
Gentoo rsync server compromised

The Gentoo Project has sent out an alert to the effect that one of the servers which makes up rsync.gentoo.org has been compromised. "However, the compromised system had both an IDS and a file integrity checker installed and we have a very detailed forensic trail of what happened once the box was breached, so we are reasonably confident that the portage tree stored on that box was unaffected." Gentoo users may have gotten off relatively easy, as Debian's users did before. At this point, however, it is clear that the level of attacks on the free software community's infrastructure is increasing. Be careful out there.
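The alert's confidence rests on the file integrity checker: a baseline of what the tree looked like before the breach, diffed against the live tree afterwards. As an added example, not code from Gentoo, LWN or the compromised host, here is a minimal checker of that kind in Python; the directory names and file contents are constructed for the example and only mimic a portage mirror's layout.

```python
# Added example (not Gentoo's or LWN's code): a minimal file-integrity checker.
# It records a baseline manifest of a tree (SHA-256, permission bits and size
# per regular file) and later diffs the live tree against that baseline, which
# is the kind of evidence that lets an admin say "the tree was unaffected".
import hashlib
import tempfile
from pathlib import Path


def hash_file(path, chunk_size=65536):
    """SHA-256 of a file's contents, read in chunks so large files are fine."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root):
    """Map each regular file (relative POSIX path) to (sha256, mode bits, size).

    Symlinks are skipped rather than followed, so a planted link cannot point
    the checker at an untouched copy elsewhere on disk.
    """
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue
        st = path.stat()
        rel = path.relative_to(root).as_posix()
        manifest[rel] = (hash_file(path), st.st_mode & 0o7777, st.st_size)
    return manifest


def compare_manifests(baseline, current):
    """Report paths that appeared, disappeared, or changed in content/mode/size."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        rel for rel in baseline.keys() & current.keys() if baseline[rel] != current[rel]
    )
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Build a constructed sample tree, baseline it, alter it, and diff.

    The layout only mimics a portage mirror; every file here is made up.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        pkg = root / "app-misc" / "foo"
        pkg.mkdir(parents=True)
        (pkg / "foo-1.0.ebuild").write_text("# constructed ebuild\nSRC_URI=\"foo-1.0.tar.gz\"\n")
        (pkg / "metadata.xml").write_text("<pkgmetadata/>\n")
        (pkg / "Manifest").write_text("constructed manifest line\n")
        baseline = build_manifest(root)

        # Four kinds of change a post-incident check should surface:
        (pkg / "foo-1.0.ebuild").write_text("# constructed ebuild\n# altered line\n")  # content changed
        (pkg / "metadata.xml").chmod(0o755)   # only the permission bits changed
        (pkg / "Manifest").unlink()           # file removed
        (pkg / "foo-1.1.ebuild").write_text("# new file\n")  # file added

        return compare_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9s} {paths}")
```

The baseline is only worth as much as its storage: keep it off the monitored host (or at least on read-only media) so an intruder with root cannot rewrite it to match their changes, and compare mode bits as well as content, since a permission change with no content change is a classic thing a pure checksum list misses.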

So who is targeting the Linux distributions?

Posted Dec 3, 2003 11:50 UTC (Wed) by sphealey (guest, #1028) [Link]

First Debian, now Gentoo. Who is targeting the Linux distributions for attack, and why? Assuming one has found a juicy attack vector, the distribution orgs would have to be one of the least profitable targets. Unless the attacker either has an ulterior motive, or a very long-range plan.

So what's going on?

sPh

So who is targeting the Linux distributions?

Posted Dec 3, 2003 11:57 UTC (Wed) by lolando (subscriber, #7139) [Link]

> First Debian, now Gentoo.

I suppose you mean "First GNU, then Linux, then Debian, then Gentoo."

Or should we include SCO in there too? ;-)

So who is targeting the Linux distributions?

Posted Dec 3, 2003 12:00 UTC (Wed) by miah (guest, #639) [Link]

I've been wondering about this for a little while too... It seems strange that all this happened so close together. I'd say somebody is definitely targeting linux.

ftp.gnu.org got owned
somebody tried to backdoor the kernel
debian servers got owned
gentoo server got owned...

What's next?

So who is targeting the Linux distributions?

Posted Dec 3, 2003 12:12 UTC (Wed) by amtota (guest, #4012) [Link]

conspiracy theory #1: microsoft has just announced that they would counter attack linux on security ... see headlines from last week.

So who is targeting the Linux distributions?

Posted Dec 4, 2003 6:32 UTC (Thu) by davidl (guest, #12156) [Link]

Well it wouldn't surprise me. Microsoft see free software and the free software projects as the real threat.

So who is targeting the Linux distributions?

Posted Dec 3, 2003 13:55 UTC (Wed) by freethinker (guest, #4397) [Link]

> What's next?

Why, LWN, of course, so people won't get these warnings :)

So who is targeting the Linux distributions?

Posted Dec 3, 2003 15:03 UTC (Wed) by sdoyon (subscriber, #4221) [Link]

Erm well, http://savannah.gnu.org says
"On December 1st, 2003, we discovered that the "Savannah" system, which
is maintained by the Free Software Foundation and provides CVS and
development services to the GNU project and other Free Software
projects, was compromised at circa November 2nd, 2003.

The compromise seems to be of the same nature as the recent attacks on
Debian project servers; the attacker seemed to operate identically.
However, this incident was distinctly different from the modus
operandi we found in the attacks on our FTP server in August 2003. We
have also confirmed that an unauthorized party gained root access and
installed a root-kit ("SucKIT") on November 2nd, 2003."

So who is targeting the Linux distributions?

Posted Dec 17, 2003 7:55 UTC (Wed) by wookey (subscriber, #5501) [Link]

One thing that may well contribute to a lot of attacks close together is that once you've sniffed a Debian Developer's password you have a good chance of using it to get into more than one machine. A lot of people use the same password in multiple places, even knowing it's poor practice, because there's a limit to how many you can remember.

Quite a few passwords and keys could have become compromised in the Debian attack, and whilst we are all supposed to change all our affected passwords and keys on all the machines we use it's easy to forget one on some obscure box you haven't used for ages or otherwise leave a crack in a door somewhere, especially when multiplied by 1000 people, even if they are all essentially reasonably competent.

I wouldn't be surprised if there are more break-ins using the info gleaned from this one (and maybe gentoo's). This would be a factor in the apparent clustering of attacks.

So who is targeting the Linux distributions?

Posted Dec 3, 2003 12:34 UTC (Wed) by marduk (subscriber, #3831) [Link]

Could this be that they all share the same vulnerability (in Linux) and crackers are just going after that vulnerability. In other words, maybe there's no conspiracy it's just that those are easy and obvious targets.

So who is targeting the Linux distributions?

Posted Dec 3, 2003 12:48 UTC (Wed) by ken_i_m (guest, #4938) [Link]

First the kernel cvs, then Debian, then Gentoo.

"I cracked debian.org, and for $10,000, I'll crack the Linux 2.4 server of your choice."

Posted Dec 3, 2003 12:53 UTC (Wed) by sethg (guest, #14970) [Link]

I know a number of laid-off hackers who have invested time in open-source development or other community-service programming projects, hoping that these projects will make them more likely to catch the attention of potential employers. Maybe the slow economy has made the computer-crime business harder, and driven some of the brighter crooks to make similar demonstrations of their skills.

(Note that in all of these cases, unlike the recent spate of Windows worms, the author of the exploit was using it against a high-profile server and tried to remain undetected, rather than distributing the exploit widely in a way that would make the news by bringing down a large number of machines.)

Or maybe it's a pure ego thing. If I were the sort of person who liked to break into other people's computers, and I figured out how to break into a server for a major Linux distribution, I would feel extremely 31337.

Either of these things is more likely, I think, than a shadowy anti-Linux campaign by Microsoft.

"I cracked debian.org, and for $10,000, I'll crack the Linux 2.4 server of your choice."

Posted Dec 3, 2003 14:31 UTC (Wed) by bex (guest, #16960) [Link]

Does it have to be a shadowy MicroSoft campaign? I'm pretty sure there's more than one company or even group of people out there who'd like to see the end of OSS (or maybe just linux).
At least they don't seem to be smart enough to entirely evade detection :)

So who is targeting the Free software community?

Posted Dec 3, 2003 22:12 UTC (Wed) by Tashlan (guest, #17277) [Link]

Didn't Microsoft go around pointing at the accessibility of GNU/Linux code as part of their FUD campaign? If I remember correctly, they were asserting that businesses couldn't risk switching to Linux because it would be too easy for someone to backdoor the code.

Also, add to the list- SCO FUD, Microsoft to counter Security "attack", GNU, kernel, Debian, Gentoo...

An interesting convergence of events to say the least!

So who is targeting the Linux distributions?

Posted Dec 5, 2003 4:54 UTC (Fri) by psharboneaux (guest, #12543) [Link]

Let's face it. Now that Linux is on the rise in popularity, it is going to be the target of exploit attacks just for fun, the same way exploiting vulnerabilities is done for fun in Windows. It was bound to happen anytime now...

Gentoo rsync server compromised

Posted Dec 3, 2003 13:37 UTC (Wed) by einstein (subscriber, #2052) [Link]

Many seem to be poo-pooing the idea that microsoft would ever have anything to do with trying to make linux look bad.

To them I say, wake up and smell the homeless - a cursory glance at microsoft's track record shows that they love dirty tricks.

Do you really think that an organization like microsoft, with their massive financial resources, their frantic desire to kill linux, and their slimy past record, would never encourage, or fund something like this?

Gentoo rsync server compromised

Posted Dec 3, 2003 13:58 UTC (Wed) by piman (subscriber, #8957) [Link]

Microsoft loves dirty, barely legal (or sometimes, depending on the judge, barely illegal) tricks. These are blatantly illegal. I don't know of any point in MS's history where they've hired black hats, rather than marketers, to take down competition.

M$ and illegal or unethical behavior

Posted Dec 3, 2003 14:08 UTC (Wed) by newren (subscriber, #5160) [Link]

>I don't know of any point in MS's history where they've hired black hats, rather than marketers, to take down competition.

Yes, but the question remains of whether M$ hasn't done any such thing or whether it simply means that they didn't get caught. While they have been caught for an astoundingly large number of dirty tricks, it makes one wonder what they've also gotten away with.

M$ and illegal or unethical behavior

Posted Dec 3, 2003 14:44 UTC (Wed) by freethinker (guest, #4397) [Link]

Plausible deniability. Strictly limited to a few high ranking executives. Work hired anonymously. Could be done, with enough money. Might even be a private project of one executive, without corporate knowledge.

Or, of course, it might just be one guy doing it for fun, or to give us all a wake-up call. Who knows?

I doubt it is Microsoft, actually. They aren't desperate enough, yet. They still think they can win with FUD and marketing and SCO.

M$ and illegal or unethical behavior

Posted Dec 3, 2003 15:05 UTC (Wed) by freethinker (guest, #4397) [Link]

Hmm, on second thought, I retract that. The person or people doing the work could be caught, and even if they didn't know who hired them, just their assertion that they had been hired would be enough to raise an unholy stink.

M$ and illegal or unethical behavior

Posted Dec 4, 2003 0:52 UTC (Thu) by jtc (guest, #6246) [Link]

Perhaps I'm missing something, but it seems to me that these attacks did not do a great deal of harm (besides temporarily wasting some people's time and resources). Even if MS was slimy enough to do this, I doubt whether they would regard the reward vs the risk worthwhile.

No, they wouldn't

Posted Dec 3, 2003 14:02 UTC (Wed) by sphealey (guest, #1028) [Link]

No, they wouldn't. Maybe 20 years ago when they were just ramping up - small tech organizations tend to do "clever" stuff like that. But the stakes for a $40b company are so high that they would not, ever. Criminal prosecution would result, and lawsuits by the attacked organization would clean out that cash horde in a minute.

sPh

Very unlikely

Posted Dec 3, 2003 14:09 UTC (Wed) by proski (subscriber, #104) [Link]

I don't think a Fortune 500 company would do anything illegal for PR purposes. The implications of being caught are overwhelming compared to the gain from the FUD campaign, even if multiplied by the probabilities (search Google for "mathematical expectation"). Large companies are very risk averse. If they break the law, they are dealing with billions of dollars. And it's never obvious for competitors. Think Worldcom.

Very likely

Posted Dec 3, 2003 14:40 UTC (Wed) by allesfresser (subscriber, #216) [Link]

When a corporation has been prosecuted by the U.S. government and gotten away with a slap on the wrist (if that), why should they be worried about something that they know would never be prosecuted by anybody, especially if they have a proxy do it for them?

Microsoft is plenty arrogant enough to do something like this. I'm not accusing them of doing it (since I have no direct evidence to that effect), but if it turned out that there were some communications from someone up there in Redmond that had something to do with getting the ball rolling with these attacks, I wouldn't be even a tiny bit surprised. But of course, I doubt we'll ever find out for sure.

Very likely

Posted Dec 3, 2003 15:49 UTC (Wed) by piman (subscriber, #8957) [Link]

There is a large difference, both legally and from a business sense, between abusing a monopoly and repeatedly committing server cracks. The former gets you fines or broken up (in both cases, you still make money, often more money); the latter gets you shut down.

The traditional way for Microsoft to attack a competitor (and a much safer way) is to pump millions of dollars of marketing into a negative publicity campaign -- and they've had some success doing that via SCO recently. I don't see why they'd turn to something as stupid as server cracks.

This is one of the worst conspiracy theories ever.

Very unlikely

Posted Dec 3, 2003 15:40 UTC (Wed) by valiant (guest, #17373) [Link]

I too believe that Microsoft involvement is highly unlikely. I know MS has a flair for courtroom theatrics, but this is a whole different animal that MS would not dare to do given its current DOJ re-evaluation of the antitrust case. No, I am sure MS is far clear of this one and any like it.

Gentoo rsync server compromised

Posted Dec 3, 2003 14:10 UTC (Wed) by Zakaelri (guest, #15087) [Link]

I think that all of these security breaks are actually A Good Thing (tm) for Linux and its community. Maybe it's just me.

Let's see if this logic is sound:

  1. The more hack attempts on our boxes, the harder and more often the software gets tested.
  2. The more often the software gets tested, the easier it is to find bugs in said software.
  3. Given that the OSS Methodology keeps working as it has, more bugs found means more bugs fixed.

Basically, we could (and most likely will) use this to our advantage to keep our software `on top'. ;)

I will say, though, that it is weird how so many `important' boxes were attacked in such short order.

Gentoo rsync server compromised

Posted Dec 3, 2003 14:23 UTC (Wed) by euvitudo (subscriber, #98) [Link]

To add to, or maybe rephrase, your comment:

I think the "Good Thing" will be the speed of the response and corresponding fix to these problems. Corporations such as MS, who emit a continuous stream of press releases saying they are addressing the problems, or saying that their product is the most secure while ignoring the problem, will begin to look silly. The faster the response and fix to the problem, the more likely future users of Linux, and FOSS in general, will see that the FOSS community are serious about their security, and hence the more likely they will consider FOSS for their computing solutions.

Cheers!

Gentoo rsync server compromised

Posted Dec 4, 2003 0:56 UTC (Thu) by jtc (guest, #6246) [Link]

Sort of like a hydra, eh?

Gentoo rsync server compromised

Posted Dec 3, 2003 15:04 UTC (Wed) by ordonnateur (subscriber, #6652) [Link]

I doubt a conspiracy; two distributions compromised is not that statistically improbable. Both no doubt had large numbers of developer accounts; highly probable that some will be careless about the security of their own passwords etc. On the other hand there has been a worry about Gentoo's security for some time; not, that is, Gentoo itself, but the method of validating the updating of the portage/ebuild system. As a user of gentoo for servers I would welcome a focus on this basic issue rather than what seems at times to be an unmanageable sprawl of sub-projects and undocumented enhancements.

Gentoo rsync server compromised

Posted Dec 3, 2003 15:51 UTC (Wed) by piman (subscriber, #8957) [Link]

Ignoring issues of Gentoo's developer acceptance process, I do think there is cause to worry. This isn't just Debian and Gentoo -- in a short period of time, it has been GNU, Linux, Debian, Gentoo, and now GNU again. I would strongly encourage Fedora, Mandrake, OSI, etc, to watch their servers very closely.

Time to implement best practices...

Posted Dec 3, 2003 16:26 UTC (Wed) by dank (guest, #1865) [Link]

It is impressive that the Gentoo breakin was discovered within an hour. Perhaps the free software community in general needs to come up with a consensus list of best practices (such as intrusion detection systems) that should be employed on public and development servers, start tracking which servers do implement these best practices, and encourage those who have not yet implemented best practices to do so.

Gentoo rsync server compromised

Posted Dec 4, 2003 6:10 UTC (Thu) by tymiles (guest, #16469) [Link]

My question is: Does this mean Linux is not as secure as people claim OR are people not securing their Linux installs right?

Copyright © 2003, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds