
Freedesktop.org shenanigans

Subscribers to the xorg-devel list will have seen Luc Verhaegen's November 23 note complaining about a prank commit added to the (moribund) radeonhd tree. As he rightly noted, this kind of trick (which required root access to carry out) can only serve to compromise the community's trust in the X.org project's repositories as a whole. After some hours, the perpetrator came forward; it was, as expected, an X.org developer. So there is no remaining concern that X.org's systems may have been compromised, but we may see a new discussion on how the organization's systems are managed in the future.

Freedesktop.org shenanigans

Posted Nov 24, 2010 14:54 UTC (Wed) by nix (subscriber, #2304) [Link]

Ajax has a black sense of humour: Luc is prone to overreaction. Sorry, no news here, we've all known this for years. :)

(It was not just a prank commit, it was a prank commit added to an obscure dead branch. -ENOCARE. Gosh, root@freedesktop.org could potentially compromise repositories hosted on freedesktop.org. That's shocking and nobody could possibly have guessed it before.)

This is *such* a tempest in a teapot. No, not a teapot, a thimble.

Freedesktop.org shenanigans

Posted Nov 24, 2010 15:53 UTC (Wed) by drag (guest, #31333) [Link]

It's confusing because when you see something like this the first assumption is always going to be a script kiddie defacing a server.

Nobody cares about developers being childish, but a hacked source code server is a problem.

Freedesktop.org shenanigans

Posted Nov 24, 2010 19:04 UTC (Wed) by Trelane (subscriber, #56877) [Link]

Pretty much my thoughts too. I thought it more likely that the system was broken into.

Freedesktop.org shenanigans

Posted Nov 24, 2010 20:09 UTC (Wed) by airlied (subscriber, #9104) [Link]

Why would someone who had the ability to break into freedesktop and deface a website, pick a branch of a project that is dead, that nobody cares about enough to even make compile anymore.

Seems like it would be like a graffiti tagger breaking into a train and tagging underneath the rim of a toilet seat.

Freedesktop.org shenanigans

Posted Nov 25, 2010 2:54 UTC (Thu) by drag (guest, #31333) [Link]

> Why would someone who had the ability to break into freedesktop and deface a website, pick a branch of a project that is dead, that nobody cares about enough to even make compile anymore.

Why would a grown person who was put into a trusted position go off, betray people's confidences, and act like a moron?

Both are equally unlikely and make as much sense.

Anyways you don't understand how this "7331 hacker" stuff works. You have the 'script kiddies' that go around and do things like this and act like jackasses. I doubt an average 15 year old with an inferiority complex who spent way too much time on IRC channels really would be able to tell the difference between a git archive that is important versus one that is not. It would probably take a couple hours just to figure out how to use git in the first place. Exploiting a zero day hole in a Linux server is not exactly rocket science. Compile somebody a binary, give them a shell script, and point them in the right direction and that server is 'pwnd'.

Then you have the people that write the scripts that go out and find zero days and holes that other people have discovered. The people that embed back doors in their and use the moron kiddies as cover for what they are really after. This approach has worked for decades.

Freedesktop.org shenanigans

Posted Nov 25, 2010 13:59 UTC (Thu) by nix (subscriber, #2304) [Link]

Anyone can act like a moron sometimes. Everyone does, sometimes.

But "betray people's confidences"? What confidential data did ajax reveal? Oh, look, none. Did he destroy data? No. Did he even render any data harder to access? No. Did he impersonate anyone? Only 'SPIGOT', who of course does not exist and who nobody would mistake as anyone who exists. Perhaps the nonexistent SPIGOT has the right to complain about the betrayal of confidences, but nobody else does.

This was surely an unwise thing to do as root on a public site, but anyone who's had root for a long time anywhere will have a fund of war stories about awful mistakes or the occasional rare mess-up caused by strange mental states or excessive drink. This is no different. (My personal worst done-as-root war story: thinking 'I wonder what this program does' while working remotely one weekend and finding out too late that it took down all the machine's network connections... and this was the NIS-and-NFS server for an entire institute, and I couldn't get through the doors at the weekend, and other people were working remotely too, or were trying to. Nobody called *that* a 'betrayal of confidences': it was just a bloody stupid thing to do which wasted the time of everyone trying to get any work done that weekend. This problem has a much smaller impact: in fact, the impact is pretty much nil.)

