened to detect it first.

The only way you will have lots of people reporting the same bug is if they don't read what others have discovered and/or there is a long time period between a bug being discovered and it being announced. The normal situation is one person (or a very small number) discovering an issue and publicising it for others.

Even in this case, when Larry first posted about this to the L-K list he didn't post 'someone attempted to put a backdoor in the kernel'; he posted 'I noticed something strange, can anyone tell me why this happened', and a few posts later he posted the change that was inserted, and a few posts after that a few people noticed that it was a backdoor.

Copyright © 2012, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds