Open Source and information security mailing list archives
Message-ID: <3F7D8908.109@onryou.com>
From: lists at onryou.com (Cael Abal)
Subject: EarthStation 5 P2P application contains malicious code

> Conclusion
> ----------
> The people behind ES5 have intentionally added malicious code to ES5. If
> you have followed the ES5 discussions on message boards and read what the
> ES5 people have said and done (eg. DoS attacking BitTorrent sites), this
> comes as no surprise. The question then is "why did they do it?" I'm sure
> they won't tell us, but here's a theory: They could be working for the
> RIAA, MPAA, or a similar organization. Once they have enough users on their
> ES5 network, they would start deleting all copyrighted files they own which
> their users are sharing. The users wouldn't know what hit them.

Hi nut,

Excellent job finding and documenting this feature.  As for the 
developers' motivations, though, I don't think it's necessary to point 
at collusion with the RIAA/MPAA.

In all honesty, I'm surprised we haven't seen *more* backdoors of this 
type in various popular closed-source, network-aware apps.  I don't 
condone it, but I understand the mentality:  "Our network, our rules." 
Really, all it takes is one rogue developer, coupled with insufficient 
code review.

What does surprise me is that you report only delete functionality and 
not read/write.  If I were going to the trouble to implement naughty 
features into an app like ES5, that'd be my priority.

All this does is reinforce the value of independent code auditing 
(insert various pro-open-source comments here).

take care,

C
