Slashdot Mirror


OpenSSH Package Trojaned

cperciva writes "The original story is here. And more details are available from the guy's weblog here." Here's a mirror of that email message. Another reader writes, "Not really a trojan because all it does is make a connection to 203.62.158.32:6667." Still another writes "The tarball of the portable OpenSSH on ftp.openbsd.org is trojaned. The backdoor is only used during build - generated binaries are fine." There isn't much authoritative information available, but this appears legitimate - please be careful if you're updating any of your machines with code from ftp.openbsd.org, and we'll update this story with more links as information is available. Update: 08/01 19:13 GMT by M : OpenSSH now has an advisory.

12 of 566 comments

  1. Oh my!!! by Anonymous Coward · · Score: -1, Troll

    Windows software doesn't have problems like this!

    Wake up, Bill won the game.

    Losers!

  2. what's up with OpenBSD? by tps12 · · Score: 0, Troll

    I don't mean to be making a "*BSD is Dying" post, but what's the deal? This is the second problem with OpenSSH in a few months, and OpenSSL was exploited just a few days ago.

    Is OpenBSD in trouble? More importantly, what are security-conscious people switching to, now that OpenBSD is no longer the fortress it once was?

    --

    Karma: Good (despite my invention of the Karma: sig)
  3. Re:Irony by Anonymous Coward · · Score: -1, Troll

    Oh shut up, it's more secure than any amusement-inspiring shit you run.

  4. Re:How to stop this happening again? by yatest5 · · Score: 0, Troll

    Has anyone else thought about ways to solve this problem?

    Buy software produced by professionals?

    --
    • Mod parent up! [a] by Anonymous Coward (Score:5) Thurs, June 31, @13:37
  5. Re:How many people do check the MD5 checksum? by Anonymous Coward · · Score: -1, Troll

    I don't know what OS you are talking about.
    Wow! I guess that means you're a fucking idiot.

  6. MD5 is dying by Anonymous Coward · · Score: -1, Troll

    It is official; Netcraft confirms: MD5 is dying

    One more crippling bombshell hit the already beleaguered MD5 community when IDC confirmed that MD5 market share has dropped yet again, now down to less than a fraction of 1 percent of all servers. Coming on the heels of a recent Netcraft survey which plainly states that MD5 has lost more market share, this news serves to reinforce what we've known all along. MD5 is collapsing in complete disarray, as fittingly exemplified by failing dead last in the recent Sys Admin comprehensive networking test.

    and so forth...

  7. No way, openBSD is Dying! by Anonymous Coward · · Score: -1, Troll
    Netcraft confirms: *BSD is dying

    Yet another crippling bombshell hit the beleaguered *BSD community when recently IDC confirmed that *BSD accounts for less than a fraction of 1 percent of all servers. Coming on the heels of the latest Netcraft survey which plainly states that *BSD has lost more market share, this news serves to reinforce what we've known all along. *BSD is collapsing in complete disarray, as further exemplified by failing dead last [samag.com] in the recent Sys Admin comprehensive networking test.

    You don't need to be a Kreskin [amdest.com] to predict *BSD's future. The handwriting is on the wall: *BSD faces a bleak future. In fact there won't be any future at all for *BSD because *BSD is dying. Things are looking very bad for *BSD. As many of us are already aware, *BSD continues to lose market share. Red ink flows like a river of blood. FreeBSD is the most endangered of them all, having lost 93% of its core developers.

    Let's keep to the facts and look at the numbers.

    OpenBSD leader Theo states that there are 7000 users of OpenBSD. How many users of NetBSD are there? Let's see. The number of OpenBSD versus NetBSD posts on Usenet is roughly in ratio of 5 to 1. Therefore there are about 7000/5 = 1400 NetBSD users. BSD/OS posts on Usenet are about half of the volume of NetBSD posts. Therefore there are about 700 users of BSD/OS. A recent article put FreeBSD at about 80 percent of the *BSD market. Therefore there are (7000+1400+700)*4 = 36400 FreeBSD users. This is consistent with the number of FreeBSD Usenet posts.

    Due to the troubles of Walnut Creek, abysmal sales and so on, FreeBSD went out of business and was taken over by BSDI who sell another troubled OS. Now BSDI is also dead, its corpse turned over to yet another charnel house.

