 |
|
|
I will match those donations up to a total of $500 Please let me know the amount you donate, thanks.
|
FreeRepublic , LLC PO BOX 9771 FRESNO, CA 93794
|
|
|
|
Posted on 10/09/2002 5:54:22 PM PDT by Bush2000
Hackers send Sendmail a message
Online vandals hacked into the primary download server for Sendmail.org and replaced key software with a Trojan horse, a Sendmail development team member said Wednesday. The apparent attack on Sendmail didn't leave a back door in the popular open-source e-mail software package, as previously believed, but compromised the download software on the Sendmail consortium's primary server so that every tenth request for source code would receive a modified copy in reply.
"The exploited code that we see is not in our (development) tree at all," said Eric Allman, chief technology officer of Sendmail Inc., which sells a version of the open-source e-mail server program, and a member of the Sendmail Consortium, the development group for the software. "It seemed to be going to the (Sendmail) host, but it was delivering a corrupted file that wasn't on our server anywhere."
The problem apparently only affects source code for version 8.12.6 of Sendmail downloaded between Sept. 28 and Oct. 6, according to an advisory posted by the Computer Emergency Response Team (CERT) Coordination Center on Tuesday.
While the Sendmail development group is only just starting its forensic analysis of the computer that hosted the files, Allman said that its current theory is that the FTP (file transfer protocol) server had been hacked. If a user tried to download the latest Sendmail source code from the ftp.sendmail.org server, a compromised copy of the code would be sent instead about 10 percent of the time.
"It was a little bizarre that way," said Allman.
If the evidence confirms the theory, the hack would definitely be a strange way to compromise a downloadable file, said Marc Maiffret, chief hacking officer for security software firm eEye Digital Security.
"I'm not sure why they would want to do that," he said.
A Trojan horse--like the instrument that led to the downfall of the city of Troy--is a program that appears to be a legitimate piece of software but in fact has unwanted functions that allow a company or hacker to access the victim's computer.
The FTP server compromised by this attack apparently provided people who requested downloads not with the Sendmail source file, but with a Trojan-horse copy. This copy included a non-Sendmail test component that, when compiled, started a program that opens a covert channel to another server on the Internet. That server has since been configured to block the covert connection, according to messages posted to the Bugtraq security list.
Taking into account the 1-in-10 ratio, about 200 people may have downloaded the corrupted software over that eight-day period, said Sendmail's Allman. The development group is trying to contact everyone who downloaded the source code.
Both Sendmail and the CERT Coordination Center stressed that any software that is downloaded from the Internet should be verified using common cryptographic tools and the file's signature.
"Anyone that downloaded the code and followed good software practices would have found that this software was bogus," said Marty Linder, team leader for incident handling for CERT Coordination Center.
Linder stressed that, while the open development projects that give open-source its name may seem to invite problems like those of Sendmail, companies working on proprietary software have also run into problems.
In October 2000, Microsoft's source code may have been compromised by a hacker that penetrated the company's network allegedly with the help of a malicious program known as the Qaz Trojan.
"The same thing can happen if an intruder compromises the source tree of a private company," Linder said. "It's just another method for injecting badness into software."
|
|
|
|
I will match those donations up to a total of $500 Please let me know the amount you donate, thanks.
|
FreeRepublic , LLC PO BOX 9771 FRESNO, CA 93794
|
|
|
|
Sure. There's plenty of "news" about Microsoft that you never post.
BTW: Did you know MS is now making their windows source code available under certain guidelines? I don't believe you can modify it, but if you like you can review it for security issues (I think).
uh, what are you in 3rd grade? What kind of point/flame is that? I don't like Bill Clinton, but I don't think I've posted any articles about him--good or bad. In order to dislike him on FR and be relevant, do I need to post an equal number of good/bad posts about Bill Clintoon? It's a good thing you're not running this site--it would have been gone years ago.
Charter is now down 16.7%, with no end in sight. And that federal grand jury is still investigating Paul Allen's accounting shenanigans.
And what's got stuck in your butt? I'm just pointing out that B2K's definition of "news" is relative. I guess that's so obvious that it didn't really need to be said, huh?
This is not news. Not any more than this is. The holes have been patched.
