2003 hasn't been a banner year for computer security, and that includes
Linux. The CVS repository for the Linux kernel was tampered with,
several servers related to the Debian project were compromised, and the GNU
Savannah server was also broken into recently. Since little information has
been published about the nature of the Savannah compromise, we contacted
Bradley Kuhn, executive director of the Free Software Foundation, for more
information.
Kuhn described the Savannah compromise as "almost identical to what
happened to Debian." (The Debian project has published a detailed account of
its own compromise.) Kuhn said that he believes the Savannah compromise and
the Debian attacks were related and happened at about the same time. However,
he said that the project has not put a great deal of time and effort into
analyzing the attacks, because it was more important to put Savannah back
online and to harden the system so that a similar compromise doesn't happen
again. The hard drives from Savannah have been preserved for future
reference, but a thorough analysis of the attacks is not where the project is
putting its efforts.
For the most part, Savannah has been restored, and changes have been made to
try to ensure that a similar attack will not be possible. However, some
features remain unavailable, including web CVS access, and new projects are
not being approved for the time being. According to the Savannah website, new
projects will probably be accepted again sometime before the end of January,
2004.
Has there been an attempt to insert a trojan into any of the code residing
on Savannah? Kuhn says that they've asked the owners of projects on
Savannah to go through and verify the code that is there, to be sure that it
hasn't been trojaned. So far, there have been no reports of tainted code.
However, not all of the projects have reported their status. Kuhn also noted
that projects on the Savannah website will soon have an indicator showing
whether or not the developers have verified the integrity of their software.
We also asked if there was any sensitive information on Savannah that may
have been compromised. Kuhn said that the useful information on Savannah
mostly consists of the code for the various projects, and that the only
other information of interest would be developers' passwords. The passwords
on Savannah have been reset, of course, and the developers have been
encouraged to "investigate their own personal security."
For now, the GNU Project is not actively pursuing criminal prosecution of
the attacker or attackers. Kuhn says that the project is not "ethically
opposed" to prosecuting the intruder, but that with limited resources he'd
rather divert time and energy to restoring the services and trying to
harden systems to make future attacks more difficult and easier to contain.
In the long run, the compromise may actually turn out to be a good thing.
Kuhn said that they have contacted the CVS maintainers and have offered to
pay for development of features that would allow GPG signing of commits
through CVS, making it much more difficult for changes to be inserted
unnoticed into code held in a CVS repository. He said that they have also
contacted the GNU Arch maintainer about adding GPG signing. Though it may
take some time to develop, the addition of GPG signing to commits would be a
welcome feature.
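As an added illustration of why signed commits make it hard to slip changes into a repository unnoticed, and of the kind of integrity check project owners were asked to perform after the break-in, here is example code written for this page; it is not code from the FSF, from CVS or from GNU Arch. It models a commit as a manifest of file hashes with a signature over that manifest. Assumptions: ed25519 from Go's standard library stands in for GPG, the sample source tree and the "backdoor" line appended to it are constructed, and the project's keyring of trusted developer keys is a plain list.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// manifest renders a tree (path -> contents) as one "sha256hex  path" line
// per file, sorted by path, so the same tree always yields the same bytes.
// This is the message that gets signed; it is also what a maintainer would
// diff against a known-good checkout when verifying that nothing was trojaned.
func manifest(tree map[string]string) []byte {
	paths := make([]string, 0, len(tree))
	for p := range tree {
		paths = append(paths, p)
	}
	sort.Strings(paths)
	var b strings.Builder
	for _, p := range paths {
		sum := sha256.Sum256([]byte(tree[p]))
		fmt.Fprintf(&b, "%s  %s\n", hex.EncodeToString(sum[:]), p)
	}
	return []byte(b.String())
}

// SignedCommit is the manifest plus the committer's signature over it.
// ed25519 stands in for GPG (assumption: the signing semantics are what
// matter here, not the algorithm).
type SignedCommit struct {
	Manifest  []byte
	Signature []byte
}

// SignCommit signs the manifest of the tree as it was at commit time.
func SignCommit(priv ed25519.PrivateKey, tree map[string]string) SignedCommit {
	m := manifest(tree)
	return SignedCommit{Manifest: m, Signature: ed25519.Sign(priv, m)}
}

// VerifyCommit answers the two questions a reviewer has after a server
// compromise: was this commit signed by a known developer's key, and does
// the tree now sitting in the repository match what was signed?
func VerifyCommit(trusted []ed25519.PublicKey, c SignedCommit, tree map[string]string) (bool, string) {
	signedByDev := false
	for _, pub := range trusted {
		if ed25519.Verify(pub, c.Manifest, c.Signature) {
			signedByDev = true
			break
		}
	}
	if !signedByDev {
		return false, "signature was not made by a trusted developer key"
	}
	if string(manifest(tree)) != string(c.Manifest) {
		return false, "repository tree does not match the signed manifest"
	}
	return true, "ok"
}

// ScenarioResult records the outcome of the three checks in Scenario.
type ScenarioResult struct {
	CleanOK    bool // legitimate commit, untouched tree
	TamperedOK bool // file altered on the server after the signed commit
	ForgedOK   bool // attacker re-signs the altered tree with their own key
}

// Scenario runs the whole story over a constructed sample tree (not real
// project code), with a hypothetical line appended to configure as the tampering.
func Scenario() ScenarioResult {
	devPub, devPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	trusted := []ed25519.PublicKey{devPub} // the project's keyring

	tree := map[string]string{
		"configure":  "#!/bin/sh\necho configuring...\n",
		"src/main.c": "int main(void) { return 0; }\n",
	}
	commit := SignCommit(devPriv, tree)
	cleanOK, _ := VerifyCommit(trusted, commit, tree)

	// An intruder with root on the server edits a file in place.
	tampered := map[string]string{}
	for p, c := range tree {
		tampered[p] = c
	}
	tampered["configure"] += "# backdoor inserted by the intruder\n"
	tamperedOK, _ := VerifyCommit(trusted, commit, tampered)

	// Re-signing with a key that is not in the project's keyring fails too.
	forged := SignCommit(attackerPriv, tampered)
	forgedOK, _ := VerifyCommit(trusted, forged, tampered)

	return ScenarioResult{CleanOK: cleanOK, TamperedOK: tamperedOK, ForgedOK: forgedOK}
}

func main() {
	fmt.Printf("%+v\n", Scenario())
}
```

The point the example makes is the one Kuhn is paying for: once commits are signed, an intruder who owns the server can still edit files, but cannot produce a valid signature from a developer's key, so the edit either fails verification or shows up as unsigned. The manifest alone, without the signature, is what the project owners were effectively asked to rebuild by hand when checking their code against trusted copies.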
Kuhn said that he expects the future will bring more attacks on the
community as free and open source software becomes more prevalent.
Opponents of the open development model will no doubt use these events as
an illustration of the "dangers" of open source. Though the recent
intrusions have mostly been an inconvenience, it's important that the
community learn from these attacks and redouble its efforts to prevent them
in the future.