Savannah.gnu.org compromised too
"The compromise seems to be of the same nature as the recent attacks on Debian project servers; the attacker seemed to operate identically." Savannah will be down until (at least) December 5. (Thanks to "sdoyon", who posted the news in an LWN comment.)
Posted Dec 3, 2003 22:46 UTC (Wed)
by stumbles (guest, #8796)
[Link]
Posted Dec 3, 2003 23:36 UTC (Wed)
by freethinker (guest, #4397)
[Link]
Posted Dec 4, 2003 0:51 UTC (Thu)
by QuisUtDeus (guest, #14854)
[Link] (5 responses)
Is this perhaps some sleepers that have gotten local access to servers and now are taking advantage of it? Or perhaps, some developers have been "bribed" to allow improper use of their access? The Gentoo server was not theirs, and so it remains to see if it looks like it might have been an "inside job." Or is someone finding a way to get remote access to user accounts in a new way or by brute force? The findings from Debian and Gentoo should help answer this. Anyway, attacks are always possible, whether sponsored by a large enemy like M$ or not. The right answer is still to fix the weaknesses that allowed them, and then perhaps to evaluate any trust relationships that might have been abused. This is still a small fraction of the more devastating results of world-wide Windows-based viruses and exploits.
Posted Dec 4, 2003 1:09 UTC (Thu)
by sward (guest, #6416)
[Link]
Posted Dec 4, 2003 3:06 UTC (Thu)
by Ross (guest, #4065)
[Link] (1 responses)
I also remember that the FSF's ftp site was compromised by an "inside"
Posted Dec 4, 2003 4:01 UTC (Thu)
by piman (guest, #8957)
[Link]
Posted Dec 4, 2003 4:00 UTC (Thu)
by piman (guest, #8957)
[Link]
The Linux kernel CVS is publicly readable, writable by no one. It's mirrored from the BK repository. The only people with "CVS access" who can't be tracked via BK commits are BitMover employees. So, you're wrong. :)
Posted Dec 4, 2003 8:29 UTC (Thu)
by NAR (subscriber, #1313)
[Link]
I'm afraid most of the developers' computers might not be as secure as they should be, so if a cracker gets in, he can easily get into the project server if the developer has shell access there :-(
Posted Dec 4, 2003 7:03 UTC (Thu)
by ctg (guest, #3459)
[Link]
Oh dear.
Posted Dec 4, 2003 12:51 UTC (Thu)
by tymiles (guest, #16469)
[Link] (10 responses)
Posted Dec 4, 2003 13:32 UTC (Thu)
by hummassa (subscriber, #307)
[Link]
Posted Dec 4, 2003 13:44 UTC (Thu)
by RobSeace (subscriber, #4435)
[Link] (5 responses)
But, I personally have always considered that on ANY host running ANY OS, In my opinion, the REAL problem is NOT a new local root exploit... Big
Posted Dec 4, 2003 16:40 UTC (Thu)
by ccchips (subscriber, #3222)
[Link] (3 responses)
I keep reading people saying things about locks, defects in locks, lock picks, and beating up people for not locking their doors properly. Now, correct me if I'm wrong, but if I should (accidentally or on purpose) leave my back door open on my house, does that action tell you that you have the right to go in there and steal my washing machine? Or, let's say I buy a lock from the Super-Defender Lock Company, and it turns out that somebody knows about a flaw in the metal, and that such a flaw allows them to break the lock, and get into my house. Does that mean people have the right to go on my property, break the lock, and hide in my house until I leave, then steal all my disks? We can fortify our computers until Hell freezes over, and as long as the people who break into them continue to be allowed to have no respect for our rights, they will continue to be broken into. Once, a long time ago, my father left the back door of our house unlocked when we went on vacation. When we returned, we found the door locked on the bottom (one of those automatic locks once you leave,) and a note inside the house from a neighbor, saying that we had left it unlocked and that he'd locked it for us. Now, I'm not trying to fault anyone for fixing problems in the computer; it seems fairly easy to conclude that a lot of security breaches are possible because of software flaws. However, I do believe that people need to wake up to the fact that there are fundamental social issues at stake here that technology will never fix. You've got to know that people are going to try really hard now to compromise Linux installations, especially since Gates and Co. made their big announcement about its insecurity. Don't be surprised if they are disillusioned former GPL supporters or current Microsoft fanatics who also happen to be expert crackers. You've got to have been expecting this, and for a long time.
Also, Linux is now being advocated heavily by large, money-making concerns, as a possible desktop alternative. Joe User is not going to know (or care) about security the way some of you do. He may leave his window open, his door unlocked, or he may install a cheap-o-flex alarm system. Does that give anyone the right to violate or hijack his computer system? No. It's not my fault if I'm the victim of a crime, it's the fault of the criminal. This was true when Microsoft was the butt of jokes about security, and it's still true now that Linux may be.
Posted Dec 4, 2003 16:53 UTC (Thu)
by RobSeace (subscriber, #4435)
[Link] (2 responses)
However, that doesn't mean you should say, "Well, since they're at fault, I
Posted Dec 4, 2003 17:10 UTC (Thu)
by ccchips (subscriber, #3222)
[Link] (1 responses)
Start with a wide-open door. Then a lock. Then a better lock. Then a dog. Then an alarm system. Then what---a full-time armed guard? I'm just saying we should never lose sight of the causes for this situation happening in the first place. If those are not addressed, all computer users will be in a vicious cycle forever. I'm waiting for the day when those codes on the dashboard radios no longer have any effect on thieves. Maybe then someone will ask themselves where this ends.
Posted Dec 4, 2003 19:57 UTC (Thu)
by RobSeace (subscriber, #4435)
[Link]
So, I think we're better off addressing an issue which we actually have a
Posted Dec 4, 2003 19:31 UTC (Thu)
by proski (subscriber, #104)
[Link]
Or just give a separate virtual machine to every user.
Posted Dec 4, 2003 18:17 UTC (Thu)
by vblum (guest, #1151)
[Link] (1 responses)
Savannah didn't do so great though, based on the timeline; that attack went undetected far too long. Hm.
Posted Dec 4, 2003 22:09 UTC (Thu)
by ccchips (subscriber, #3222)
[Link]
Unfortunately, it was more absolutely necessary....
Posted Dec 4, 2003 23:13 UTC (Thu)
by emk (subscriber, #1128)
[Link]
Windows doesn't even seriously attempt to protect against local attacks, though, so Linux is still doing fairly well here. As for the remote attacks, we've seen two different scenarios:
1) Gentoo: The rsync daemon wasn't secure, allowing an attacker to run code on the Gentoo server. This can happen to any network service.
2) Debian & Savannah: The attacker had access to an account on the machine.
So Linux is still looking pretty good, at least compared to Windows (if not OpenBSD). But if you want more security, install the grsec kernel patch, which makes life truly difficult for the bad guys.
Posted Dec 4, 2003 13:39 UTC (Thu)
by davidl (guest, #12156)
[Link] (1 responses)
Posted Dec 5, 2003 4:38 UTC (Fri)
by fLameDogg (guest, #11305)
[Link]
But this is someone(s), obviously, who has been studying the kernel, rsync, and probably more at great length. Hmm. Wasn't there a story about Microsoft's Linux lab, around about the time the SCO stink first broke (shortly after which, MS bought licenses from SCO)? Hm. Hm. Hmmm... To the person passing out tinfoil hats: can I have one, too?
Well, looks like it's time the script kiddies got tired of Microsoft's "ease of use" and
have decided to cut their teeth on something more challenging.
Time for "us" to take our lumps.
Wonder how many more are out there, already rooted but not noticed yet? I hope people are checking their machines.
Debian's attack was a local one. The linux kernel attempt (correct me if I am wrong) was attempted by someone with some sort of CVS access. Now another local one.
Domine, miserere nobis.
The actual damage from these attacks hasn't been much, true. But the potential damage, if these had gone undetected for long enough, was considerable - because of the "leverage" to be gained by attacking a distribution repository such as this. I imagine that at least part of the cracker(s) motivation was that leverage effect.
I just hope the GNU folks are on their toes; backdooring GCC would provide even more leverage...
It may not have been the developer's fault. I'm pretty sure that in the
Debian incident the developer's account was being used by someone else
who had sniffed his or her password. Maybe the intruder(s) compromised a
bunch of desktops and has been collecting passwords?
job a few months back... or maybe it was the Savannah server after all.
My memory isn't that wonderful.
This is the case with Debian; a developer's home system (or one of his/her home systems) had been compromised, and so the attacker got the password (or phrase) when she/he logged into a Debian server.
It may not be "bad" developers
> The linux kernel attempt (correct me if I am wrong) was attempted by someone with some sort of CVS access.
Or perhaps, some developers have been "bribed" to allow improper use of their access?
So, sourceforge and anything else with shell access..
... And anything where shell access is easy to get... may have been compromised.
My question is: Does this mean Linux is not as secure as people claim OR are people not securing their Linux installs right?
this means there is some kind of coordinated effort to debunk the reputation for/perception of security that the FS/OSS systems have. Now, I have to buy some more tin foil. Do you want a hat too?
