lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20040507221449.GG32133@positivism.org>
From: seth at tautology.org (Seth Alan Woolley)
Subject: KDE was  hacked

Anybody using a CVS build of KDE is taking an inherent risk for such
things as this.  Anybody using an official release would of course have
a plethora of people reviewing each commit.  It only took them 1.5 hours
according to the Russian article to spot the code comments.  I'd say the
KDE team passed with flying colors.

I'm sure somebody else will pipe in and say, "But what if it were not
caught?"  I believe "free/open source" software has less of a risk than
proprietary codebases for this type of intrusion, but it's a valid
question.  The only way to answer it is of course with an independent
code audit to both free and proprietary code bases to see if such things
occur with frequency.  These audits have been happening from the random
person to the serious, systematic audit against open codebases for some
time, and they didn't appear to find much.  Has anybody else heard of
successful hacks such as this (such as a long-standing but discovered
backdoor in an open project)?

Seth

On Fri, May 07, 2004 at 10:48:06PM +0400, Alexander wrote:
> 2004/05/03 13:50:28 KDE was hacked by Russian hacker
> 
> More information (In Russian)
>  
> http://www.securitylab.ru/45100.html
> 
> 
> Diff for /kdenetwork/kppp/connect.cpp between version 1.175 and 1.176:
> 
> http://webcvs.kde.org/cgi-bin/cvsweb.cgi/kdenetwork/kppp/connect.cpp.diff?r1
> =1.175&r2=1.176&f=h
> 
> 
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html

-- 
Seth Alan Woolley [seth at positivism.org], SPAM/UCE is unauthorized
Key id EF10E21A = 36AD 8A92 8499 8439 E6A8  3724 D437 AF5D EF10 E21A
http://smgl.positivism.org:11371/pks/lookup?op=get&search=0xEF10E21A
Security Team Leader Source Mage GNU/Linux http://www.sourcemage.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20040507/e0c91335/attachment.bin

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