An unknown intruder attempted to insert a Trojan horse program into the code of the next version of the Linux kernel stored at a publicly accessible database.
Security features of the source-code repository, known as BitKeeper, detected the illicit change within 24 hours, and the public database was shut down, a key developer said Thursday. The public database was used only to provide the latest beta, or test version, of the Linux kernel to users of the Concurrent Versions System (CVS), a program designed to manage source code.
The changes, which would have introduced a security flaw to the kernel, never became a part of the Linux code and, thus, were never a threat, said Larry McVoy, founder of software company BitMover and primary architect of the source-code database BitKeeper.
"This never got close to the development tree," he said. "BitKeeper is really paranoid about integrity, and it turns out that was key to finding this Trojan horse."
Linus Torvalds, the original creator of Linux and the lead developer of the kernel, uses BitKeeper to keep track of changes in the core software for the operating system. On a daily basis, the software exports those changes to public and private databases used by other developers.
One server apparently had been compromised earlier by an intruder, and the attacker used that access to make a small change to one of the source-code files, Mr. McVoy said. The change created a flaw that could have elevated a person's privileges on any Linux machine running a kernel compiled from the modified source code. However, only developers who used that database were affected, and only during a 24-hour period, he added.
"The first thing we did was fix the difference," he said. "It took me five minutes to find the change."
When BitKeeper exports the source code to other servers, it checks the integrity of every file, matching a digital fingerprint of its official version of the file with the version on the remote machine. That comparison caught the change to the code stored on the server.
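The fingerprint comparison described above, as an added illustration that is not BitKeeper's code (BitKeeper's actual checksum scheme is not described in the article): a trusted tree is fingerprinted with SHA-256, an exported copy is re-fingerprinted, and any file whose digest differs is reported, even when the edit leaves the file size unchanged. The file names and contents are constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path


def fingerprint_tree(root):
    """Return {relative_path: sha256_hex} for every regular file under root.
    This stands in for the per-file 'digital fingerprint' of the official tree."""
    root = Path(root)
    files = sorted(p for p in root.rglob("*") if p.is_file())
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in files}


def verify_export(manifest, export_root):
    """Compare an exported tree against the trusted manifest.
    Returns sorted lists of files that differ, are missing, or were not expected."""
    exported = fingerprint_tree(export_root)
    return {
        "modified": sorted(p for p in manifest if p in exported and exported[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in exported),
        "unexpected": sorted(p for p in exported if p not in manifest),
    }


def _write(root, rel, text):
    path = Path(root) / rel
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(text)


def demo():
    """Constructed scenario (hypothetical file names, no real kernel code):
    the export matches the trusted tree except for a one-character edit that
    keeps the file's size and line count identical, so only a content hash catches it."""
    clean = "#define MAX_RETRIES 3\nint retries(void) { return MAX_RETRIES; }\n"
    makefile = "all:\n\t$(CC) -c drivers/example.c\n"
    with tempfile.TemporaryDirectory() as trusted, tempfile.TemporaryDirectory() as export:
        _write(trusted, "drivers/example.c", clean)
        _write(trusted, "Makefile", makefile)
        _write(export, "drivers/example.c", clean.replace("MAX_RETRIES 3", "MAX_RETRIES 8"))
        _write(export, "Makefile", makefile)
        return verify_export(fingerprint_tree(trusted), export)


if __name__ == "__main__":
    print(demo())
```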
The changes looked like they were made by another developer, but that programmer said he hadn't submitted them, Mr. McVoy said.
The recent incident raises questions about the security of open-source development methods, particularly how well a development team can guarantee that any changes are not introducing intentional security flaws. While Microsoft code has had similar problems — the most notable are so-called "Easter Eggs" such as the flight simulator included in earlier versions of Excel — closed development is widely considered to be harder to exploit in that way.
Linus Torvalds addressed the issue in a post to the Linux kernel mailing list.
"A few things do make the current system fairly secure," he stated. "One of them is that if somebody were to actually access the (BitKeeper) trees (software repositories) directly, that would be noticed immediately."
A critical security flaw was found in CVS in January, but it's unknown whether the attacker used the vulnerability to gain access to the CVS database.
BitKeeper's McVoy hopes the current incident will quash objections raised by some members of the development community who don't want to add a new feature that would require all changes to be digitally signed.
Even so, he said, the open-source development model likely would have quickly turned up any security flaws.
"A Trojan horse is just a bug that a person has put into the system deliberately," he said. "The open-source security model is that everyone is using this stuff, so bugs get found and get fixed. That's one of the reasons that you are not hearing me freak out about this."
Mr. McVoy said that the disk from the compromised server has been saved for later analysis, but any decision to contact law enforcement belongs to Mr. Torvalds and others.
Mr. Torvalds could not be immediately reached for comment.
Attack on Linux foiled