[LAU] Ardour.org hacked...

R. Mattes rm at mh-freiburg.de
Thu Mar 7 14:34:04 UTC 2013


On Thu, 7 Mar 2013 15:14:42 +0100, Nick Copeland wrote
> > Of course you can also always compile from source:
> > http://ardour.org/building_linux.html
>
> So if the ardour site was hacked then is there not a possibility that the source
> code has been compromised too?

Of course. It'll be as vulnerable as the compiled ardour you download from
a hacked server ;-)

> Is the code signed? 

Probably not. It might be possible to provide checksums (which you would have to
communicate over a secure channel ...) but in the presence of line-end conversion
et al. even that is non-trivial.

> What I am getting at is that if you install ardour using a root account but the 
> version you are installing is maliciously compromised then your system can
> become pwned.

Yes. That's pretty obvious. Almost the same is true for non-root installs as well.
Just install a background process that logs all X-events (key-down ...) and you'll
be able to get root access.

If you want protection against this kind of exploit you pretty much need to audit your
code base or use distributions that use signed packages. Trust your distribution or
audit; those are the only options you have.

> I doubt this since if I wanted to own a few systems then I would not leave the
> hack evident but Linux is very close to some large exploits due to the nature
> of distributed and weakly protected code.

Which distribution _doesn't_ sign its packages? What code is weakly protected?
Even most major download/DVCS sites use secure communication channels these days
(https). The problem is the naive assumption that self-compiled code would be more
secure. Not a Linux problem, I'd say ...


 Cheers Ralf Mattes



> Regards, nick.

--
 R. Mattes -
 Hochschule fuer Musik Freiburg
 rm at inm.mh-freiburg.de



More information about the Linux-audio-user mailing list
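The checksum point made in the reply above (a digest only helps if it arrives over a channel the compromised server does not control, and line-ending conversion in transit breaks a naive byte-for-byte digest) is shown below as an added example. This is not code from the thread or from the Ardour project; the "source tree", the tampered copy and the digests are all constructed for illustration, and the two-file tree stands in for a real tarball.

```python
"""Out-of-band checksum verification of a source tree, and why line-ending
conversion breaks a naive byte-for-byte digest.  Added example: not code from
the thread or from the Ardour project; the "source tree" below is constructed."""
import hashlib
import hmac
from typing import Dict

# Constructed stand-in for a downloaded source tree (path -> file bytes).
# These are not real Ardour files.
SOURCE_TREE: Dict[str, bytes] = {
    "wscript": b"#!/usr/bin/env python\nAPPNAME = 'example'\n",
    "libs/session.cc": b"#include \"session.h\"\n\nint Session::start() { return 0; }\n",
}


def to_crlf(data: bytes) -> bytes:
    """Simulate a transfer or checkout that rewrites LF line endings as CRLF."""
    return data.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")


def normalize_eol(data: bytes) -> bytes:
    """Map CRLF and bare CR to LF so that only the line-ending style is ignored."""
    return data.replace(b"\r\n", b"\n").replace(b"\r", b"\n")


def tree_digest(tree: Dict[str, bytes], normalize: bool = False) -> str:
    """SHA-256 over a canonical serialisation of the whole tree.

    Paths are sorted and every field is length-prefixed, so moving bytes
    between a path and its contents (or between two files) changes the hash.
    """
    h = hashlib.sha256()
    for path in sorted(tree):
        data = normalize_eol(tree[path]) if normalize else tree[path]
        p = path.encode("utf-8")
        h.update(len(p).to_bytes(4, "big"))
        h.update(p)
        h.update(len(data).to_bytes(4, "big"))
        h.update(data)
    return h.hexdigest()


def verify(tree: Dict[str, bytes], published_digest: str, normalize: bool = False) -> bool:
    """Compare against a digest obtained over a channel the attacker does not
    control (e.g. a signed announcement mail), never from the same web server
    that served the archive.  Constant-time comparison avoids leaking how many
    leading hex digits of a guess match."""
    return hmac.compare_digest(tree_digest(tree, normalize), published_digest)


def tampered_copy(tree: Dict[str, bytes]) -> Dict[str, bytes]:
    """A copy with one extra line appended to a source file (constructed)."""
    t = dict(tree)
    t["libs/session.cc"] += b"/* line added by an attacker */\n"
    return t


def crlf_copy(tree: Dict[str, bytes]) -> Dict[str, bytes]:
    """The same tree after every file has had its LF endings rewritten as CRLF."""
    return {p: to_crlf(d) for p, d in tree.items()}


if __name__ == "__main__":
    # What a maintainer would publish out of band for the pristine tree.
    published_raw = tree_digest(SOURCE_TREE)
    published_norm = tree_digest(SOURCE_TREE, normalize=True)
    print("pristine copy, raw digest     :", verify(SOURCE_TREE, published_raw))
    print("CRLF copy, raw digest         :", verify(crlf_copy(SOURCE_TREE), published_raw))
    print("CRLF copy, normalized digest  :", verify(crlf_copy(SOURCE_TREE), published_norm, normalize=True))
    print("tampered copy, normalized     :", verify(tampered_copy(SOURCE_TREE), published_norm, normalize=True))
```

The raw digest rejects a copy whose only change is CRLF line endings, which is the "non-trivial" part the reply refers to; normalising line endings before hashing fixes that but also means an attacker can change line endings undetected (harmless for C sources, less so for a shell script whose shebang line gains a trailing carriage return). Either way the published digest is only worth something if it reached you by a route other than the hacked site, which is exactly the gap that distribution package signatures close: the signature travels with the package, and trust rests on the distribution's signing key instead of on a second channel.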