
Devuan, April Fools, and self-destruction

Posted Apr 24, 2019 23:02 UTC (Wed) by mgk (guest, #74833)
In reply to: Devuan, April Fools, and self-destruction by flussence
Parent article: Devuan, April Fools, and self-destruction

This really hurt to read. Asking someone to stand down over a prank? To appease their private customers of all things?! No words.



Devuan, April Fools, and self-destruction

Posted Apr 24, 2019 23:23 UTC (Wed) by Cyberax (✭ supporter ✭, #52523) [Link] (3 responses)

Yeah, I agree. Simply standing down is not enough, this borders on a CAFE violation that can lead to prison time.

Devuan, April Fools, and self-destruction

Posted Apr 25, 2019 0:31 UTC (Thu) by mpr22 (subscriber, #60784) [Link] (1 responses)

"CAFE"? Internet search is letting me down here; "CAFE violation" without quotes gets me news stories about coffee shops being punished after visits by the hygiene inspector, and "CAFE violation" with quotes gets me news stories about automobile manufacturers being punished (or not!) for their vehicles having fuel economy worse than the government regulations permit.

Neither of these seem particularly relevant to the incident we're discussing.

Devuan, April Fools, and self-destruction

Posted Apr 25, 2019 1:06 UTC (Thu) by rgmoore (✭ supporter ✭, #75) [Link]

I think this was probably a mistake, and Cyberax actually meant a CFAA (Computer Fraud and Abuse Act) violation, which would make more sense.

Devuan, April Fools, and self-destruction

Posted Apr 25, 2019 15:32 UTC (Thu) by rweikusat2 (subscriber, #117920) [Link]

Decaffeination is always dangerous :-)

Devuan, April Fools, and self-destruction

Posted Apr 25, 2019 0:33 UTC (Thu) by mpr22 (subscriber, #60784) [Link] (33 responses)

> Asking someone to stand down over a prank?

The term "prank" covers a range of activities; some things that one person perceives as a prank, another may instead perceive as vandalism, assault, extortion, fraud, or an assortment of other such unpleasant terms.

One is entitled to regard any particular prank as unworthy of censure, but indignation at the very concept of a person being censured for pulling a prank seems... misguided.

Devuan, April Fools, and self-destruction

Posted Apr 25, 2019 3:38 UTC (Thu) by nivedita76 (subscriber, #121790) [Link] (32 responses)

Well, demanding that a community project kick out one of its core team and sue him to boot.. is a little excessive. That Bird guy is cuckoo.

Devuan, April Fools, and self-destruction

Posted Apr 25, 2019 4:22 UTC (Thu) by mgb (guest, #3226) [Link] (30 responses)

> That Bird guy is cuckoo.

I am "that Bird guy".

I suggested that Devuan business users should consult their own attorneys as to their own liability if they continued to use Devuan after Devuan refused to audit or rebuild their compromised servers.

We expected it would take a long time to move all our systems from Devuan to Debian but it turns out that Debian now has all the sysvinit support we need in stretch-backports and buster. As Devuan consists of little more than a few changes to a few Debian packages we were able to switch in a few hours with about as much effort as it takes to roll out an average day's security updates.

Nevertheless we remain grateful to the people who undertook the substantial initial effort to create Devuan and to maintain it over that period of years when Debian's sysvinit support was broken.

As of course we are also grateful to all free software developers and packagers.

Devuan, April Fools, and self-destruction

Posted Apr 25, 2019 5:46 UTC (Thu) by lkundrak (subscriber, #43452) [Link]

Lol, duuude.

Thanks for the laughing time for those of us, who didn't wish the Devuan project any luck from the beginning.

Devuan, April Fools, and self-destruction

Posted Apr 25, 2019 8:43 UTC (Thu) by nilsmeyer (guest, #122604) [Link]

> I suggested that Devuan business users should consult their own attorneys as to their own liability if they continued to use Devuan after Devuan refused to audit or rebuild their compromised servers.

I'm sure they're at least entitled to their money back.

Devuan, April Fools, and self-destruction

Posted Apr 25, 2019 8:53 UTC (Thu) by dgm (subscriber, #49227) [Link] (4 responses)

Disclaimer: I'm not a Devuan user or developer, and I don't follow their mailing lists, so my opinion is merely based on second-hand information, basically what's available on this site.

That said, I think this was blown way out of proportion. A joke is a joke, it's what April's Fools is about. Pretending that a joke can cover some kind of security problem just shows distrust for the developers. When this is the case, nothing Devuan could do will make up for this inherent lack of trust. All the talk about "compromised" servers just shows that lack of trust, unless you have any other indication that there was an attack.

To sum up, if you don't trust the developers, don't use their software. And if you cannot tolerate a bad joke, don't go near human beings.

Devuan, April Fools, and self-destruction

Posted Apr 25, 2019 9:58 UTC (Thu) by ovitters (guest, #27950) [Link] (1 responses)

Regarding lack of trust: It's weird. I assumed/thought the joke went on for way too long (weeks). In reality the linked "April Fools" email was sent April 1st. This seems like a bog-standard April Fools joke. The LWN article could maybe make the timeline a little bit clearer. This as I did see various "Devuan is hacked" articles, but on Apr 1 I got the impression that they said it was NOT linked to April Fools. This from reading the news articles at that time.

The only thing I disliked was the attitude this joke brought. Meaning: "evil people from XXX are out to get Devuan". Too much attention seeking action IMO. On other hand, most April Fools jokes are utterly boring and me too type actions.

Security related, the Riot.im incident is way crazier. Compromised, restoration, then another compromise. Then the old Android app is purposely broken, preventing any migration from the old app to the new app. Not cool!

Devuan, April Fools, and self-destruction

Posted Apr 25, 2019 14:54 UTC (Thu) by nix (subscriber, #2304) [Link]

> The only thing I disliked was the attitude this joke brought. Meaning: "evil people from XXX are out to get Devuan".

I don't see why this was a surprise. It's exactly their response to everything else that impinges on Devuan, ever.

Devuan, April Fools, and self-destruction

Posted Apr 25, 2019 10:33 UTC (Thu) by zdzichu (subscriber, #17118) [Link]

I recommend following "dng" Devuan developer's list just for hilarity factor. The amount of paranoia and misinformation digs deep into Poe's law. It is very funny (as long as you do not think those are real people and their real thoughts – then it is scary).

Devuan, April Fools, and self-destruction

Posted Apr 25, 2019 11:33 UTC (Thu) by excors (subscriber, #95769) [Link]

> A joke is a joke, it's what April's Fools is about.

Not all jokes are equivalent, and April Fools' Day is specifically about jokes that would be considered both unfunny and unacceptably disruptive at any other time of year. That's why they get relegated to a single day - if they were actually good jokes then they could be performed at any time. If a joke isn't intended to be good, maybe it shouldn't be performed at all.

Devuan, April Fools, and self-destruction

Posted Apr 25, 2019 11:16 UTC (Thu) by pizza (subscriber, #46) [Link] (1 responses)

> As Devuan consists of little more than a few changes to a few Debian packages we were able to switch in a few hours with about as much effort as it takes to roll out an average day's security updates.

Which raises the question -- For an end-user, what exactly is Devuan's value proposition over Debian?

...And as a follow-up, how much of that value (and trust in Devuan's collective professionalism) remains after this juvenile stunt?

Devuan, April Fools, and self-destruction

Posted Apr 25, 2019 23:49 UTC (Thu) by sml (guest, #75391) [Link]

> Which raises the question -- For an end-user, what exactly is Devuan's value proposition over Debian?

The major value is that the noisy anti-systemd crowd has removed themselves from Debian mailing lists in favour of their own little echo chamber. This removes a major distraction from Debian and results in more time to concentrate on fixing bugs.

Devuan, April Fools, and self-destruction

Posted Apr 25, 2019 15:28 UTC (Thu) by rweikusat2 (subscriber, #117920) [Link] (17 responses)

Don't you think you're overreacting a little because you fell for a pretty obvious April Fools joke?

I mean, "we're the hackers using green monochrome text monitors and have taken over the web to replace it with gopher, as it was always meant to be"? On April 1st?

- love to have tried to access any of this via gopher -

Devuan, April Fools, and self-destruction

Posted Apr 25, 2019 16:14 UTC (Thu) by mgb (guest, #3226) [Link] (15 responses)

> Don't you think you're overreacting a little because you fell for a pretty obvious April Fools joke?

