|
|
Subscribe / Log in / New account

Devuan, April Fools, and self-destruction

Devuan, April Fools, and self-destruction

Posted Apr 25, 2019 20:35 UTC (Thu) by rweikusat2 (subscriber, #117920)
In reply to: Devuan, April Fools, and self-destruction by roc
Parent article: Devuan, April Fools, and self-destruction

There's no magic connection between servers operated by the Devuan project and installations of the distribution. The only thing a "responsible" admin would need to do here is "don't install software from there until more information becomes available".

to post comments

Devuan, April Fools, and self-destruction

Posted Apr 25, 2019 20:47 UTC (Thu) by perennialmind (guest, #45817) [Link] (1 responses)

A responsible admin might question whether the time of "pwning" coincides with the announcement thereof.

Devuan, April Fools, and self-destruction

Posted Apr 25, 2019 20:54 UTC (Thu) by rweikusat2 (subscriber, #117920) [Link]

Ignorance can't be cured with speculation.

Devuan, April Fools, and self-destruction

Posted Apr 25, 2019 21:13 UTC (Thu) by roc (subscriber, #30627) [Link] (9 responses)

It's reasonable to assume that if the site is compromised, there is a significant chance other project assets are also compromised, especially in a small project where the same people likely have access to both.

Devuan, April Fools, and self-destruction

Posted Apr 26, 2019 17:44 UTC (Fri) by nivedita76 (subscriber, #121790) [Link] (8 responses)

If your sysadmin was depending on the website looking professional to determine whether the distro was compromised or not, well let's just say you have bigger issues.

Devuan, April Fools, and self-destruction

Posted Apr 26, 2019 19:13 UTC (Fri) by perennialmind (guest, #45817) [Link]

There are minimalist websites that I hold in high regard. LWN, for one. If LWN started pulling unprofessional the-sky-is-falling pranks, it would behoove me to rely less on the accuracy of their reporting. Thankfully, when LWN authors poke fun, they do let the audience in on the joke.

Conscientious admins come in small scale shops and solo acts too. Sure, beyond-the-basics, fancy intrusion detection systems are available for those who can devote the necessary resources for defense in depth. But even for them, given the prevalence of scrupulous, painstaking curation in distros like Debian, RedHat, and others, why consider Devuan when such carelessness is on display?

Message matters. The message here: toy, not tool.

Devuan, April Fools, and self-destruction

Posted Apr 26, 2019 19:29 UTC (Fri) by mgb (guest, #3226) [Link] (5 responses)

> If your sysadmin was depending on the website looking professional to determine whether the distro was compromised or not, well let's just say you have bigger issues.
'
When a distro's own sysadmins and developers are locked out of their own compromised servers I would say that is not a good sign.

Devuan, April Fools, and self-destruction

Posted Apr 30, 2019 14:29 UTC (Tue) by nix (subscriber, #2304) [Link] (4 responses)

You keep calling this a compromise, yet the very article you are responding to says, in the second line:
the Devuan web site looked like it had been taken over by attackers, which was worrisome to many, but it was all a prank
That is to say, it was not a compromise, because the people who openly stated that they took it offline were Devuan's own admins. If you think this was a compromise, then I recommend you go to the island of San Seriffe for your next holiday, because that clearly exists as well. This whole prank was a terrible idea, but I see no more reason to believe Devuan was compromised after it than before it. (I do see it as a reason to believe that Devuan's administrators are not people I would trust to administer a public resource, and thus that it is more likely that it was compromised long ago than I had last month -- but this prank is not itself a sign of a systems compromise happening at the same time.)

Actual compromises require a different set of responses to terribly ill-judged poor jokes, and complaining that post-compromise responses were not implemented in response to a really badly-judged prank is like complaining that release announcements are not properly sent out after a compromise (equally inappropriate, because a compromise is not a software release).

Devuan, April Fools, and self-destruction

Posted Apr 30, 2019 14:57 UTC (Tue) by mgb (guest, #3226) [Link] (2 responses)

> it was not a compromise, because the people who openly stated that they took it offline were Devuan's own admins

ONE Devuan admin compromised some Devuan servers. All other Devuan admins and devs were locked out, thought the attack was real, reported that Devuan had been pwned, and were doing what they could to isolate other Devuan infrastructure from the compromised systems.

This continued for 24 hours.

The "prankster" then left the project but Devuan management refused to audit or rebuild the compromised servers and simply declared them uncompromised.

To this date nobody knows whether the "prankster" accidentally or deliberately left any compromises, or whether unrelated black hats were able to gain access during the compromise.

The "prank" was stupid but Devuan could have recovered from it. The management response was inexcusable.

Devuan, April Fools, and self-destruction

Posted May 2, 2019 13:41 UTC (Thu) by nix (subscriber, #2304) [Link] (1 responses)

ONE Devuan admin compromised some Devuan servers. All other Devuan admins and devs were locked out, thought the attack was real, reported that Devuan had been pwned, and were doing what they could to isolate other Devuan infrastructure from the compromised systems.
That's something I hadn't grasped, and makes this much closer to an actual insider attack by a single privileged entity. It's as much an attack as, say, an admin wiping systems before he's fired (though a less destructive one). My head is full of WTF that anyone could possibly have thought this a good idea for even a microsecond.

Devuan, April Fools, and self-destruction

Posted May 4, 2019 0:13 UTC (Sat) by anselm (subscriber, #2796) [Link]

My head is full of WTF that anyone could possibly have thought this a good idea for even a microsecond.

Remember that these are the people who think it's a good idea to fork an entire Linux distribution just to get rid of an inconsequential library they don't like. Personally I'm not in the least surprised.

Devuan, April Fools, and self-destruction

Posted Apr 30, 2019 17:07 UTC (Tue) by rahvin (guest, #16953) [Link]

At best you've got a contribute locking everyone else and all he admins out of the servers without a word. And they left everyone locked out for a significant period of time while pretending it was a real outside hacking event.

You might still trust that person, but anyone who sensibly relies on those services can't trust that nothing it compromised without an outside audit. That's just a rule of the business world. The only question that I see is, Is Devuan a professional distribution with standards or is it a toy where a lockout like this can be undertaken without an external audit to verify it was just a joke.

The person who instituted the joke at this point should not be trusted, they locked out the entire administration staff. Maybe you are having difficulty seeing this outside point of view because you know and trust the person involved. Ask yourself this question:

If you worked at a company with a handful of admin's and one of them locked everyone else out of the servers and pretended they'd been externally compromised for an extended period of time how would that go down? Would the company laugh it off as a good joke?

Devuan, April Fools, and self-destruction

Posted Apr 26, 2019 22:21 UTC (Fri) by roc (subscriber, #30627) [Link]

Of course, devuan.org explicitly saying "DEVUAN.ORG HAS BEEN PWNED" is entirely different from just "not looking professional".


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds