OK so many of you have probably already heard about the situation that went down with the linux kernel code. If not click here to read-----> Linux: Kernel "Back Door" Attempt (http://kerneltrap.org/node/view/1584)





(Plz note I am not biased against any OS, im just voicing my P-O-V as I see it. PLz do not flame me. It is not called for!)

I believe this is a total blow to the image of the OPen Source community. From a newbie's point of view and IMHO, this makes them look bad because they tend to portray themselves as more secure than Windoze users, this and that. blah blah blah the list goes on. I also believe that most people who use Open source "material" will think twice about what they are using. I am curious as to what any linux patriots have to say of the topic. Im open to any commments or criticisms on my point of view. THanks guys...

well what happened is not good, but a real computer geek never says that his system is bulletproof. If you say something like that you are setting up your self for trouble.

Having said that, on the other hand I was a real good save. It was just two lines of code. The fact that they managed to observe just two lines its prety slick IMO. The best thing from all of this, is that the crack was discovered before the release of the kernel.

my 2 cents

actually, i think it validates the strenght of opensource... its harder to pull the wool over many eyes... expecially when those eyes are very careful about what comes down the pike (after all, everyone sees the code... you want it to look the best as possible :) )

here is a quote from slashdot that i thought really used this instance to compare OSS to closed-source...


(In Reply to) Good to see the system works. You would wonder what would happen if said hacker was working for a company on a similar closed source program. Would it have been detected?

You mean like Borland's Interbase? The compiled in backdoor (http://www.cert.org/advisories/CA-2001-01.html) [cert.org] wasn't discovered until after the database opensourced.

My favorite quote from the advisory is:

"This vulnerability was not introduced by unauthorized modifications to the original vendor's source. It was introduced by maintainers of the code within Borland. The back door account password cannot be changed using normal operational commands, nor can the account be deleted from existing vulnerable servers [see References]."

How long was it in there? "These security holes affect all version of InterBase shipped since 1994, on all platforms."

The advisory dates from 2001 -- you do the math.

The fact it lasted less than a day in the repository really speaks wonders to the power of OSS... SOMEBODY is bound to see it, eh?

Originally posted by diegoeskryptic

From a newbie's point of view and IMHO, this makes them look bad because they tend to portray themselves as more secure than Windoze users, this and that. blah blah blah the list goes on. I also believe that most people who use Open source "material" will think twice about what they are using. I am curious as to what any linux patriots have to say of the topic. Im open to any commments or criticisms on my point of view. THanks guys...

Well, if this had happened to the micro$oft source code, it might not have been caught, and you certainly wouldn't know about it.


With an opensource system, anyone can look at the code, thus greatly increasing the chances something like this will be discovered quickly. With the sheer size of the kernel, it's quite an achievement that someone noticed the new code so quickly.


But the sad thing about this is many would-be converts might read this and think "linux isn't secure, i'll just stick with a system where i won't be cracked, i never hear about this kind of thing from Redmond." :D


~psi42

Microsoft didn't even notice a Pinball game hidden in Word 2000, a Flight Simulator hidden in Excel 97, a Doom-like game in Word 95 and a backdoor password deriding Netscape engineers as "weenies" in IIS. I highly doubt that they would notice a back door consisting of only two lines of code in any of their programs, let alone within a day.

I think that this really shows the strength of opensource, particularly to those who don't believe that anyone looks at opensource code.

Hey MartinB,
Can you elaborate on the hidden games you mentioned; I've never heard of this before. Thanks.

I've only actually played the Flight Simulator one in Excel 97, though I have seen screenshots of the one in Word 95.

I forget exactly how it's done, but it's something like this:
- Load Excel
- Press F5 (?) - It should bring up a box or something, which is like a "goto cell" box I think. Maybe it's a different F-key, but definitely one of them.
- Type "x97:l97" in the box (without speech marks).
- Press return to OK the dialogue.
- Press Tab, which will move the selected cell right one.
- Left click and hold the "Graph Wizard" button.
- Whilst still holding the left mouse button, hold down Left-Shift, Left-Control and Left-Alt simultaneously.
- Release all of the keys and your mouse button at the same time. This has to be VERY precise.

If you did it correctly (and I remembered it correclty ;)), you should now be flying over a purple landscape. Fly around for a bit and see if you can find a big stone - When you find it if you look at it, you'll see the names of the Excel developers scrolling up one side of it.

You're right about the flight simulator...

1) Open a new sheet/workbook
2) Hit F5 and enter "X97:L97" and press enter/click OK.
3) Press TAB once so the activecell is in M97
4) Hold left CTRL and left Shift and click the ChartWizard Icon

You're in there!

Here's a good one for Word 97:

1) Open a blank sheet
2) Make sure that the language is set to US
3) Type "I'd like to kill Bill Gates"
4) Highlight all the text and select "Thesaurus" and see what it offers...

As for the Kernel backdoor, well, I can see it turning out to be a positive publicity stunt (albeit unusual) for the Linux Kernel staff. The security around the kernel source code is obviously tight so that they realised something was amiss and fixed it quickly.

A similar chain of events happened when HMS Newcastle hit that rock off the Australian coast. Although badly damaged, the crew were very highly praised and the training they had received meant that they did not lose the ship. A nasty incident was turned around to prove the effectiveness of those men and women from what could have been a terrible disaster.

If that had been the XP kernel, I'm not sure how long it would take to fix. Or how long before the patch came out to fix it.

On a side-note, can anyone here tell me the last time they applied a security patch to Linux that was classed as a "Critical Update"?

James