{"id":40,"date":"2007-12-21T09:27:23","date_gmt":"2007-12-21T16:27:23","guid":{"rendered":"http:\/\/www.talesfromthe.net\/jon\/?p=40"},"modified":"2007-12-21T09:27:23","modified_gmt":"2007-12-21T16:27:23","slug":"poisoning-squirrels-in-the-repository","status":"publish","type":"post","link":"https:\/\/2024.thenexus.today\/index.php\/2007\/12\/21\/poisoning-squirrels-in-the-repository\/","title":{"rendered":"Poisoning squirrels in the repository"},"content":{"rendered":"<p>Slashdot&#8217;s linked to a bunch of good stories on computer security recently.  <a href=\"http:\/\/it.slashdot.org\/article.pl?sid=07\/12\/18\/1847233\">Squirrelmail repository poisoned<\/a> has the catchiest title, and plus it&#8217;s about squirrels, so it goes first.<\/p>\n<p>What happened was that an intruder got into the site where you download Squirrelmail, and introduced a very subtle change in the code that would allow somebody who knew about it (the intruder or anybody he\/she told or sold the secret to) to exploit &#8220;an arbitrary code execution risk,&#8221; aka &#8220;pwning,&#8221; both of which are security speak for &#8220;doing whatever you want to on the system&#8221;.<\/p>\n<p>YOW!  Dreamhost, my ISP, provides a nice one-click install for Squirrelmail (&#8220;webmail for nuts!&#8221;) and I use it on a couple of my domains.  Maybe somebody&#8217;s used this to hack in &#8212; and that&#8217;s why my colors keep intermittently changing from pink to blue!  Hmm, well, probably not &#8230; although other than the unsatisfyingly generic &#8220;intermittent software bug&#8221; it&#8217;s the best explanation so far.<\/p>\n<p>Imagine, though, that this was a political candidate&#8217;s blog; and that the hack gets exploited to delete a random 10% of mail from potential supporters and voters.  This might not get noticed for a while &#8230; and if it went on long enough, it could easily lead to enough impact to swing a close election.  
Or suppose there&#8217;s a mass-mailing from the account to everybody in the district the day before the election: &#8220;This account has been hacked, can you really trust this bozo?&#8221;  Hmm.  Talk about your social engineering attacks.<\/p>\n<p>It&#8217;s also another interesting example of the &#8220;security as a social science&#8221; theme &#8212; and more specifically, the process issues for web services that came up in <a href=\"http:\/\/www.talesfromthe.net\/jon\/?p=13\">How&#8217;d that get through QA?<\/a>   Something that&#8217;s really encouraging here is that in both cases the software providers did exactly the right thing, including being transparent about what had happened &#8212; <a href=\"http:\/\/www.squirrelmail.org\/\">Squirrelmail&#8217;s blog<\/a> shows how quickly they reacted, announcing immediately and getting the fix out within a day.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Slashdot&#8217;s linked to a bunch of good stories on computer security recently. Squirrelmail repository poisoned has the catchiest title, and plus it&#8217;s about squirrels, so it goes first. 
What happened was that an intruder got into the site where you download Squirrelmail, and introduced a very subtle change in the code that would allow somebody [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[7,9,13,14],"tags":[85,134,278,313,314,327,396],"class_list":["post-40","post","type-post","status-publish","format-standard","hentry","category-political","category-professional","category-social-computing","category-social-sciences","tag-computer-science-as-a-social-science","tag-elections","tag-process","tag-security","tag-security-as-a-social-science","tag-software","tag-web-services"],"_links":{"self":[{"href":"https:\/\/2024.thenexus.today\/index.php\/wp-json\/wp\/v2\/posts\/40","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/2024.thenexus.today\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/2024.thenexus.today\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/2024.thenexus.today\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/2024.thenexus.today\/index.php\/wp-json\/wp\/v2\/comments?post=40"}],"version-history":[{"count":0,"href":"https:\/\/2024.thenexus.today\/index.php\/wp-json\/wp\/v2\/posts\/40\/revisions"}],"wp:attachment":[{"href":"https:\/\/2024.thenexus.today\/index.php\/wp-json\/wp\/v2\/media?parent=40"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/2024.thenexus.today\/index.php\/wp-json\/wp\/v2\/categories?post=40"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/2024.thenexus.today\/index.php\/wp-json\/wp\/v2\/tags?post=40"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}