> I guess now that we have this incident validated as positively true from the main Snort/SourceFire IT person, it lends a lot of credibility to the Snort/SourceFire "backdoor" rumor.

Hmmm. So, "guess" + "validated" + "positively true" (vs "mostly true") == "credible" ???

> There have been lots of rumors on IRC that a few months ago, some of the PHC guys were able to compromise the snort CVS tree. Instead of creating a traditional backdoor in Snort/SourceFire (simply opening a rootshell on a specific port) they changed a lot of the code to introduce buffer overflows that didn't exist previously, and could be exploited at a later point in time. They changed a lot of the code to include strcpys where there were strncpys and such. This is a lot less noticeable than PHC's other open source security project trojan code inserts, such as the libpcap, dsniff, and sendmail compromises.

Given the fact that you heard the rumors of massive injections of strcpy() into the main Snort CVS repository on an IRC channel and not published to the community at large, what other sources do you cite in order to arrive at your decision that this is a "credible" incident??

> Brian Caswell has said that Sourcefire did a major code audit after discovering this compromise, which I think is very cool of them. Code audits can be very expensive, and I'm sure SourceFire footed the bill.

Code audit after a system compromise; a prudent and effective way of maintaining code integrity.

> But, the question remains, how long were all of us exposed?

Exposed?? You still haven't demonstrated that the "rumors" you heard were, in fact, more than just rumors.

> And, why did we learn of all this from blackhats releasing a fake phrack, rather than from Snort/SourceFire?

Again, what did we supposedly learn from some bh's releasing a fake phrack? I believe they've succeeded in demonstrating how quickly some people claiming to be "in the IDS discipline" can be made to jump to conclusions at the drop of a few "catch phrases" or half-truths.

> I find it highly disturbing that this is how the whole incident unfolded, as many Snort team members have ragged on the industry practice of hiding major security incidents in the past. Don't we Snort users have the right to know if our code has been trojaned and Snort/Sourcefire compromised?

Yes, you do.

That's why you download it in source code format, and not in pre-compiled binaries such as those released by other companies "in the industry". IDS is only the leading-edge (topologically speaking) technical representation of a company's policy/process structure. As has been said repeatedly, where you go from there is up to you.

> Maybe not, but the paying customers of SourceFire for sure do.
>
> Joey

Gee, it must suck to be the target of a social engineering hack, eh ???

-- 
--Rick[at]Verticept
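The thread above describes a subtle form of source tampering: swapping bounded copies (strncpy, snprintf) for their unbounded counterparts so that an overflow appears without any obvious backdoor. Whether or not the rumor was true, that is exactly the kind of change a repository audit should flag. The checker below is an added example, not code from this thread or from the Snort project: it walks a unified diff and reports every hunk in which a removed line used a bounded call and the replacing line uses the unbounded form. The diff text, the file name `src/decode.c` and the line numbers are constructed for illustration.

```python
import re
from typing import List, Tuple

# Bounded call -> the unbounded counterpart whose introduction weakens the copy.
WEAKENING_PAIRS = {
    "strncpy": "strcpy",
    "strncat": "strcat",
    "snprintf": "sprintf",
}

# Tokenised match so "strncpy" is never mistaken for "strcpy" by substring search.
CALL_RE = re.compile(r"\b(strncpy|strncat|snprintf|strcpy|strcat|sprintf)\s*\(")

HUNK_RE = re.compile(r"@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


def find_weakened_copies(diff_text: str) -> List[Tuple[str, int, str, str]]:
    """Scan a unified diff and return (file, new_line_no, bounded, unbounded)
    for every added line that replaces a bounded call with its unbounded form."""
    findings: List[Tuple[str, int, str, str]] = []
    current_file = None
    new_line = 0            # line number in the post-change file
    removed: List[str] = []  # '-' lines pending comparison with following '+' lines

    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            current_file = raw[4:].split("\t")[0]
            if current_file.startswith("b/"):
                current_file = current_file[2:]
            continue
        if raw.startswith("--- ") or raw.startswith("\\"):
            continue  # old-file header, or "\ No newline at end of file"
        m = HUNK_RE.match(raw)
        if m:
            new_line = int(m.group(1))
            removed = []
            continue
        if raw.startswith("-"):
            removed.append(raw[1:])
            continue
        if raw.startswith("+"):
            added_calls = set(CALL_RE.findall(raw[1:]))
            for old in removed:
                old_calls = set(CALL_RE.findall(old))
                for bounded, unbounded in WEAKENING_PAIRS.items():
                    if bounded in old_calls and unbounded in added_calls:
                        findings.append((current_file, new_line, bounded, unbounded))
            new_line += 1
            continue
        # Context line: the removed/added group is over, so drop pending removals.
        removed = []
        new_line += 1
    return findings


# Constructed sample diff: one hunk weakens a copy, the other is a harmless string edit.
SAMPLE_DIFF = """\
diff --git a/src/decode.c b/src/decode.c
--- a/src/decode.c
+++ b/src/decode.c
@@ -40,6 +40,5 @@ static void copy_name(char *dst, const char *src)
 {
     /* dst is a fixed 64-byte buffer */
-    strncpy(dst, src, 63);
-    dst[63] = '\\0';
+    strcpy(dst, src);
     return;
 }
@@ -90,3 +90,3 @@ static void log_it(char *buf, const char *msg)
 {
-    snprintf(buf, 256, "msg=%s", msg);
+    snprintf(buf, 256, "message=%s", msg);
 }
"""

if __name__ == "__main__":
    for path, line, bounded, unbounded in find_weakened_copies(SAMPLE_DIFF):
        print(f"{path}:{line}: {bounded}() replaced by {unbounded}()")
```

Run against the constructed diff it reports only the first hunk (`src/decode.c:42: strncpy() replaced by strcpy()`); the snprintf-to-snprintf edit in the second hunk is left alone. In practice you would feed it `cvs diff -u` or `git diff` output between a trusted release tag and the current tree, and treat any hit as something a human must justify in review.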
