Re: Left off the ballot?

From: charlie strauss <cems_at_earthlink_dot_net>
Date: Wed Apr 14 2004 - 10:22:04 CDT

Yes, I recall the Linux incident. It was a subtle conversion of the boolean setuid == 0 to setuid = 0. Hard to spot and even cloakable from a stringent compiler if done properly.

The reason this was noted at all was that the bitkeeper software that maintained the source tree flagged a change not having been made by an authorized agent.

Something to keep in mind for later perhaps: once OVC gets real funding, the source tree should be checked into a distributed system that keeps a secure audit log on a locked-down, single-purpose remote server different from the source. A pro-system like bitkeeper should be considered.

-----Original Message-----
From: "Douglas W. Jones" <jones_at_cs_dot_uiowa_dot_edu>
Sent: Apr 14, 2004 8:09 AM
Subject: Re: Left off the ballot?

On Apr 14, 2004, at 9:41 AM, Alan Dechert wrote:

>> Ah, nice to see the criminal mind at work.
> The trick will be to put this in open source in such a way that no one will
> catch it.

I'm certain that almost anything can be hidden in a moderate to large
program in such a way that it won't be easily noticed. Furthermore,
open source software doesn't guarantee that anyone will read it, and it
may take several readers before someone notices the Trojan. Consider
the backdoor someone tried to insert in Linux where the first few
readers only saw an unnecessary check on an obvious boolean, and it
was only later that someone noticed that one of the comparisons was done
with a single = instead of two ==, so it was really an assignment,
and this assignment happened to set the effective user ID to root!
This came within a hairsbreadth of getting into Linux.

                Doug Jones
= The content of this message, with the exception of any external
= quotations under fair use, are released to the Public Domain
Received on Fri Apr 30 23:17:05 2004
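
The single-character change discussed in this thread, sketched as an added example (not code from the posts or from the Linux tree); `struct task`, `OPT_A`, `OPT_B`, `ERR_INVAL` and the function names are hypothetical stand-ins. It shows why the altered check looks like a redundant test yet changes state, and adds a minimal review aid that flags a bare `=` inside a condition.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-ins, not kernel code: a mock task and two option flags. */
struct task { int euid; };
#define OPT_A 0x1
#define OPT_B 0x2
#define ERR_INVAL (-22)

/* Intended form: a pure comparison with no side effects. */
int check_compare(struct task *t, int options)
{
    if ((options == (OPT_A | OPT_B)) && (t->euid == 0))
        return ERR_INVAL;
    return 0;
}

/* Altered form: one '=' dropped. The parentheses around the assignment keep
 * gcc/clang -Wparentheses quiet. The assignment evaluates to 0, so the branch
 * is never taken and the return value is unchanged; the only effect is that
 * euid becomes 0 when the rare option combination is passed. */
int check_assign(struct task *t, int options)
{
    if ((options == (OPT_A | OPT_B)) && (t->euid = 0))
        return ERR_INVAL;
    return 0;
}

/* Review aid: count '=' in a condition that are assignments, i.e. not part of
 * ==, !=, <=, >=. Deliberately simple: ignores strings, comments and <<=. */
int lone_assignments(const char *cond)
{
    int n = 0;
    size_t len = strlen(cond);
    for (size_t i = 0; i < len; i++) {
        if (cond[i] != '=')
            continue;
        if (cond[i + 1] == '=') { i++; continue; }            /* "==" */
        if (i > 0 && strchr("!<>", cond[i - 1])) continue;    /* "!=", "<=", ">=" */
        n++;
    }
    return n;
}

int main(void)
{
    struct task t = { 1000 };   /* constructed sample: unprivileged caller */
    int rc = check_assign(&t, OPT_A | OPT_B);
    printf("rc=%d euid=%d\n", rc, t.euid);
    return 0;
}
```

Running a check like `lone_assignments` over the condition text of every changed `if` in a diff gives reviewers a flag that does not depend on compiler warnings.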
