
Devuan, April Fools, and self-destruction

Devuan, April Fools, and self-destruction

Posted Apr 25, 2019 21:13 UTC (Thu) by roc (subscriber, #30627)
In reply to: Devuan, April Fools, and self-destruction by rweikusat2
Parent article: Devuan, April Fools, and self-destruction

It's reasonable to assume that if the site is compromised, there is a significant chance other project assets are also compromised, especially in a small project where the same people likely have access to both.


Devuan, April Fools, and self-destruction

Posted Apr 26, 2019 17:44 UTC (Fri) by nivedita76 (subscriber, #121790) [Link] (8 responses)

If your sysadmin was depending on the website looking professional to determine whether the distro was compromised or not, well let's just say you have bigger issues.

Devuan, April Fools, and self-destruction

Posted Apr 26, 2019 19:13 UTC (Fri) by perennialmind (guest, #45817) [Link]

There are minimalist websites that I hold in high regard. LWN, for one. If LWN started pulling unprofessional the-sky-is-falling pranks, it would behoove me to rely less on the accuracy of their reporting. Thankfully, when LWN authors poke fun, they do let the audience in on the joke.

Conscientious admins come in small scale shops and solo acts too. Sure, beyond-the-basics, fancy intrusion detection systems are available for those who can devote the necessary resources for defense in depth. But even for them, given the prevalence of scrupulous, painstaking curation in distros like Debian, RedHat, and others, why consider Devuan when such carelessness is on display?

Message matters. The message here: toy, not tool.

Devuan, April Fools, and self-destruction

Posted Apr 26, 2019 19:29 UTC (Fri) by mgb (guest, #3226) [Link] (5 responses)

> If your sysadmin was depending on the website looking professional to determine whether the distro was compromised or not, well let's just say you have bigger issues.
When a distro's own sysadmins and developers are locked out of their own compromised servers I would say that is not a good sign.

Devuan, April Fools, and self-destruction

Posted Apr 30, 2019 14:29 UTC (Tue) by nix (subscriber, #2304) [Link] (4 responses)

You keep calling this a compromise, yet the very article you are responding to says, in the second line:
> the Devuan web site looked like it had been taken over by attackers, which was worrisome to many, but it was all a prank
That is to say, it was not a compromise, because the people who openly stated that they took it offline were Devuan's own admins. If you think this was a compromise, then I recommend you go to the island of San Serriffe for your next holiday, because that clearly exists as well. This whole prank was a terrible idea, but I see no more reason to believe Devuan was compromised after it than before it. (I do see it as a reason to believe that Devuan's administrators are not people I would trust to administer a public resource, and thus that it is more likely that it was compromised long ago than I had last month -- but this prank is not itself a sign of a systems compromise happening at the same time.)

Actual compromises require a different set of responses to terribly ill-judged poor jokes, and complaining that post-compromise responses were not implemented in response to a really badly-judged prank is like complaining that release announcements are not properly sent out after a compromise (equally inappropriate, because a compromise is not a software release).

Devuan, April Fools, and self-destruction

Posted Apr 30, 2019 14:57 UTC (Tue) by mgb (guest, #3226) [Link] (2 responses)

> it was not a compromise, because the people who openly stated that they took it offline were Devuan's own admins

ONE Devuan admin compromised some Devuan servers. All other Devuan admins and devs were locked out, thought the attack was real, reported that Devuan had been pwned, and were doing what they could to isolate other Devuan infrastructure from the compromised systems.

This continued for 24 hours.

The "prankster" then left the project but Devuan management refused to audit or rebuild the compromised servers and simply declared them uncompromised.

To this date nobody knows whether the "prankster" accidentally or deliberately left any compromises, or whether unrelated black hats were able to gain access during the compromise.

The "prank" was stupid but Devuan could have recovered from it. The management response was inexcusable.

Devuan, April Fools, and self-destruction

Posted May 2, 2019 13:41 UTC (Thu) by nix (subscriber, #2304) [Link] (1 responses)

> ONE Devuan admin compromised some Devuan servers. All other Devuan admins and devs were locked out, thought the attack was real, reported that Devuan had been pwned, and were doing what they could to isolate other Devuan infrastructure from the compromised systems.
That's something I hadn't grasped, and makes this much closer to an actual insider attack by a single privileged entity. It's as much an attack as, say, an admin wiping systems before he's fired (though a less destructive one). My head is full of WTF that anyone could possibly have thought this a good idea for even a microsecond.

Devuan, April Fools, and self-destruction

Posted May 4, 2019 0:13 UTC (Sat) by anselm (subscriber, #2796) [Link]

> My head is full of WTF that anyone could possibly have thought this a good idea for even a microsecond.

Remember that these are the people who think it's a good idea to fork an entire Linux distribution just to get rid of an inconsequential library they don't like. Personally I'm not in the least surprised.

Devuan, April Fools, and self-destruction

Posted Apr 30, 2019 17:07 UTC (Tue) by rahvin (guest, #16953) [Link]

At best you've got a contributor locking everyone else and all the admins out of the servers without a word. And they left everyone locked out for a significant period of time while pretending it was a real outside hacking event.

You might still trust that person, but anyone who sensibly relies on those services can't trust that nothing is compromised without an outside audit. That's just a rule of the business world. The only question I see is: is Devuan a professional distribution with standards, or is it a toy where a lockout like this can be undertaken without an external audit to verify it was just a joke?

The person who instituted the joke at this point should not be trusted, they locked out the entire administration staff. Maybe you are having difficulty seeing this outside point of view because you know and trust the person involved. Ask yourself this question:

If you worked at a company with a handful of admins and one of them locked everyone else out of the servers and pretended they'd been externally compromised for an extended period of time, how would that go down? Would the company laugh it off as a good joke?

Devuan, April Fools, and self-destruction

Posted Apr 26, 2019 22:21 UTC (Fri) by roc (subscriber, #30627) [Link]

Of course, devuan.org explicitly saying "DEVUAN.ORG HAS BEEN PWNED" is entirely different from just "not looking professional".


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds