Story from Open Source at SFSU
SquirrelMail: An example of security lapse and recovery in FOSS applications
Submitted by sverma on Tuesday, December 18, 2007 - 20:08 Code

Towards the end of last week the SquirrelMail team posted information on their site about a compromise to the main repository of SquirrelMail. Two versions were compromised - 1.4.11 and 1.4.12. The breach and poisoning were detected by a mismatch in the digital signatures, which are generated before the upload to a repository. Because the code was poisoned after it was originally uploaded to the repository, the digital signature (an MD5 checksum) did not match the original. A clean version - version 1.4.13 - is now available.

This goes to show that, even with the code out there in the open, digital signatures via MD5 or SHA1 can be used effectively to discover break-ins and compromises. We also see a case where the breach was reported as soon as it was detected and remedied in a matter of a few days. I would be very surprised if we saw similar behavior from a proprietary software package. In a similar vein, I often get questions in my classes about security through obscurity - the idea that because FOSS code is readily available, it can be broken easily. To some extent that is true; however, the same openness affords the community a large set of eyeballs that will eventually lead to the detection of breaches such as this one and to their timely resolution. See Security through Obscurity at Wikipedia for more on this topic.
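The detection described above boils down to comparing the digest recorded before upload with the digest of what is actually served. The following added example (not SquirrelMail's code; the release bytes are constructed stand-ins) shows that check, and also the caveat that a digest fetched from the same compromised host proves nothing:

```python
import hashlib
import hmac

# Constructed stand-in for a release tarball; not the real SquirrelMail bytes.
CLEAN_RELEASE = b"squirrelmail-1.4.x.tar.gz (constructed sample bytes)\n" * 4
# Constructed tampering: content appended as if injected after the upload.
TAMPERED_RELEASE = CLEAN_RELEASE + b"# constructed post-upload modification\n"


def publish_digests(data: bytes) -> dict:
    """Digests the maintainer computes *before* upload and keeps out of band.

    MD5 and SHA1 match what the post describes; SHA-256 is added because
    both older algorithms are considered weak against deliberate collisions.
    """
    return {algo: hashlib.new(algo, data).hexdigest()
            for algo in ("md5", "sha1", "sha256")}


def verify_release(data: bytes, published: dict) -> list:
    """Return the algorithms whose recomputed digest differs from the published one.

    An empty list means every published digest matched.
    """
    mismatches = []
    for algo, expected in published.items():
        actual = hashlib.new(algo, data).hexdigest()
        # compare_digest avoids leaking where the strings first differ.
        if not hmac.compare_digest(actual, expected):
            mismatches.append(algo)
    return mismatches


def digests_from_compromised_host(tampered: bytes) -> dict:
    """Caveat: if the digest file lives on the same poisoned server, an intruder
    can regenerate it to match the tampered bytes, and verification passes."""
    return publish_digests(tampered)


if __name__ == "__main__":
    trusted = publish_digests(CLEAN_RELEASE)          # recorded before upload
    print("clean tarball:", verify_release(CLEAN_RELEASE, trusted))
    print("poisoned tarball:", verify_release(TAMPERED_RELEASE, trusted))
    same_host = digests_from_compromised_host(TAMPERED_RELEASE)
    print("poisoned tarball, digest from same host:",
          verify_release(TAMPERED_RELEASE, same_host))
```

The last line of output is the reason the SquirrelMail detection worked at all: the reference digests existed before the repository was touched, so they could not be rewritten along with the code.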

Note: To see how MD5 works in detail, go to http://nsfsecurity.pr.erau.edu/crypto/md5.html (hard math alert!)
This website runs on Drupal, an open source content management system available at http://drupal.org/. All content posted here is the property of individual posters.

This website is hosted at:

San Francisco State University, 1600 Holloway Avenue, San Francisco, CA 94132 USA