An Ubuntu operating system developed under the auspices of the Anonymous movement has been taken down from SourceForge due to security concerns.
The operating system came preloaded with anonymity and hacking applications including ParaloaPass and Pyloris, which allow password-cracking, SQL injection and anonymous surfing via the Tor network.
The rare take-down followed a tweet circulating yesterday from popular Anonymous account AnonOps that claimed the AnonOS was "laced with trojans".
The creator of the operating system released a purported Rootkit Hunter log analysis of the system, said to show that AnonOS was free of Trojans and backdoors.
But SourceForge, which hosted the project, removed the operating system from its site citing "security concerns" raised in a BBC story.
"As the day progressed, various security experts have had a chance to take a look at what's really in this distribution, and verify that it is indeed a security risk, and not merely a distribution of security-related utilities, as the project page implies," SourceForge said in a statement.
Trend Micro director of security research Rik Ferguson told the BBC he had not established whether the operating system was "booby trapped" with trojans or backdoors.
Similar news coverage of the operating system had merely flagged the potential for it to be a security risk because its source code was not open.
SourceForge, too, flagged concerns about the lack of openess in the project.
"SourceForge, and the Open Source community as a whole, values transparency, particularly where issues of security are involved," the organisation said.
"This project isn't transparent with regard to what's in it.
"It is critical that security-related software be completely open to peer review (i.e., by providing source code), so that risks may be assessed along with benefits.
"That is not available in this case, and the result is that people are taking a substantial risk in downloading and installing this distribution."
SourceForge said the offending security components in AnonOS – also common in platforms such as BackTrack – did not breach its terms and conditions.
"We have, in the past, taken a consistent stance on 'controversial' projects - that is, we don't pass judgement based on what's possible with a product, but rather consider it to be amoral - neither good nor bad - until someone chooses to take action with it."
SourceForge also claimed the project had taken on an "intentionally misleading name" which attempted to "capitalise on the press surrounding a well-known movement in order to push downloads of a project that is less than a week old".
Yet the Anonymous collective was a leaderless movement, illustrated by its popular mantra "we are all Anonymous".
Sophos chief technology officer Paul Ducklin said yesterday examining the security integrity of the system would be complex.
He said users should use more established Linux operating systems.
"Why would you download this when there are more trusted quality systems available?" he said.
Some 40,000 users had downloaded the operating system as of Friday afternoon.
Copyright © SC Magazine, Australia
Issue: 342 | September 2015