UnrealIRCd Forums

[Syzop]

After receiving many questions of what we are doing with regards to the hack incident, here's my reply:

First, we now PGP/GPG sign releases. Our GPG key is releases@unrealircd.com (0x9FF03937). When downloading UnrealIRCd you will be given instructions on how to verify the integrity of the file.

Second, we're now isolating/shielding the main site from the rest, and making parts unmodifiable, to prevent catastrophes in case of a break-in.

Third, we added several methods of detection when files and other data is modified.

Fourth, we'll only serve the files from the main site for now. While the mirror admins did not have any blame in this, it does mean we only have to protect our own site(s).

And finally we did some other things which I won't mention here.

In short: we've really tightened security since the break-in to make sure this will never ever happen again. As you may understand, we really can't afford a repeat of this incident.

On an unrelated side note, I find the claims in various media that this security incident indicates that Linux and Open Source cannot be trusted and that Microsoft and closed-software is better really silly. It lacks any foundation. A hacker, once in, could just as easily have inserted the backdoor in Windows software. In fact, it is *THANKS* to it being Open Source that this backdoor got noticed, though - I fully agree - much too late.

[katsklaw]

perhaps using 3rd party download sites owned by uninterested parties like tucows, cnet .. etc could be beneficial as well.

[andyl]

It seems to me that there is an important step missing from your countermeasures, namely finding out how this was done and ensuring that exactly the same thing isn't done again.

Presumably it isn't your intent to set things up so that anyone in the world can change the contents of the tar file you put up for downloading. You have some limited set of people who are supposed to have write access to that file. So one of two things happened, EIther

1. The machine on which you put files for downloading as a security hole, and anyone can modify the tar files.

Or

2. One of the people who is authorized to modify the tar files, and as all the appropriate files, is the person who put in the Trojan.

Until you have determined which of these happened, and either fixed the security hole, or found out who the person was, changed all the passwords without informing him, and ensuring that he hasn't left any Trojans on the site so he can get back in, there's nothing to stop him from putting the Trojan right back in. Sure the people who check the PGP signature of everything they download could find out (unless the trojan-inserter has access to the appropriate PGP key, of course), but you know perfectly well that most people don't do that. So it seems to me that the download site should have a prominent warning saying something like

"WARNING! Someone has inserted Trojans into this software before, and there's nothing to stop him from doing so again, and every reason to expect that he will. DO NOT download and use this without checking the PGP signagure and checksums". And the checksums should be placed on some other site, with a much more restrictive access than the download site, with a list of who has access. Otherwise, it seems to me that downloading UnrealIIRCd is trusting a set of people that we *know* includes someone untrustworthy, and it's irresponsible of you to encourage such behavior.

[Stealth]

From my understanding neither of your 2 scenarios is correct.

Also, I do believe that Syzop knows exactly how this was done, but chooses to not release such information about the security infrastructure of our systems. Such non-disclosure is common, and because we're open-source doesn't mean we must release details of how it happened, just the details of the vulnerability discovered in the provided software.


EDIT:
Just so you understand how narrow your scope of view is, you're missing the idea that a 3rd party could have somehow got the login credentials for our mirrors and done anything they wanted. It does not necessarily need be the individual who is authorized to use said credentials.

[andyl]

Nothing says you must release details of how it was done, But just as I trust open source software more than I trust closed source, I'd have greater trust that the security hole was patched if you said "this was the security hole, and this is what we've done to patch it". And for the same reason; the more people that are able to look at the security patch, the more confident I am that it was fixed correctly. Keeping the problem secret makes me worry that it wasn't actually patched, and that you're relying on "security through obscurity", which is not good practice.

[nate]

Syzop is not incompetent, he's fixed the issue that much you can be sure of I'm fairly certain.

By not telling anyone exactly what it was it keeps others from trying to be stupid and go through the same vector other ways if anything.

[katsklaw]

Actually obscurity as a layer of added security is in nearly everything you are involved with on a daily basis and not just online either. I'd love to hear how you can attack/hack something you don't even know exists. Do you know exactly what information is in your DMV record, or just what they tell you? What about your credit card? Are you positive you know everything that is stored on the magstrip on the back? Have you memorized every line of code in your email client? what about every server your email passes through? What OS does your bank use to store your bank account data? I bet you don't know, and because of that, there isn't much of a chance of you exploiting anything until you do know. Security through obscurity (as long as it's not the only security) is actually a very good practice and it's often free. That's just basic common sense. The very fact that you *don't* know the details and are here complaining about it proves my point.

Second, no one ever said that obscurity is the ONLY layer of security being relied upon and to assume that is all the only layer is simple ignorance. Unfortunately for you, it's the only layer not being disclosed to you.