    All major surveys show that *BSD has steadily declined in market share. *BSD is very sick and its long term survival prospects are very dim. If *BSD is to survive at all it will be among OS hobbyist dabblers. *BSD continues to decay. Nothing short of a miracle could save it at this point in time. For all practical purposes, *BSD is dead.

    Fact: *BSD is dead

  8. This was not our fault by Theo+DeRaadt · · Score: -1, Troll
    It appears that a no good hacker managed to hack into one of our CVS systems and place this trojan in the code. This never would have happened if someone in our development group hadn't been irresponsible enough to install NetBSD on that CVS machine. I won't name names right now, because frankly such a mistake is too embarrassing to warrant punishing the negligent person that severely, but I will say that the inherent insecurity of NetBSD got us in trouble (again).

    All I can tell you is, let this be a lesson against using anything other than OpenBSD. At least we bother to look over our source code for security holes. We are still investigating exactly what led to the NetBSD machine being rooted, but we have a fair idea that it had something to do with the USB subsystem in the kernel. This is totally inexcusable. Just another reason to avoid that over-extended, slow, stinking pile of source code that is NetBSD. They oughta at least be grateful to me for finding this security hole for them, after all they've done to screw us over.

    --

    --
    Theo DeRaadt
    Founder, OpenBSD project.
  9. Re:THIS IS NOT THEO by mwalker · · Score: 0, Troll

    If you look at the parent author's posting history, you'll see that he is nothing more than a troll who fools people into thinking that he is Theo. (Incidentally, the name is "Theo de Raadt", not "Theo DeRaadt".)

    Look, this whole FreeBSD/OpenBSD flamewar has gotten out of hand. It's bad enough that you people are blocking each other's email, but let's not go accusing Theo of stealing his own account. Yes, a FreeBSD box was responsible for this security breakdown. Deal with it. There's no reason to go spreading wild accusations like this.
    That's Theo's Slashdot account. Quit being a jerk.

  10. OBSERVATION by applejacks · · Score: 0, Troll

    Slashdot : - : A load of shit monkeys who think they are professional experts because they were able to get a slashdot account and use a string of words with letters longer than 7 characters in a sentence that sounds remotely coherent.
    1. Usually found downloading pornographic material and spending all week downloading upgrades.
    2. Rarely if ever contributes original ideas or projects. See (1); Too busy upgrading.

  11. Here's who the attackers were... by Anonymous Coward · · Score: -1, Troll

    It has been confirmed that the hacker group known as ADM was behind the trojanning of irssi, dsniff, and OpenSSH. You'll notice all trojans are very similar and that the latest contains the switch() cases of 'A', 'D', 'M'.

    The ADM website is at http://ADM.freelsd.net/

    They were responsible for creating the Anti-Security movement, which used to be accessible at http://anti.security.is. That movement promoted non-disclosure and encouraged hackers to send trojans to the security mailing lists and to backdoor distro site packages. You can see their FAQ archived here:

    http://web.archive.org/web/20010702072841/anti.security.is/FAQ.php?faq=official

    And you can see the recommendation to trojan distro site packages by following the link here:

    http://web.archive.org/web/20010802063339/anti.security.is/links.php

    ("protect the bug foundation" was written by an ADM member and details how it is necessary to trojan packages to maintain a state of insecurity.)

    K2, from the Honeynet Project, is a known member of ADM.

    K2 works for CORE Security.

    ADM is a subset of w00w00 Security Development (http://www.w00w00.org/)

    DugSong (dsniff author, OpenBSD developer) is a member of w00w00 Security Development

    DugSong said that his monkey.org machine was compromised by an EPIC client remote vulnerability, but despite protests from other groups, did not disclose any details of this remote vulnerability.

    DugSong did not disclose any details of this vulnerability because he knows it was discovered by ADM, and although he is of reputable character, he did not want to aggravate ADM.

    It's not a conspiracy theory. Anyone spending enough time on IRC and paying close attention can see the truth.

    Running the latest versions of daemons means absolutely nothing when you're dealing with skilled exploit coders who most likely have a stash of unreleased exploits.

    It's really time we stop ignoring the facades created by these so-called whitehat groups like w00w00. Individuals like K2 should stop being branded as security professionals and this criminal activity should be punished, rather than indifferently admired.

    1. Re:Here's who the attackers were... by Anonymous Coward · · Score: -1, Troll

      Hmm, very convincing, given those urls and all. Will prosecutions ensue?