SourceForge pulls Anonymous OS due to ‘security risk’
The site distributing the questionable operating system has removed it from the site just one day after launch.
SourceForge prides itself on its lack of judgement on the internet, but even it has drawn the line with the operating system, reportedly launched by hacktivist group Anonymous.
Yesterday, the site began hosting the file for users to download the Linux-based OS, which some claimed to be the work of Anonymous, designed to help get around security protections and increase the capabilities of its hacker followers.
Today has seen SourceForge remove the file and release a statement claiming it now believes it is a security risk.
“We looked at the project and decided that although the name of the project was misleading (we see no evidence that it is connected with Anonymous) it appeared, on initial glance, to be a security-related operating system, with, perhaps, an attack-oriented emphasis,” read a blog post from the website’s team.
“However, as the day progressed, various security experts have had a chance to take a look at what’s really in this distribution, and verify that it is indeed a security risk, and not merely a distribution of security-related utilities, as the project page implies.”
The blog added: “We have therefore decided to take this download offline and suspend this project until we have more information that might lead us to think differently. We’ll be in touch with the project admin, and let you know if and when we find out anything to contrary, but for now, that’s what we’re doing.”
Despite SourceForge’s decision, which wasn’t taken lightly due to its “struggle with taking a project offline,” the jury is still out on whether the OS is a risk to users downloading it.
Graham Cluley, senior technology consultant at Sophos, told IT Pro yesterday that users should be wary of the software, claiming it might even be used by Federal authorities to track user activity.
However, Rik Ferguson, director of security research for Trend Micro, told us today he saw little threat from the OS.
“I haven’t seen any evidence of malicious activity within the OS yet,” he said. “It’s just basically a (very) poor-man’s Backtrack.”
SourceForge is sticking by its decision for now, but has said it will keep an eye on the OS in case it becomes viable to distribute again.
“We always struggle with taking a project offline, even one that seems, on the face of it, to need it,” added the blog. “The reason for this is that we have been entrusted with thousands of projects, by thousands of developers, and we are always at risk of making a judgement about a project that looks malicious, and isn’t.”
“We don’t want to forfeit the trust of the developer community in exchange for the trust of the user community, or vice versa. It’s a tightrope we must walk every time we encounter a project that seems a little suspicious.”
SourceForge concluded: “We believe that this is the right decision in this case, but will continue to dig into it, to ensure that we’ve gone the right direction.”