[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20040507221449.GG32133@positivism.org>
From: seth at tautology.org (Seth Alan Woolley)
Subject: KDE was hacked
Anybody using a CVS build of KDE is taking an inherent risk for such
things as this. Anybody using an official release would of course have
a plethora of people reviewing each commit. It only took them 1.5 hours
according to the Russian article to spot the code comments. I'd say the
KDE team passed with flying colors.
I'm sure somebody else will pipe in and say, "But what if it were not
caught?" I believe "free/open source" software has less of a risk than
proprietary codebases for this type of intrusion, but it's a valid
question. The only way to answer it is of course with an independent
code audit to both free and proprietary code bases to see if such things
occur with frequency. These audits have been happening from the random
person to the serious, systematic audit against open codebases for some
time, and they didn't appear to find much. Has anybody else heard of
successful hacks such as this (such as a long-standing but discovered
backdoor in an open project)?
Seth
On Fri, May 07, 2004 at 10:48:06PM +0400, Alexander wrote:
> 2004/05/03 13:50:28 KDE was hacked by Russian hacker
>
> More information (In Russian)
>
> http://www.securitylab.ru/45100.html
>
>
> Diff for /kdenetwork/kppp/connect.cpp between version 1.175 and 1.176:
>
> http://webcvs.kde.org/cgi-bin/cvsweb.cgi/kdenetwork/kppp/connect.cpp.diff?r1
> =1.175&r2=1.176&f=h
>
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
--
Seth Alan Woolley [seth at positivism.org], SPAM/UCE is unauthorized
Key id EF10E21A = 36AD 8A92 8499 8439 E6A8 3724 D437 AF5D EF10 E21A
http://smgl.positivism.org:11371/pks/lookup?op=get&search=0xEF10E21A
Security Team Leader Source Mage GNU/Linux http://www.sourcemage.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20040507/e0c91335/attachment.bin
Powered by blists - more mailing lists