The trojaning of mICQ

The story, it seems, is this: Rüdiger Kuhlmann, the maintainer of mICQ, had a disagreement with Martin Loschwitz, the maintainer of the Debian mICQ package, on how that package should be built. Mr. Kuhlmann complained that an old version of mICQ was shipped, that it contained bugs which had been fixed upstream, and that his name had been removed from the copyright file. The disagreement had apparently been going on for a while.

Mr. Kuhlmann decided that enough was enough, and he was going to take some action. As of mICQ 0.4.10.1, the code will, when built for the Debian distribution, print out a message which says some unflattering things about Mr. Loschwitz and encourages use of a different version; the program then exits. In other words, when built for Debian, mICQ thumbs its nose at the user and refuses to run. To help ensure that this code got into the official Debian version, it was written in an obfuscated manner, set to trigger only after February 11, and only if it was not being run by Mr. Loschwitz. For the curious, here is a posting containing the code in question.

In response, Mr. Loschwitz called for the removal of mICQ from the Debian distribution and started a generally impressive flamewar. After some time, the two parties actually started talking to each other; summaries from Mr. Kuhlmann and Mr. Loschwitz have been posted. The resolution involves fixing the packaging issues and the removal of the anti-Debian code. The mICQ package will also be removed from Debian until a security audit is performed and a new maintainer is found. The situation would appear to have been resolved.

The whole thing has, however, left a bad taste in the mouths of many Debian developers. According to some, Debian was subjected to a trojan horse/denial of service attack, and they are not happy about it. Mr. Kuhlmann denies this, of course ("In fact, I only added dead code. It was you who #ifdef'd it in - not knowingly, but anyway."), but this code, even described in more friendly terms ("easter egg," say), is the sort of thing that does not often happen in the free software world. Free software users like to think they have a bit more control over their systems than that. (It's not completely unheard of, though - GNU emacs used to greet Symbolics users with the message "In doing business with Symbolics, you are rewarding a wrong.")

Much of the discussion was concerned with what Mr. Kuhlmann could have done with this piece of stealth code. Such speculation is a bit off-topic, given that, as far as anybody can tell, there are no evil or destructive trojans coded into mICQ. In the context of a wider discussion, however, this episode does raise a scary issue. The mICQ code was slipped into a major distribution, seemingly with great ease. The code was relatively harmless, but, next time, it might not be. Access to source code decreases our vulnerability to this sort of attack; proprietary software, after all, can have anything in it. It is hard to imagine anybody being able to hide a flight simulator inside a free spreadsheet application. But anybody who believes that having the source makes us invulnerable to this kind of trojan is clearly mistaken. With suitably clever coding, great nastiness can be hidden in seemingly innocuous code. The resources to audit all of our code at the level of detail required to find small trojans simply don't exist.

Perhaps, in the future, tools like the Stanford Checker can be turned to the task of finding suspicious code in source distributions. For now, though, we have to remain on our guard. This kind of thing will happen again, and, next time, the results may not be so benign.

---

to post comments

The trojaning of mICQ

Posted Feb 20, 2003 3:01 UTC (Thu) by ncm (guest, #165) [Link] (3 responses)

My question is, why didn't Mr. Loschwitz see the trojan code when he diff'd the old version against the update, to see what had changed?

The trojaning of mICQ

Posted Feb 20, 2003 3:31 UTC (Thu) by trutkin (guest, #3919) [Link] (1 responses)

He didn't look over the diff. He was upbraided by other maintainers for this.

The trojaning of mICQ

Posted Feb 20, 2003 22:11 UTC (Thu) by hmh (subscriber, #3838) [Link]

You bet he was upbraided. Some of us take great pains to go over every
line in a 1000+ line diff file (usually not for security, but out of sheer
paranoia of breaking the package in a hideous way, and losing even more
time trying to get it to work again)...

However, as others said, don't expect normal diff-looking to catch a
really bright piece of obsfucation (which was NOT the case of mICQ).

