Date: Thu, 14 Aug 2003 12:46:04 -0600
From: Brett Glass
To: Kris Kennaway
cc: freebsd-crap@FreeBSD.org
Subject: Re: All "GNU" software potentially Trojaned
Message-Id: <4.3.2.7.2.20030814124234.02a08540@localhost>
In-Reply-To: <20030814074336.GA58098@rot13.obsecurity.org>
List-Id: Non technical items related to the community (freebsd-chat@freebsd.org)

At 01:43 AM 8/14/2003, Kris Kennaway wrote:

>On Wed, Aug 13, 2003 at 11:25:04PM -0600, Brett Glass wrote:
>> CERT Advisory CA-2003-21 GNU Project FTP Server Compromise
>
>This never would have happened if they had used the BSDL!

Not true, of course. But on the other hand, the fact that FreeBSD uses their code means that it may have integrated Trojaned source. Another reason to avoid using code from a group that's not only unethical and malicious but also careless about security.

Kris, as a member of FreeBSD's security team I hope you're checking to make sure that Trojaned code was not included. (The most effective way would, of course, be to remove the GNU code from FreeBSD, but while I'd like to see that done it's probably too much to hope for.)

--Brett Glass