Several of Devuan's own caretakers (core developers) did not know of the stunt, believed that Devuan's servers had indeed been hacked, were unable to access the hacked servers, and disconnected as much infrastructure as they could from the hacked servers.

For businesses using Devuan to believe likewise does not seem unreasonable or overreaction.

The breaking point for us was when Devuan refused to audit or rebuild the compromised servers. Even if we trusted the prankster we cannot be sure that some black hat did not pwn them using some vulnerability in the temporary stunt software.

Devuan, April Fools, and self-destruction

Posted Apr 25, 2019 17:19 UTC (Thu) by rweikusat2 (subscriber, #117920) [Link] (1 responses)

Sorry, but I do think taking the "green hat hacker's gopher revolution on April 1st" (complete with monochrome-green ASCII art) seriously is completely unreasonable. The term "green hat" alone doesn't make any sense whatsoever except as allusion to a once common type of CRT monitor.

Devuan, April Fools, and self-destruction

Posted Apr 26, 2019 8:55 UTC (Fri) by nilsmeyer (guest, #122604) [Link]

Or on St. Patrick's Day.

Devuan, April Fools, and self-destruction

Posted Apr 25, 2019 17:50 UTC (Thu) by augustz (guest, #37348) [Link] (4 responses)

Wasn't the "temporary stunt software" static html in pre tags? It looked like the page was fully static. That might have actually resulted in a reduced attack surface?

Did you offer to pay for the audit of the system you felt was necessary or do it yourself, or was this a demand being made on a group of volunteers?

If you have this high level security need / worry in your business - I might suggest using a more commercially oriented / backed distribution.

It seems a bit unfair to threaten a group of volunteers with jail time after choosing to use something they provided for free.

Devuan, April Fools, and self-destruction

Posted Apr 25, 2019 19:00 UTC (Thu) by mgb (guest, #3226) [Link] (3 responses)

> Did you offer to pay for the audit of the system you felt was necessary or do it yourself, or was this a demand being made on a group of volunteers?

One does not demand of F/LOSS volunteers.

If one no longer has an adequate level of trust one stops using that software.

Devuan, April Fools, and self-destruction

Posted Apr 26, 2019 11:40 UTC (Fri) by nix (subscriber, #2304) [Link] (2 responses)

Sorry, wasn't it you who said:

> I know nothing of Italian law but whether or not the incident
> should be referred for criminal prosecution is a question you
> should already be discussing with your lawyers or the police.

This seems inconsistent with your position here, that just stopping using it is enough.

Devuan, April Fools, and self-destruction

Posted Apr 26, 2019 12:30 UTC (Fri) by mgb (guest, #3226) [Link] (1 responses)

> This seems inconsistent with your position here, that just stopping using it is enough.

Devuan servers were compromised. Devuan devs were locked out. Devuan devs believed their servers had been hacked. Devuan devs took steps to disconnect other servers from the compromised servers.

What happened next was entirely Devuan's choice. They could have sought advice from their lawyers or the police. They could have audited or rebuilt their servers to ensure their integrity. Their choice was to do nothing.

The choice for Devuan users is different. If they no longer trust Devuan they can stop using it. That is the choice we made.

Everyone makes their own choices. Choices have consequences.

Devuan, April Fools, and self-destruction

Posted May 22, 2019 8:08 UTC (Wed) by rickmoen (subscriber, #6943) [Link]

> Devuan servers were compromised.

No.

You have long been aware of this claim being flat-out incorrect, but keep repeating it. We were both there. (I'm not a Devuan Project insider, but am a longtime sympathetic participant with no horse in this race otherwise, as you probably recall.) As you are fully aware, exactly zero Devuan servers were compromised. One of the caretakers pretended, as the substance of a meticulously implemented, hilarious, and deeply unwise prank, that they had been, and then revealed the prank within the customary one-day period, and then apologised for the unwise choice of prank framing (inside a supposed security breach).

The biggest damage was then done by, to be blunt, you and a few other people who flew off the handle and did the Internet-maximal-noise dance at great length and to stupefying effect. If you were hoping to be thanked for that, I fear you will be a long time waiting.

Rick Moen
rick@linuxmafia.com

Devuan, April Fools, and self-destruction

Posted Apr 25, 2019 18:17 UTC (Thu) by nivedita76 (subscriber, #121790) [Link] (7 responses)

The reason you're cuckoo is because you keep referring to "compromised servers" after being repeatedly told that these are a figment of your imagination.

Devuan, April Fools, and self-destruction

Posted Apr 25, 2019 20:40 UTC (Thu) by edomaur (subscriber, #14520) [Link] (6 responses)

I understand his point: How can you prove that they are, indeed, figments of imagination?

The whole point here is that after any event like that, you need to do a security assessment, otherwise how can you be _REALLY_ sure that nothing is amiss? Today, Linux distros are somewhat central in the Internet world. If one of those is not able to prove that it has really not been compromised, then it is only a toy and not a tool.

Devuan, April Fools, and self-destruction

Posted Apr 26, 2019 17:21 UTC (Fri) by rweikusat2 (subscriber, #117920) [Link] (3 responses)

There was no 'event like that'.

A member of the core team of some distribution temporarily replaced a web page/set of web pages on some set of servers belonging to the distribution. This happened on April 1st, was meant to be an April Fools joke and was pretty clearly recognizable as such due to the nature of the replacement page (efficient text-only gopher vs the bloated WWW being a holy war of the 1990s --- do we perhaps need a warning sign "You may encounter people over 35 here. If they do something you absolutely don't understand, please consider asking about it before panicking and jumping to wild conclusions"?). Revealing this as the joke it was supposed to be ought to be entirely sufficient to 'prove' nothing was compromised here.

Devuan, April Fools, and self-destruction

Posted Apr 26, 2019 19:00 UTC (Fri) by pizza (subscriber, #46) [Link] (2 responses)

It wasn't just a replaced web page. If it was, nobody would have really cared after April 2nd. Instead, a whole bunch of infrastructure was taken offline, and weeks later, at least some of it is _still_ down.

There seem to be two logical explanations:

* They were genuinely (and cleverly) hacked, and are lying to cover it up while trying to restore services
* This was a prank that was made without any heads-up to other core team members, and was taken _way_ too far, to the point where weeks later services still aren't fully restored.

Either way, the way it's been handled does not exactly instil confidence in Devuan's competence or professionalism, and I would expect "Veteran Unix Administrators" to be quite aware that those qualities are high on the list of "reasons to use Distribution X for anything remotely important"

Devuan, April Fools, and self-destruction

Posted Apr 26, 2019 20:07 UTC (Fri) by rweikusat2 (subscriber, #117920) [Link] (1 responses)

This autorepeat-FUD based on nothing but thin air is getting a bit tiresome.

Devuan, April Fools, and self-destruction

Posted Apr 26, 2019 22:24 UTC (Fri) by pizza (subscriber, #46) [Link]

...You do realize that the parent article contains many, many links to actual messages posted on the devuan-devel mailing list, and that the drama is still ongoing?

Devuan, April Fools, and self-destruction

Posted Apr 26, 2019 17:36 UTC (Fri) by nivedita76 (subscriber, #121790) [Link]

The point is that in this case it was irrelevant. The prank was perpetrated by someone who ALREADY had full access to the servers. There was nothing to compromise.

Devuan, April Fools, and self-destruction

Posted Apr 26, 2019 17:40 UTC (Fri) by nivedita76 (subscriber, #121790) [Link]

This is also an interesting attitude to take, because in the real world there are exactly zero operating systems that can prove they have not been compromised. No linux distro gives you any sort of proof that its servers haven't been compromised. If that's the level of trust you need, then you need to use something homegrown, built from source code and with an audit team going over that source code to make sure there are no compromises. I'll bet even the NSA isn't that paranoid.

Devuan, April Fools, and self-destruction

Posted Apr 29, 2019 10:06 UTC (Mon) by jezuch (subscriber, #52988) [Link]

There was a time when "hacking" was almost synonymous with "vandalism". This was before criminals realized that there is serious money to be made from it. But in those times "we're the hackers using green monochrome text monitors and have taken over the web to replace it with gopher, as it was always meant to be" would totally be a thing that crackers would put on your vandalized web page. So... Not so obvious. On any date.

Devuan, April Fools, and self-destruction

Posted Apr 25, 2019 16:58 UTC (Thu) by jhhaller (guest, #56103) [Link] (1 responses)

Well, if you are going off of user liability issues, your best bet is to switch to Microsoft products, as you are likely to be able to get an indemnification agreement. Commercial Linux distributions tend to limit their liability to software they wrote, and not all the FOSS that they merely packaged. With Debian, is there even anyone to sue? Is your liability any less if a distributor has a security breach they don't discover which causes you a loss as opposed to someone saying they had a breach followed by a nevermind? And, once you have that liability, do you have anyone with assets to subsequently sue?