As far as Free Republic being about News and Commentary the main page does not agree with that. This place is about conservatism. Trashing what you don't like over and over is not news. And this post, like many of your others, has nothing to do with conservatism.
Jim says this place is for fun. In one Freepmail to me you said "Dude, don't you realize I'm trolling you... ;-p" (From Bush2000 | 2002-09-19 09:08:55). In another, you said "I simply enjoy watching you guys squirm." (From Bush2000 | 2002-09-19 09:19:19). You see using this forum for your strange desire to "bait" people as fun. I don't and that's why I started posting back to you.
As far as Dominic Harr, I sent him this recently.
I like technology. Technology has been very very good to me. You, Dominic and others are obviously interested in technology too. If you just have to post technology items how about doing so such that the information is helpful. Post something positive about what Microsoft has done lately. And maybe not spit at technology you have some problem with. Or spit at other Freepers that don't share your rabid views. Speaking in terms of "shoving faces" is childish. Especially when you are in no position to shove anyone's face anywhere anyhow.
Yes, it didn't need to be said. Everyone's "news" is relative. Just like when Dominic Harr posts something, I can bet it won't be pro-MS, but it is probably "news".
Can't find a lot about this. googles news has 3 references to "hacker sendmail". And two of them are several days old.
As others have pointed out to you on this thread, many people like reading about technical issues that affect them. That you don't find them interesting or useful is irrelevant. If you don't like reading them, don't! And don't respond! I could care less whether you do
You have indicated to me that your goal in posting this stuff is not for purposes of educating anyone on technology, it's to start conflicts here. Since that's the case your posts are hardly balanced and intended to 'educate" and should be taken with a large grain of salt.
Well, in every holy war, there are at least two combatants. I'm one of them. And I don't care whether it hurts your feewings.
LOL! LARGE GRAIN OF SALT! Holy war? This is devine to you? Then why haven't you just said so up until now? Now THAT comment finally explains what's in your head. And you don't hurt my feelings. I'm not the one slobering about Microsoft all over myself. But gee. You think this guy is a god?
You want to censor the discussion to "safe" topics. No way.
That was a question. I can't censor anything B2K. And it's obvious you can't either. Thank G-d, er, Bill Gates?
Thanks for finally responding with some indication of why you keep posting like you do. I'll not ask again since I am conservative and I feel you should be able to presue you religion freely as long as you are peaceful.
Gatesism? Gatesianity? Gateslam?
Don't worry about that. I speak the linga franca of UNIX, "C". That's why open source makes sense to me. Anyways, most of the "stuff" I use is hard core, been here forever, UNIX software anyways -- tons of docs and online info. I like the tried and true. About the only thing I use off the beaten path is Postfix. It is hands down, 100% better than Sendmail -- which has had a history of hacks that boggle the mind.
That's what you said. CNET is not "widely reported".
No, you're just frothing at the mouth over any comment which casts aspersions on Linux or open source.
Nope. Not true. I write checks to people that are building things on Linux, MS, and other platforms. Using various tools including .NET.
Hardly. The only god that I worship is Christ.
Good for you. That's my God too. But I didn't use the term holy war. Nor have I compared myself to one of two entities that would be fighting such a war. Would that make you Archangel Bush2000?
So, not "widely reported". Not like the item on Microsoft's problem in the article you post here.
You don't seem to like viewpoints which differ from your own...
Total BS.
Perhaps you don't understand some rather simple concepts.
I understand what the "holy war" means in contemporary terms. It's war declared or fought for a religious or high moral purpose. Usually nation against nation. But comparing "holy war" to Microsoft and Open Source is silly at best. If you are serious you are indeed very troubled.
Still not a lot out there. At least not in big red headlines. Sorry. Do you post things similiar to what you poster here on Slashdot? Little harder room to work there.
Your statement was total BS. Still is. I'm not a big Linux cheerleader or Microsoft basher.
I see the terms metaphor and allegory are totally lost on you.
Nope. I understand. Based upon the number of your posts here about the same thing over and over I just don't think it's metaphor or allegory to you. But if all this time you have not been serious and have been pulling legs please set me straight.
The market has closed, and I'm up 9.6%. Nice rally.
Paul Allen's Charter is down -17.7%, closing at 79 cents per share and bleeding red.
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.
