hAckz0r writes "The WhiteHouse.gov ( https://wwws.whitehouse.gov/petitions#!/petitions ) now has an online petition to stop the USPTO from issuing any more software patents. One must register first with the petition site, wait for the confirming email, login, then locate the "Open Petitions" menu to go to the list of petitions. Scroll down to the one called "Direct the Patent Office to Cease Issuing Software Patents", and then do what you think is right. They need 3,428 petitions total to make it meaningful, and has logged 1,572 as of my entry." Link to Original Source top
hAckz0r writes "I am in the final phase of a research project software design which, believe it or not, intends to help locate embedded malicious logic in Mega-SLOC sized source code bases, and eventually even across multiple computer language linkages. This tool is intended to aid an analyst in finding things like back doors, Easter eggs, time bomb logic, or other undesired or malicious logic inserted into the source code. The design has been highly scrutinized, and the funding for the project is now looking imminent. Once all the final papers are signed, and it really happens, then it's straight from the frying pan into the fire for me. The educated nay-sayers will no doubt be quick to remind me that you can't prove a negative. I already know that fact all too well.
Ok, now on to the real question. In order to prove any real life viability in the final software implementation we will need to demonstrate its many capabilities against a set of real life threats. I could write my own tests but I feel like that would be like cheating. Compromised 'Open Source' projects would be an obvious choice for availability reasons, but the problem is that as soon as an OS project admin realizes that their software product has become compromised, it literally disappears off of the Internet, almost over night. Poof! Gone! The Fedora/Redhat OpenSSH compromise could be one such example. Anybody even seen any Fedora updates lately?
I can start by chasing down other repositories that cache rpm source and then do my own deltas, if they have not already pulled that deprecated version, but that is still timing dependent. Obtaining copies of even older exploits seems to be even more troublesome and very time consuming, especially if one has to actually contact the project owners directly to revive a specific deprecated version number.
So my questions to Slashdot are:
1)Is there a compromised source code repository I am not aware of? Hacks-R-Us maybe? If it were a simple virus or a rootkit this would be much easier!
2)If you had to identify and then find these older deprecated versions of source code (C/C++ for now, other languages to follow) how would you go about doing this collection efficiently? Is there a comprehensive list of hacked OS projects with version numbers? Closed source doesn't count if the source code is not obtainable.
3)What specific deprecated/exploited OS software packages would be most worthy of testing if you only had a short time line, say about two weeks to collect them in? What floats to the top of the list? The Linux Kernel hack no doubt would top my list, then OpenSSH *2