  1. #1
    SitePoint Enthusiast Ckeren's Avatar

    Apache hacked by unknown "Crack3rz"

    Check this out guys..
    http://www.apache.org/info/20010519-hack.html

    Well, this just popped up in my mind..
    Can we trust open source software to handle our online business ...?

  2. #2
    SitePoint Wizard
    I'm not sure if this is a troll or a valid question, but...

    Basically, this cracker got in to Sourceforge.net's server somehow and replaced their SSH daemon so that it logged the password of everyone who logged in. So then, an official Apache.org developer logged in and his password and username got logged.

    With that info, the attacker logged in to Apache.org and exploited a bug in an old version of OpenSSH, for which a bugfix was released, to gain root access. That night, Apache.org's automatic security audit caught the attacker and they immediately fixed the problem.

    This has absolutely nothing to do with the open source nature of the software. As with all software, it has bugs, and it has bug fixes. Simply being open source does not mean it's going to get cracked into.

    It's like buying Mobil motor oil, getting in a car crash, and blaming it on Mobil. There's simply no correlation between the two.

  3. #3
    SitePoint Evangelist thewitt's Avatar
    One backdoor exploit of Apache in many, many months.

    One exploit weekly of IIS.

    Hmm. Which one do I want to trust with my business?

    Not even a fair question.

    -t

  4. #4
    SitePoint Columnist Skunk's Avatar
    Join Date
    Jan 2001
    Location
    Lawrence, Kansas
    Posts
    2,066
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    "can we trust open source software to handle our online business ...?"
    Yes. After the incident you mention, the Apache team went through EVERY SINGLE file in their source code repository checking it against externally held copies to make sure it had not been altered in any way. Everything was checked and double checked to make sure no damage had been done.

    Sounds pretty trustworthy to me. I'm willing to bet that if something like this happened to a commercial company they would cover it up rather than admit that they had been compromised. The Apache team didn't do that.

  5. #5
    SitePoint Zealot Aonghus's Avatar
    Of course you can trust open source software - more so than commercial software. The reason is simple, because it is open source, anyone can go through the code and see exactly how it works. This gives crackers the ability to identify possible vulnerabilities in the system, but rather than see this as a disadvantage, look at it from another perspective; think of the thousands of other people in the open source community who have also gone through the code, these are smart people and the chances of them not noticing a vulnerability are slim.

    Now think of a commercially developed program that only a dozen or so programmers have worked on. Do you think they could possibly foresee even a fraction of eventualities the thousands of open source developers could? I seriously doubt it. I also doubt that this dozen or so people, having identified a problem, would be able to release a fix as soon as one might be offered by one of the thousands or so open source programmers, bearing in mind, of course, that this dozen or so developers might be working 9-5 Monday-Friday, and the open source community 24/7.

    Remember the Internet Explorer bug that let any site access the cookies of a visitor to another site? It took years to identify this bug, and people are still surfing the net with their personal information open to scrutiny by the owners of certain web sites. I don't think this would have happened if IE was an open source program, I think someone would have noticed the bug a long time ago.

    That's just what I think. Open source software, in my experience, is a good thing.

    -Aonghus

  6. #6
    ComDude CryingWolf's Avatar
    Yeah we could pretty well fill this forum with the "closed source" exploits
    body { background:#000000; color:#000000 }
    HEY, WHO TURNED OUT THE LIGHTS?!?
    Easy come easy go!!!
    CryingWolf

  7. #7
    SitePoint Enthusiast welded's Avatar
    Join Date
    Jun 2001
    Location
    vancouver.bc.ca
    Posts
    96
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    i agree completely with the opinions voiced so far. closed source, if accessed in the same method as the open source on apache's servers is just as vulnerable to modification by intruders.

    by its very nature open source is not one bit (byte?) more dangerous for end users than anything closed source, nor any more safe. the important part comes when the vulnerability is uncovered, whether an effective fix is made available asap. apache did their damnedest to maintain public trust in their products by giving a detailed report of the incident. and, god bless their little hearts, microsoft tries, they really do. open source is not to blame, not-so-great sys admins and crackers are.
    it's amazing what velocity can do
    when human beings are in season

  8. #8
    SitePoint Zealot RogueOnTheNet's Avatar
    Join Date
    Nov 2000
    Location
    OK
    Posts
    117
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    I tend to agree that Apache and open source are as secure or more secure than most commercial products out there. As far as business needs go, the only real difference between the two is that there's more support widely available for commercial products like Microsoft's. If someone's server goes down and they run a small business and don't have their own techs on hand, they can call any computer repair business and probably get help; with a lot of open source solutions, that isn't always the case.

