Re: KDE was hacked

[Seth Alan Woolley <seth () tautology org>]

Anybody using a CVS build of KDE is taking an inherent risk for such
things as this.  Anybody using an official release would of course have
a plethora of people reviewing each commit.  It only took them 1.5 hours
according to the Russian article to spot the code comments.  I'd say the
KDE team passed with flying colors.

I'm sure somebody else will pipe in and say, "But what if it were not
caught?"  I believe "free/open source" software has less of a risk than
proprietary codebases for this type of intrusion, but it's a valid
question.  The only way to answer it is of course with an independent
code audit to both free and proprietary code bases to see if such things
occur with frequency.  These audits have been happening from the random
person to the serious, systematic audit against open codebases for some
time, and they didn't appear to find much.  Has anybody else heard of
successful hacks such as this (such as a long-standing but discovered
backdoor in an open project)?

Seth

On Fri, May 07, 2004 at 10:48:06PM +0400, Alexander wrote:
> 2004/05/03 13:50:28 KDE was hacked by Russian hacker
>
> More information (In Russian)
>  
> http://www.securitylab.ru/45100.html
>
>
> Diff for /kdenetwork/kppp/connect.cpp between version 1.175 and 1.176:
>
> http://webcvs.kde.org/cgi-bin/cvsweb.cgi/kdenetwork/kppp/connect.cpp.diff?r1
> =1.175&r2=1.176&f=h
>
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html

-- 
Seth Alan Woolley [seth at positivism.org], SPAM/UCE is unauthorized
Key id EF10E21A = 36AD 8A92 8499 8439 E6A8  3724 D437 AF5D EF10 E21A
http://smgl.positivism.org:11371/pks/lookup?op=get&search=0xEF10E21A
Security Team Leader Source Mage GNU/Linux http://www.sourcemage.org

Attachment: _bin
Description: