| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: webmaster at verticept.com (Richard DeYoung) Subject: Re: [Snort-users] Snort and SourceFire "Backdoored" Now for a somewhat different perspective on the whole thing.... > I guess now that we have this incident validated as positively true from > the main Snort/SourceFire IT person, it lends a lot of credibility to > the Snort/SourceFire "backdoor" rumor. Hmmm. So, "guess"+"validated"+"positively true"(vs "mostly true") == "credible" ??? > There have been lots of rumors on IRC that a few months ago, some of > the PHC guys were able to compromise the snort CVS tree. Instead of creating > a traditional backdoor in Snort/SourceFire (simply opening a rootshell > on a specific port) they changed a lot of the code to introduce buffer > overflows that didnt exist previously, and could be exploited at a later > point in time. They changed a lot of the code to include strcpys where > there was strncpys and such. This is a lot less noticeable than PHC's > other open source security project trojan code inserts, such as the libpcap, > dsniff, and sendmail compromises. Given the fact that you heard the rumors of massive injections of strcpy() into the main Snort CVS repository on an IRC channel and not published to the community at large, what other sources do you cite in order to arrive at your decision that this is a "credible" incident?? > Brian Caswell has said that Sourcefire did a major code audit after discovering > this compromise, which I think is very cool of them. > Code audits can be very expensive, and Im sure SourceFire footed the > bill. Code audit after a system compromise; a prudent and effective way of maintaining code integrity. > But, the question remains, how long were all of us exposed? Exposed?? You still haven't demonstrated that the "rumors" you heard were, in fact, more than just rumors. > And, > why did we learn of all this from blackhats releasing a fake phrack, > rather than from Snort/SourceFire? Again, what did we supposedly learn from some bh's releasing a fake phrack? I believe they've succeded in demonstrating how quickly some people claiming to be "in the IDS discipline" can be made to jump to conclusions at the drop of a few "catch phrases" or half-truths. > I find it high disturbing that this is how the whole incident unfolded, > as many Snort team members have ragged on the industry practice of hiding > major security incidents in the past. Don't we Snort users have the right > to know if our code has been trojaned and Snort/Sourcefire compromised? Yes, you do. That's why you download it in source code format, and not in pre-compiled binaries such as those released by other companies "in the industry". IDS is only the leading-edge (topologically speaking) technical representation of a company's policy/process structure. As has been said repeatedly, where you go from there is up to you. > Maybe not, but the paying customers of SourceFire for sure do. > > Joey > Gee, it must suck to be the target of a Social engineering hack, eh ??? -- --Rick[at]Verticept -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20030921/89e50bc7/attachment.html
Powered by blists - more mailing lists