Slashdot Mirror


BitchX 1.0c19 IRC Client Backdoored

JRAC writes "A recent Bugtraq submission has indicated that the popular IRC client, BitchX, contains a backdoor. So far, only certain 1.0c19 files, downloaded from ftp.bitchx.com are reported to contain the malicious code. The BitchX developers have been notified, so hopefully a fix will be issued soon. Looks like irssi wasn't the only one ;)"

2 of 305 comments

  1. Re:Who's this? by Basje · · Score: 0, Troll

    However, the owners of the box are still responsible for the lack of security that allowed their box to be compromised.

    I disagree. That would be equivalent to saying you are responsible for your house being burgled. Not having (adequate) security makes one a likely target. It does not, however, make you responsible.

    They are, of course, responsible for anything they do. Giving out backdoored software might get them in trouble, if they actively sent the software to people. If people downloaded it, they may be liable. However, not many countries have as "modern" laws as the USofA; I do not think that is a problem in Poland.

    --
    the pun is mightier than the sword
  2. Re:Who's this? by pacman+on+prozac · · Score: 1, Troll

    "However, the owners of the box are still responsible for the lack of security that allowed their box to be compromised."

    I've now heard this too many times. It's simply wrong. Their reasons for putting a system online that is not totally secure are irrelevant. Blame the person who broke in, not the person who owns/runs the computer.

    As an example, how many servers were (and still are) running vulnerable versions of Apache? Should all those admins be held responsible if someone broke into their system and abused it? How about if those same systems were broken into before that vulnerability was disclosed? Where do you draw the line? I suggest drawing it by putting the responsibility firmly on the shoulders of the perpetrator of the crime rather than the victims.