The trojaning of mICQ

Posted Feb 27, 2003 14:46 UTC (Thu) by MLKahnt (guest, #6642) [Link]

Having seen the code (and read the entirety of each thread of the flame war,) there were some very deliberate efforts to hide the code and the activities - other developers on Debian-devel admitted that they wouldn't have realised the nature of what was to happen if the results weren't reported to them. The offending message was coded in base64 iirc, the reference used to hide the message from appearing on the system of the Debian maintainer was set up to use his specific ICQ name, hardcoded a letter at a time rather than a more obvious string, and even the reference to Debian was chopped into substrings to not stand out.

There was substantive effort put into hiding this function, which might well have slipped past most any maintainer not performing security audits of diffs, let alone one that was relatively new to the process (the mICQ maintainer being still under sponsorship.)

Scary but...

Posted Feb 20, 2003 3:04 UTC (Thu) by yodermk (subscriber, #3803) [Link] (1 responses)

This is scary.

But I think that we have a lot more to fear from small one-person projects than from large projects.

Most or all multi-developer projects use version control. People are notified when code gets changed. It would have to take a lot of social engineering to get something like this into an official, say, Apache or GNOME release.

But perhaps the distros should be quite a bit more careful with accepting code from small projects with little accountability.

Scary but...

Posted Feb 20, 2003 15:04 UTC (Thu) by proski (guest, #104) [Link]

It's quite hard to get a trojan applied by someone else as a patch. However, the main developer gradually can redesign the program in such way that the trojan cannot be detected. For example, the "anti-Debian" text could be hidden in a table used for encryption of for calculating checksums. Using pointers to functions also makes it easy to hide much nastier things. For example, you implement a recursive algorithm, and then somehow pass the function that erases files as a pointer to the recursive function. Having many levels of calls also helps hide bad intentions by speading the bad code across the program.

My point is that large programs are not safer is the lead developers cannot be trusted. It's easier to hide bad things in large projects.

The trojaning of mICQ

Posted Feb 20, 2003 16:20 UTC (Thu) by dwheeler (guest, #1216) [Link]

The fundamental problem is that a trusted developer (Mr. Kuhlmann)
intentionally inserted code that caused the program to fail to run.

Eventually, in all software, trust must stop somewhere.
However, it would be far better if multiple barriers had to be broken
instead of a single person.

The trojaning of mICQ

Posted Feb 21, 2003 16:19 UTC (Fri) by Steve_Baker (guest, #265) [Link] (6 responses)

This is probably an unpopular opinion, but as far as I'm concerned, the developer can do whatever he damn well pleases with his code, and anyone who complains can just write their own damn programs. This developer had very reasonable complaints about how his code was being handled by Debian. Perhaps he could have found another way to respond, but Debians' response to his solution was at least as extreme.

Debian was very much in the wrong on removing his name from the copyright file, but it seems developers are at the mercy of distributions in such matters. It is aken to telling programmers, once they have offered their code to the world, to shut up and go away. How their code is presented to the world is at least as important as its functionality, some allowances should be made for that.

Furthermore, printing a message and exiting is not a trojan horse, a denial of service attack, an easter egg or anything of the sort. Debian got called on to the carpet with their developer abuse and cried foul, but they have no legitimate reason to. Debian and other distributors would do well to remember that licenses can change, and they can be changed to prohibit them from using such programs at all, or in ways much more to the developers liking. Angering the foundation on which your distribution is based is not a good idea.

In my not so humble opinion, Debian owes Mr. Kuhlmann an apology and should take steps to correct their mistakes.

The trojaning of mICQ

Posted Feb 22, 2003 0:38 UTC (Sat) by proski (guest, #104) [Link] (3 responses)

In my not so humble opinion, Debian owes Mr. Kuhlmann an apology

That would be the case if Mr. Kuhlmann didn't act in such a childish way. Even adding the same warning code without obfuscation would have made a better statement.

When Opera developers were upset about MSN serving broken pages, they released the "Bork" edition, but they were open about the changes they made. It's not like "borkifying" MSN was an undocumented feature of an official release.

Besides, if Mr. Kuhlmann was upset about Debian distributing old versions of micq, he should have encourage the Debian maintainer to upgrade. Mining the new version to protest against distributing old versions is preposterous. The result of his actions is that the future maintainer will be pretty much discouraged from grabbing the next version without doing a very careful audit of the changes.

