Telecom and Logistics Associates 

Security News Service: TLAnews

publication: Christian ALT, TLAalert Security Service

9.6.2000 Security: NetBSD source code hacked?
Developers of the NetBSD open source operating system say a recent security breach did not compromise the software's source code.

In French: NetBSD source code hacked?
The developers of NetBSD, the operating system whose source code is free, say that following a security breach the software's source code has not been compromised.

English version

NetBSD developer and project spokesman Charles Hannum has confirmed that a key developer's password was "discovered" by outsiders.

The password would have given hackers the opportunity to impersonate Paul Vixie, a leading developer with the right to make changes to the software's source code, although not to do so directly.

Hannum maintained that an extensive review did not find any proof that Vixie's account had been used "other than a simple probe to see whether the password was used". Under the open source system used by NetBSD, developers such as Vixie would contribute changes and improvements.
Summary (French version)
The password of one of NetBSD's main developers was discovered by hackers. This password would have made it possible to impersonate Paul Vixie and make changes to the source code.

Project spokesman Charles Hannum confirmed the situation but said that access is compartmentalised to limit the risks in this type of incident, and that every action is monitored and logged.

NetBSD is a UNIX derivative that is generally considered more secure. After an extensive review of the code, no modification was found. This will reassure users of this operating system.

The damage is probably minimal, but doubt has settled over the software, and that is what will cause the most harm.


Hannum said all such access was "compartmentalised" and changes were logged, under a system designed to deal with problems such as this one.

Some team members are believed to have had "edit access", which would allow them to change log files. If a hacker gained that level of access, they might be able to change the records to conceal changes to the source code, such as the insertion of "trojan horse" or back-door access systems.

NetBSD is a Unix-like operating system that is generally considered to be more secure than the more easily hacked Windows and is popular with elite users.

According to the NetBSD website, NASA uses NetBSD on its numerical aerospace simulation facility and it is believed to be in use on high-level mission-critical systems in both government and business.

Hannum would not confirm the level of privilege available with Vixie's password. He said that Vixie did not have "privileged access" on machines other than the one that was probed.

Hannum said the risk of such an incident and the ways of defending against it had "been known for so long that most security professionals consider it boring".

"No compromise of our source tree was discovered," he said.

Vixie is a respected developer involved in many aspects of the Internet. He is also believed to have helped develop a Unix-for-Windows system called XFree86.

He has been involved in the Internet for at least 10 years and, until last year, was the keeper of the BIND system used for Internet domain name server systems, through his involvement with the not-for-profit Internet Software Consortium.

Author information.
Copyright © [Telecom and Logistics Associates Sàrl]. All rights reserved.
Revised: June 08, 2000.

All information provided is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act upon such information without appropriate professional advice after a thorough examination of the facts of the particular situation.