lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <E2226338-EC95-11D7-B534-000393A45F6C@sourcefire.com>
From: roesch at sourcefire.com (Martin Roesch)
Subject: Snort not backdoored, Sourcefire not compromised

It's come to my attention that some group is claiming to have broken 
into a Sourcefire server and backdoored the Snort source code.   First 
things first, there is no backdoor in Snort nor has there ever been, 
everyone can relax.

A shell server got compromised well over a year ago, but what these 
guys aren't telling you is that the network that it was on was not only 
logically separate from the rest of the sourcefire.com domain, it was 
also physically removed from it too (by about 23 miles, approximately 
the distance from the Sourcefire office to my basement).  Yes, that's 
right, they busted into a shell server that was maintained on a 
physically separate network in my basement.  That particular machine 
was maintained as a shell server for various people to log into so that 
we can have a sacrificial box to use to chat on IRC without having to 
worry about our real network getting compromised, and it has served its 
purpose well.

While we do try to keep that system from suffering break-ins, we also 
realize that many IRC clients aren't exactly the most secure pieces of 
code in the world and sometimes there are problems in server code as 
well (like apache and sshd), so we put together servers like that one 
so that we can interact with people while minimizing the risks to the 
company's networks and servers.  I thought this was fairly standard 
practice for many security companies, maybe I'm wrong.

If you're wondering "how do you know the code isn't backdoored?", since 
we know that that server is an "at risk" server we're not in the habit 
of checking code into CVS from there.  If that's not good enough for 
you, Snort has been through three code audits since March (one 
Sourcefire internal, two third-party external) and there are most 
definitively no backdoors in the code, nor were there any.

Hope that clears things up.

BTW, the sample code that they put into their little screed was nothing 
more than an update of the 'stick' program from 2001, not really 
anything to get worked up about.

      -Marty


-- 
Martin Roesch - Founder/CTO Sourcefire Inc. - (410) 290-1616
Sourcefire: Enterprise-class Intrusion detection built on Snort
roesch@...rcefire.com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