The trojaning of mICQ
[Posted February 18, 2003 by corbet]
The story, it seems, is this: RĂ¼diger Kuhlmann, the maintainer of
mICQ, had a disagreement with Martin
Loschwitz, the maintainer of the Debian mICQ package, on how that package
should be built. Mr. Kuhlmann complained that an old version of mICQ was
shipped, that it contained bugs which had been fixed upstream, and that his
name had been removed from the copyright file. The disagreement had
apparently been going on for a while.
Mr. Kuhlmann decided that enough was enough, and he was going to take some
action. As of mICQ 0.4.10.1, the code will, when built for the Debian
distribution, print out a message which says some unflattering things about
Mr. Loschwitz and encourages use of a different version; the program then
exits. In other words, when built for Debian, mICQ thumbs its nose at the
user and refuses to run. To help ensure
that this code got into the official Debian version, it was written in an
obfuscated manner, set to trigger only after February 11, and only if
it was not being run by Mr. Loschwitz. For the curious, here is a posting containing the code in question.
In response, Mr. Loschwitz called for the
removal of mICQ from the Debian distribution and started a generally
impressive flamewar. After some time, the two parties actually started
talking to each other; summaries from Mr. Kuhlmann and Mr. Loschwitz have been posted. The resolution
involves fixing the packaging issues and the removal of the anti-Debian
code. The mICQ package will also be removed from Debian until a security
audit is performed and a new maintainer is found. The situation would
appear to have been resolved.
The whole thing has, however, left a bad taste in the mouths of many Debian
developers.
According to some, Debian was subjected to a trojan horse/denial of service
attack, and they are not happy about it. Mr. Kuhlmann denies this, of
course ("In fact, I only added dead code. It was you who #ifdef'd it
in - not knowingly, but anyway."), but this code, even described in
more friendly terms ("easter egg," say), is the sort of thing that does not
often happen in the free software world. Free software users like to think
they have a bit more control over their systems than that.
(It's not completely unheard of, though - GNU emacs used to greet
Symbolics users with the message "In doing business with Symbolics, you are
rewarding a wrong.")
Much of the discussion was concerned with what Mr. Kuhlmann could
have done with this piece of stealth code. Such speculation is a bit
off-topic, given that, as far as anybody can tell, there are no evil or
destructive trojans coded into mICQ. In the context of a wider discussion,
however, this episode does raise a scary issue. The mICQ code was slipped
into a major distribution, seemingly with great ease. The code was
relatively harmless, but, next time, it might not be. Access to source
code decreases our vulnerability to this sort of attack; proprietary
software, after all, can have anything in it. It is hard to imagine
anybody being able to hide a flight simulator inside a free spreadsheet
application. But anybody who believes that having the source makes us
invulnerable to this kind of trojan is clearly mistaken. With suitably
clever coding, great nastiness can be hidden in seemingly innocuous code.
The resources to audit all of our code at the level of detail required to
find small trojans simply don't exist.
Perhaps, in the future, tools like the Stanford Checker can be turned to
the task of finding suspicious code in source distributions. For now,
though, we have to remain on our guard. This kind of thing will
happen again, and, next time, the results may not be so benign.
(
Log in to post comments)