Freedesktop.org shenanigans

Posted Nov 26, 2010 21:48 UTC (Fri) by airlied (subscriber, #9104) [Link]

you must not drink.

So you've gotten the script to pwn freedesktop.org, why would you attack the git repos if as you say it takes 2 hours to learn git which is more than your average script kiddy is capable of, when there is plenty of http stuff like the site front page etc. These kiddies are like idiot taggers, they want people to know they did it. Even a slow idiot kid could figure out that cgit.freedesktop.org has a sort by modified date to pick the most popular git repo.

Re-read what you wrote, it contradicts itself at least twice.

Freedesktop.org shenanigans

Posted Nov 24, 2010 22:27 UTC (Wed) by nix (subscriber, #2304) [Link]

Well, yes, you'd assume that... but when ajax owned up Luc started demanding revocation of commit rights and all sorts of stuff. (ajax and daniel both removed their *own* root privs, which I think is possibly *too* responsible: they should check their haloes for signs of excessive polish.)

Freedesktop.org shenanigans

Posted Nov 24, 2010 23:47 UTC (Wed) by jamesh (guest, #1159) [Link]

Removing their root privileges was probably the right thing to do in this instance. If the fd.o developer community believes that it was a one-off instance that won't happen again and that they can still be trusted, then they'll get them back.

Freedesktop.org shenanigans

Posted Nov 24, 2010 21:15 UTC (Wed) by PaulWay (subscriber, #45600) [Link]

This may sound strange, but my first reaction is to reach out to Ajax and offer some kind of assistance with whatever he's dealing with. That's coming from knowing nothing of Ajax, Luc or any other history, so maybe other people might tell me to shut up here. But anyone that feels that bad that they need to make a public, ridiculous statement that's going to get them into trouble needs more sympathy, in my opinion, than condemnation.

As someone who suffers from occasional depression and who helped Arjen found http://bluehackers.org, I'm perhaps a bit biased in my viewpoint here :-)

Have fun,

Paul

Freedesktop.org shenanigans

Posted Nov 25, 2010 15:51 UTC (Thu) by xav (subscriber, #18536) [Link]

I think ajax already feels pretty bad about his simple joke being taken too seriously by everyone (in retrospect, the victim of the joke acted wonderfully for that). No need for people like you to insinuate he has some mental problem or whatever in the same line.

Freedesktop.org shenanigans

Posted Nov 25, 2010 17:16 UTC (Thu) by ozamosi (guest, #44227) [Link]

To me, it looked like PaulWay was referring to where ajax wrote "I'm kind of in a bad place emotionally and I should know better than to act that out in public."

Freedesktop.org shenanigans

Posted Nov 25, 2010 17:33 UTC (Thu) by xav (subscriber, #18536) [Link]

I'm OK with that, but frankly, is there a need to say that on a public forum?

Freedesktop.org shenanigans

Posted Nov 26, 2010 12:50 UTC (Fri) by liljencrantz (guest, #28458) [Link]

Here's the thing. Ajax did what he did specifically because he felt like pissing Luc off. And once Luc reported the issue, pretty much everyone gave Ajax a pat on the back and said «I'm sorry you're in a bad place, get better soon» while criticizing Luc for his method in bringing this to everybody's attention. So in the end, the entire community rallied together in helping Ajax to freeze out Luc.

The popular kid can get away with anything, and the unpopular kid gets beaten up for telling on the popular kid.

Leaves a really bad taste in my mouth, to be honest.

Freedesktop.org shenanigans

Posted Dec 2, 2010 14:33 UTC (Thu) by i3839 (guest, #31386) [Link]

Same here.

How they reacted and replied to Luc actually did more damage to trust than Adam's and Daniel's prank itself (after they admitted doing it).

