Anybody using a CVS build of KDE is taking an inherent risk for such things as this. Anybody using an official release would of course have a plethora of people reviewing each commit. It only took them 1.5 hours according to the Russian article to spot the code comments. I'd say the KDE team passed with flying colors. I'm sure somebody else will pipe in and say, "But what if it were not caught?" I believe "free/open source" software has less of a risk than proprietary codebases for this type of intrusion, but it's a valid question. The only way to answer it is of course with an independent code audit to both free and proprietary code bases to see if such things occur with frequency. These audits have been happening from the random person to the serious, systematic audit against open codebases for some time, and they didn't appear to find much. Has anybody else heard of successful hacks such as this (such as a long-standing but discovered backdoor in an open project)? Seth On Fri, May 07, 2004 at 10:48:06PM +0400, Alexander wrote: > 2004/05/03 13:50:28 KDE was hacked by Russian hacker > > More information (In Russian) > > http://www.securitylab.ru/45100.html > > > Diff for /kdenetwork/kppp/connect.cpp between version 1.175 and 1.176: > > http://webcvs.kde.org/cgi-bin/cvsweb.cgi/kdenetwork/kppp/connect.cpp.diff?r1 > =1.175&r2=1.176&f=h > > > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.netsys.com/full-disclosure-charter.html -- Seth Alan Woolley [seth at positivism.org], SPAM/UCE is unauthorized Key id EF10E21A = 36AD 8A92 8499 8439 E6A8 3724 D437 AF5D EF10 E21A http://smgl.positivism.org:11371/pks/lookup?op=get&search=0xEF10E21A Security Team Leader Source Mage GNU/Linux http://www.sourcemage.org
Attachment:
pgp00028.pgp
Description: PGP signature