The trojaning of mICQ [LWN.net]
The trojaning of mICQ
[Posted February 18, 2003 by corbet]
The story, it seems, is this: Rüdiger Kuhlmann, the maintainer of mICQ, had a disagreement with Martin Loschwitz, the maintainer of the Debian mICQ package, on how that package should be built. Mr. Kuhlmann complained that an old version of mICQ was shipped, that it contained bugs which had been fixed upstream, and that his name had been removed from the copyright file. The disagreement had apparently been going on for a while.

Mr. Kuhlmann decided that enough was enough, and he was going to take some action. As of mICQ 0.4.10.1, the code will, when built for the Debian distribution, print out a message which says some unflattering things about Mr. Loschwitz and encourages use of a different version; the program then exits. In other words, when built for Debian, mICQ thumbs its nose at the user and refuses to run. To help ensure that this code got into the official Debian version, it was written in an obfuscated manner, set to trigger only after February 11, and only if it was not being run by Mr. Loschwitz. For the curious, here is a posting containing the code in question.

In response, Mr. Loschwitz called for the removal of mICQ from the Debian distribution and started a generally impressive flamewar. After some time, the two parties actually started talking to each other; summaries from Mr. Kuhlmann and Mr. Loschwitz have been posted. The resolution involves fixing the packaging issues and the removal of the anti-Debian code. The mICQ package will also be removed from Debian until a security audit is performed and a new maintainer is found. The situation would appear to have been resolved.

The whole thing has, however, left a bad taste in the mouths of many Debian developers. According to some, Debian was subjected to a trojan horse/denial of service attack, and they are not happy about it. Mr. Kuhlmann denies this, of course ("In fact, I only added dead code. It was you who #ifdef'd it in - not knowingly, but anyway."), but this code, even described in more friendly terms ("easter egg," say), is the sort of thing that does not often happen in the free software world. Free software users like to think they have a bit more control over their systems than that. (It's not completely unheard of, though - GNU emacs used to greet Symbolics users with the message "In doing business with Symbolics, you are rewarding a wrong.")

Much of the discussion was concerned with what Mr. Kuhlmann could have done with this piece of stealth code. Such speculation is a bit off-topic, given that, as far as anybody can tell, there are no evil or destructive trojans coded into mICQ. In the context of a wider discussion, however, this episode does raise a scary issue. The mICQ code was slipped into a major distribution, seemingly with great ease. The code was relatively harmless, but, next time, it might not be. Access to source code decreases our vulnerability to this sort of attack; proprietary software, after all, can have anything in it. It is hard to imagine anybody being able to hide a flight simulator inside a free spreadsheet application. But anybody who believes that having the source makes us invulnerable to this kind of trojan is clearly mistaken. With suitably clever coding, great nastiness can be hidden in seemingly innocuous code. The resources to audit all of our code at the level of detail required to find small trojans simply don't exist.

Perhaps, in the future, tools like the Stanford Checker can be turned to the task of finding suspicious code in source distributions. For now, though, we have to remain on our guard. This kind of thing will happen again, and, next time, the results may not be so benign.
The trojaning of mICQ
Posted Feb 20, 2003 3:01 UTC (Thu) by ncm (guest, #165) (3 responses)

My question is, why didn't Mr. Loschwitz see the trojan code when he diff'd the old version against the update, to see what had changed?
The trojaning of mICQ
Posted Feb 20, 2003 3:31 UTC (Thu) by trutkin (guest, #3919) (1 responses)
He didn't look over the diff. He was upbraided by other maintainers for this.
The trojaning of mICQ
Posted Feb 20, 2003 22:11 UTC (Thu) by hmh (subscriber, #3838)

You bet he was upbraided. Some of us take great pains to go over every line in a 1000+ line diff file (usually not for security, but out of sheer paranoia of breaking the package in a hideous way, and losing even more time trying to get it to work again)...

However, as others said, don't expect normal diff-looking to catch a really bright piece of obfuscation (which was NOT the case of mICQ).
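The article describes the traits of the mICQ code (a trigger keyed to a date, a check on who is running the program, a Debian-only build condition, obfuscated text, an abrupt exit), and the thread above asks why a diff of the update did not surface it. As an added example that is not part of the article, of mICQ or of Debian's tooling, here is a small Python triage script a packager could run over an upstream diff before reading it: it walks the unified diff and flags only added lines that carry one of those traits, so the reviewer knows where to look first. The diff it scans is constructed for the example; the file names, the DEBIAN_BUILD macro, the timestamp and the user name in it are assumptions, not values from the page.

```python
"""Heuristic triage of a unified diff: flag added lines that look like
delayed, user-specific or distribution-specific behaviour so a human
reads them first. Example code added to this page, not mICQ or Debian code."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Each pattern is paired with the question a reviewer should ask about the line.
SUSPICIOUS_PATTERNS = [
    (re.compile(r'\b(time|localtime|gmtime|mktime|difftime)\s*\('),
     "consults the wall clock: behaviour may be gated on a date"),
    (re.compile(r'\b(getlogin|getpwuid|getuid|geteuid|gethostname)\s*\('
                r'|\bgetenv\s*\(\s*"(USER|LOGNAME|HOME|HOSTNAME)"'),
     "branches on who or where it is run: user- or host-specific behaviour"),
    (re.compile(r'^\s*#\s*(if|ifdef|ifndef|elif)\b.*debian', re.IGNORECASE),
     "preprocessor condition keyed to one distribution's build"),
    (re.compile(r'\b(exit|_exit|abort)\s*\('),
     "terminates the process: check what leads here"),
    (re.compile(r'(\\x[0-9a-fA-F]{2}){4,}|(\\[0-7]{3}){4,}'),
     "long escaped string literal: text hidden from grep"),
]

@dataclass(frozen=True)
class Finding:
    path: str
    line: int      # line number in the new version of the file
    reason: str
    text: str

# "@@ -old_start,old_count +new_start,new_count @@"; counts default to 1
HUNK_RE = re.compile(r'^@@ -\d+(?:,\d+)? \+(\d+)(?:,(\d+))? @@')

def scan_unified_diff(diff_text: str) -> List[Finding]:
    """Return findings for added lines only; removed and context lines are
    never flagged. The hunk's new-side count tells us when a hunk ends, so
    plain 'diff -u' output without 'diff --git' headers is handled too."""
    findings: List[Finding] = []
    path = "?"
    new_line = 0
    remaining = 0                      # new-side lines left in the current hunk
    for raw in diff_text.splitlines():
        m = HUNK_RE.match(raw)
        if m:
            new_line = int(m.group(1))
            remaining = int(m.group(2)) if m.group(2) is not None else 1
            continue
        if remaining == 0:             # between hunks: only the file header matters
            if raw.startswith("+++ "):
                path = raw[4:].split("\t")[0].strip()
                path = path[2:] if path.startswith("b/") else path
            continue
        if raw.startswith("-") or raw.startswith("\\"):
            continue                   # removed line or "\ No newline at end of file"
        if raw.startswith("+"):
            code = raw[1:]
            for pattern, reason in SUSPICIOUS_PATTERNS:
                if pattern.search(code):
                    findings.append(Finding(path, new_line, reason, code.strip()))
        new_line += 1                  # added or context line advances the new side
        remaining -= 1
    return findings

def report(findings: List[Finding]) -> str:
    if not findings:
        return "no suspicious added lines"
    return "\n".join(f"{f.path}:{f.line}: {f.reason}\n    {f.text}" for f in findings)

# Constructed sample diff with the traits described in the article (hypothetical
# file, macro, timestamp and user name). The escaped string spells "See upstream".
SAMPLE_DIFF = r"""
diff --git a/src/main.c b/src/main.c
--- a/src/main.c
+++ b/src/main.c
@@ -10,5 +10,12 @@ int main (int argc, char **argv)
 {
     init_options ();
+#ifdef DEBIAN_BUILD
+    if (time (NULL) > 1044921600 && strcmp (getlogin (), "maintainer"))
+    {
+        puts ("\x53\x65\x65\x20\x75\x70\x73\x74\x72\x65\x61\x6d");
+        exit (1);
+    }
+#endif
     run_client ();
     return 0;
 }
"""

# Constructed benign diff: an ordinary comment-only change should produce no findings.
BENIGN_DIFF = r"""
diff --git a/src/util.c b/src/util.c
--- a/src/util.c
+++ b/src/util.c
@@ -3,4 +3,5 @@
 #include <string.h>
 
+/* Fix off-by-one in buffer length (constructed example) */
 size_t safe_len (const char *s, size_t max)
 {
"""

if __name__ == "__main__":
    print(report(scan_unified_diff(SAMPLE_DIFF)))
    print(report(scan_unified_diff(BENIGN_DIFF)))
```

Run against the sample, the script points the reviewer at lines 12, 13, 15 and 16 of src/main.c and stays silent on the benign change. The caveat from the thread applies: pattern matching narrows where a human reads, it does not replace reading the diff, and code written to evade it (a date derived from something other than a time() call, text assembled at run time) will pass straight through.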
The trojaning of mICQ
Posted Feb 27, 2003 14:46 UTC (Thu) by MLKahnt...