
Re: Proposal for removal of mICQ package



>>>>> In article <20030214072704.GA19933@crdic.ath.cx>, Craig Dickson <crdic@pacbell.net> writes:

 > This was not an "exploit", nor was it a "trojan". The program
 > simply refused to function normally if compiled in the particular
 > way that the Debian maintainer typically did it (without any
 > defined value for EXTRAVERSION, against upstream's
 > clearly-expressed wishes), when run by anyone other than the Debian
 > maintainer. It was a childishly petulant thing to do, but it makes
 > no sense to call it an "exploit", as if it were somehow
 > compromising the security of the end user's machine (it wasn't),

	It is an exploit, even if it has a relatively benign payload,
 which would nevertheless be labelled a grave bug.

	As aj has pointed out, it was delayed-action malware, which
 would never trigger for the maintainer, but caused the program to
 act in a manner not advertised, or desirable to the end user, or
 even reasonably expected.

	The fact that no data loss was caused makes this no less a
 security issue.

	If you remember, denial of service attacks also cause little
 data loss. The user is just inconvenienced, that's all, right? They
 can't use the program that they had installed, no skin off cnn.com's
 nose, eh? Wrong.

 > nor to call it a "trojan", as if it were sneakily doing something
 > behind the end user's back  (it wasn't; the refusal to run is quite
 > obvious when it happens, and the program is quite up-front about
 > what it is doing and why).

	It did. It failed to perform the duties it used to until the
 time-based trigger was set off; it failed to perform as
 expected. This loss of functionality, or downtime, is the trojan's
 payload.

	You have a very limited sense of what constitutes loss.

 > That was obnoxious, but it falls far short of being destructive or
 > even particularly malicious. It really comes off as little more
 > than a practical joke played by someone who was already quite

	I am given to understand that some perpetrators of DDOS
 attacks also think that it was a great prank too.

 > justifiably annoyed with the behavior of Debian's micq maintainer.
 > It was childish and somewhat irresponsible, but no more so than
 > describing it as a "trojan".

	Well, it was a trojan, hidden innocuously in the program,
 and, on a certain date, triggered to deny the user the services of
 the program. Sounds like a trojan to me.

	manoj
-- 
Texas law forbids anyone to have a pair of pliers in his possession.
Manoj Srivastava   <srivasta@debian.org>  <http://www.debian.org/%7Esrivasta/>
1024R/C7261095 print CB D9 F4 12 68 07 E4 05  CC 2D 27 12 1D F5 E8 6E
1024D/BF24424C print 4966 F272 D093 B493 410B  924B 21BA DABB BF24 424C

