
Horde backdoored - kaeso
http://dev.horde.org/h/jonah/stories/view.php?channel_id=1&id=155
======
bryanh
I've always been very trusting of open source software. I've often thought
"surely someone else has looked through this source code" and just assumed
that malicious code never hits stable releases. The same goes for "verified"
binaries, packages, etc... apparently that is not always the case.

What are the possibilities that such code could make its way into some piece
of extremely popular public facing software, say Apache? How many cleverly
hidden "bugs" already exist that open us up to complete pwnage for the clever
bastard behind them?

Just think about the havoc someone could do with a few popular but nasty PyPI
or RubyGem packages...

~~~
brador
Wasn't there a serious backdoor situation with some Linux distros (Ubuntu?)
last year? Some guy came out detailing a 10 year contract of silence or
something...

~~~
kijin
You mean the OpenBSD IPSec backdoor controversy? Nothing found AFAIK.

~~~
eneveu
HN discussion at the time: <http://news.ycombinator.com/item?id=2029175>

------
cs702
The comments on this page immediately reminded me of Ken Thompson's point:
"You can't trust code that you did not totally create yourself."

He wrote this right after demonstrating how to create, step-by-step, an
undetectable trojan horse in the C compiler. Here are the steps for creating
such a trojan horse:

<http://cm.bell-labs.com/who/ken/trust.html>

[ Also see <http://news.ycombinator.com/item?id=2642486> ]

~~~
justinlau
You can't totally trust your own code, either. Look at all the buffer overrun
vulnerabilities that have been found over the years.

------
NelsonMinar
So several Horde releases were trojaned for three months? That's pretty
terrible. Good on them for coming clean.

What's the best way for open source projects to make it easy for their
customers to get verified downloads? A lot of packages post MD5 checksums but
no one tests them when downloading manually, do they? Automated signature
checking on Debian packages seems to work better in practice; homebrew also
verifies download checksums automatically.

~~~
ctz
Checksums provide no security.

Idea: protocol- and package-format-independent verification of packages, with
trust rooted in DNSSEC of the ultimate source domain using DANE.

~~~
dlgtho
That's not entirely true. Since I found how to poison my ISP's PeerApp
"invisible" cache servers I started to check MD5 when downloading manually. It
does cache big files but not small ones. Here is the link for technical
details if you are interested.
<http://godlessmechanics.blogspot.com/2011/12/tale-of-sneaky-proxy.html>

------
d3b14n
Horde 4 is not affected. If you're running it, you're fine.

The affected releases are:

- Horde 3.3.12 downloaded between November 15 and February 7

- Horde Groupware 1.2.10 downloaded between November 9 and February 7

- Horde Groupware Webmail Edition 1.2.10 downloaded between November 2 and
February 7

------
laconian
Well, shit. So much for host-it-yourself services being more secure. Which
dogma do I trust now?

------
fuscata
Check with: grep -r "\$m\[1\](\$m\[2\])" /path/to/horde

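An added example, not part of the thread or of Horde's own code: a small Python scanner that applies the grep check above to a directory tree and generalises it to any PHP call of the form `$var[n]($var[m])`, so a renamed capture variable is still reported. The directory layout and file contents are constructed for the demo.

```python
import os
import re
import tempfile

# The thread's grep looks for the literal text $m[1]($m[2]). This pattern
# generalises it to any PHP call whose callee and argument are both indexed
# elements of the same variable, e.g. $cb[1]($cb[2]), which the literal grep misses.
SUSPICIOUS = re.compile(r"\$(\w+)\[\d+\]\s*\(\s*\$\1\[\d+\]\s*\)")


def scan_tree(root):
    """Walk `root` like `grep -r` and return (relative path, line number,
    stripped line) for every matching line, sorted for stable output."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                for lineno, line in enumerate(fh, start=1):
                    if SUSPICIOUS.search(line):
                        rel = os.path.relpath(path, root).replace(os.sep, "/")
                        hits.append((rel, lineno, line.strip()))
    return sorted(hits)


def demo_tree():
    """Build a constructed tree (not real Horde code): one clean file, one with
    the exact pattern from the thread, one with a renamed capture variable."""
    root = tempfile.mkdtemp(prefix="horde-scan-")
    os.makedirs(os.path.join(root, "lib"))
    files = {
        "lib/Clean.php": "<?php\nfunction add($a, $b) { return $a + $b; }\n",
        "lib/Suspect.php": "<?php\nif (preg_match('/(\\w+):(.*)/', $s, $m)) {\n    $m[1]($m[2]);\n}\n",
        "lib/Renamed.php": "<?php\npreg_match('/(\\w+):(.*)/', $s, $cb); $cb[1]($cb[2]);\n",
    }
    for rel, body in files.items():
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    # Each hit is printed grep-style as path:line: text for a human to review.
    for rel, lineno, text in scan_tree(demo_tree()):
        print(f"{rel}:{lineno}: {text}")
```

A hit is a lead, not proof: dynamic calls built from capture groups do have legitimate uses, so each reported line still needs a human to read the surrounding code.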
------
jaryd
kernel.org, vsftpd, unrealircd, who will fall next?

------
jvehent
it's 2012: stop using horde and install roundcube!

~~~
imr
Have you tried Horde 4? It is much better than version 3 and is not affected
by this issue.

~~~
mverwijs
Tried? Yes. Failed? Miserably.

I've happily used Horde for well over 5 years. I was really _really_ looking
forward to Horde4. Once it came out, I immediately tried it. Tried to install
it, that is. I failed. The lack of clear documentation combined with the dark
magic of php-pear kept me from migrating. And even when I did get it installed
I was unable to comprehend the UI. It completely changes depending on what
'application' you're using. There is no consistency.

E.g.: The calendar in Horde4. The interface completely changes into nothing
you've ever experienced. It's unrecognisable from the rest of Horde4.

I migrated to RoundCube + Plugins for calendar (caldav+davical) and
addressbooks (carddav + davical) and have been a happy, android syncing camper
ever since.

~~~
imr
php-pear dark magic is nothing compared to installing the framework libraries
from git! The pear.horde.org instructions fail to mention that you must
install horde/Horde_Role before any of the applications.

The UI is currently undergoing a rewrite, but the default interface can be
forced into the traditional view in the Horde configuration.

------
mlntn
"Horde backdoored" - Hey, that rhymes!