The trojaning of mICQ

Posted Feb 22, 2003 2:11 UTC (Sat) by Steve_Baker (guest, #265) [Link] (2 responses)

You cannot justify Debians' actions just because you don't agree with the developer. It would have been better perhaps if he had found some other way to get his point across, but I don't believe for a minute that he hadn't already exhausted most "diplomatic" methods before doing this.

Don't forget that he would be helpless to stop the debian maintainer from removing his bitch message, which was the whole point of obfuscating it and waiting for a specific date in which to appear. He did that precisely because the Debian maintainer has the power to shut him up as it were. Remember that the Debian maintainer was roundly criticized for effectively failing to do so.

Regardless of his so called "childishness", Debian made the greater error in removing his name from the copyright file. That is not excusable, and his later actions do not change the fact that Debian owes him an apology. And I stand by that assertion.

The trojaning of mICQ

Posted Feb 22, 2003 20:51 UTC (Sat) by mongre26 (guest, #4224) [Link]

I agree Steve, the developer can add any features to his program he wishes, no warranties expressed or implied.

It is the responsibility of the maintainers/users of the software to use it responsibly. If they do not like his features, they should not use his software. It is their choice.

The removal of the name from the copyright is the big issue here. That is expressley prohibited under copyright law and illegal in countries that have signed international copyright agreements. The maintainer should be severely chastised for this, even more so since he is ostensibly a supported of software libre.

As far as this being some tip of the iceberg situation as the original LWN editor suggested, please, enough with the scare mongering. There is nothing new here save perhaps people had their assumptions challenged.

Using software, commercial or open source is a calculated risk. There are no guarantees. However I would suspect that we have much more to fear from incompetence than malice when it comes to software.

The ethics of "trojaning" vs. stealing code.

Posted Feb 24, 2003 2:03 UTC (Mon) by Duncan (guest, #6647) [Link]

<quote>
Regardless of his so called "childishness", Debian made the greater error in
removing his name from the copyright file. That is not excusable, and his later
actions do not change the fact that Debian owes him an apology.
</quote>

Initially, I was asking myself what sort of irresponsible general maintainer this was,
to do what he did.

Then I realized the truth of the above. His name wasn't in the copyright file, so he
had every reason to assume none of his code would be in their version anyway.
Thus, he could write whatever he wanted and it wouldn't see the light of day,
because it wouldn't be triggered by being in their distribution, because they would
have removed it as code from someone not in the copyright file, rather than stealing
from him, which taking his code without attribution is, in effect.

Looked at it that way, all he did was prove that they were stealing his code, while at
the same time demonstrating a VERY important point about what he COULD have
done, the dangers that existed if someone were to exploit them, because the Debian
maintainer wasn't doing HIS job, but rather, was stealing from someone else, without
even crediting him for his contribution.

It's going farther than I would have. That's not my nature. However, I certainly
don't blame the general maintainer for doing what he did, because, indeed, he had
every reason to believe in good faith that none of his code was being included
anyway, because after all, the Debian maintainer certainly wasn't THAT unethical,
and CERTAINLY wouldn't include code stolen without attribution, would he?

The trojaning of mICQ

Posted Feb 23, 2003 21:57 UTC (Sun) by giraffedata (guest, #1954) [Link]

>...the developer can do whatever he damn well pleases with his code,
>and anyone who complains can just write their own damn programs.

I agree up to the point of fraud, which is what we had here. The author intentionally misled the Debian project into shipping something different -- something of clearly less value -- from what it thought it was shipping. Had the author been open about what was in the program, I would have no problem with it.

... copyright file

Posted May 20, 2003 14:46 UTC (Tue) by Tadu (guest, #11339) [Link]

Debian was very much in the wrong on removing his name from the copyright file

Just for the records, the package in Debian woody still has the name removed from the copyright file; it's more than half a year since it was reported to the bugtracking system. The bug in that package btw. is something extremely annoying but trivial to fix and is as well still present.