Devuan, April Fools, and self-destruction

Posted Apr 25, 2019 15:28 UTC (Thu) by rweikusat2 (subscriber, #117920)
In reply to: Devuan, April Fools, and self-destruction by mgb
Parent article: Devuan, April Fools, and self-destruction

Don't you think you're overreacting a little because you fell for a pretty obvious April Fools joke?

I mean, "we're the hackers using green monochrome text monitors and have taken over the web to replace it with gopher, as it was always meant to be"? On April 1st?

- love to have tried to access any of this via gopher -

Devuan, April Fools, and self-destruction

Posted Apr 25, 2019 16:14 UTC (Thu) by mgb (guest, #3226) [Link] (15 responses)

> Don't you think you're overreacting a little because you fell for a pretty obvious April Fools joke?

Several of Devuan's own caretakers (core developers) did not know of the stunt, believed that Devuan's servers had indeed been hacked, were unable to access the hacked servers, and disconnected as much infrastructure as they could from the the hacked servers.

For businesses using Devuan to believe likewise does not seem unreasonable or overreaction.

The breaking point for us was when Devuan refused to audit or rebuild the compromised servers. Even if we trusted the prankster we cannot be sure that some black hat did not pwn them using some vulnerability in the temporary stunt software.

Devuan, April Fools, and self-destruction

Posted Apr 25, 2019 17:19 UTC (Thu) by rweikusat2 (subscriber, #117920) [Link] (1 responses)

Sorry, but I do think taking the "green hat hacker's gopher revolution on April 1st" (complete with monochrome-green ASCII art) seriously is completely unreasonable. The term "green hat" alone doesn't make any sense whatsoever except as allusion to a once common type of CRT monitor.

Devuan, April Fools, and self-destruction

Posted Apr 26, 2019 8:55 UTC (Fri) by nilsmeyer (guest, #122604) [Link]

Or on St. Patrick's Day.

Devuan, April Fools, and self-destruction

Posted Apr 25, 2019 17:50 UTC (Thu) by augustz (guest, #37348) [Link] (4 responses)

Wasn't the "temporary stunt software" static html in pre tags? It looked like the page was fully static. That might have actually resulted in a reduced attack surface?

Did you offer to pay for the audit of the system you felt was necessary or do it yourself, or was this a demand being made on a group of volunteers?

If you have this high level security need / worry in your business - I might suggest using a more commercially oriented / backed distribution.

It's seems a bit unfair to threaten a group of volunteers with jail time after choosing to use something they provided for free.

Devuan, April Fools, and self-destruction

Posted Apr 25, 2019 19:00 UTC (Thu) by mgb (guest, #3226) [Link] (3 responses)

> Did you offer to pay for the audit of the system you felt was necessary or do it yourself, or was this a demand being made on a group of volunteers?

One does not demand of F/LOSS volunteers.

If one no longer has an adequate level of trust one stops using that software.

Devuan, April Fools, and self-destruction

Posted Apr 26, 2019 11:40 UTC (Fri) by nix (subscriber, #2304) [Link] (2 responses)

Sorry, wasn't it you who said:

> I know nothing of Italian law but whether or not the incident
> should be referred for criminal prosecution is a question you
> should already be discussing with your lawyers or the police.

This seems inconsistent with your position here, that just stopping using it is enough.

Devuan, April Fools, and self-destruction

Posted Apr 26, 2019 12:30 UTC (Fri) by mgb (guest, #3226) [Link] (1 responses)

> This seems inconsistent with your position here, that just stopping using it is enough.

Devuan servers were compromised. Devuan devs were locked out. Devuan devs believed their servers had been hacked. Devuan devs took steps to disconnect other servers from the compromised servers.

What happened next was entirely Devuan's choice. They could have sought advice from their lawyers or the police. They could have audited or rebuilt their servers to ensure their integrity. Their choice was to do nothing.

The choice for Devuan users is different. If they no longer trust Devuan they can stop using it. That is the choice we made.

Everyone makes their own choices. Choices have consequences.

Devuan, April Fools, and self-destruction

Posted May 22, 2019 8:08 UTC (Wed) by rickmoen (subscriber, #6943) [Link]

Devuan servers were compromised.

No.

You have long been aware of this claim being flat-out incorrect, but keep repeating it. We were both there. (I'm not a Devuan Project insider, but am a longtime sympathetic participant with no horse in this race otherwise, as you probably recall.) As you are fully aware, exactly zero Devuan servers were compromised. One of the caretaker pretended, as the substance of a meticulously implemented, hilarious, and deeply unwise prank that they had been, and then revealed the prank within the customary one-day period, and then apologised for the unwise choice of prank framing (inside a supposed security breach).

The biggest damage was then done by, to be blunt, you and a few other people who flew off the handle and did the Internet-maximal-noise dance at great length and to stupefying effect. If you were hoping to be thanked for that, I fear you will be a long time waiting.

Rick Moen
rick@linuxmafia.com

Devuan, April Fools, and self-destruction

Posted Apr 25, 2019 18:17 UTC (Thu) by nivedita76 (subscriber, #121790) [Link] (7 responses)

The reason you're cuckoo is because you keep referring to "compromised servers" after being repeatedly told that these are a figment of your imagination.

Devuan, April Fools, and self-destruction

Posted Apr 25, 2019 20:40 UTC (Thu) by edomaur (subscriber, #14520) [Link] (6 responses)

I understand his point : How can you prove that they are, indeed, figments of imagination ?

The whole point here is that after any event like that, you need to do a security assessment, otherwise how can you be _REALLY_ sure that nothing is amiss ? Today, Linux distros are somewhat central in the Internet world. If one of those is not able to prove that it has really not been compromised, then it is only a toy and not a tool.

Devuan, April Fools, and self-destruction

Posted Apr 26, 2019 17:21 UTC (Fri) by rweikusat2 (subscriber, #117920) [Link] (3 responses)

There was no 'event like that'.

A member of the core team of some distribution temporarily replaced a web page/ set of web pages on some set of servers belonging to the distribution. This happened on April 1st, was meant to be an April Fools joke and was pretty clearly recognizable as such due to the nature of the replacement page (efficient text-only gopher vs the bloated WWW being a holy war of the 1990s --- do we perhaps need a warning sign "You may encounter people over 35 here. If they do something you absolutely don't understand, please consider asking about it before panicking and jumping to wild conclusion"?). Revealing this as the joke it was supposed to be ought to be entirely sufficient to 'prove' nothing was compromised here.

Devuan, April Fools, and self-destruction

Posted Apr 26, 2019 19:00 UTC (Fri) by pizza (subscriber, #46) [Link] (2 responses)

It wasn't just a replaced web page. If it was, nobody would have really cared after April 2nd. Instead, a whole bunch of infrastructure was taken offline, and weeks later, at least some of it is _still_ down.

There seem to be two logical explanations:

* They were genuinely (and cleverly) hacked, and are lying to cover it up while trying to restore services
* This was a prank that was made without any heads-up to other core team members, and was taken _way_ too far, to the point where weeks later services still aren't fully restored.

Either way, the way it's been handled does not exactl instil confidence in Devuan's competence or professionalism, and I would expect "Veteran Unix Administrators" to be quite aware that those qualities are high on the list of "reasons to use Distribution X for anything remotely important"

Devuan, April Fools, and self-destruction

Posted Apr 26, 2019 20:07 UTC (Fri) by rweikusat2 (subscriber, #117920) [Link] (1 responses)

This autorepeat-FUD based on nothing but thin air is getting a bit tiresome.

Devuan, April Fools, and self-destruction

Posted Apr 26, 2019 22:24 UTC (Fri) by pizza (subscriber, #46) [Link]

...You do realize that the parent article contains many, many links to actual messages posted on the devuan-devel mailing list, and that the drama is still ongoing?

Devuan, April Fools, and self-destruction

Posted Apr 26, 2019 17:36 UTC (Fri) by nivedita76 (subscriber, #121790) [Link]

The point is that in this case it was irrelevant. The prank was perpetrated by someone who ALREADY had full access to the servers. There was nothing to compromise.

Devuan, April Fools, and self-destruction

Posted Apr 26, 2019 17:40 UTC (Fri) by nivedita76 (subscriber, #121790) [Link]

This is also an interesting attitude to take, because in the real world there are exactly zero operating systems that can prove they have not been compromised. No linux distro gives you any sort of proof that its servers haven't been compromised. If that's the level of trust you need, then you need to use something homegrown, built from source code and with an audit team going over that source code to make sure there are no compromises. I'll bet even the NSA isn't that paranoid.

Devuan, April Fools, and self-destruction

Posted Apr 29, 2019 10:06 UTC (Mon) by jezuch (subscriber, #52988) [Link]

There was a time when "hacking" was almost synonymous with "vandalism". This was before criminals realized that there is serious money to be made from it. But in those times "we're the hackers using green monochrome text monitors and have taken over the web to replace it with gopher, as it was always meant to be" would totally be a thing that crackers would put on your vandalized web page. So... Not so obvious. On any date.