CGAL users discussion list

[maurice oustache <>]

Dear CGAL users,

it seems that the GhostNet spying operation, http://en.wikipedia.org/wiki/Ghostnet ,
discovered  by the  Munk Center for International Studies at the University of Toronto,
mainly infiltrated machines through the trojan horses of Open Source Software 
projects. 

Our organization (DST) downloaded and analyzed several software packages,
where French research labs like INRIA are implied, and we discovered that 
among several other projects the CGAL project was chosen as a vector of infection, 
probably due to its worldwide users.

The file CGAL/basic.h  contains some "invisible" code, which, when compiled, every 
time an application  that includes the header file is executed, sends sensible 
information about the environment of the running application via UDP broadcasts
(in order not to reveal a fixed destination IP address). 


Malgre the source code distribution, not even the developers were aware of it
(Last night we interrogated several developers at Inria and GeometryFactory). The 
reason is simple: CGAL/basic.h is not just plain ascii but encoded in UTF-EBDIC,
which makes that the subtext is not displayed in development environnements
like emacs, vim, DeveloperStudio ou Eclipse. In fact, we discovered it when
we loaded the header file in the text editor of DerriereLaLune, the French fork 
of Eclipse.


We *urge* you to replace CGAL-3.4/include/CGAL/basic.h with the attached clean
version in order to avoid further problems with GhostNet.


Cordialement,

Maurice Oustache 
http://www.linkedin.com/in/mauriceoustache

Attachment: basic.h
Description: Binary data