    As a former Tech, I came across all kinds of servers and platforms and was able to help solve many issues, though server/network administration weren't my forte. The fact that I knew how to troubleshoot the different Windows platforms and a bit of Novell allowed me to do what needed to be done. I like open source, believe it is the wave of the future, but I find there is still a reluctance to use it in public or business segments (those businesses not in the IT sector) of society and in places that are rural or even just away from larger epicenters of Net/IT hoopla and advances.

    An example is the cost of multiple licenses in new releases of Red Hat Linux - very cheap for a 5 user license...less than the cost of a single user license for a Microsoft product. I mean, from a bottom dollar standpoint, you would think public school systems for example, would jump at the chance to slash costs, considering that when you start upgrading hundreds or thousands of copies of Microsoft products, that such an endeavor can eat up a limited education budget in no time. I don't see too many public school systems implementing Linux though. Heck, many vocational/technical schools still haven't integrated it into their computer repair/programming curriculum. It's an uphill battle I do believe.

    I personally am only beginning to learn Linux myself, as my open source focus thus far has been PHP and MySQL, and dabbling with REBOL. I run Apache on Windows, for the simple fact that most of the software I use for web development/graphic design are on the platform. Soon, I hope, and plan, to jump to Linux as my primary OS for development, but when it comes to graphics software, site management/testing/assessing software, Linux just hasn't the array it needs to lure me away completely. My biggest beef with Linux is the GUI, which has been lacking.

    Yeah, yeah, I can hear everyone dogging me out for not being a "true" code junkie and what-not, but it's a simple fact: I DON'T WANT TO HAVE TO LEARN A NEW LANGUAGE AND/OR OS, JUST TO USE SOFTWARE THAT ISN'T ANY BETTER THAN WHAT I'M ALREADY USING.

    When open source programmers realize this - because so far rehashing what you can get on Windows is all that seems to have been occurring - and start creating better software that isn't a Linux or BSD version of Photoshop or Homesite, and put out better web development software, I'll jump completely. And, I'm sure this will change (is changing) with time. The general public though, is still largely ignorant of Linux and other open source OS's, software, and programming languages. Those that are aware, are still a bit reluctant if they have the money to afford commercial products because there's just not any incentive other than saving a few bucks. But hell, I'll make enough money in a couple of hours driving an hour away to consult for a while with someone about their plans for a website, that I can afford the difference in costs.

    Why then would I want to put in hours and hours learning a new OS, new software, new ways of doing things, when I can keep doing what I am, and use those hours saved jamming with my band, or scuba diving, or hanging out at the bar looking for a future ex-wife? I wouldn't want to, unless that change was so simple that I didn't mind, and there was better software waiting for me when I got to the new OS. Or I find that future ex-wife and can no longer afford expensive commercial products, lol. In any case, I'm still waiting...

    While I am dabbling at learning Linux, I spend more time playing guitar these days than learning code. And Apache does make good sense for server uses. I think it's secure, and a good learning tool for those wanting to get into the guts of servers who are newbies at it - like me, lol. I think Apache.org and the developers did a fantastic job of handling this situation...which really wasn't all that bad it seems to me.

    As third world countries continue to build web presences, I think open source is really the ONLY viable solution for most of them. As this happens, I think leading technological/industrial nations will begin to see a need for embracing the open source community more, to better assimilate/integrate the vast differences of varying cultural approaches to technology and its implementation.

    Sorry for the ramble...just had some coffee and time to kill.

