| |||||||||||||
|
| |||||||||||||
Another update on Fedora infrastructureAnother update on Fedora infrastructurePosted Aug 19, 2008 13:31 UTC (Tue) by sbergman27 (subscriber, #10767)Parent article: Another update on Fedora infrastructure
If and when they ever deign to let their users know what the problem is/was, it's going to be huge. No one would take everything down at once like this, and take a credibility hit of this magnitude unless they were fairly sure that the attacker had his tendrils intertwined in their infrastructure very deeply, indeed. Yeah, I know that the true fans will pat them on the back and say it was great that they responded so quickly. (Standard fall-back procedure.) Others will, understandably, wonder how such a thing was ever allowed to happen at all. Whatever is revealed, it's sure to be riveting.
(Log in to post comments)
Another update on Fedora infrastructure Posted Aug 19, 2008 14:30 UTC (Tue) by kragil (guest, #34373) [Link] Are the servers running fedora ?? I guess they are running RHEL .. that makes the exploit even scarier. ( OK .. might be wild speculation on my part ;) ) While I am speculating .. :) I also guess all the investment into SELinux did not help. Maybe AppAmor and/or Smack are better suited for human beings.
Gracious! Posted Aug 19, 2008 14:47 UTC (Tue) by dwheeler (guest, #1216) [Link] Again, let's give them credit; whatever the problem is, they are clearly taking it really seriously, as evidenced by the extraordinary steps they're taking. And we don't know if AppArmor (etc.) would have done any better. Generally Fedora/Red Hat work especially hard on preventing attack (see their SELinux work, stack protection, etc.); I think it's silly to imply that they don't take security seriously.Here's hoping that it's some sort of serious compiler bug, instead of an attack. However, while I don't have any inside information, I wouldn't bet on that. The sheer secrecy of details suggests a serious attack.
Gracious! Posted Aug 19, 2008 15:10 UTC (Tue) by kragil (guest, #34373) [Link] I'm sorry. Speculating is fun though. Maybe they introduced a trojan into the build sources for an update and Linus installed that update and then they changed the kernel source on Linus' box ( because he is running fedora, isn`t he. He shouldn`t say something like that by the way, makes him _obviously_ more vulnerable ;P ) and from now on all kernels will be exploitable by default... B) But seriously: I'm just kidding .. like I said: Speculating is fun.
Gracious! Posted Aug 19, 2008 16:23 UTC (Tue) by jengelh (subscriber, #33263) [Link] All this secrecy gets tiring. First the huge bubble about DNS, now Fedora. What I kinda miss in all of this mess is an informant leaking details ;-)
Gracious! Posted Aug 19, 2008 16:47 UTC (Tue) by mmcgrath (subscriber, #44906) [Link] Fedora said it: "We know the community is awaiting more detail on the past week's activities and their causes. We're preparing a timeline and details and will make them available in the near future. We appreciate the community's patience, and will continue to post updates to the fedora-announce-list as soon as possible." Paul has told us all that he's going to make this known in the near future. I know I'll be holding Fedora to that :)
Another update on Fedora infrastructure Posted Aug 19, 2008 16:40 UTC (Tue) by dowdle (subscriber, #659) [Link] As has been pointed out in a comment to a previous mention of an update notice... the most common thing it could be would be a compromised account of someone who had high administrative rights within their infrastructure. In security the weakest link is usually human and SELinux, AppArmor, etc can't defend against that... nor physical access. Of course I have no idea what the problem is/was. I think this is a testament to Fedora's ability to keep a tight lid on an issue... and keep it from leaking before they are ready to make an announcement. Great job guys!
Another update on Fedora infrastructure Posted Aug 19, 2008 16:51 UTC (Tue) by Sutoka (guest, #43890) [Link] This is what I was thinking. It wasn't that long ago that something similar happened in the Debian project, though that was 'only' a developer (and not an administrator IIRC). If one of the Fedora admins, say, had privileged login for several of the main fedora project servers saved on their laptop and then their laptop got stolen, the project may be taking all this as a precautionary attempt to change all their login/keys/etc and they're keeping quiet because they're hoping they can get everything before the person realizes what they got. Going further with this hypothetical, it's possible there were several days before the laptop being stolen and the Fedora projecting finding out so they may simply be worried that any would-be attackers were able to take any credentials on the laptop and spread to other parts of the system as well, and they're using this as an opportunity to do a *complete* audit/reinstalls/upgrades/etc. Then again, this is all speculation so I may be completely off.
Another update on Fedora infrastructure Posted Aug 20, 2008 1:12 UTC (Wed) by qg6te2 (guest, #52587) [Link] Yeah, I know that the true fans will pat them on the back and say it was great that they responded so quickly. (Standard fall-back procedure.) Others will, understandably, wonder how such a thing was ever allowed to happen at all.Assuming this is indeed a security problem, the real question to ask would be: if it happened to Fedora, is the infrastructure of Ubuntu, Debian or Suse also vulnerable? Even in the case that this "incident" was something highly specific to Fedora, we as a community can still learn from Fedora's experience.
Another update on Fedora infrastructure Posted Aug 20, 2008 3:10 UTC (Wed) by sbergman27 (subscriber, #10767) [Link] """ if it happened to Fedora, is the infrastructure of Ubuntu, Debian or Suse also vulnerable? """ We cannot know at this point because Fedora ain't talkin'. And usually Red Hat Legal must be consulted and hand down an opinion before they do.
Another update on Fedora infrastructure Posted Aug 20, 2008 6:14 UTC (Wed) by jd (guest, #26381) [Link] Standard tactics is to assume the worst and hope for the best. By that, I mean assume that all distros have a vulnerability that may permit root access to an outside user via a service likely to be run on the machine with the key change, but at the same time, don't panic and shut everything down. Use common sense. In this case, if you are running a mission-critical server that is exposed directly to the Internet (rather than via a proxy in a DMZ), double-check you have applied all relevant security updates, ensure unnecessary services are disabled (or run in a honeypot), do a quick check of your security logs for abnormal login failures, and run some auditing tools like SARA, TARA and Nessus. Perhaps get round to installing Tripwire as well. The less critical the server (either in and of itself, or what someone could do if they compromised it), the more of these you can skip and not look like a fool. Likewise, the more shielded it is from a direct attack, the more you should focus on the machines that are at real risk. The chances are good that it's not a genuine risk to other systems, that it's a lost/stolen key, some idiot blogged their password, or even that an admin found a keylogger on their machine that may have predated the last time they ssh'ed in. There are all kinds of "trivial" reasons for a deep clean that won't affect others. For that reason, getting anxious or in a panic won't help. However, there is always the possibility of a real flaw, so take measures that are appropriate to the systems you run. Beyond that, there is nothing you can do - other than cut the network cable or launch tac nukes at the power socket.
|
|
||||||||||||