Perhaps a little of both? Nothing is ever going to be completely secure,
so all of the people who claimed that Linux (or OpenBSD, or anything else)
is are simply fools... But, I think MOST people were only trying to claim
that Linux was far more secure than Windoze... And, there, I think there
can be no doubt as to the truth of that claim...
any unprivileged local user can gain root, if they really want to, and try
hard enough... I'm not saying local security isn't important, I'm just
saying I always operate under the assumption that if one can run arbitrary
code on the machine, no matter with WHAT privileges, then they can also
run code as root, if they truly want to... So, that means only allow people
you truly TRUST (including trusting them to keep their home machines secure)
to login to your machine, and then only via secure channels... And, it means
keeping all network services (no matter if they run as root or not) secure...
deal; there are probably several dozen other ways to gain root from a local
user account on most systems... The REAL problem is in anyone untrusted
being able to run arbitrary code (regardless of privilege level) on a
remote machine... So, instead of focusing all of the effort and attention
on this brk() hole, I'd MUCH rather see it be focused on how the people got
unprivileged access, in the first place... Apparently, in the Debian case
at least, there was a "sniffed password"... Sniffed where, and how?? From
the user's home system? If so, that user should be beaten, and not let
back in until someone can guarantee the security of their home system from
remote compromises... If sniffed from a compromised server they logged in
to, then it becomes a matter of tracking down how THAT server was
compromised... But, in the end, it'll likely come down to some user whose
home system was set up insecurely, and remotely compromised... And, THAT is
the real, basic problem... A chain is only as strong as its weakest link...
Of course, we should continue to fix local holes like this, but I think
putting as much focus on them as has been done is WAY out of proportion,
and completely missing where the real focus should go: finding the weak
link, and fixing IT... Because, I can assure you, some OTHER local root
compromise will be found someday (if there aren't already several others
already known)... I just think it's inevitable... It's far harder to
protect against a legit local user than it is to protect against an unknown
remote intruder... And, really, if we cut off all possible remote
intrusions (whether they be root compromises or merely unprivileged ones),
then the local ones become nearly irrelevant... (Except for those few
people who want to run servers that give random untrusted people login
access on their systems, anyway... And, I think those people are just
rather insane, anyway... But, you know, once we've completely nailed down
all remote compromises, THEN we can start focusing on the local ones much
more intently, and help such crazy people... ;-))
Maybe it's also time for a change of focus, as I've said before.
Sure, of course the one breaking in is at prime fault... I don't think I
saw anyone arguing otherwise anywhere...
don't have to worry about protecting myself, then!"... That's just stupid...
Just because something is illegal, wrong, and/or anything else, does NOT
prevent some people from still doing it... Smart people will realize that
there are people out there that WILL do it, and so they'll take measures
to protect themselves... If they fail to do so, that doesn't mean the
person breaking in is any less criminal or wrong; but, it does mean they
have a lot easier time of it, and are more likely to get away with it...
Ranting and raving about how it's not YOUR fault someone broke in and stole
your stuff, just because you left your front door wide open is just rather
silly... Your stuff is still GONE, isn't it?? The person who stole it is
also long since gone, and will never be caught, will they?? So, why are you
yelling at the wind, and proclaiming your innocence? I don't think the
cops have any intention of throwing you in jail for not locking your door...
However, the only one you're hurting is yourself... So, it would be in your
own best interests to start locking those doors in the future...
Absolutely right. However:
And, how exactly do you propose to address these causes?? I personally
don't know of any magic method of transforming everyone on the planet into
an ethical and law-abiding person... I quite suspect that for as long as
the human species exists, there will be some of us who break the law, and/or
do bad things... (And, let's be clear: the law is not always in line with
what's right, either...) I just don't see that it's possible at all to
ever do anything to change that basic fact of our nature... Short of
maybe some intensive genetic-engineering to breed out our bad sides, but
that will lead to a race of soulless zombies, like in every dystopian
sci-fi movie ever made... ;-)
hope of doing something about: protecting ourselves from those people who
would choose to try to do us harm... Sure, it's a never-ending battle, and
there is a constant escalation on both sides... But, really, what else IS
there to do??
Actually, there are several projects that allow limiting permissions of the root account. In particular, direct access to the hardware can be disabled. Also it should be possible to remount most filesystems read-only and disable root permissions for mounting. If you need to perform administrative tasks, you have to reboot the system and do it on the local console.
Errm .... I'd say these were an example of how good security works: Debian and Gentoo did pretty well, didn't they? It'll be almost impossible to create complete security if an attacker is determined, but these intrusions were _detected_ almost instantly - great work!
As I understand it, Stallman didn't believe in security and passwords "'way back when," and he wants to keep security only as tight as absolutely necessary.
Not so bad for Linux, but get grsec anyway
No operating system is truly secure, although OpenBSD comes close.
I doubt whether the Windows scripters are clever enough to do this.
A lot of them, sure. Probably even the majority. Maybe even the *vast* majority. But y'know, there's an awful lot of such people, including, I'm sure, some *very* smart ones.