October 12, 2007 4:06 PM PDT

Bugs in the open-source community?

by Matt Asay

Fortify Software is suggesting that the trusting nature of open-source developers has led to some glaring Trojan horses in their code. The problem with Computer Business Review's analysis ("Is nothing sacred?") is that it misses how the very transparency that exposes such a problem in open source also leads to its erasure. Transparency leads to a solution.

Fortify has identified a new class of bug that is designed to take advantage of the atmosphere of trust that occurs while developers are playing with open source code. It's called "build-process injection," a Trojan horse that allows hackers to insert malicious code into the target program while it is being constructed.

In this case, hackers can surreptitiously replace source code sitting in the repository with an infected version. The result is that the Trojan horse could start doing its dirty work before the application ever gets to test phase, or depending on the design of the malware, at any point thereafter.
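As an added example (not part of the original post, and not Fortify's or Computer Business Review's work), the following Python script shows the usual defence against the substitution described above: every build input, whether a source file in the checkout or a dependency artifact fetched at build time, is pinned to a SHA-256 hash in a reviewed manifest, and the build is refused when the tree no longer matches. The file names and contents are constructed for the demonstration; the tampered artifact stands in for a swapped file in the repository or dependency cache.

```python
import hashlib
import os
import tempfile
from typing import Dict, List


def sha256_file(path: str) -> str:
    """Hex SHA-256 of a file, read in chunks so large artifacts are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str, files: List[str]) -> Dict[str, str]:
    """Pin the listed files (paths relative to root) to their current hashes.
    In practice this manifest is produced from a reviewed checkout and
    committed next to the build scripts; here it is generated in the demo."""
    return {rel: sha256_file(os.path.join(root, rel)) for rel in files}


def verify_build_inputs(root: str, manifest: Dict[str, str]) -> List[str]:
    """Return a sorted list of problems; an empty list means every pinned
    input is present and unchanged and nothing unpinned has appeared."""
    problems = []
    for rel, expected in manifest.items():
        path = os.path.join(root, rel)
        if not os.path.exists(path):
            problems.append(f"missing: {rel}")
            continue
        actual = sha256_file(path)
        if actual != expected:
            problems.append(f"modified: {rel} (expected {expected[:12]}.., got {actual[:12]}..)")
    # A file that is not pinned at all is also a build-input change.
    for dirpath, _, names in os.walk(root):
        for name in names:
            rel = os.path.relpath(os.path.join(dirpath, name), root).replace(os.sep, "/")
            if rel not in manifest:
                problems.append(f"unpinned: {rel}")
    return sorted(problems)


def demo() -> Dict[str, List[str]]:
    """Create a constructed checkout, pin it, then simulate a substituted
    dependency plus an extra file and show that verification reports both."""
    results: Dict[str, List[str]] = {}
    with tempfile.TemporaryDirectory() as root:
        files = {
            "src/main.c": b"int main(void) { return 0; }\n",
            "lib/helper-1.0.jar": b"PK\x03\x04 constructed jar bytes",  # constructed
        }
        for rel, data in files.items():
            os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        manifest = build_manifest(root, list(files))
        results["clean"] = verify_build_inputs(root, manifest)

        # Simulate a swapped artifact in the repository or dependency cache.
        with open(os.path.join(root, "lib/helper-1.0.jar"), "wb") as f:
            f.write(b"PK\x03\x04 different bytes")
        # And a file that was never reviewed or pinned.
        with open(os.path.join(root, "src/extra.c"), "wb") as f:
            f.write(b"/* not in manifest */\n")
        results["tampered"] = verify_build_inputs(root, manifest)
    return results


if __name__ == "__main__":
    for state, problems in demo().items():
        print(state, "->", problems or "ok")
```

The check is only as strong as the manifest it compares against: the manifest has to be committed and reviewed through the same process as the code, and the build has to fail closed (refuse to run) on any non-empty result rather than merely log it. A dependency fetched over the network at build time is handled the same way, by pinning the downloaded artifact's hash rather than trusting whatever the remote host serves.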

I'm not a developer, but I understand the problem (a developer comes to trust her code repository and so doesn't think to check it before pulling down code). But the one thing that isn't recognized in the problem or the analysis of it is the trust that is required to upload code to an open-source project. It's simply not the case that anyone can do it. The kind of person who would do this sort of thing isn't the sort of person who has the access necessary to accomplish it.

Regardless, I'm willing to bet that a horde of open-source developers with knowledge of the problem will fix it. Exposure leads to solutions; secrecy perpetuates problems.


Via LinuxToday.

Matt Asay brings a decade of in-the-trenches open-source business and legal experience to The Open Road, with an emphasis on emerging open-source business strategies and opportunities. Matt is vice president of business development at Alfresco, a company that develops open-source software for content management. He is a member of the CNET Blog Network and is not an employee of CNET. Disclosure. You can follow Matt on Twitter @mjasay.
Bugs in the open-source community?
by royrusso October 12, 2007 6:49 PM PDT
Link?

I'm guessing they're referencing OSS projects that use Maven, which at build time downloads dependencies from somewhere on the internet. If one of the dependencies is infected or downloaded from an untrusted source, then perhaps something unintended can happen... assuming the code even compiles.

Any OSS project lead not safeguarding his dependencies in his own hosting environment needs to get his head examined anyway.
Fortify ?
by vexorian October 13, 2007 6:03 AM PDT
"Build-process injection," uh oh. I have learned a valuable lesson today: not to trust Fortify, since they are either ignorant of how open source actually works or acting with malicious intent.

The only way this would happen would be without a maintainer, or with one not capable enough, or if one of the core developers actually had the wrong intent; but these are also situations that affect closed projects, where it is even riskier since the problem cannot be detected as fast.
"Theoretical"
by reedhedges October 16, 2007 8:21 AM PDT
Parts of the article imply that they actually discovered a case of this happening, but nowhere in the article does it actually say that. I think this is theoretical. In following and participating in the OSS community for years, I have never heard of this happening. (You can be sure it will be on Slashdot in 5 minutes if anyone ever reported an actual case of this.)