Third, anyone that has been on the internet for more than a week knows they shouldn't download software from untrusted/unknown sources. So if you currently do not trust the download site, then simply do not use it. Check the source code yourself, line by line to see if there are any trojans.

Forth, it doesn't take rocket science to use PGP/GPG, just ask my 95 year old grandfather. He uses it all the time. Failing to protect yourself is YOUR fault, not everyone elses. It's not possible for any site to predict every possible scenario. If you or anyone else was overly concerned about the security of any release from day 1 of Unreal's existence I'm sure at the very least an md5 checksum was available for the asking. The sudden concern now is simply a backlash of paranoia.

Lastly, it is the choice of the Unreal Team as to what they wish to disclose, and you have no right to demand disclosure.

** Disclaimer **
All views and comment in this post are solely the opinion of myself and may not reflect the opinions or views of the Unreal Team.

[andyl]

It seems to me that to be useful, you need to satisfy two security goals:

1. You need to have a secure system, so people can't hack in and insert Trojans into your software.

2. You need to provide enough evidence to prospective users of your software that 1 is true that they feel secure using your software.

If you don't accomplish 1, you end up with software with Trojans in it, and that's bad. That's what happened in the past.

If you don't accomplish 2, no-one will use your software, and that's bad too. That's what's in danger of happening in the future.

I have no "right" to "demand" that you describe your security measures. But clearly you think it's a good idea to describe them to some degree, or you wouldn't have started this thread.

I'm not saying "I demand you describe your security measures". I'm saying 'The statement 'we have introduced new sooper sekrit security measures, which we know are enough to render things secure, so you don't need to worry about security any more; just Trust Us that things will be perfectly secure from now on' does not inspire my trust." You've proven yourself incompetent in matters of security in the recent past, so I *don't* trust you to be competent in matters of security.

I think that anyone who downloads and uses your software today is being foolish, and taking unwonted security risks, and that I will continue to believe this until you publicize more details of what you have done to render your formerly insecure system more secure.

And to pick one at random from your "rah rah security through obscurity! Obscurity is great, and everyone uses it" rant. I don't know what OS my bank uses, and you're almost certainly right that they won't tell me if I ask. But I'd be willing to bet they use some form of Windows. And if a bank instead of using security through obscurity said "We've decided that Windows presents insurmountable security risks, so we've switched everything over to Linux", I think that this bank would be more secure, not less, and I would move my money over to them for that reason.

[nate]

You can believe that as much as you wish, but there have been people who thought people who downloaded unreal were foolish just for the hell of it in the past, you're not gonna really make any difference with your opinion, lol.

Statistically speaking, there's a very good chance you yourself are using a software that likely had a security issue at some time that 1) You didn't even know about at all period that they never published about, 2) Was fixed without the actual details of how it happened. So while you think Unreal people are foolish for still downloading it because they won't say exactly how it happened, you yourself are probably foolish for the exact same situation on another software at some point, lol.

[Syzop]

I have no "right" to "demand" that you describe your security measures.

Correct.

But clearly you think it's a good idea to describe them to some degree, or you wouldn't have started this thread.

Indeed, 'describe them to some degree', which is exactly what we did.

I'm not saying "I demand you describe your security measures".

Strange, it looks like that.

I'm saying 'The statement 'we have introduced new sooper sekrit security measures, which we know are enough to render things secure, so you don't need to worry about security any more; just Trust Us that things will be perfectly secure from now on' does not inspire my trust."

Good. Fortunately we never said that.

We never say 'not to worry about security any more' after downloading our software. In fact we have an entire section in the documentation dedicated to Security.

Also, I fail to see how things like PGP/GPG are 'sooper sekrit'.

You've proven yourself incompetent in matters of security in the recent past, so I *don't* trust you to be competent in matters of security.

Yes, it clearly seems you've made a decision. That's fine, if you don't trust us, then don't use our software!

IMHO we were one of the few who were actually quite open about a hack and the countermeasures. I've yet to see that much openness with many major sites who were hacked.
If this openness and clear dedication to security now does not help for you, then.. so be it.

[warg]

My $0.02...

I can't think of any project, wether closed or open source, that's never had a security hole. I can however think of a few which have suffered in similar fashion to Unreal. To name one -- irssi.

http://www.securityfocus.com/news/462

According to a notice posted May 25th at Irssi.org, someone "cracked" the distribution site for the IRC program in mid-March and altered a configuration script to include the back door.

Guess what - poo happens?

The people at Unreal are doing everything in their ability to prevent poo from happening again, and have gone out of their way to convey the poo to the community, even to humour trolls as yourself to reassure the community that the poo is scooped and under control.

If this isn't enough for you, then I would hate to be in your shoes, because poo is everywhere.