Freedesktop.org shenanigans

Posted Nov 26, 2010 12:44 UTC (Fri) by liljencrantz (guest, #28458) [Link]

The event itself is a non-issue, but I've been kind of irked by the reactions of various people to the whole issue.
  • Ajax makes a joke commit with the expressed purpose of pissing Luc off.
  • Luc notes in various fora that something is wrong with a fd.o git repo and that this may be caused by a defacement.
  • Ajax confesses to the prank and says he's sorry.
  • A huge pile of people give Ajax a pat on the shoulder and criticize Luc for using such a public forum when reporting the issue.
It seems to me that Ajax is the «popular kid» who can get away with anything because people like him, and Luc is the «unpopular kid» who gets beaten up simply for pointing out that Ajax is behaving like an asshole towards him.

Freedesktop.org shenanigans

Posted Nov 29, 2010 16:42 UTC (Mon) by nix (subscriber, #2304) [Link]

Sorry, but Luc sent the note to *press contacts*. This is not something someone does when one wants to quietly note a defacement. It's something someone does when one wants to make a huge stink. Doing that sort of thing might go some way towards explaining unpopularity.

Freedesktop.org shenanigans

Posted Nov 29, 2010 17:21 UTC (Mon) by rektide (guest, #71530) [Link]

luc's reaction was in response to two triggers--

his response might've been more sedate had the prank-commit not included questionable content in the commit message. fd.o has to keep up its sharp corporate^H^H^H^H^H^H^H^H^H^H community image! jab aside, when if ever would such language have slipped past censorship in fd.o, or elsewhere in "mainstream open source?" what pivots have occurred to make dubious language a concern?

the other trigger was that the commit was from a facetious, non-existent account, which raises questions about fd.o security.

Freedesktop.org shenanigans

Posted Nov 24, 2010 20:35 UTC (Wed) by nicooo (guest, #69134) [Link]

There's also that prank someone pulled off by making config files use xml.

Freedesktop.org shenanigans

Posted Nov 25, 2010 5:34 UTC (Thu) by sitaram (guest, #5959) [Link]

I sometimes think XML itself was intended as a prank!

(sorry couldn't resist; I know I'm not helping the SNR!)

Freedesktop.org shenanigans

Posted Nov 27, 2010 7:13 UTC (Sat) by deepfire (guest, #26138) [Link]

You are familiar, perchance, with Erik Naggum's XML rant?

http://www.schnada.de/grapt/eriknaggum-xmlrant.html

Freedesktop.org shenanigans

Posted Nov 28, 2010 8:21 UTC (Sun) by sitaram (guest, #5959) [Link]

oh wow... I wasn't! Thanks -- this is very educational, if a little short on paragraph breaks :)

Freedesktop.org shenanigans

Posted Nov 25, 2010 14:22 UTC (Thu) by MattPerry (guest, #46341) [Link]

This is the problem with giving people root as opposed to allowing them only to use sudo. Once someone logs in as root it's difficult to find out who is accountable. fd.o is lucky that the person came forward on their own.

Freedesktop.org shenanigans

Posted Nov 25, 2010 20:46 UTC (Thu) by slashdot (guest, #22014) [Link]

The important thing is that this action had no negative impact whatsoever, since it just added a useless branch to a project.

The only problem is that it apparently wasn't done as a joke, but rather seems to be an expression of personal issues the two people involved, which obviously aren't best handled this way.

Freedesktop.org shenanigans

Posted Nov 25, 2010 22:56 UTC (Thu) by ovitters (subscriber, #27950) [Link]

Would just have been as easy to break out of sudo if you have enough access. You must be able to trust a sysadmin, else: don't give the access. Further, sysadmins define for themselves if they use sudo or root anyway.

Freedesktop.org shenanigans

Posted Nov 27, 2010 9:03 UTC (Sat) by rilder (guest, #59804) [Link]

Lesson learnt -- don't mix alcohol and git. Can happen to anyone.


Copyright © 2010, Eklektix, Inc.