In a blog post yesterday, SourceForge announced its reasons to pull the Linux-based Anonymous-OS from its available resources. SourceForge is a well-known hub in the open source community for providing a distribution point for numerous open source projects and tools.
The Anonymous-OS was first released on Tumblr Tuesday and was available in the SourceForge repository for awhile. Its creators claimed it was specifically crafted with tools for attacking and penetrating websites in the Anonymous fashion. However, the “official” (if you can use that word) Anonymous Twitter accounts have repeatedly posted messages disclaiming any affiliation with the group behind the OS and denounced it as “wrapped in Trojans.”
The BBC News had Trend Micro researcher Rik Ferguson poke around in the code. He reported that the Ubuntu-based distribution was a “functional OS” that includes pre-installed tools for cracking and anonymizing. However, he had not yet found any evidence of viruses or other malware.
Here is SourceForge’s take:
We looked at the project, and decided that although the name of the project was misleading (we see no evidence that it is connected with Anonymous) it appeared, on initial glance, to be a security-related operating system, with, perhaps, an attack-oriented emphasis. We have, in the past, taken a consistent stance on “controversial” projects - that is, we don’t pass judgement based on what’s possible with a product, but rather consider it to be amoral - neither good nor bad - until someone chooses to take action with it.
This is even discussed in our hosting documentation, in the terms of service.
However, as the day progressed, various security experts have had a chance to take a look at what’s really in this distribution, and verify that it is indeed a security risk, and not merely a distribution of security-related utilities, as the project page implies.
The post goes on to say that a lack of transparency is its primary reason for suspending the project and that as the creators have not been forthcoming with the source code “the result is that people are taking a substantial risk in downloading and installing this distribution.”
If there are any adventurous souls out there who have downloaded it out of curiosity and want to share your findings, let us know in the comments below.