News/Announcements
Old News Archive
Posted by Syzop on June 14, 2010, 3:36 pm EDT
After receiving many questions of what we are doing with regards to the hack incident, here's my reply:
First, we now PGP/GPG sign releases. Our GPG key is releases@unrealircd.com (0x9FF03937). When downloading UnrealIRCd you will be given instructions on how to verify the integrity of the file.
Second, we're now isolating/shielding the main site from the rest, and making parts unmodifiable, to prevent catastrophes in case of a break-in.
Third, we added several methods of detection when files and other data is modified.
Fourth, we'll only serve the files from the main site for now. While the mirror admins did not have any blame in this, it does mean we only have to protect our own site(s).
And finally we did some other things which I won't mention here.
In short: we've really tightened security since the break-in to make sure this will never ever happen again. As you may understand, we really can't afford a repeat of this incident.
On an unrelated side note, I find the claims in various media that this security incident indicates that Linux and Open Source cannot be trusted and that Microsoft and closed-software is better really silly. It lacks any foundation. A hacker, once in, could just as easily have inserted the backdoor in Windows software. In fact, it is *THANKS* to it being Open Source that this backdoor got noticed, though - I fully agree - much too late.
First, we now PGP/GPG sign releases. Our GPG key is releases@unrealircd.com (0x9FF03937). When downloading UnrealIRCd you will be given instructions on how to verify the integrity of the file.
Second, we're now isolating/shielding the main site from the rest, and making parts unmodifiable, to prevent catastrophes in case of a break-in.
Third, we added several methods of detection when files and other data is modified.
Fourth, we'll only serve the files from the main site for now. While the mirror admins did not have any blame in this, it does mean we only have to protect our own site(s).
And finally we did some other things which I won't mention here.
In short: we've really tightened security since the break-in to make sure this will never ever happen again. As you may understand, we really can't afford a repeat of this incident.
On an unrelated side note, I find the claims in various media that this security incident indicates that Linux and Open Source cannot be trusted and that Microsoft and closed-software is better really silly. It lacks any foundation. A hacker, once in, could just as easily have inserted the backdoor in Windows software. In fact, it is *THANKS* to it being Open Source that this backdoor got noticed, though - I fully agree - much too late.
Posted by Syzop on June 12, 2010, 3:42 pm EDT
All our releases are from now on signed with GnuPG (PGP) again. Our key is called releases@unrealircd.com (0x9FF03937).
The next few days people will be signing this key to reflect the trusted nature of it.
Once you start a download you'll see instructions on how to verify a release.
The next few days people will be signing this key to reflect the trusted nature of it.
Once you start a download you'll see instructions on how to verify a release.
Posted by Syzop on June 12, 2010, 5:17 am EDT
Hi all,
This is very embarrassing...
We found out that the Unreal3.2.8.1.tar.gz file on our mirrors has been replaced quite a while ago with a version with a backdoor (trojan) in it.
This backdoor allows a person to execute ANY command with the privileges of the user running the ircd. The backdoor can be executed regardless of any user
restrictions (so even if you have passworded server or hub that doesn't allow any users in).
It appears the replacement of the .tar.gz occurred in November 2009 (at least on some mirrors). It seems nobody noticed it until now.
Obviously, this is a very serious issue, and we're taking precautions so this will never happen again, and if it somehow does that it will be noticed quickly.
We will also re-implement PGP/GPG signing of releases. Even though in practice (very) few people verify files, it will still be useful for those people who do.
Safe versions
==============
Official precompiled Windows (SSL and non-ssl) binaries are NOT affected.
CVS is also not affected.
3.2.8 and any earlier versions are not affected.
Any Unreal3.2.8.1.tar.gz downloaded BEFORE November 10 2009 should be safe, but you shou ... (Read More)
This is very embarrassing...
We found out that the Unreal3.2.8.1.tar.gz file on our mirrors has been replaced quite a while ago with a version with a backdoor (trojan) in it.
This backdoor allows a person to execute ANY command with the privileges of the user running the ircd. The backdoor can be executed regardless of any user
restrictions (so even if you have passworded server or hub that doesn't allow any users in).
It appears the replacement of the .tar.gz occurred in November 2009 (at least on some mirrors). It seems nobody noticed it until now.
Obviously, this is a very serious issue, and we're taking precautions so this will never happen again, and if it somehow does that it will be noticed quickly.
We will also re-implement PGP/GPG signing of releases. Even though in practice (very) few people verify files, it will still be useful for those people who do.
Safe versions
==============
Official precompiled Windows (SSL and non-ssl) binaries are NOT affected.
CVS is also not affected.
3.2.8 and any earlier versions are not affected.
Any Unreal3.2.8.1.tar.gz downloaded BEFORE November 10 2009 should be safe, but you shou ... (Read More)
Posted by Syzop on February 28, 2010, 1:28 pm EST
Just wanted to drop a note that if anyone is experiencing problems like this (also called Firefox XPS IRC Attack). Then this is what I suggest you do:
1. If not done so already, then compile UnrealIRCd with NOSPOOF (spoof protection) enabled, on *NIX this is the first question asked during ./Config, on Windows it is always enabled.
2. I've released a nopost module which will kill/zline/etc such connections. http://www.vulnscan.org/UnrealIRCd/modu ... ost.tar.gz
You can do #2 without #1, and #1 without #2, but if you're really under attack then combining them is most effective.
1. If not done so already, then compile UnrealIRCd with NOSPOOF (spoof protection) enabled, on *NIX this is the first question asked during ./Config, on Windows it is always enabled.
2. I've released a nopost module which will kill/zline/etc such connections. http://www.vulnscan.org/UnrealIRCd/modu ... ost.tar.gz
You can do #2 without #1, and #1 without #2, but if you're really under attack then combining them is most effective.
Posted by Syzop on February 22, 2010, 1:33 pm EST
The UnrealIRCd team- and support-channels on IRC have moved to their own network (rather than using IRCSystems). The URI is still irc://irc.unrealircd.org/
The support channel is still #unreal-support too, however the development channel has been split: #unreal3-devel for 3.2* development and #unreal4-devel for 4.* development.
The support channel is still #unreal-support too, however the development channel has been split: #unreal3-devel for 3.2* development and #unreal4-devel for 4.* development.
Posted by Stealth on January 6, 2010, 2:36 pm EST
Unreal 4 is coming along slowly but surely. There is a lot of work that still needs to be done, and we only have 1 coder working on it.
Currently we have a somewhat functional core that compiles, allows connections, provides basic commands and the ability to join channels. However, even though we have a mostly functioning core, we are still a long way off from having a core that provides all the basic IRC functions.
If you're a C++ coder and would like to help out, stop by #Unreal-Devel on irc.unrealircd.com and we'll help you get up to date on what is done and what still needs doing. If you would like to download the code we have so far, you can access our mecurial repository at http://ohnopub.net/hg/unrealircd-cpp/
Currently we have a somewhat functional core that compiles, allows connections, provides basic commands and the ability to join channels. However, even though we have a mostly functioning core, we are still a long way off from having a core that provides all the basic IRC functions.
If you're a C++ coder and would like to help out, stop by #Unreal-Devel on irc.unrealircd.com and we'll help you get up to date on what is done and what still needs doing. If you would like to download the code we have so far, you can access our mecurial repository at http://ohnopub.net/hg/unrealircd-cpp/