Rather than asking a lawyer, asking your insurance broker is probably a better solution, as they are in the business of assessing risk and pricing it. If you can't get insurance, they will tell you why, and what you can do to be insurable. Alternatively, if you can't afford insurance, but have no substantial assets, it probably doesn't matter, as no one will sue an entity where there's no pot of gold at the end of the rainbow. The lawyers are more likely to say your liability is limitless, and so will your legal expense costs. A lawyer will never say there is no risk, as that opens them up to liability, and they don't want the cost of their Errors and Omissions insurance policy to go up.

Devuan, April Fools, and self-destruction

Posted Apr 26, 2019 11:42 UTC (Fri) by nix (subscriber, #2304) [Link]

> your best bet is to switch to Microsoft products, as you are likely to be able to get an indemnification agreement

Really? With Microsoft, as with any other large software company, you're as likely to be able to get them to indemnify you against flaws as you are to get them to ship you a live unicorn. Small software companies that you have over the barrel (as by far their largest customer) might be convinced to do it, as the last alternative before an outright takeover, but anyone else? Not a chance.

Devuan, April Fools, and self-destruction

Posted Apr 25, 2019 19:18 UTC (Thu) by jschrod (subscriber, #1646) [Link]

> I suggested that Devuan business users should consult their own attorneys as to their own liability if they continued to use Devuan after Devuan refused to audit or rebuild their compromised servers.

Please note: April 1 is over.

Please don't publish your bad jokes here on lwn.net. They're not funny.

Devuan, April Fools, and self-destruction

Posted Apr 26, 2019 8:56 UTC (Fri) by nilsmeyer (guest, #122604) [Link]

> Well, demanding that a community project kick out one of its core team and sue him to boot.. is a little excessive. That Bird guy is cuckoo.

People who threaten lawsuits usually can't afford an attorney.

Devuan, April Fools, and self-destruction

Posted Apr 25, 2019 14:35 UTC (Thu) by bferrell (subscriber, #624) [Link]

Pranks, OK.

Pranks that go on for a full 24 hours by persons in a position of trust who ACT as if it were a full on breach... That's a problem on a number of levels that I would hope don't need actual enumeration.

Calls for liability checks... Well, those should have been done by commercial users, just in general. The "prank" shouldn't be needed as a trigger for that business activity and using the incident as a "weapon", is probably not ok, in some other ways too.

All of it implies there may be larger issues in play that, by the way it's played out, have highlighted a threat to the project.

Devuan, April Fools, and self-destruction

Posted Apr 25, 2019 15:05 UTC (Thu) by raven667 (subscriber, #5198) [Link] (3 responses)

> over a prank

Something can only be considered a prank if the target thinks it's funny, if they don't laugh then it's not a prank, it's just being an a**hole. The feelings of the person doing the "prank" and whether they consider it OK don't matter as much as the feelings of the person on the receiving end.

So go ahead, do fun pranks! But, know your audience first and plan accordingly, take responsibility when you get it wrong.

Devuan, April Fools, and self-destruction

Posted Apr 25, 2019 19:56 UTC (Thu) by rgmoore (✭ supporter ✭, #75) [Link] (1 responses)

> Something can only be considered a prank if the target thinks it's funny

I disagree strongly. An important use of pranks is a way for the meek and powerless to puncture the overinflated egos of the powerful and obnoxious. That type of prank is rarely appreciated by its victim, and it can be quite nasty. That doesn't mean it isn't a prank; it's just a mean spirited one.

Devuan, April Fools, and self-destruction

Posted Apr 25, 2019 21:16 UTC (Thu) by roc (subscriber, #30627) [Link]

It's easy for anyone to see themselves as meek and whoever they don't like as obnoxious. So this is a license to be nasty to whoever you want.

Devuan, April Fools, and self-destruction

Posted Apr 26, 2019 8:13 UTC (Fri) by mvdwege (guest, #113583) [Link]

Especially on the nose considering Nicosia's 'apology' came down to "I'm sorry you're too stupid to get the joke".


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds