Slashdot Mirror


FSF FTP Site Cracked, Looking for MD5 Sums

landley writes "The Free Software Foundation's FTP site at ftp.gnu.org has been "compromised", and they don't seem to have full backups. They've yanked a bunch of recent packages (and their whole alpha.gnu.org ftp site), and when I asked about it they responded 'Our FTP server was compromised, yes. We are beginning to find good MD5sums for files which have not yet been restored, and they will be available again Real Soon Now. If you can provide MD5sums for any of the files listed in MISSING-FILES, it would be very much appreciated.' " Update: the FSF has a statement on the FTP site explaining the matter.

752 comments

  1. Correct MD5s by Henry+V+.009 · · Score: 4, Funny

    Sure, I've got the "correct" MD5s right here. You trust me, don't you?

    1. Re:Correct MD5s by brechmos · · Score: 4, Insightful
      Yeah, but if enough people send in the same MD5 sums for each file, then it "should be" easy to confirm whether it is correct or not.

      Surely, there aren't that many dishonest people, and if there were, then it would be hard for them all to get together and come up with the same MD5.

    2. Re:Correct MD5s by Henry+V+.009 · · Score: 4, Insightful

      The man of the million email addresses replies: Are they confirming MD5s in person, or over the phone, or by other electronic means? You have yet to master the art of paranoia, grasshopper.

    3. Re:Correct MD5s by Merk · · Score: 1
      (1..5000).each do |i|
        sender = "gnu_fan#{i}@yahoo.com"
        ...
      end

      All it takes is one clever dishonest person. Until PGP signatures become commonplace and people are able to build up a web of trust, it's pretty easy to fake this sort of thing using email.

    4. Re:Correct MD5s by brechmos · · Score: 1

      Yeah, but, surely it wouldn't be that hard to parse through a list of email addresses and MD5s and see which ones you can "trust". We do that every day with spam filters.

    5. Re:Correct MD5s by Dogun · · Score: 1

      Unless someone is watching their mail queue, they don't know how many messages to send - if the response is pretty large, then they're not going to be able to pull one over. If the response is fairly small, and conspirators were to send many messages, then it's obvious something is wrong.

    6. Re:Correct MD5s by javatips · · Score: 3, Insightful

      Anyway, the only purpose of the MD5 checksum should be to make sure that the file was transferred properly. And with TCP/IP it would be quite uncommon to get a bit flipped while traveling from the server to you (unless there is a "man" in the middle).

      Any use of the checksum to ensure that the file has not been altered before the transfer is useless, as a person who cracks a server will replace the file and its checksum.

      File checksums should always be signed by someone who can be trusted. If that's not the case, they are worthless.

    7. Re:Correct MD5s by DGtlRift · · Score: 1

      I have jpg images of the original checksums with randomized filenames so they cannot be web-harvested... I'm holding them ransom for... Oops... Sorry that RPC worm just killed them. Oh well.

      --
      How about a spell checker for slashdot, or even more impressive, a spell checker for strings in C-Code? Use lint! -DG
    8. Re:Correct MD5s by Anonymous Coward · · Score: 0

      never make a joke ever again. That was sad.

    9. Re:Correct MD5s by Transient0 · · Score: 1

      Unless you get multiple copies of the same MD5 from different people with whom you have had previous contact and which are sent in PGP signed messages.

      If this doesn't satisfy you then you may have trouble leaving your apartment without wondering if someone is going to break in, disassemble all your locks, take impressions, make keys, re-assemble and re-install the locks while you are out.
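
The tally the posters are arguing about, as an added example (not code from the thread or from the FSF): submissions from throwaway addresses are ignored, only submissions whose signature verified against a previously known key count, and a file is accepted only when several independent trusted signers agree. `Submission`, `tally_submissions`, `TRUSTED_KEYS` and the sample data are all constructed for this example.

```python
"""Tally MD5 sums that people have mailed in for files whose server copy is suspect.

Added example, not code from the thread or from the FSF. A flood of submissions
from throwaway addresses must not be able to outvote a few submissions from
people the maintainers already know, so a submission counts only if it was
verified against a key in TRUSTED_KEYS, and a file is accepted only when at
least MIN_INDEPENDENT distinct trusted signers agree and none disagree.
All names and sample data below are constructed for this example.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Fingerprints of keys the maintainers verified out of band earlier
# (constructed placeholders, not real key ids).
TRUSTED_KEYS = {"KEY-ALICE", "KEY-BOB", "KEY-CAROL"}
MIN_INDEPENDENT = 2


@dataclass(frozen=True)
class Submission:
    sender: str               # From: header; trivially forged, so never used for trust
    signer: Optional[str]     # key the message's signature verified against, None if unsigned
    filename: str
    md5: str


def tally_submissions(subs, trusted_keys=TRUSTED_KEYS, min_independent=MIN_INDEPENDENT):
    """Return ({filename: (status, md5_or_None)}, number_of_ignored_submissions).

    status is "accepted" (enough trusted signers, all agreeing), "conflict"
    (trusted signers disagree: investigate by hand) or "insufficient".
    """
    votes = defaultdict(lambda: defaultdict(set))   # filename -> md5 -> trusted signers
    ignored = 0
    for s in subs:
        if s.signer not in trusted_keys:             # unsigned, or signed by an unknown key
            ignored += 1
            continue
        votes[s.filename][s.md5.lower()].add(s.signer)

    result = {}
    for filename, by_sum in votes.items():
        if len(by_sum) > 1:
            result[filename] = ("conflict", None)
            continue
        (md5, signers), = by_sum.items()
        if len(signers) >= min_independent:
            result[filename] = ("accepted", md5)
        else:
            result[filename] = ("insufficient", None)
    return result, ignored


# Constructed sample: three known people plus the 5000-address loop from the thread.
SAMPLE = [
    Submission("alice@example.org", "KEY-ALICE", "foo-1.0.tar.gz", "a" * 32),
    Submission("bob@example.org", "KEY-BOB", "foo-1.0.tar.gz", "A" * 32),      # differs only in case
    Submission("carol@example.org", "KEY-CAROL", "bar-2.1.tar.gz", "b" * 32),
    Submission("alice@example.org", "KEY-ALICE", "bar-2.1.tar.gz", "c" * 32),  # disagrees with Carol
    Submission("bob@example.org", "KEY-BOB", "baz-0.9.tar.gz", "d" * 32),      # only one trusted voice
] + [
    Submission(f"gnu_fan{i}@yahoo.com", None, "baz-0.9.tar.gz", "e" * 32)      # unsigned flood
    for i in range(5000)
]


if __name__ == "__main__":
    verdicts, ignored = tally_submissions(SAMPLE)
    print(f"ignored {ignored} unauthenticated submissions")
    for name, (status, md5) in sorted(verdicts.items()):
        print(f"{name:16s} {status:12s} {md5 or ''}")
```

Note that the 5000 unsigned submissions change nothing: `baz-0.9.tar.gz` stays "insufficient" because only one known key vouched for it, and `bar-2.1.tar.gz` is flagged as a conflict between two known signers rather than settled by a head count.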

    10. Re:Correct MD5s by schulte · · Score: 3, Funny

      Hmmm....

      # grep -i ircflood *.c
      gcc.c:#include "ircflood.h"

      What's going on here?@!?@!?

      --
      -- schulte
    11. Re:Correct MD5s by Anonymous Coward · · Score: 0

      I hate to tell you but I can make impressions to cut keys for the locks without disassembling them.

      Most good locksmiths can do this. Fortunately (or unfortunately) there are not that many good locksmiths.

    12. Re:Correct MD5s by recursiv · · Score: 1

      So there's no 100% way of exploiting this. Does that mean it's not vulnerable?

      --
      I used to bulls-eye womp-rats in my pants
    13. Re:Correct MD5s by Transient0 · · Score: 1

      Yeah, there exist lock-picking guns with internal memories which actually make doing this a relative snap if you have a little experience and a budget, but it doesn't make for as good a paranoia story.

    14. Re:Correct MD5s by Merk · · Score: 2, Insightful

      I did say "clever" didn't I? The only reason we have any luck catching spammers is that the spam they send is pretty obviously spam: obvious keywords, RFC non-compliant headers, lots of HTML, etc.

    15. Re:Correct MD5s by Anonymous Coward · · Score: 0
      Detecting an attempted exploit is trivial. Getting one through is almost impossible. I'm not worried. I'm far more likely to die from lightning today.

      Someone faking all these e-mails would have to write a program that could practically pass the Turing test. If there are any MD5 mismatches, FSF will be very careful. There's not much of a window left. We're not talking about millions of files.

    16. Re:Correct MD5s by fussman · · Score: 0

      What if all these people got the compromised version of the file in question?

      --
      Support Israeli punk bands. Man Alive.
    17. Re:Correct MD5s by zangdesign · · Score: 1, Informative

      True security means trashing any possibly affected code and starting over from zero. It also means you find the person responsible and terminate his existence in a way that will make grown men cry.

      --
      To celebrate the occasion of my 1000th post, I will post no more forever on Slashdot. Goodbye.
    18. Re:Correct MD5s by Anonymous Coward · · Score: 0

      True, but if one person made fucking backups, there would be no reason to have to trust strangers.

      ...and some people wonder why there is a perception that open source doesn't have its shit together.

    19. Re:Correct MD5s by 10bt · · Score: 1

      There is such a thing as organized crime, you know ;).

    20. Re:Correct MD5s by Pharmboy · · Score: 1

      Unless someone is watching their mail queue, they don't know how many messages to send - if the response is pretty large, then they're not going to be able to pull one over. If the response is fairly small, and conspirators were to send many messages, then it's obvious something is wrong.

      So, should they let the same guy responsible for managing the hacked ftp site verify this incoming mail to make sure its not all from the same person?

      --
      Tequila: It's not just for breakfast anymore!
    21. Re:Correct MD5s by SpaceLifeForm · · Score: 1
      With proper due diligence...

      maybe.

      Damn, that sucks!

      --
      You are being MICROattacked, from various angles, in a SOFT manner.
    22. Re:Correct MD5s by plague3106 · · Score: 1

      I'd think that the maintainers of the code send the MD5s. It's doubtful they would have tainted code because they are pushing it from their box to gnu.org, not the other way around.

    23. Re:Correct MD5s by Anonymous Coward · · Score: 0

      Your such teh fucktard.

      Anal rapage is your hobby, and you're a fucking french queer, probably canadian as well.

      God, I just hope you die and leave us normal people alone.

    24. Re:Correct MD5s by zangdesign · · Score: 1

      And you can't spell, asshole.

      --
      To celebrate the occasion of my 1000th post, I will post no more forever on Slashdot. Goodbye.
    25. Re:Correct MD5s by fussman · · Score: 0

      You're right, I'm just being a paranoid sysadmin. I'd rather make a comment with some good discussion about this, but I am just conceding that I'm a nut. Mod up/down whatever. I don't care.

      --
      Support Israeli punk bands. Man Alive.
    26. Re:Correct MD5s by Eunuchswear · · Score: 1

      You don't read AC posts but you do reply to them?

      --
      Watch this Heartland Institute video
    27. Re:Correct MD5s by Black+Copter+Control · · Score: 1

      The FSF is using PGP signatures to verify the MD5 sums. Why they're not just using detached PGP signatures directly, I don't know.

      --
      OS Software is like love: The best way to make it grow is to give it away.
    28. Re:Correct MD5s by Anonymous Coward · · Score: 0

      The article says the sums are all GPG signed.

  2. ouch, saw this yesterday by Barbarian · · Score: 3, Informative

    Did you know that some files are just about impossible to get anywhere else?

    1. Re:ouch, saw this yesterday by Anonymous Coward · · Score: 0

      ah - the wonderful stable world of lunix - this is sure to encourage thoughtful businesses to run their critical operations on this software.

    2. Re:ouch, saw this yesterday by FifteenSquids · · Score: 1

      I was unaware that Linux (the kernel) provided FTP services...

    3. Re:ouch, saw this yesterday by gearheadsmp · · Score: 5, Funny

      Look no further than across the pond, my friend! Faster downloads than iBiblio, and it's run by this guy. So dig in!

    4. Re:ouch, saw this yesterday by Anonymous Coward · · Score: 0

      Have you forgotten that Microsoft were caught out distributing viruses on the Windows installation CD not too long ago?

    5. Re:ouch, saw this yesterday by Anonymous Coward · · Score: 0

      Why yes, I've totally forgotten. A link, please?

    6. Re:ouch, saw this yesterday by ecmascript · · Score: 1
      It wasn't the Windows install CD, but it was a Microsoft CD. From the mouth of the beast:
      PRB: Inert Virus Found in Korean Language Version of Visual Studio .NET
    7. Re:ouch, saw this yesterday by Anonymous Coward · · Score: 0

      Yes, people should instead turn to MS, 'cause they never get hacked, right?

    8. Re:ouch, saw this yesterday by Anonymous Coward · · Score: 0

      Your sig is actually somewhat amusing, organized religion (aka the Catholics, Mormons, etc.) are non-Biblical, they try to ignore the facts in the Bible. So for the second half of your sig, the Bible actually agrees with you to a degree.

    9. Re:ouch, saw this yesterday by driftingwalrus · · Score: 1

      Which files?

      --
      Paul Anderson
      "I drank WHAT?!" -- Socrates
    10. Re:ouch, saw this yesterday by Anonymous Coward · · Score: 0

      They have all the source code, they are just trying to verify that none of them have been altered by the hacker.

      Did anyone read the statement on the ftp server? They are simply trying to verify the authenticity of the code that they STILL have before putting up links to it. There is no need to get the files elsewhere, they don't need any backup, they still have it all, they just want to make sure no trojans, virii, etc have been added.

    11. Re:ouch, saw this yesterday by gearheadsmp · · Score: 1

      Thanks. I lifted it off the Undead Linux site.

    12. Re:ouch, saw this yesterday by Anonymous Coward · · Score: 0

      If they had proper backups, they wouldn't have to ask if anything had been added or not.

    13. Re:ouch, saw this yesterday by Anonymous Coward · · Score: 0

      Yes, that's right. They'll just roll back to a five month old backup. That won't be a problem at all.

    14. Re:ouch, saw this yesterday by BetaJim · · Score: 1
      Yes, those links do point to mirrors. But, it also mirrors the files containing the explanation for the missing files.

      I needed a new copy of gcl last week. Guess what? They're gone from ftp.gnu.org and the mirrors you listed :(

      Sadly, I've still not found the most recent gcl... I hope this gets fixed soon.

      --

      "Drug related crime" is a misnomer, "prohibition related crime" is the more accurate and correct phrase.

    15. Re:ouch, saw this yesterday by asit+ler · · Score: 1

      If I hadn't left my mod points in my other pocket protector, this would +7, Funny.

      --
      This is not the sig you're looking for.
    16. Re:ouch, saw this yesterday by rifter · · Score: 1

      I was unaware that Linux (the kernel) provided FTP services...

      Linux (the kernel) was the source of the root exploit which was not fixed for a week, during which the gnu.org ftp site was cracked. Somewhere Theo de Raadt is laughing...

      Granted, the exploit was a local hole and was only exploitable because the FSF gave the maintainers shell access. But what do you expect from an organization run by a man who finds passwords morally repugnant?

  3. Have a floppy? by John+Paul+Jones · · Score: 1, Insightful

    How hard is it to script a backup of MD5 sums to removable media? Sheesh.

    --
    Feh.
    1. Re:Have a floppy? by Uruk · · Score: 2, Interesting

      I don't think it's that easy. What would prevent an attacker from modifying the md5sums that were present with the machine so that the backup then contained the modified md5sums of the trojaned applications?

      No, the best solution is to have a separate, offline copy of known good md5sums to compare against. Ones that came directly from the developer, preferably signed by the developer's GPG key.

      --
      -- Truth goes out the door when rumor comes innuendo. -- Groucho Marx
    2. Re:Have a floppy? by John+Paul+Jones · · Score: 1
      No, the best solution is to have a separate, offline copy of known good md5sums to compare against. Ones that came directly from the developer, preferably signed by the developer's GPG key.
      This is exactly what I said. They should have been backing up the sums to removable media every night/week or whatever. It's simple, and makes lots of sense.
      --
      Feh.
    3. Re:Have a floppy? by Mark+Pitman · · Score: 2, Insightful
      They should have been backing up the sums to removable media every night/week or whatever. It's simple, and makes lots of sense.

      Since the server was hacked sometime in March, even the backups have the possibility of being compromised. I doubt they keep 5+ months of nightly or even weekly backups sitting around.

    4. Re:Have a floppy? by sholden · · Score: 1

      And just how do you know the file and MD5 sum wasn't compromised sometime during the day before the backup was made?

      Or are you planning on doing a back up every second and hoping the cracker can't win the race?

      *Every* change to a file on that server since March is suspect. Yes you can recover all the files prior to the crack, but you also want the good data from after the crack.

      Hence they need MD5 sums from people who got the files from somewhere else (which didn't in turn get them from the compromised server...).

      On the bright side, it means they will finally start using signed MD5 sums. Something which everyone should have been doing years ago.
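
The offline-baseline check that Uruk and sholden describe, as an added example (not code from the thread or from the FSF): a known-good checksum list that never lived on the compromised host is parsed and every file on the server is classified, with files that are present but not in the list reported separately because, as sholden says, anything that changed after the baseline is suspect. The function names, file names, versions and contents are all constructed for this example.

```python
"""Verify a release tree against an offline, known-good checksum list.

Added example, not code from the thread or the FSF. Once a host has been
compromised, the only reference worth trusting is a checksum list that never
lived on that host, ideally signed by the developer. The list is in md5sum
output format ("<hex>  <name>"). Each file ends up as ok, modified, missing or
unlisted; an unlisted file appeared after the baseline was taken and is
therefore suspect. All names, versions and contents below are constructed.
MD5 is used because it is what the thread is about; a baseline taken today
would use SHA-256, since MD5 collisions are cheap to produce.
"""
import hashlib
import os
import tempfile


def parse_checksum_list(text):
    """Parse md5sum-style lines into {relative_path: lowercase_hex_digest}."""
    sums = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")   # md5sum separates with two spaces
        if name.startswith("*"):                 # binary-mode marker
            name = name[1:]
        sums[name] = digest.lower()
    return sums


def md5_of_file(path, chunk=1 << 16):
    """Hash a file in chunks so large tarballs are not read into memory at once."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_tree(root, baseline):
    """Classify every regular file under root against the baseline dict."""
    report = {"ok": [], "modified": [], "missing": [], "unlisted": []}
    seen = set()
    for dirpath, _, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            seen.add(rel)
            if rel not in baseline:
                report["unlisted"].append(rel)
            elif md5_of_file(full) == baseline[rel]:
                report["ok"].append(rel)
            else:
                report["modified"].append(rel)
    report["missing"] = sorted(set(baseline) - seen)
    for key in ("ok", "modified", "unlisted"):
        report[key].sort()
    return report


def build_sample_tree():
    """Construct a throwaway tree and baseline that exercise all four outcomes."""
    root = tempfile.mkdtemp(prefix="release-")
    contents = {
        "gcc/gcc-3.3.tar.gz": b"pretend this is gcc 3.3\n",
        "gcc/gcc-3.2.3.tar.gz": b"pretend this is gcc 3.2.3\n",
        "emacs/emacs-21.3.tar.gz": b"pretend this is emacs 21.3\n",
    }
    lines = []
    for rel, data in contents.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
        lines.append(f"{hashlib.md5(data).hexdigest()}  {rel}")
    baseline_text = "\n".join(lines) + "\n"   # the copy that is kept offline

    # The server afterwards (constructed): one file altered, one removed,
    # one uploaded after the baseline was taken.
    with open(os.path.join(root, "gcc", "gcc-3.2.3.tar.gz"), "ab") as f:
        f.write(b"extra bytes\n")
    os.remove(os.path.join(root, "emacs", "emacs-21.3.tar.gz"))
    with open(os.path.join(root, "gcc", "gcc-3.3.1.tar.gz"), "wb") as f:
        f.write(b"uploaded after the baseline was taken\n")
    return root, baseline_text


def demo():
    root, baseline_text = build_sample_tree()
    return verify_tree(root, parse_checksum_list(baseline_text))


if __name__ == "__main__":
    for status, names in demo().items():
        print(f"{status:9s} {', '.join(names) or '-'}")
```

`md5sum -c MD5SUMS` covers the ok/modified/missing cases but says nothing about files that are not in the list, which is exactly the "everything added since March" class this check reports as unlisted. The baseline itself should be checked against its detached signature before it is used.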

  4. the $64,000 question: by BobTheLawyer · · Score: 1, Funny

    was the server running NT?

    1. Re:the $64,000 question: by robslimo · · Score: 0

      According to netcraft.com, it's running Linux.

      The compromise was probably a weak password or an inside job.

    2. Re:the $64,000 question: by gazbo · · Score: 3, Insightful
      Or maybe, JUST FUCKING MAYBE , Linux isn't some sort of magical bug free OS where every buffer is checked, every race condition averted, and every service that runs on it is guaranteed bug free.

      Good God. The fact you can post that comment...no. You're just too much of an unthinking hero-worshipping idiot for me to finish. Yes, it was an inside job or a weak password. Anything except a vulnerability. Yes.

    3. Re:the $64,000 question: by Trigun · · Score: 3, Insightful

      The compromise was probably a weak password or an inside job.

      Which is why syslog should be on another secure computer, and dumped to paper in a locked room for high-security sites.

      It won't help the recovery, but helps pinpoint the intrusion

    4. Re:the $64,000 question: by ceejayoz · · Score: 1

      *claps*

    5. Re:the $64,000 question: by Anonymous Coward · · Score: 0

      Social engineering is a highly effective crack method. It also leaves fewer traces than a technical crack.

      Someone doesn't have to be a zealot to start off with the working assumption that it was social engineering crack rather than a technical failure in some OS component.

      Can the invective until there's more evidence, please.

    6. Re:the $64,000 question: by hawkestein · · Score: 5, Funny

      Or maybe, JUST FUCKING MAYBE , Linux isn't some sort of magical bug free OS where every buffer is checked, every race condition averted, and every service that runs on it is guaranteed bug free.

      That would be OpenBSD. ;)

      --
      -- Will quantum computers run imaginary-time operating systems?
    7. Re:the $64,000 question: by Anonymous Coward · · Score: 0

      Mod parent up.

    8. Re:the $64,000 question: by passthecrackpipe · · Score: 1, Informative

      leaving out the profanities, this isn't flamebait, modders, the guy has got a good point. It will probably be modded down into oblivion, so I'll just be posting a mirror - I've got karma to burn anyhow.

      ****************

      Or maybe Linux isn't some sort of magical bug free OS where every buffer is checked, every race condition averted, and every service that runs on it is guaranteed bug free.

      Good God. The fact you can post that comment...no. You're just too much of an unthinking hero-worshipping idiot for me to finish. Yes, it was an inside job or a weak password. Anything except a vulnerability. Yes.
      *****************

      --
      People who think they know everything are a great annoyance to those of us who do.
    9. Re:the $64,000 question: by saskwach · · Score: 4, Interesting
      Actually, this vulnerability had already been patched, just not on this particular server.
      iSEC Security Research reports that wu-ftpd contains an off-by-one bug in the fb_realpath function which could be exploited by a logged-in user (local or anonymous) to gain root privileges. A demonstration exploit is reportedly available.
      and patched August 31, 2003
    10. Re:the $64,000 question: by gazbo · · Score: 1
      Tell you what: normally I'd bet you 10, but clearly that doesn't work on the Internet. But I'll bet my credibility (which is all we have online) that it turns out to be an unpatched vulnerability.

      Also, I don't deny that it could be social engineering. But read the thread to get the nuances.

      "The server was hacked. Was it running NT?"

      "No, Linux. It was probably $ANYTHING_EXCEPT_SOFTWARE_ERROR"

      And that sort of comment deserves all the invective I can muster.

    11. Re:the $64,000 question: by iii_rjm · · Score: 5, Insightful

      No. The real $64,000 question is why didn't they have reliable backups and a disaster recovery plan

    12. Re:the $64,000 question: by Wuffle · · Score: 5, Funny

      and patched August 31, 2003

      I knew the open source community worked fast but that's just scary.

    13. Re:the $64,000 question: by Anonymous Coward · · Score: 0

      Since August 31, 2003 is in the future, I presume you meant July.

      For amusing comparison, though, Microsoft (pardon me, M$) apparently released the patch for the current worm a month ago. Yet that stopped how many people here from laughing their tails off at them?

    14. Re:the $64,000 question: by DunbarTheInept · · Score: 4, Funny


      leaving out the profanities, this isn't flamebait

      Duhhh. "If it wasn't for the flames, this wouldn't be a flame."

      --

      Don't label something "offtopic" unless you know the topic well enough to tell what's on topic.

    15. Re:the $64,000 question: by cronot · · Score: 1

      and patched August 31, 2003

      Huh? Are you from the future?

    16. Re:the $64,000 question: by DGtlRift · · Score: 3, Funny

      You mean the $65,536...

      --
      How about a spell checker for slashdot, or even more impressive, a spell checker for strings in C-Code? Use lint! -DG
    17. Re:the $64,000 question: by robslimo · · Score: 1

      I'll admit to a little bias. However, before posting my comment I did check www.gnu.org for an announcement/explanation and found none. Also searched news.google.com and found only this /. article. I had not heard of the wuftpd vulnerability as it was disclosed about 2 weeks ago.

      I still have seen no specific evidence that the wuftpd vulnerability was exploited in this case, though it quite likely is true. I took the lack of public announcement at gnu.org to be an embarrassed, tacit admission of culpability through poor administration and the first things that came to mind were weak passwords and/or insider information. Not applying security patches would have been next on my list.

    18. Re:the $64,000 question: by Anonymous Coward · · Score: 0

      Heheh. I thought the place I work at, JPL, was the only place paranoid enough to have Disaster Recovery Plans.

    19. Re:the $64,000 question: by Anonymous Coward · · Score: 0

      Note that he said "probably."

    20. Re:the $64,000 question: by BigGerman · · Score: 1

      "unthinking hero-worshipping idiot"
      thank you. It is because of hidden perls like that I keep coming back to ./
      Well put and right on the subject.
      People from the thoughtful crowd need to post more often.

    21. Re:the $64,000 question: by ray-auch · · Score: 1

      Since we're writing this on thirteenth August,

      "patched August 31, 2003"

      (particularly following "already") is some pretty weird tense construction.

      To write it correctly you probably need "Dr Dan Streetmentioner's Time Traveller's Handbook of 1001 Tense Formations". HTH

    22. Re:the $64,000 question: by Anonymous Coward · · Score: 0

      Why would they use something that has a history of insecurities as wu-ftpd ? Why not proftpd or vsftpd ? Both are GPLed and http://vsftpd.beasts.org/ even claims that ftp.gnu.org uses it !!

    23. Re:the $64,000 question: by Anonymous Coward · · Score: 0

      well, what was cracked? if we find out they were running something like wu-ftpd then all bets are off.

    24. Re:the $64,000 question: by theNetImp · · Score: 1

      or just maybe he did what most people do all the time. Mistype. I'm sure seeing that today is the 13th of August they just accidentally got the typing order wrong. Stop being such asses.

    25. Re:the $64,000 question: by gothmog666 · · Score: 1

      OR maybe a hardware failure..
      maybe their hard drive has rotted because they had spent too many years without changing it.

      --
      I intend to live forever. So far, so good.
    26. Re:the $64,000 question: by Anonymous Coward · · Score: 0

      i believe he said it was probably a weak password or inside job.

      i saw no mention of whether or not it was a software error.

      maybe you're reading into things? no, that couldn't be it at all...

    27. Re:the $64,000 question: by PrImED73 · · Score: 1

      :-| take a stress pill and think things over... dave....dave....

      --
      --Mods giveth, Mods taketh away--
    28. Re:the $64,000 question: by molarmass192 · · Score: 2, Informative

      It was an exploit in wu-ftp, not Linux, the story even says it was an FTP exploit. So yes, it was an unpatched vulnerability, but no, it was not in Linux.

      --

      Good people do not need laws to tell them to act responsibly, while bad people will find a way around the laws-Plato
    29. Re:the $64,000 question: by Anonymous Coward · · Score: 0

      well, what was cracked? if we find out they were running something like wu-ftpd then all bets are off.

      Well, looks like they were indeed running wu-ftpd (idiots). Linux continues to be a magical bug free OS. Anyone running wu-ftpd is a clown. If they had been running pureftpd like they are supposed to this probably wouldn't have happened.

      This has nothing to do with Linux (GNU's not Linux either). This just proves that members of the Free Software community are not the geniuses they like to think they are.

    30. Re:the $64,000 question: by sulli · · Score: 1, Funny
      It's more than a $64,000 question. It's more like a $64M question. Many thousands or even millions of users depend on these tools, and they don't have reliable backups?! No wonder people refuse to say GNU before everything and think RMS is a nutjob.

      If I were a Microsoft or Sun PR guy, I would be using this for anti-free software FUD immediately. "Sure you can get the source .. if it's not compromised on the server. Can your ENTERPRISE stake its MISSION CRITICAL BUSINESS on such a weak base?"

      --

      sulli
      RTFJ.
    31. Re:the $64,000 question: by prizog · · Score: 4, Informative

      There are backups from before the crack.

      If you want to give FSF $64,000, we could hire someone to implement a better plan. But we're not made of money.

    32. Re:the $64,000 question: by Sunda666 · · Score: 1

      wu-ftpd? wtf?

      even the worthless security audits I had here two years ago had in their recommendations to switch any wu-ftpd servers to ProFtpd

      http://www.proftpd.org

      These GNU guys spend too much time in politics and too little in stuff that matters (like maintaining their servers)

      cheers.

      --


      ``If a program can't rewrite its own code, what good is it?'' - Mel
    33. Re:the $64,000 question: by Anonymous Coward · · Score: 0

      Same thing could (and has) happened to OpenBSD project. Their dist servers run Solaris!

    34. Re:the $64,000 question: by nutznboltz · · Score: 1

      Oh, but proftpd has a history of insecurities too.

      There's also Pure-FTPd which is secure and GPLed.

    35. Re:the $64,000 question: by CowsAnonymous · · Score: 1

      From as far back as I can remember, that's the exact same type of situation with the last couple of M$ worms...::avoids tomatoes::

      --
      CowsAnonymous: We're here to help moo.
    36. Re:the $64,000 question: by Anonymous Coward · · Score: 0

      You could have backed up the fscking MD5SUMs at least.

    37. Re:the $64,000 question: by johnnyb · · Score: 1

      Are IIS vulnerabilities then not counted against Windows?

    38. Re:the $64,000 question: by El_Ge_Ex · · Score: 1

      Or maybe, JUST FUCKING MAYBE , Linux isn't some sort of magical bug free OS where every buffer is checked, every race condition averted, and every service that runs on it is guaranteed bug free.

      All over the World, hundreds of Script Kiddies just had their illusions of grandeur shattered...

      They then go back to their own Red Hat boxes only to find that some guy from Argentina has been using their boxes to send spam for months now.

      Just a suggestion, to really appreciate Linux and how it works, start with OpenBSD and go from there...

      -B

    39. Re:the $64,000 question: by Anonymous Coward · · Score: 0

      yep. M$ makes IIS. If they can't make a simple web/ftp server, how can you trust their OS?

    40. Re:the $64,000 question: by broeman · · Score: 1

      real (wo)men don't need backups, especially thinking of OSS, mirrors is all what we need. I think it was Linus who said something similar many years ago.

      --

      (yes this can be compared with sex)
    41. Re:the $64,000 question: by commodoresloat · · Score: 1

      They have a time machine. In the future, they made the patch, and came back in time to get people to install it. They even posted the first comment to this discussion about it, but it got moderated "troll."

    42. Re:the $64,000 question: by molarmass192 · · Score: 1

      wu-ftp is not part of the Linux kernel. That would be like counting a vulnerability in Apache against Microsoft because Apache also runs on W2K.

      My take on it is that since IIS is not shipped with all flavors of Windows, that no, it should not count against the Windows product. All the major security firms differentiate between the two as well. SQLServer is also differentiated from Windows for the same reason.

      I think what you're alluding to is that Windows, IIS, and SQLServer vulnerabilities are all considered Microsoft vulnerabilities. In that case, it's borderline true since the three products apparently share some of the same codebase. The only Linux counterpart I can think of would be a vulnerability in glib, the C runtime library.

      --

      Good people do not need laws to tell them to act responsibly, while bad people will find a way around the laws-Plato
    43. Re:the $64,000 question: by vadim_t · · Score: 4, Insightful

      They shouldn't be.

      If a bug in IIS causes a remote exploit then that's a bug in IIS, and that's it. Now, if there's a bug in the Windows TCP/IP stack, networking components, some kernel call, etc, which causes an exploit then that *is* a bug in Windows.

      A bug in wu-ftpd doesn't just affect Linux. It will also affect the other supported platforms: BSD/OS 1.1, and 3.1, FreeBSD 2.2.6, SCO OpenServer 5.x, SCO UnixWare 2.1, Solaris 2.4, 2.5.1 and 2.6, Sun Sparc Platforms, Solaris 2.6, Solaris 2.5.1, SunOS 4.1.4

      The only real security vulnerabilities in Linux are the ones that affect only the kernel and Linux specific tools. Everything else is just a vulnerability in some other program.

    44. Re:the $64,000 question: by TedCheshireAcad · · Score: 1

      Right, because we all know that the Linux Operating System is an FTP server.

      Most of the time, it's the services that provide for the vulnerability, not the operating system.

    45. Re:the $64,000 question: by JWW · · Score: 1

      Or maybe, just maybe, computer systems are beginning to resemble organic systems.

      The scary thing about Blaster is how well it did its job. It was effective enough as a virus (I know it's technically a worm) to infect a massive number of hosts, but not lethal enough to kill the host machines, allowing the virus to continue to spread. This is almost exactly like real viruses in the real world.

      Ok now on to replying to your rant against Linux....

      It's not that Linux per se is less prone to viruses. It's just that it's not the dominant organism on the net, so to speak. Current viruses are attacking the dominant operating system. Having such a large number of organisms (OSes) out there that all have the same genetic structure (code base) makes them logically the primary target. Diversity of the gene pool (OS code) would do wonders for the overall stability of the system, with a larger portion of computers being able to fight off the virus.

      BSD, Linux, OS X having a larger share of the market would lead to a healthier net. Continued monopoly will IMHO lead to the eventual super-virus that will cause real, prolonged, and large damage.

    46. Re:the $64,000 question: by Zebra_X · · Score: 3, Insightful

      Mirrors as a backup methodology have at least one fatal flaw which has been clearly exposed by this incident:

      A mirror is a random (whenever the mirror was made) point in time back up. There is no assurance that at any given point in time in the future a mirror is available for a particular point in time in the past. As a result, the answer to the question "do we have a backup" resolves to "maybe". Generally this sort of answer makes people squirm.

      In this particular situation the problem is exacerbated by the fact that every release from March until NOW needs to be reacquired from its source, because after March 2003 the source repository and its mirrors can no longer be considered safe.

      Indeed, a very difficult situation to be in.

      In order to answer Yes to the point in time question one must invest considerable cash in hardware and software to provide such backups.

    47. Re:the $64,000 question: by metalmaniac1759 · · Score: 1

      So, over here the bug was in Linux - the ptrace exploit. And it wasn't fixed fast. Too many eyes - just looking - not coding. What happened to the concept of peer reviews/analysis? And fast bug fixing, etc. etc.

      I'm now beginning to think that good open source software is a myth too! This is the second such exploit - earlier one was BSD and ssh was screwed!

      Nandz.

    48. Re:the $64,000 question: by Skye16 · · Score: 1

      Complete asshole, maybe, but at least he can spell.

    49. Re:the $64,000 question: by Overly+Critical+Guy · · Score: 1

      Microsoft puts out a patch for a hole, but it's still their fault when people get compromised. Pointing out to people that they should have patched gets lots of dancing around the issue.

      I bet people will blame admins for not patching in this instance, though. Because it's Linux. :P

      Just pointing out the obvious double standard.

      --
      "Sufferin' succotash."
    50. Re:the $64,000 question: by vadim_t · · Score: 1

      What do you mean, good open source software is a myth? Linux is great open source software; I had a web server with an uptime of 230 days that only went down because the UPS didn't have enough capacity to power it through the whole power outage.

      Nobody said it was perfect, though, nor can it be. Nothing made by humans is.

      Anyway, what I like the most about OSS is being able to fix it myself. I don't need to wait for Red Hat, Debian or somebody else. I can go and see if somebody made a patch. I can also try to patch it myself. I don't have any experience with kernel programming, but I'm pretty sure I could at least disable ptrace until a fix was ready. That's a very good thing, IMO.

    51. Re:the $64,000 question: by TheCarp · · Score: 1

      We are talking about the fsf here.

      I mean seriously... this is an organization started by RMS. Now I admit to being one of the first people to defend his ideas in a lot of contexts, but... we are talking about an organization founded by a person who for YEARS had an account with no password... not only that, but actually admitted to it.

      These people would easily give out accounts to anyone who could come up with a use that was in line with their goals and could make use of the account. Not only that, but they would give them root along with the account.

      Now... they have somewhat mended their ways. RMS does have a password on his account and he doesn't go around advertising what it is... but remember...

      it wasn't all that long ago that firewalls were considered weird and having a guest account on your machines was the norm. After all, the great part of the net was that this meant people on the other side of the globe could use CPU time on machines here while they are awake and we sleep and don't need the cycles.

      I know that sounds stupid and weird... but there was a golden age when the net was small enough that few if anybody actually felt they needed to care about security... real commune mentality.

      As it's grown up and the community has become too large to be really cohesive, it has acquired all of the problems of real large non-cohesive communities. Now people lock their doors at night (some more than others).

      Course I still know people in the city that don't lock their doors at night, or even most of the day.

      Remember that the online world is an extension of the real one, not one unto itself. It falls into the same pitfalls of human appetite.

      Go out into the country, outside the city... you will find a whole different culture. People don't lock their car doors... ever. People don't lock their house doors... ever.

      It's liberating. It's nice. It's how we would all LOVE to live. I know I would, at least.

      -Steve

      --
      "I opened my eyes, and everything went dark again"
    52. Re:the $64,000 question: by Anonymous Coward · · Score: 0

      The ptrace exploit was fixed within one week of being posted to Bugtraq. I'd call that fast.

    53. Re:the $64,000 question: by TheCarp · · Score: 1

      Nah a really good example would be the outlook worm that got infected by a file infector virus and then went on to carry it on to others.

      Think about that for a min. Worm infects computer. Virus infects worm. Infected worm infects another computer, and the virus tags along for the ride, going on to infect that computer too.

      Now look at the West Nile Virus. Mosquito gets infected with it, and becomes a carrier. The mosquito goes around biting people, and transmitting the virus as it goes.

      Neat eh?

      -Steve

      --
      "I opened my eyes, and everything went dark again"
    54. Re:the $64,000 question: by DesScorp · · Score: 1

      "Their dist servers run Solaris!"

      That's because Theo would rather drink his own vomit than add SMB support and let OBSD scale up. While some brave souls are working on such support, they're doing it with his scorn.

      Until it can run in "Enterprise" class settings, Open will be good for firewalls and workstations for security nazis. And that's the way Theo likes it.

      --
      Life is hard, and the world is cruel
    55. Re:the $64,000 question: by SpaceLifeForm · · Score: 1
      Spot on. In this case, just like any other database recovery, due to pressures, this recovery effort is about getting back to a known safe state in as quick a timeframe as possible.

      Then, you verify and verify and verify until you are convinced that you have done everything possible within a reasonable timeframe (months?) before you trust it.

      --
      You are being MICROattacked, from various angles, in a SOFT manner.
    56. Re:the $64,000 question: by hitmark · · Score: 1

      Err, it's a bug in an ftp server, not the OS. With the latest Windows worm it's a bug in an integrated part of the OS...

      --
      comment first, facts later. http://chem.tufts.edu/AnswersInScience/RelativityofWrong.htm
    57. Re:the $64,000 question: by hitmark · · Score: 1

      Except in Windows, where you at times can't tell a webserver from an integrated part of the OS (like, say, the RPC service?)...

      --
      comment first, facts later. http://chem.tufts.edu/AnswersInScience/RelativityofWrong.htm
    58. Re:the $64,000 question: by winkydink · · Score: 1

      If you want to give FSF $64,000, we could hire someone to implement a better plan. But we're not made of money. ...nor systems administration competence, it would seem. When it comes to IT, if you're not doing backups correctly, you've got no business doing anything else.

      --

      "I'd rather be a lightning rod than a seismometer." -Ken Kesey

    59. Re:the $64,000 question: by hitmark · · Score: 1

      Neat and scary at the same time... and with stuff like XML and TCP/IP there is no need any longer for everyone to be running the same OS or the same typewriter replacement.

      --
      comment first, facts later. http://chem.tufts.edu/AnswersInScience/RelativityofWrong.htm
    60. Re:the $64,000 question: by hitmark · · Score: 1

      Bingo, standards are there for a reason: TCP/IP for when you want one OS to talk to another, XML for text files. Image files and video files are another story, though :( Standards are good for hammers and cars (they all run on gas, they all have the same control interface, and they are not limited to, say, Ford-only roads), so why oh why are they so bad for computers? (I'm not saying that they should all be the same way inside, but the file formats and network protocols should be open standards)...

      --
      comment first, facts later. http://chem.tufts.edu/AnswersInScience/RelativityofWrong.htm
    61. Re:the $64,000 question: by prizog · · Score: 1

      RTFA. We did backups. The backups were of potentially compromised code.

    62. Re:the $64,000 question: by Anonymous Coward · · Score: 0

      20 years and they can't get a kernel done, and you want a disaster recovery plan and backups? Christ, this isn't a professional OSS organization like OpenBSD, FreeBSD, Linux, or Mozilla or anything...

      Maybe if RMS had taken some time away from shooting his big mouth off about GNU/Linux he could have set up a cron job to run tar and gzip. What an idiot.

    63. Re:the $64,000 question: by Read+Icculus · · Score: 1
      TIS but RTFA. The GNU FTP server was compromised by a local user who exploited a ptrace vulnerability in the kernel. Here's the post regarding said exploit from Bugtraq.
      Hello

      There are many discussions (on slashdot for example) on the recent linux
      ptrace (& kmod) bug. I'll try to clarify what this is all about.

      It's a local root vulnerability. It's exploitable only if:
      1. the kernel is built with modules and kernel module loader enabled
      and
      2. /proc/sys/kernel/modprobe contains the path to some valid executable
      and
      3. ptrace() calls are not blocked

      These conditions are met on most standard linux distros.

      Ok now how it works:
      When a process requests a feature which is in a module, the kernel spawns
      a child process, sets its euid and egid to 0 and calls execve("/sbin/modprobe")
      The problem is that before the euid change the child process can be
      attached to with ptrace(). Game over, the user can insert any code into a
      process which will be run with the superuser privileges.

      Solutions/workarounds:
      - patch the kernel
      or
      - disable kmod/modules
      or
      - install a ptrace-blocking module
      or
      - set /proc/sys/kernel/modprobe to /any/bogus/file
      IIRC a patch for this exploit was not available until the following week.
      --
      Anti-social? My code is just platform-specific.
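To turn the three conditions in the quoted Bugtraq post into something an admin can actually run, here is an added example (my own code, not from the thread or from Bugtraq): it reads the conditions from a /proc tree, reports whether all three hold, and applies the post's last workaround (pointing kernel.modprobe at a bogus path). `read_state`, `assess`, `apply_modprobe_workaround` and the constructed /proc tree in `demo` are assumptions of this example; the `ptrace_blocked` parameter is a hypothetical stand-in, since no single file records whether a ptrace-blocking module is loaded.

```python
from __future__ import annotations

import stat
import tempfile
from dataclasses import dataclass
from pathlib import Path

BOGUS_MODPROBE = "/any/bogus/file"  # the workaround value given in the Bugtraq post


@dataclass
class KmodPtraceState:
    modules_enabled: bool    # condition 1: loadable modules + kernel module loader
    modprobe_setting: str    # condition 2: contents of /proc/sys/kernel/modprobe ...
    modprobe_runnable: bool  #              ... and it names a real executable file
    ptrace_blocked: bool     # condition 3 (negated): a ptrace-blocking module is loaded


def read_state(proc_root: Path = Path("/proc"), ptrace_blocked: bool = False) -> KmodPtraceState:
    """Collect the three conditions from a /proc tree.

    proc_root defaults to the real /proc; any other root lets the check run
    against a constructed tree. Assumption: presence of /proc/modules and of
    the modprobe sysctl is taken as condition 1. Whether a ptrace-blocking
    module is loaded is supplied by the caller (hypothetical parameter).
    """
    modprobe_file = proc_root / "sys" / "kernel" / "modprobe"
    modules_enabled = (proc_root / "modules").exists() and modprobe_file.exists()
    setting = modprobe_file.read_text().strip() if modprobe_file.exists() else ""
    target = Path(setting) if setting else None
    # Execute bits are checked directly rather than via os.access(), so the
    # result does not depend on whether the filesystem is mounted noexec.
    runnable = bool(target) and target.is_file() and (target.stat().st_mode & 0o111) != 0
    return KmodPtraceState(modules_enabled, setting, runnable, ptrace_blocked)


def assess(state: KmodPtraceState) -> tuple[bool, list[str]]:
    """Return (exposed, findings). Exposed only when all three conditions hold."""
    findings: list[str] = []
    if not state.modules_enabled:
        findings.append("kernel module loader not enabled: not exploitable this way")
    if not state.modprobe_runnable:
        findings.append(
            f"kernel.modprobe = {state.modprobe_setting!r} is not a runnable executable: "
            "kmod cannot spawn the euid-0 child"
        )
    if state.ptrace_blocked:
        findings.append("ptrace() is blocked: the child cannot be attached to")
    exposed = not findings
    if exposed:
        findings.append(
            f"all three conditions hold (kernel.modprobe = {state.modprobe_setting!r}): "
            f"patch the kernel, or set kernel.modprobe to {BOGUS_MODPROBE} until then"
        )
    return exposed, findings


def apply_modprobe_workaround(proc_root: Path = Path("/proc")) -> None:
    """Point the kmod helper at a non-existent path (the post's last workaround).

    Trade-off: automatic module loading stops working until this is reverted.
    Writing to the real /proc needs root.
    """
    (proc_root / "sys" / "kernel" / "modprobe").write_text(BOGUS_MODPROBE + "\n")


def demo() -> tuple[bool, bool]:
    """Run the check on a constructed /proc tree before and after the workaround."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        fake_proc = root / "proc"                      # constructed, not the real /proc
        (fake_proc / "sys" / "kernel").mkdir(parents=True)
        (fake_proc / "modules").write_text("constructed_module 16384 0 - Live 0x0\n")
        helper = root / "sbin_modprobe"                # stands in for /sbin/modprobe
        helper.write_text("#!/bin/sh\nexit 0\n")
        helper.chmod(helper.stat().st_mode | stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH)
        (fake_proc / "sys" / "kernel" / "modprobe").write_text(f"{helper}\n")

        before, _ = assess(read_state(fake_proc))      # expected: exposed
        apply_modprobe_workaround(fake_proc)
        after, _ = assess(read_state(fake_proc))       # expected: no longer exposed
        return before, after


if __name__ == "__main__":
    exposed, notes = assess(read_state())
    print("EXPOSED" if exposed else "not exposed (by these three conditions)")
    for note in notes:
        print(" -", note)
```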
    64. Re:the $64,000 question: by winkydink · · Score: 1
      So, you did backups, but you don't have any archival backups from a point in time before you were compromised?

      Bzzzzt! Sorry, thanks for playing our game, but your backup process is flawed.

      We do, however, have the home version of your homedir as a parting gift.

      --

      "I'd rather be a lightning rod than a seismometer." -Ken Kesey

    65. Re:the $64,000 question: by little_fluffy_clouds · · Score: 1

      I don't get it - what do OpenBSD's distribution servers have to do with SMB? What does windows filesharing have to do with OpenBSD distribution?

      Or did you mean SMP, or more correctly, MP? Well, the good news for OpenBSD is that now that NetBSD has MP support in -current, OpenBSD will have a much easier time, if Theo can be convinced.

      --
      What were the skies like when you were young?
    66. Re:the $64,000 question: by usotsuki · · Score: 1

      If you disagree with de Raadt, you can always fork the code.

      That said I am using OpenBSD as the base for a *x-like environment on DOS-16 (FreeDOS), more because it's easier to find the BSD sources there. Of course programs have to go through varying levels of modding...

      -uso.

      --
      Dreams, dreams, don't doubt dreams, dreaming children's dreaming dreams. Sailor Moon SS
    67. Re:the $64,000 question: by prizog · · Score: 2, Informative

      We do have archival backups. But many packages were uploaded between when the machines were cracked and when we noticed the crack. That's mainly what we need.

      Our backup process is flawed, but that's because we can't afford good backup hardware.

    68. Re:the $64,000 question: by slackingme · · Score: 2, Interesting
      I wrote a quick paper blowing away most people who jump in with ".. should ahve run OBSD! Most securister ever!! Rahh!" You can read it
      here. I'd like people to contribute reasons they think OpenBSD is "the bestest thing for security since the NRA!!!!" and such. Contact information is at the top of the piece, have fun.


      I just crawled out of a bad karma slump, and here I go getting myself back into it..

    69. Re:the $64,000 question: by asit+ler · · Score: 1

      2 suggestions.
      1. Learn to spell

      or

      2. Take a typing class.

      --
      This is not the sig you're looking for.
    70. Re:the $64,000 question: by asit+ler · · Score: 1

      Could be that the dominant organism is in fact itself a virus.

      Something to think about.

      --
      This is not the sig you're looking for.
    71. Re:the $64,000 question: by hdw · · Score: 1

      How about reading the statement they've posted?

      "It appears that the machine was cracked using a ptrace exploit by a local user"

      A bug in the kernel, not in ftpd.

      // hdw

      --
      Executive Pope (small) Kallisti Engineering
    72. Re:the $64,000 question: by hdw · · Score: 1

      Read their statement.
      Local exploit of kernel bug.
      Not ftpd or anything else.
      // hdw

      --
      Executive Pope (small) Kallisti Engineering
    73. Re:the $64,000 question: by robslimo · · Score: 1

      I did RTFA and gnuftp.gnu.org did not say how they had been compromised.

      The file MISSING-FILES.README did not exist as of the posting of the /. article. Check the timestamp on the file. That can only have come after a great deal of speculation here at /.

    74. Re:the $64,000 question: by DesScorp · · Score: 1

      Fluffy, you got me there. I was tired when I made the post. I meant SMP, as in multiple processors.

      --
      Life is hard, and the world is cruel
    75. Re:the $64,000 question: by hitmark · · Score: 1

      or 3. get a new keybaord (yes its old and very overused...) but thanks...

      --
      comment first, facts later. http://chem.tufts.edu/AnswersInScience/RelativityofWrong.htm
    76. Re:the $64,000 question: by invenustus · · Score: 1

      Or maybe, JUST FUCKING MAYBE , the majority of all break-ins result from weak passwords and inside jobs, and therefore weak passwords and inside jobs constitute the most likely explanations.

      --
      grep -ri 'should work' /usr/src/linux | wc -l
    77. Re:the $64,000 question: by bsd+troll · · Score: 0
      http://ftp.gnu.org/MISSING-FILES.README
      It appears that the machine was cracked using a ptrace exploit by a local user immediately after the exploit was posted. (For the ptrace bug, a root-shell exploit was available on 17 March 2003, and a working fix was not available on linux-kernel until the following week. Evidence found on the machine indicates that gnuftp was cracked during that week.)
    78. Re:the $64,000 question: by bsd+troll · · Score: 0

      Aww.. We're poor GPL supporters. Everyone cry in synchrony.

    79. Re:the $64,000 question: by Anonymous Coward · · Score: 0

      OpenBSD for DOS16, eh? Crazy! Wild! I'm interested in this. What will it support?

      A little investigation of your user info found me this ..

      PS: gcc doesn't support dos16, does it?

  5. Mirrors? by ryan76 · · Score: 3, Interesting

    Are there no mirrors of this site?

    --
    http://threetechguys.info Come, discuss Technology. Got a technology question? Come ask!
    1. Re:Mirrors? by Deadbolt · · Score: 1

      That was my first thought too. There must be some mirrors that didn't update, or have the last known good copy of these files. I assume mirroring was shut off as soon as they discovered the breach. Some server in Russia somewhere has the known good distributions.

      --
      "Honey, it's not working out; I think we should make our relationship open-source."
    2. Re:Mirrors? by gearheadsmp · · Score: 4, Informative

      Mirror, mirror on the wall, who is the fastest of them all?

    3. Re:Mirrors? by Anonymous Coward · · Score: 1, Informative

      ftp://cs.ubishops.ca/pub/ftp.gnu.org

    4. Re:Mirrors? by b1t+r0t · · Score: 1

      I hope now someone gets the clue to write a script to make a nightly backup of the MD5 files to a different computer. It's not like they're big or anything.

      --
      "Open source is good." - Steve Jobs
      "Open source is evil." - Microsoft
    5. Re:Mirrors? by nmx · · Score: 1

      Of course there are mirrors, but the server was compromised in March, and they just now realized it. It's unlikely that a mirror decided to stop updating for five months.

      --
      "Well kids, you tried your best, and you failed. The lesson is, never try."
    6. Re:Mirrors? by ryan76 · · Score: 1

      Most likely all those files are OK then... given someone somewhere should've noticed a tampered file by now?

      --
      http://threetechguys.info Come, discuss Technology. Got a technology question? Come ask!
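The suggestion a few posts up (copy the MD5 files to another machine every night) and the question just above (would tampering have been noticed?) both come down to having a manifest of known-good sums stored off the FTP host. As an added example, not from the thread, here is a small manifest tool: it writes sums in the `md5sum` layout, and later compares a snapshot of the tree against the stored manifest, separating files that match, files whose sum changed, files that vanished, and files uploaded after the manifest was taken. The file names and contents in `demo` are constructed.

```python
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path


def md5_of_file(path: Path, chunk: int = 1 << 16) -> str:
    """Hex MD5 of one file, read in chunks so a large tarball never has to fit in memory."""
    h = hashlib.md5()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map every regular file under root (POSIX path relative to root) to its MD5."""
    return {
        p.relative_to(root).as_posix(): md5_of_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def dump_manifest(manifest: dict[str, str]) -> str:
    """Serialise in the "<hex>  <name>" layout md5sum emits, so `md5sum -c` can read it too."""
    return "".join(f"{digest}  {name}\n" for name, digest in sorted(manifest.items()))


def parse_manifest(text: str) -> dict[str, str]:
    """Inverse of dump_manifest; also accepts md5sum's binary-mode "<hex> *<name>" lines."""
    manifest: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.lstrip(" ")
        if name.startswith("*"):
            name = name[1:]
        if len(digest) != 32 or not name or any(c not in "0123456789abcdefABCDEF" for c in digest):
            raise ValueError(f"malformed manifest line: {raw!r}")
        manifest[name] = digest.lower()
    return manifest


def verify_tree(root: Path, trusted: dict[str, str]) -> dict[str, list[str]]:
    """Compare the tree under root with the trusted (off-box) manifest.

    ok:        sum matches the manifest
    modified:  present but with a different sum (tampered or re-uploaded; either
               way it needs a known-good sum from elsewhere before it can be served)
    missing:   listed in the manifest but no longer on disk
    unknown:   on disk but never recorded, i.e. uploaded after the manifest was taken
    """
    current = build_manifest(root)
    report: dict[str, list[str]] = {"ok": [], "modified": [], "missing": [], "unknown": []}
    for name, digest in sorted(trusted.items()):
        if name not in current:
            report["missing"].append(name)
        elif current[name] == digest:
            report["ok"].append(name)
        else:
            report["modified"].append(name)
    report["unknown"] = sorted(set(current) - set(trusted))
    return report


def demo() -> dict[str, list[str]]:
    """Walk-through on a constructed tree in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "pub").mkdir()
        (root / "pub" / "example-1.0.tar.gz").write_bytes(b"constructed tarball A")
        (root / "pub" / "example-1.0.tar.gz.sig").write_bytes(b"constructed signature")
        (root / "pub" / "other-2.3.tar.gz").write_bytes(b"constructed tarball B")

        # Nightly job on the FTP host: take the manifest and ship the text off-box.
        stored_text = dump_manifest(build_manifest(root))
        trusted = parse_manifest(stored_text)

        # Later: one file altered in place, one removed, one new upload appears.
        (root / "pub" / "other-2.3.tar.gz").write_bytes(b"constructed tarball B, altered")
        (root / "pub" / "example-1.0.tar.gz.sig").unlink()
        (root / "pub" / "newpkg-0.1.tar.gz").write_bytes(b"constructed tarball C")

        return verify_tree(root, trusted)


if __name__ == "__main__":
    for status, names in demo().items():
        for name in names:
            print(f"{status:9s} {name}")
```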
    7. Re:Mirrors? by wampus · · Score: 3, Informative

      All the mirrors I've checked have placeholders.back-RSN.README, just like the ones at ftp.gnu.org.
      Looks like they don't know how long ago the break-in was, so they pulled the mirrors to be safe.

    8. Re:Mirrors? by nmx · · Score: 1

      Most likely all those files are OK then... given someone somewhere should've noticed a tampered file by now?

      I'd say that's a dangerous assumption to make. It's probably true, but I don't think the FSF can really afford to take that chance.

      --
      "Well kids, you tried your best, and you failed. The lesson is, never try."
  6. Lot'sa files by guido1 · · Score: 1, Informative

    They need lots of help... There are 689 files on the list...

    Eek!

  7. Any word on how the crackers got in? by Squeezer · · Score: 1, Interesting

    how did the crackers break into the ftp site? anyone know?

    --
    Does the name Pavlov ring a bell?
    1. Re:Any word on how the crackers got in? by Anonymous Coward · · Score: 2, Funny

      how did the crackers break into the ftp site? anyone know?

      someone guessed the root password "itsGNUlinux!!!"

    2. Re:Any word on how the crackers got in? by Chess_the_cat · · Score: 1

      Considering that FTP passwords are transmitted as plain text over the network it probably wasn't too hard.

      --
      Support the First Amendment. Read at -1
    3. Re:Any word on how the crackers got in? by Anonymous Coward · · Score: 0
      someone guessed the root password "itsGNUlinux!!!"

      Right before they guessed "GNU/linux"...

      -cmh

    4. Re:Any word on how the crackers got in? by rkz · · Score: 1

      refer to this thread

    5. Re:Any word on how the crackers got in? by Anonymous Coward · · Score: 0

      that was actually the password for the MITstallman account

    6. Re:Any word on how the crackers got in? by Jhan · · Score: 3, Funny

      Wouldn't that be "GNPisNotthePassword"?

      --

      I choose to remain celibate, like my father and his father before him.

    7. Re:Any word on how the crackers got in? by JimH · · Score: 1

      If it was the wu-ftpd hole, then one point is that the wu-ftp web site did not have a patch for at least a week after the hole was announced. I know because I was going out of town and had to take my machine down because I couldn't run with a hole.

      Then I got back five days later and they still didn't have a patch. I read RedHat and Debian's patch, and fixed it by hand. I know that they need to check all kinds of OS's, and that they are volunteers, etc. But the hole was reported Jun 01. That's a long time for a remote root exploit.

      So why run wu-ftpd? Is there another ftp server that does on-the-fly .zip and .tar.gz of directories? As far as I could figure out, proFTP doesn't do that. I'd appreciate being corrected.

    8. Re:Any word on how the crackers got in? by Anonymous Coward · · Score: 0

      The password was seineeWerAsreenignEUNG.

    9. Re:Any word on how the crackers got in? by metalmaniac1759 · · Score: 1

      Password after cleaning up the whole damn mess - "Screw Linux GNU/Hurd In Ten Years Time"!! :)

      Nandz.

  8. Well that's good and all, but by dodell · · Score: 1, Interesting

    How was the site cracked? What have they done to patch it? Was it GNU software? :-D Are they writing patches for this software? MORE NEWS.

    1. Re:Well that's good and all, but by rkz · · Score: 5, Informative

      Crackers exploited this vulnerability; there was even a patch available!!

    2. Re:Well that's good and all, but by Omnifarious · · Score: 2, Insightful

      They were using wu-ftp? That's a worse security hole magnet than sendmail or bind.

    3. Re:Well that's good and all, but by Anonymous Coward · · Score: 0

      Crackers exploited this vulnerability

      What?!?!? Someone, in this day and age, is running WUFTPD!?!?!? The same wuftpd whose slogan is "providing root shells since 1987"?!??!

      Sweet merciful crap! If this is true, they deserve everything they get.

    4. Re:Well that's good and all, but by Knife_Edge · · Score: 1

      Hey, I'm running debian stable 3.0 on a box at home (totally behind a firewall, not to worry). How do I fix this? I just did 'apt-get update' and it said it downloaded some stuff from security.debian.org. Is that all there is to it?

    5. Re:Well that's good and all, but by Knife_Edge · · Score: 1

      Oh yeah, I should mention I am running wu-ftpd too... Some posts seem to suggest I should not be doing that. Huh. Is there another ftpd that provides guest access as well as wu-ftpd?

    6. Re:Well that's good and all, but by rkz · · Score: 1

      You need to do:
      apt-get update
      apt-get upgrade

      That's all there is to it.

    7. Re:Well that's good and all, but by Uruk · · Score: 5, Insightful

      I'll bet that 90% (or more) of all break-ins are the result of problems that could have been patched. Yeah, it sucks that this happened to GNU, but they're only human. Last I heard, they only have one system administrator to handle all of their machines, including Savannah. I can understand that this happens from time to time. GNU has to be a relatively high profile target (such as for disgruntled BSD h4x0rs and so on) so cut them some slack. If you patch 40 machines 99.9% of the time, nobody remembers that, what they remember is that you got cracked on one tiny detail you missed.

      At least they yanked the programs until they could verify that they were correct. That really was the only thing they could do. The lesson to take from this is that with computer security and auditing, nothing less than absolute perfection is necessary. And so long as human beings are doing the admin work, absolute perfection just isn't realistic. :)

      --
      -- Truth goes out the door when rumor comes innuendo. -- Groucho Marx
    8. Re:Well that's good and all, but by rkz · · Score: 1

      Try ProFTPD. It's like the Apache of the FTP world.

    9. Re:Well that's good and all, but by Anonymous Coward · · Score: 0

      Try proftpd or vsftpd

    10. Re:Well that's good and all, but by crandall · · Score: 1

      Wow, I guess windows users aren't the only 'stupid' ones to get hit by an exploit from forgetting to patch.

      Oops!

    11. Re:Well that's good and all, but by Anonymous Coward · · Score: 0

      No crap. For Windows users this is like finding out Microsoft is using Windows NT 4.0 Gold with IIS 3 for a webserver. There are some things you just don't do in this day and age.

    12. Re:Well that's good and all, but by bmj · · Score: 4, Insightful

      While I agree with the premise of the post, this is the sort of thing that would get flamed to hell and back if the thread dealt with a Microsoft security breach (case in point, see yesterday's discussion about the RPC worm). According to that thread, being overworked, underpaid, or anything else is not an excuse for having an unpatched machine.

      --
      Whereof we cannot speak, thereof we must be silent. --Ludwig Wittgenstein
    13. Re:Well that's good and all, but by statusbar · · Score: 1

      Better yet, don't use ftp at all. Use SCP and tell users to use WinSCP or Fugu or equivalents...

      --jeff++

      --
      ipv6 is my vpn
    14. Re:Well that's good and all, but by ichimunki · · Score: 1

      Question is: why are you running an FTP server? You don't normally need an FTP server at home. The same functionality is available via scp/ssh, which (I think) is the way to go unless you are providing anonymous, read-only downloads of FTP files from your home system to those outside your firewall (not necessarily an unreasonable desire).

      In which case: why don't you set up a unique machine for that purpose and put it outside the firewall where it belongs? Then you can keep a secure copy of the files themselves on a safer machine and when the FTP server is compromised you needn't worry that your set of backup files was compromised. Plus, your other machines don't need the attention and exposure that normally get heaped on internet services systems. I mean, if you're running FTP on the same machine on which you use GnuCash to track your finances and someone cracks the FTP server...

      Anyways, those are my thoughts. If someone could point out the weaknesses in my thinking, I'd love it. :)

      --
      I do not have a signature
    15. Re:Well that's good and all, but by jpetts · · Score: 3, Informative

      This was modded as informative why? This is what it says on the FSF web site:


      A root compromise and a Trojan horse were discovered on gnuftp.gnu.org,
      the FTP server of the GNU project. The machine appears to have been
      cracked in March 2003, but we only very recently discovered the crack.
      The modus operandi of the cracker shows that (s)he was interested
      primarily in using gnuftp to collect passwords and as a launching point to
      attack other machines. It appears that the machine was cracked using a
      ptrace exploit immediately after the exploit was posted on bugtraq.
      (For the ptrace bug, a root-shell exploit was available on 17 March 2003, and
      a working fix was not available on linux-kernel until the following week.
      Evidence found on the machine indicates that we were cracked during that
      week.)
      Given the nature of the compromise and the length of time the machine was
      compromised, we have spent the last few weeks verifying the integrity of
      the GNU source code stored on gnuftp. Most of this work is done, and the
      remaining work is primarily for files that were uploaded since early 2003,
      as our backups from that period could also theoretically be compromised.

      --
      Call me old fashioned, but I like a dump to be as memorable as it is devastating - Bender
    16. Re:Well that's good and all, but by brooks_talley · · Score: 1

      It's a good thing this open source stuff is so much more secure than MS products! I mean, open source is install-and-forget, and those MS bozos really have to stay on their toes with security patches. That MS software is so full of bugs and security holes that a casual user who just installs it and forgets it is definitely going to get themselves 0wned.

      Whatever happened to the whole "companies should be liable for security flaws in their products" movement, anyway? That would show those bastards who release imperfect software!

      Oh, wait.

      (And yes, I know you weren't bashing MS, so please don't take this little bit of sarcasm personally; I completely agree with your post, it just brought these thoughts to mind).

      Cheers
      -b

    17. Re:Well that's good and all, but by Anonymous Coward · · Score: 0

      You tellin' me the crackers used wu-ftpd hole? Gee, I never saw that one coming.

      Just goes to show that nobody in their right mind should be using the most r00ted server software in existence, right after Sendmail - wait, at least Debian installs Sendmail without problems but if you try to install wu-ftpd it specifically pops up a warning that says that wu-ftpd is a steaming pile of garbage...

    18. Re:Well that's good and all, but by Anonymous Coward · · Score: 0

      This is not the first problem with a poor backup policy.

      http://savannah.gnu.org/forum/forum.php?forum_id=2288

    19. Re:Well that's good and all, but by Zigg · · Score: 1

      That's not what Bradley Kuhn says. He says ptrace, and it was actually done between the time the exploit was made and the time Linux was patched.

    20. Re:Well that's good and all, but by WWWWolf · · Score: 1
      Is there another ftpd that provides guest access as well as wu-ftpd?

      You mean anonymous FTP, right? ProFTPd! Does anonymous, does uploads, does all sorts of stuff, and I believe the configuration file format is more readable (same as in Apache).

      And for non-anonymous stuff, I can only recommend OpenSSH =)

    21. Re:Well that's good and all, but by A55M0NKEY · · Score: 1
      The server was cracked in the week between when the exploit was posted on bugtraq and the time a patch was available.
      http://www.gnu.org has it under GNU's Flashes

      (For the ptrace bug, a root-shell exploit was available on 17 March 2003, and
      a working fix was not available on linux-kernel until the following week.
      Evidence found on the machine indicates that we were cracked during that
      week.)
      --

      Eat at Joe's.

    22. Re:Well that's good and all, but by Anonymous Coward · · Score: 0

      Whatever happened to the whole "companies should be liable for security flaws in their products" movement, anyway?

      The FSF doesn't have to be liable. They specifically tell you in the GPL that if their software works as advertised it's a pleasant surprise, but you definitely have no reason to expect it.

    23. Re:Well that's good and all, but by MartinG · · Score: 1

      vsftpd is all you need for secure ftp.

      (And to avoid the same pointless conversation I have had too many times: secure in this context means not having exploits in the code. It does not mean having encrypted passwords - we are talking about anonymous ftp.)

      --
      -- MartinG To mail me: echo kewyjlcxyzvjfxbqwh | tr bcefhjklqvwxyz .@adgimnoprstu
    24. Re:Well that's good and all, but by jd · · Score: 1
      Having an account on the GNU development site, I know the care they take over security. Kerberos for authentication, for example.


      I fully understand their lack of manpower, but real economy is long-term, not short-term. Does it take more time to patch the server, or validate the files?


      We should all bear in mind that they're only human, and we've all been in situations where we've wondered why the hell we did/didn't do that.


      Let this be a lesson to us all, though - never take security for granted. Assume your computer will be targeted - no matter how trivial it may be - and that it will, eventually, be cracked.

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
    25. Re:Well that's good and all, but by iabervon · · Score: 1

      If all you're doing is anonymous ftp, you might as well just serve the files by http instead of ftp, and use apache. It's generally more stable software, a more manageable protocol, and the firewall rules are simpler.

    26. Re:Well that's good and all, but by scotsmancsua · · Score: 1
      As a 10 year veteran, I offer that they very clearly need to revisit their game plan for the following reasons.

      The apparent total lack of a disaster recovery plan

      The vulnerability was known for a month, the patch released for two weeks, and either wasn't noticed by the admin, put off for a rainy day, or was too daunting because of the all-powerful RPM system

      The number of open services to the world *should* be relatively small. The 40 machines patched 99.9% don't matter. Not to patch your main ftp, web, or cvs server is (criminally?) negligent.

    27. Re:Well that's good and all, but by iabervon · · Score: 1

      I presume that they got a shell with the wu-ftp hole, and root with ptrace. The ptrace exploit is a local exploit.

    28. Re:Well that's good and all, but by LinuxHam · · Score: 1

      why don't you set up a unique machine for that purpose and put it outside the firewall where it belongs?

      Servers never belong outside the firewall. Perhaps in a DMZ, but never completely unprotected. If you don't have a choice, at least improve the security on the box with something like Bastille.

      --
      Intelligent Life on Earth
    29. Re:Well that's good and all, but by Engdy · · Score: 1
      Apparently the breakin occurred before a patch was available. From the referenced README on ftp.gnu.org:
      A root compromise and a Trojan horse were discovered on gnuftp.gnu.org,
      the FTP server of the GNU project. The machine appears to have been
      cracked in March 2003, but we only very recently discovered the crack.
      The modus operandi of the cracker shows that (s)he was interested
      primarily in using gnuftp to collect passwords and as a launching point to
      attack other machines. It appears that the machine was cracked using a
      ptrace exploit immediately after the exploit was posted on bugtraq.

      (For the ptrace bug, an root-shell exploit available on 17 March 2003, and
      a working fix was not available on linux-kernel until the following week.
      Evidence found on the machine indicates that were cracked during that
      week.)
      --
      Siggy Wiggy Figgy Tiggy a bana bo Biggy!
    30. Re:Well that's good and all, but by __aaklbk2114 · · Score: 1

      Ha, I'd like to see this kind of blatant biased apology for Microsoft when Windows machines get hacked.

      I mean, sheesh, I'm no MS fanboy (especially after having to deal with the blaster fallout), but c'mon--let's hold everyone to the same standard.

      In fact, Linux, *BSD, any OSS OS, should be held to a higher standard given the geeky, more vigilant nature of most OSS operators and the fact that it's "all open and most patches are released 3 seconds after someone finds a hole blah blah blah..."

      Sysops should do their job, regardless of the OS--no apologies.

    31. Re:Well that's good and all, but by jdavidb · · Score: 1

      The vulnerability was exploited during the one week window between the announcement of the vulnerability and the release of the patch.

    32. Re:Well that's good and all, but by harlows_monkeys · · Score: 1
      Ha, I'd like to see this kind of blatant biased apology for Microsoft when Windows machines get hacked

      When it is NEWS that a single Windows machine got hacked, such an apology would be in order.

    33. Re:Well that's good and all, but by Anonymous Coward · · Score: 0

      I wouldn't recommend that. Just check the source and you know why. I'd recommend PureFTPd or FTPd-OpenBSD.

      Don't forget to:

      1) Chroot the FTPd
      2) Backup those md5's.

    34. Re:Well that's good and all, but by brlancer · · Score: 0
      I'll bet that 90% (or more) of all break-ins are the result of problems that could have been patched. Yeah, it sucks that this happened to GNU, but they're only human...so long as human beings are doing the admin work, absolute perfection just isn't realistic.

      I think it is better to say, "as long as human beings are doing the programming, this will continue". The system wouldn't need to be patched (as often) if the programming were better. Linux A may be better written than Windows B, but it is still far too shoddy.

      Compare software development to that of...a car. While bugs will always creep in (anyone seen a Ford explode lately?), the quality is derived from how many bugs exist and what impact they have. A bug where the driver side rear window sticks is insignificant, even if it is seen across the board; however, a bug where the car explodes in rear impact collisions due to a design flaw is extremely significant even if the number of cases are relatively small.

      Software development is trying to move faster than quality control; this is especially true in commercial ventures where the PHB knows the product will sell even if it breaks in six months. Consumers accept failures in software that they would never accept anywhere else, and business is happy to provide them. This is not an attempt to excuse poor system security but to direct furor in the proper direction: the cause of the bug in the first place.

      --
      Someone asked if I had patched against MSBlast; I said yes, I installed Linux.
    35. Re:Well that's good and all, but by Hatta · · Score: 1

      vsFTPd does anonymous access too. Anonymous FTP is the ONLY way to have secure ftp. Passwords are not secure, they're plain text. vsFTPd makes it very easy to run your server locked in a chroot jail so that even if a vulnerability is found the attacker can only access your ftp files and none of your system files.

      OpenSSH has a problem in that it's difficult to use scp/sftp without giving someone a shell account. You have to use something like rssh as a shell for it to work properly.

      --
      Give me Classic Slashdot or give me death!
    36. Re:Well that's good and all, but by murdocj · · Score: 1
      When it is NEWS that a single Windows machine got hacked, such an apology would be in order.

      Well, in this case the single machine that got hacked means that all the gnu source for the past 5 months or so is suspect. Had a single server in Redmond that held all the Windows source been hacked under similar circumstances the outrage would be flowing like water.

    37. Re:Well that's good and all, but by mindriot · · Score: 1

      Hm? The MISSING-FILES.README (see this post) says:

      (For the ptrace bug, an root-shell exploit available on 17 March 2003, and a working fix was not available on linux-kernel until the following week. Evidence found on the machine indicates that were cracked during that week.)
    38. Re:Well that's good and all, but by chrysalis · · Score: 1

      If you're worried about plaintext passwords through FTP, just use an FTP server that supports FTP over SSL/TLS.

      --
      {{.sig}}
    39. Re:Well that's good and all, but by ichimunki · · Score: 1

      OK. I can see that-- although I don't see a properly hardened firewall as being any more protective than properly hardening the server itself. After all, many firewalls are simply servers that do not offer any services beyond packet filtering and forwarding. The extra layer of protection can't hurt-- and most home users would need to ipmasq their DMZ anyway, since they'll only have the IP address of their modem/DSL to work with anyway. The key here is that you keep your public servers on a separate LAN from your internal systems.

      --
      I do not have a signature
    40. Re:Well that's good and all, but by SpaceLifeForm · · Score: 1
      Only if such an event became public.

      BTW, how do you know that it has *not* occurred?

      --
      You are being MICROattacked, from various angles, in a SOFT manner.
    41. Re:Well that's good and all, but by FunkyELF · · Score: 1

      i dunno....maybe because it was bein ./'ed

    42. Re:Well that's good and all, but by sonpal · · Score: 1
      If you patch 40 machines 99.9% of the time, nobody remembers that, what they remember is that you got cracked on one tiny detail you missed.

      <rant>
      Um, yeah. This is the real world. Mistakes have consequences. If NASA messes up on one conversion between units, $billions can go down the toilet (and have). Cars can crash and buildings can collapse if you don't get every detail right.

      Not everything is in your control as a sys admin, and people will break in no matter what you do. But applying a patch that's been out for a while? C'mon. This isn't about not achieving 99.9%; this is about not achieving 80%.
      </rant>

    43. Re:Well that's good and all, but by MartinG · · Score: 1

      I wouldn't recommend that. Just check the source and you know why.

      I've checked the source and I don't know what you are talking about. What have I missed?

      I don't trust PureFTPd anywhere near as much. It's certainly had more exploits appear over the years.

      --
      -- MartinG To mail me: echo kewyjlcxyzvjfxbqwh | tr bcefhjklqvwxyz .@adgimnoprstu
    44. Re:Well that's good and all, but by Anonymous Coward · · Score: 0

      Read the MISSING-FILES.README file on GNU's site. When they were cracked, no patch was available - it was hours after the initial exploit was released.

    45. Re:Well that's good and all, but by oneirogen · · Score: 1

      I think a significant difference is the frequency with which major attacks occur. Prior to the Blaster worm, the last major Windows security flaw was discovered less than a month ago.

      When was the last major GNU security lapse?

      --

      --
      'Tis an ill wind that blows no minds...
  9. Oh crap by Anonymous Coward · · Score: 2, Insightful

    GNU is the definitive location of loads of packages. Virtually everyone who uses Linux is potentially affected. It's as if Windows Update were cracked. I don't see anything on the main GNU page yet though...

    1. Re:Oh crap by Anonymous Coward · · Score: 2, Insightful

      It's as if Windows Update were cracked

      Actually, Windows Update has been cracked. During Code Red 1, for a period of a couple hours Windows Update was showing "HACKED BY CHINESE WORM".

      But I agree, this is just as horrible as that was. Some kind of inquiry as to how this was allowed to happen, and why the hell weren't there backups, and how this can be absolutely prevented in the future, needs to be publicly demonstrated to have happened within the FSF before I will regain the trust I have lost in them. The software the FSF produces is wonderful but their FTP archive is important enough to people of all OSes and natures all around the world that they should have it secured by whatever means necessary, even if that means running OpenBSD or whatever.

      -- Super Ugly Ultraman

    2. Re:Oh crap by Anonymous Coward · · Score: 0

      Some kind of inquiry as to how this was allowed to happen, and why the hell weren't there backups, and how this can be absolutely prevented in the future, needs to be publicly demonstrated to have happened within the FSF before I will regain the trust I have lost in them.

      If what another poster claims is true, and they were using wuftpd, then they should know better than that. I don't know who actively maintains wuftpd, but whoever it is, they are clueless in the extreme, it's almost as bad as sendmail in the old days. Nobody should trust wuftpd.

    3. Re:Oh crap by pirodude · · Score: 1

      There ARE backups. They're just not sure if those themselves have been compromised.

  10. Wait? I thought Linux was Secure?? by FortKnox · · Score: 2, Insightful

    I'll wait while the "wind0ze suX0rs!" 1337 Hackors try to make this sound insignificant to linux, but can blow up on MS when a virus is released.

    Just a healthy reminder that nothing is 100% secure, so no point in pointing fingers (on MS OR linux).

    --
    Good quote, too many chars. Seriously, the slashdot 120 char limit sucks!
  11. Finnishing move by palad1 · · Score: 4, Funny
    After getting their FTP server rammed in the sockets, I bet the maintainers of ftp.gnu.org will be just more than happy to go through a good ol' slashdotting because someone _has_ to convert urls into hyperlinks for his /. submission.

    I know, I clicked on the link :)

    1. Re:Finnishing move by pimpinmonk · · Score: 0, Flamebait

      Say it with me now...

      F A T A L I T Y !

      Wha? The lameness filter wouldn't let me use caps, so let's all pretend. Wait, maybe that my post length is longer the caps/total characters ratio will be good enough?

    2. Re:Finnishing move by sharkey · · Score: 1
      Finnishing move

      I thought that's what Linus does when a kernel comes out?

      --

      --
      "Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
  12. SCO by Amon+Re · · Score: 4, Funny

    Hmm odd...one day they speak of taking sco support out of gcc, the next their ftp server gets compromised, interesting.

    1. Re:SCO by Anonymous Coward · · Score: 0

      Yeah, I do find it hard to believe that GNU would be a target for crackers. I mean why attack an organisation that is giving you something for nothing!

      The kids of today eh?

    2. Re:SCO by dr_dank · · Score: 1

      gcc had a secretary named SCO and SCO had a secretary named gcc. Oliver Stone, where are you?

      --
      Where does the school board find them and why do they keep sending them to ME?
    3. Re:SCO by pete-classic · · Score: 1

      To trojan lots of popular packages at the source?

    4. Re:SCO by Anonymous Coward · · Score: 0

      Yeah, except that it's been this way for at least a week. I tried to download emacs 21.3 around a week ago only to find it had been yanked...

    5. Re:SCO by Homology · · Score: 1, Insightful

      Hmm odd...one day they speak of taking sco support out of gcc, the next their ftp server gets compromised, interesting.


      There are many bad things one may rightly say about SCO, but to suggest that they have anything to do with the compromise is just plain stupid!

    6. Re:SCO by Farley+Mullet · · Score: 1
      Hmm odd...one day they speak of taking sco support out of gcc, the next their ftp server gets compromised, interesting.

      If only they'd fitted their server enclosures with that tinfoil covering to protect from the evil SCO satellite server hacking rays.

    7. Re:SCO by Uruk · · Score: 1

      Never underestimate the ability of the conspiracy theorist to connect many completely unrelated facts. By the way, his timing is all off. I received mail from the FSF about this break-in on August 2nd, and I think they probably knew about it a few days before that. So his assumed timing about SCO, GCC, and GNU is a bit off.

      Personally, I think it was the aliens that cracked GNU's FTP server. That's why I wear a tin foil hat! Thinking that SCO did it is just crazy! Everybody knows it was the greys! :)

      --
      -- Truth goes out the door when rumor comes innuendo. -- Groucho Marx
    8. Re:SCO by Homology · · Score: 1
      Personally, I think it was the aliens that cracked GNU's FTP server. That's why I wear a tin foil hat! Thinking that SCO did it is just crazy! Everybody knows it was the greys! :)

      At least this makes sense; in an out-of-body-experience LSD inspired weird way ;-)

    9. Re:SCO by drinkypoo · · Score: 1
      No, it's just plain paranoid. The interesting thing about paranoia is that often times it ends up being not entirely unjustified. I trust that you are aware that people have been known to bust into the offices of hard drive manufacturers with guns, wearing ski masks etc, to steal prototypes to sell them to other manufacturers, which means someone's buying this stuff. Just like drug users make drug dealing profitable (well, actually, the war on drugs is what makes it profitable, by raising prices) someone has to buy that stuff to make it profitable to risk life and freedom through an act of terrorism.

      With that said, corporate espionage happens every day. Plants and moles exist in every major corporation. It would not surprise me at all if SCO contracted some hax0r to assault the FSF FTP site.

      This doesn't mean it's the most likely explanation. More likely, someone just wanted to make a high profile hack. It's also possible that someone intended to sneak a self-replicating back door into gcc or something, that's the best reason I can see to hack the FSF FTP site.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    10. Re:SCO by VistaBoy · · Score: 1

      "There are many bad things one may rightly say about SCO, but to suggest that they have anything to do with the compromise is just plain stupid!"

      Yeah! Since when has SCO been good at compromising?

    11. Re:SCO by Anonymous Coward · · Score: 0

      On the grasping hand, even paranoids have enemies.

    12. Re:SCO by 0racle · · Score: 1

      Yes, while to the uninformed this seems interesting and possibly more than coincidental, if you were to actually read GNU's site about this problem you would see that it was cracked in March after the problem was found before a patch was released.
      So unless SCO has created a time machine, why don't you get a clue and think for once.

      --
      "I use a Mac because I'm just better than you are."
    13. Re:SCO by Homology · · Score: 1
      On the grasping hand,...

      He He, I've not read "Mote in God's Eye" for quite some time. Methinks I should go hunting for the book in my bookshelves.

    14. Re:SCO by asr_man · · Score: 1

      It would be except that the compromise actually occurred during a 1-week window of vulnerability in March.

    15. Re:SCO by asr_man · · Score: 1

      The cracker was trolling for passwords. People often use the same password for many authentication purposes. The cracker would possibly gain access to other more interesting sites this way.

    16. Re:SCO by fizbin · · Score: 1

      And the compromise itself happened in March.

    17. Re:SCO by Anonymous Coward · · Score: 0

      Well, just read the comments in this story. Pro-Microsoft zealots are starting to rival the apple-followers in sheer fanaticism

    18. Re:SCO by Gulik · · Score: 1

      There are many bad things one may rightly say about SCO, but to suggest that they have anything to do with the compromise is just plain stupid!

      Indeed. For one thing, I don't think they're technically competent enough.

    19. Re:SCO by TheMidget · · Score: 1

      Except that the hack happened in March. It's only that it's been discovered right now. So there goes the conspiracy theory...

  13. Obg. by Rosonowski · · Score: 5, Funny

    "Real men don't use backups, they post their stuff on a public ftp server and let the rest of the world make copies." - Linus Torvalds

    --
    01101001 01100001 01101101 01101110 01101111 01110100 01100001 01101100 01100001 01110111 01111001 01100101 01110010
    1. Re:Obg. by frieked · · Score: 1

      but I'm not a real man you insensitive clod!

      --

      I have often regretted my speech, never my silence.
      -Xenocrates
    2. Re:Obg. by nolife · · Score: 5, Funny

      My thoughts exactly, recently I've been using P2P to backup my music files.

      --
      Bad boys rape our young girls but Violet gives willingly.
    3. Re:Obg. by Anonymous Coward · · Score: 0

      Really? That's a coincidence, I've been using it to backup your music files too! Well..except for your Britney Spears collection. I mean, really.

    4. Re:Obg. by Rick.C · · Score: 1

      Distributed backups are easy. It's the distributed restores that tend to get a little squirrely.

      --
      You were 80% angel, 10% demon. The rest was hard to explain. - Over The Rhine
      "Math in a song is good."-Linford
    5. Re:Obg. by Zork+the+Almighty · · Score: 1

      Apparently that was the backup policy in this case as well.

      --

      In Soviet America the banks rob you!
    6. Re:Obg. by Anonymous Coward · · Score: 0

      Linus is right...

      And presumably... there are CD copies of much of the software as source out there. In the worst case scenario these could prove useful.

    7. Re:Obg. by todu · · Score: 1

      Hmm.. I just thought of this:

      Why not "use p2p to do collaborative distributed backups using xor as the encryption scheme"? Then I could just say that I simply backed up my data which happened to be mostly mp3/xvid's. And the reason I downloaded all that other encrypted data from others is because I want to contribute back to my "backup-community". All files are encrypted (using simple xor). So if MPAA/RIAA/M$ claims they have investigated my "backups" and noticed "illegal" software, I could just sue them for violating the DMCA for trying (and succeeding) to break my "crypto".

      ..or I'll just stick to Freenet (freenetproject.org)

  14. Another CLE? by NetNinja · · Score: 1, Funny

    Career Limiting Event?

  15. Re:Wait? I thought Linux was Secure?? by Anonymous Coward · · Score: 0
    Linux is secure. It's GNU/Linux that isn't!

    [rimshot]

  16. Of course, if this was a MS site that was by Anonymous Coward · · Score: 2, Insightful

    'compromised', the /. crowd would be laughing their heads off. Just goes to show that 'open source' or 'free software' isn't 100%, and the "no backups" just goes to show that poor sysadmin skills is not limited to proprietary platforms.

    1. Re:Of course, if this was a MS site that was by Anonymous Coward · · Score: 0

      No kidding!

      Uh, hello, I'm running this mass produced garbage operating system written by amateurs....uh, no, not windows, it's called Linux. L-I-N-U-X, and it appears to be vulnerable to problems. Of course very few people are trying to crack it, so it rarely comes out in the news...

    2. Re:Of course, if this was a MS site that was by Anonymous Coward · · Score: 0

      And if this were an open source exploit, we'd have tons of people preaching because a bunch of dumb little Score 1 posts rip on MS, while everyone with a brain doesn't really believe Linux is 100% secure either.

      Oh wait...

    3. Re:Of course, if this was a MS site that was by dvdeug · · Score: 2, Informative

      the "no backups" just goes to show that poor sysadmin skills is not limited to proprietary platforms.

      It goes to show that listening to Anonymous Cowards isn't very wise; if you read the article, they have backups, but any backups of the system after it was hacked are nigh worthless.

  17. I have the files by Zabu · · Score: 5, Funny

    But due to some sort of weird computer problem my machine keeps on restarting...


    I will get around to fixing it sometime next week.

    --
    It's all good.
    1. Re:I have the files by ikkonoishi · · Score: 0

      If you use windows you probably have the blaster virus.

      Check your task manager for something called "msblast.exe"

      If you have it go here

  18. Silly GNU by beefdart · · Score: 1

    The site ftp.gnu.org is running Apache/1.3.26 (Unix) Debian GNU/Linux mod_python/2.7.8 Python/2.1.3 on Linux

    tsk, tsk..

    1. Re:Silly GNU by Anonymous Coward · · Score: 0

      [Using same reasoning as many IIS complaints post here over the last several years]

      See - you can't trust open source software! The stuff is buggy as #ell and is very insecure. Even important sites for the open source community can not protect themselves...

      Seriously though, Isn't it funny that everyone is being so quiet about what OS and FTP server they were using. What's wrong - afraid of a little criticism?

      Isn't it time that we, as a community, started pointing out that even the best system is impossible to completely secure. It is easy to take cheap shots at Microsoft. However, as LINUX becomes more widely used more people will be looking for ways to exploit it.

    2. Re:Silly GNU by beefdart · · Score: 1

      hrmmm.... ftp.freebsd.org still seems to be ok...

  19. This happened days ago by jaymzter · · Score: 1

    I've been working on a LinuxFromScratch installation, and was perplexed as to why none of the packages I needed were available. The whole alpha.gnu.org thing set me back for a while too. Thankfully I found a debian mirror with (hopefully) good packages

    --
    If thou see a fair woman pay court to her, for thus thou wilt obtain love
  20. BSD Ports trees should have them by lactose99 · · Score: 5, Informative

    Taking a brief glance over my FreeBSD server, all of the entries in the Ports tree have the MD5SUMs in the "files" file. The Ports tree includes many many FSF software package installs.

    --
    Fully licensed blockchain psychiatrist
    1. Re:BSD Ports trees should have them by lactose99 · · Score: 5, Informative

      Oops... its the "distinfo" file that contains the MD5SUMs, not "files".

      --
      Fully licensed blockchain psychiatrist
    2. Re:BSD Ports trees should have them by Anonymous Coward · · Score: 0

      ditto for gentoo.

    3. Re:BSD Ports trees should have them by lactose99 · · Score: 1

      And yes, I have emailed gnu@gnu.org to inform them of this if they didn't already know.

      --
      Fully licensed blockchain psychiatrist
    4. Re:BSD Ports trees should have them by Uruk · · Score: 2, Insightful

      Those archives might be decent as an absolute last resort, but I think GNU is looking for the pure source from the maintainer. Similar to Debian packages, don't the ports package contain distro-specific modifications and patches?

      They may be verified, but I think in some cases the ports packages will be subtly different than the ones GNU is really looking for.

      --
      -- Truth goes out the door when rumor comes innuendo. -- Groucho Marx
    5. Re:BSD Ports trees should have them by lactose99 · · Score: 2, Interesting

      As I'm not a port maintainer (just an active user), I cannot authoritatively answer this question, but based on my experience with the ports I have installed, the MD5SUMs are for the actual packages downloaded from ftp.gnu.org. BSD- or package-specific patches are applied to the software compilation after the MD5SUMs are checked, as the patches themselves generally have a separate MD5SUM that they are checked against.

      --
      Fully licensed blockchain psychiatrist
    6. Re:BSD Ports trees should have them by Anonymous Coward · · Score: 0

      So does the Gentoo portage system.

    7. Re:BSD Ports trees should have them by mph · · Score: 4, Informative
      As a port maintainer and committer, I can confirm what you say. The recorded md5 signatures are for the distributed source archive (e.g. from ftp.gnu.org, or Sourceforge, or whatever). They are there to ensure that the source has not been tampered with.

      BSD-specific patches are then applied to the downloaded source, but have no implications for the md5 signature that's on file.
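The ordering the two posts above describe (checksum the pristine distfile first, apply the tree's own patches only afterwards) is what makes a ports-style distinfo useful as an independent record of what upstream shipped. The following is an added example written for this page, not code from the FreeBSD ports framework: it parses distinfo lines in the classic `MD5 (name) = hex` form (the tree used MD5 in 2003 and records SHA256 as well today, so both are handled), verifies constructed stand-in distfiles against them, and refuses to patch anything that fails. The archive contents and file names are constructed sample data, not real tarballs.

```python
"""Verify distfiles against a ports-style distinfo before patching.

Added example for this page; not the FreeBSD ports framework's code.
Assumptions: distinfo lines look like "MD5 (name) = hex" or
"SHA256 (name) = hex"; the distfile bytes below are constructed stand-ins
for real tarballs.
"""
import hashlib
import re
from collections import defaultdict
from typing import Dict

# Constructed sample distfiles (stand-ins for the pristine upstream tarballs).
DISTFILES: Dict[str, bytes] = {
    "emacs-21.2.tar.gz": b"constructed stand-in for the pristine emacs-21.2 tarball\n",
    "leim-21.2.tar.gz": b"constructed stand-in for the pristine leim-21.2 tarball\n",
}

DISTINFO_LINE = re.compile(
    r"^(?P<algo>MD5|SHA256) \((?P<name>[^)]+)\) = (?P<hex>[0-9a-f]+)$"
)


def make_distinfo(distfiles: Dict[str, bytes]) -> str:
    """Record checksums the way a maintainer's `make makesum` would.

    MD5 is what the 2003 tree used; SHA256 is what it uses now. Recording
    both lets an old distinfo still be checked against a modern one.
    """
    lines = []
    for name, data in sorted(distfiles.items()):
        lines.append(f"MD5 ({name}) = {hashlib.md5(data).hexdigest()}")
        lines.append(f"SHA256 ({name}) = {hashlib.sha256(data).hexdigest()}")
    return "\n".join(lines) + "\n"


def parse_distinfo(text: str) -> Dict[str, Dict[str, str]]:
    """Return {distfile name: {algorithm: expected hex digest}}."""
    expected: Dict[str, Dict[str, str]] = defaultdict(dict)
    for line in text.splitlines():
        if not line.strip():
            continue
        m = DISTINFO_LINE.match(line)
        if not m:
            raise ValueError(f"malformed distinfo line: {line!r}")
        expected[m["name"]][m["algo"]] = m["hex"].lower()
    return dict(expected)


def verify_distfiles(distfiles: Dict[str, bytes], distinfo_text: str) -> Dict[str, str]:
    """Return {name: "ok" | "mismatch" | "unlisted" | "missing"}.

    Every recorded algorithm must match; a distfile with no distinfo entry
    is "unlisted" (nothing vouches for it), a listed file we do not have
    is "missing".
    """
    expected = parse_distinfo(distinfo_text)
    results: Dict[str, str] = {}
    for name, data in distfiles.items():
        if name not in expected:
            results[name] = "unlisted"
            continue
        ok = all(
            hashlib.new(algo.lower(), data).hexdigest() == digest
            for algo, digest in expected[name].items()
        )
        results[name] = "ok" if ok else "mismatch"
    for name in expected:
        results.setdefault(name, "missing")
    return results


def build(distfiles: Dict[str, bytes], distinfo_text: str,
          patches: Dict[str, Dict[bytes, bytes]]) -> Dict[str, bytes]:
    """Apply the tree's patches only after every distfile verified.

    `patches` maps a distfile name to {old bytes: new bytes} substitutions,
    a constructed stand-in for the tree's files/patch-* entries. Raises if
    any distfile is not "ok", so a trojaned upstream archive never reaches
    the build.
    """
    results = verify_distfiles(distfiles, distinfo_text)
    bad = {n: r for n, r in results.items() if r != "ok"}
    if bad:
        raise RuntimeError(f"checksum failure, refusing to patch: {bad}")
    patched = {}
    for name, data in distfiles.items():
        for old, new in patches.get(name, {}).items():
            data = data.replace(old, new)
        patched[name] = data
    return patched
```

A distinfo generated from a good fetch in March, kept in a tree the cracker never touched, is exactly the kind of record the FSF was asking the world for; the verifier above is what turns that record into a yes/no answer for each archive.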

    8. Re:BSD Ports trees should have them by IM6100 · · Score: 1

      BSD ports don't consist of source file sets that have been fucked with by the distribution assembler, like Red Hat SRPMs and what-not. The patches are instead applied during the build process to pristine tarballs of the source code from wherever the source originated.

      --
      A Good Intro to NetBS
    9. Re:BSD Ports trees should have them by SeaGK · · Score: 1

      Nice Karma-Ho technique .... post 1/3 of the entire post ..... wait for moderator to mod-up ...... post 2nd 1/3 and wait again .... post final 1/3 ....

      I know, I know, it is not your fault moderators are clueless sometimes.

      Cheers,

    10. Re:BSD Ports trees should have them by lactose99 · · Score: 1

      That could have been solved with a simple "edit post" button (or at least with me being more diligent about making sure I said all of what I wanted to before hitting submit), but that opens up a whole different can-o-worms.

      --
      Fully licensed blockchain psychiatrist
    11. Re:BSD Ports trees should have them by Li0n · · Score: 1

      From the RPM site:

      "With RPM, you have the pristine sources along with patches that we used to compile from."

      --

      ~
      ~
      :wq
    12. Re:BSD Ports trees should have them by Arandir · · Score: 1

      That's rpm.org. What about Redhat.com?

      --
      A Government Is a Body of People, Usually Notably Ungoverned
  21. As the "license" says by Anonymous Coward · · Score: 0

    There is no warranty, we are not responsible, etc.

    See:

    http://www.infoworld.com/article/03/08/06/HNgplunenforceable_1.html

    for problems with the GPL from the German and EU point of view.

  22. Where's the snide comments from the /. editors? by Anonymous Coward · · Score: 1, Insightful

    Oh wait, this wasn't a Microsoft site that was cracked and failed to make full backups, it was the Free Software Foundation. Does this mean I can't look forward to michael writing a one liner in the story header showing that this proves that you can't rely on Free Software.

  23. Oops! by TypoNAM · · Score: 3, Funny

    Hate it when that happends...

    Who wants to sell off some MD5 checksums off ebay? Let's make a few dollars! :D

    --
    This space is not for rent.
  24. Anyone know *when* this happened? by daoine · · Score: 1
    I noticed that the emacs package for XP (had to reinstall the thing, again) was missing last week, but I really didn't think very much of it. But that would mean it was cracked a significant amount of time ago...

    Surprising that there hasn't been much news of it.

    1. Re:Anyone know *when* this happened? by gorre · · Score: 1

      From the article:

      For the ptrace bug, an root-shell exploit available on 17 March 2003, and a working fix was not available on linux-kernel until the following week. Evidence found on the machine indicates that were cracked during that week.

      --
      "Madness is something rare in individuals - but in groups, parties, peoples, ages it is the rule." -- Nietzsche
  25. This is a conspiracy by palad1 · · Score: 5, Funny
    When looking at the missing files:
    gnu/windows/emacs/21.2/leim-21.2-src.tar.gz
    gnu/windows/emacs/21.2/emacs-21.2-barebin-i386.tar.gz
    gnu/windows/emacs/21.2/emacs-21.2-bin-i386.tar.gz
    gnu/windows/emacs/21.2/emacs-21.2-fullbin-i386.tar.gz
    gnu/windows/emacs/21.2/emacs-21.2-leim.tar.gz
    gnu/windows/emacs/21.2/emacs-21.2-lisp.tar.gz
    gnu/windows/emacs/21.2/emacs-21.2-src.tar.gz
    gnu/windows/emacs/21.2/emacs-21.2-undumped-i386.tar.gz

    the list goes on and on and...
    now, grep for 'vi' : nothing, nada, null.

    Of course, what do you think? This is a conspiracy orchestrated by VI lovers, to wipe out EMACS from the face of earth!

    1. Re:This is a conspiracy by MagikSlinger · · Score: 1
      Of course, what do you think? This is a conspiracy orchestrated by VI lovers, to wipe out EMACS from the face of earth!
      Damn it, you caught us! We just used :map e :/emacs/d<CR> and everytime someone tried to type 'emacs', they'd delete the file.

      [Note: this mapping only tested on Vim, the one true VI clone]

      --
      The bitter lessons of a veteran coder: http://bitterprogrammer.blogspot.com
    2. Re:This is a conspiracy by pmcneill · · Score: 1

      It's all so clear now. Can you think of a backup medium that's large enough to hold emacs? I sure as heck can't.

    3. Re:This is a conspiracy by deadlinegrunt · · Score: 1

      Well it does everything else perhaps they should have created a buffer in emacs and hosted ftp.gnu.org out of it. Once compromised just kill that buffer and start a new one!

      What? I've seen stranger things as lisp modules for that OS, err, editor.

      --
      BSD is designed. Linux is grown. C++ libs
    4. Re:This is a conspiracy by Anonymous Coward · · Score: 0

      bwahahahahaha *pets white cat*

      wait.. we are not evil, really >:)

    5. Re:This is a conspiracy by Anonymous Coward · · Score: 0

      No, it's a conspiracy from XEmacs fans. They nuked GNUEmacs and framed the vi people.

      There is a Schism.

    6. Re:This is a conspiracy by IM6100 · · Score: 1

      I can remember back when I first installed Yggdrasil Linux on my 486 box in 1993 that the emacs install was like 80 megs. There was no way I could afford that much HD space on my tiny 330 meg hard drive.

      --
      A Good Intro to NetBS
    7. Re:This is a conspiracy by PetoskeyGuy · · Score: 2, Funny

      This is a conspiracy orchestrated by VI lovers, to wipe out EMACS from the face of earth!

      EMACS probably has its own built-in function to wipe itself from the face of the earth. Don't worry though, there is probably another command to dump the source for itself directly from the binary.

    8. Re:This is a conspiracy by dimator · · Score: 1
      --
      python -c "x='python -c %sx=%s; print x%%(chr(34),repr(x),chr(34))%s'; print x%(chr(34),repr(x),chr(34))"
  26. Kettle. Pot. Black. by Anonymous Coward · · Score: 0

    Yea, Free Software is so much more secure than Microsoft.

    Go Apple!

  27. Checksums? by aggressivepedestrian · · Score: 1
    If you can provide MD5sums for any of the files listed in MISSING-FILES, it would be very much appreciated.
    Uh, am I missing something? If I cracked your site, put a file on it, and then you asked the world for valid MD5 sums, wouldn't I be more than willing to give you the MD5 sum for the bogus file?
    1. Re:Checksums? by Anonymous Coward · · Score: 0

      I would hope they would wait until more than just one MD5SUM came in per package and check them against each other....

  28. Late news by coleSLAW · · Score: 2, Informative

    Move along folks, nothing to see here. alpha.gnu.org was cracked many months ago.

    --

    == I am not Me.

  29. Re:So apache no invulnerable then... by Garfunkel · · Score: 1

    Can you please point me as to where it says Apache was cracked? Please? If you'd even glanced at even the summary it says "FTP server", Apache is not an FTP server.
    I guess this blows the "slashdotters know what they are talking about" myth. Oh wait......

    --
    -jay
  30. Blame FSF's poor sysadmin skills. by Anonymous Coward · · Score: 0

    If they can't keep proper backups of things then they have the wrong people (and perhaps software) running the site.

    1. Re:Blame FSF's poor sysadmin skills. by Wolfrider · · Score: 1

      Well, ya can't blame them too much, I think they're all volunteers over there.

      But it *is* amazing that this has been going on since March(!!)

      --Sounds like they should switch to vsftpd. (I switched to that from proftpd.)

      --
      .
      == WolfriderV6 == I'm willing to admit that *I just might* be wrong... Are you??
    2. Re:Blame FSF's poor sysadmin skills. by rifter · · Score: 1

      The ftp server (daemon) was not the source of the exploit. The exploit was a local root hole in the Linux kernel and was taken advantage of because someone obtained shell access (which they were providing to maintainers at the time).

  31. headline by Lxy · · Score: 5, Funny

    if you understand the headline

    FSF FTP Site Cracked, Looking for MD5 Sums

    You just might be a geek.

    --

    There is no reasonable defense against an idiot with an agenda
    :wq
    1. Re:headline by Homology · · Score: 1
      if you understand the headline ... You just might be a geek.

      If being informed makes me a geek, I plead guilty as charged.

    2. Re:headline by wfberg · · Score: 5, Funny

      if you understand the headline

      FSF FTP Site Cracked, Looking for MD5 Sums

      You just might be a geek.


      The headline should have been simply

      FSF ftp 0wn3d IM RMS teh md5sum's

      Then the mainstream media would be all "OMFG WTF?! STFU /. I'm writing another MS Blaster story, bi0tch!"

      --
      SCO employee? Check out the bounty
    3. Re:headline by Anonymous Coward · · Score: 0

      At first glance, *I* thought that someone breached into the FSF site looking for MD5 Sums.

      *That* would have made that guy a real geek.

    4. Re:headline by Anonymous Coward · · Score: 0

      And if it makes you cringe, you might be a grammar nazi.

    5. Re:headline by landley · · Score: 2, Funny

      What does it mean if you wrote it, then?

      Rob

    6. Re:headline by Anonymous Coward · · Score: 0

      now THAT was fucking hilarious. That was a good one. oh shit.

  32. Time to hit those logs by rf0 · · Score: 1

    and see whats been installed from where..Ho hum

    Rus

  33. Re:So apache no invulnerable then... by kpansky · · Score: 1

    Apache? What the hell are you talking about? This was an FTP breach. Absolutely nothing to do with Apache.

    --

    --Kevin
  34. This pisses me off more than it should. by Deadbolt · · Score: 5, Interesting

    Okay, this kind of shit makes me want to start throwing bricks. Cracking the GNU FTP server? Is nothing sacred anymore? I feel like someone burned down a church.

    They've done so much for humanity and some utter twit decides to compensate for his bad childhood by taking their server down.

    *goes off to dock another point from his faith in humanity*

    --
    "Honey, it's not working out; I think we should make our relationship open-source."
    1. Re:This pisses me off more than it should. by Anonymous Coward · · Score: 1, Insightful

      I can't agree with you - points get added to the faith in humanity tree every time a church gets burned.

      This was just a learning experience, like any other. Now the GNU server maintainers will be more cautious and keep backups and up to date software on the servers, etc.

      Don't hack GNU, burn a church instead!!

    2. Re:This pisses me off more than it should. by rhadamanthus · · Score: 1
      "They've done so much for humanity"

      Ok, slow down there, cowboy. The FSF is nice and all, but they're not the "last hope of the free world" or the "let's save the whales and children fund" or anything. This is computer software, not the key to world peace...

      sheesh...

      --rhad

      --
      Slashdot needs to interview Natalie Portman.
    3. Re:This pisses me off more than it should. by RTMFD · · Score: 2, Funny

      In other news... St. Ignucius escaped from the fire at his church unscathed :)

      *Rim Shot*

    4. Re:This pisses me off more than it should. by DaveAtFraud · · Score: 3, Funny

      If they catch the perp, the punishment should be something really heinous like locking them up with a computer that has Microsoft "Bob" installed and have continuous "Barney" tunes piped into their cell. That'll teach 'em.

      --
      They that can give up essential liberty to obtain a little temporary safety deserve neither safety nor liberty.
      Ben
    5. Re:This pisses me off more than it should. by slipstick · · Score: 1

      You know I see this comment all the time "it's just computer software, not the "world saviour, key to world peace, key to heaven etc..." ".

      Tell you what, get rid of all the computer software in the world that was ever written, starting with punch cards. Then come back and tell me computer software isn't the "key" to anything.

      Dammit, computers and the software written for them has the ability to bring man closer to "world peace", "everybody getting along" or what have you specifically because it allows us to do so much more, so much more quickly and accurately than we've ever been able to do before. Go ahead, analyze that DNA sequence in something less than eternity without a computer!

      --
      Sure information wants to be free, but how much are you willing to pay for the packaging?
    6. Re:This pisses me off more than it should. by Anonymous Coward · · Score: 0

      It pisses me off, too.

      The thing is, it was a LOCAL exploit. That means the bad guy had an account. Couple this with the announced removal of shell access for GNU maintainers, and two conclusions are possible:

      1. A maintainer w/shell access was the bad guy
      2. People other than maintainers have shell access

      Either one of these is bad.

      If they find out who did it, they should make the person's identity known to the community.

    7. Re:This pisses me off more than it should. by kwhite · · Score: 1

      May I ask how this is different from all the people who crack a corporate or government site just cause its cool or because it is run off a Microsoft server? You can't have it both ways, either you don't like cracking or you do.

    8. Re:This pisses me off more than it should. by Kynde · · Score: 1

      Okay, this kind of shit makes me want to start throwing bricks. Cracking the GNU FTP server? Is nothing sacred anymore? I feel like someone burned down a church.

      Burning down a church unholy? Religious numwit. :)
      GNU may be holy, yes, but to an atheist like myself burning down a church is like hacking into microsoft.com, or like also releasing a linux port of Doom3 in spite of it not being financially profitable, i.e. (in Carmack's own words) "The right thing to do."

      --
      1 Earth is warming, 2 It's us, 3 it's royally bad, 4 we need to take action NOW
    9. Re:This pisses me off more than it should. by Anonymous Coward · · Score: 0

      3. Make money....
      Oh no wait:

      3. People have access to a maintainer with shell access.

      If they find out who did it, they should make the person's identity known to the community.

      Pick up your pitchforks, join the witch hunt, don't care if you are just trashing the cracked PC of a maintainer which just might have remaining fragments of the access logs revealing the real cracker.... Burn his house. Phoning the FBI is just too much work; you would have to claim that this wasn't just a crack that costs all the revenue of redhat and suse combined plus that of the oracle and ibm linux divisions. No, this was all about planting backdoors in software used throughout the government, maybe it was the terrorists! Just like the NSA predicted! That should get their attention and put this script kiddie away for a while... But who would want that, we wanna see that maintainer get what he deserves. If not for proving the whole opensource distribution system isn't all that great, then at least for not being openbsd-style fanatical about keeping secure.

    10. Re:This pisses me off more than it should. by Piquan · · Score: 1

      Some people will wipe their feet on anything that says "Welcome".

    11. Re:This pisses me off more than it should. by Anonymous Coward · · Score: 0

      I think that's in contravention of the Geneva Convention and the Bill of Rights.

    12. Re:This pisses me off more than it should. by noahm · · Score: 2, Insightful
      The thing is, it was a LOCAL exploit. That means the bad guy had an account.

      That's by no means a valid assumption. Consider a remote non-root exploit coupled with a local root exploit. Not that uncommon. Figure that at this point, most network services don't run as root, and you can fairly easily envision a situation in which such a series of compromises might have lead to this situation.

      noah

    13. Re:This pisses me off more than it should. by bmajik · · Score: 2, Insightful

      yeah

      this is way worse than when someone writes a worm that intentionally targets home windows+broadband users to destroy the functionality of the internet. see, when someone is doing that, they're making a political/religious/security statement that windows sux0rs.

      on the other hand, when someone owns the primary distribution server for the worlds most important, relevant free software and the maintainers really have no clue how badly they've been stung over a period of 6 months, well, nobody questions the bullshit about "many eyeballs", and "i just cant trust microsoft/windows update", etc.

      instead, someone has committed a MORAL CRIME that has you feeling sick about humanity.

      it's time for a readjustment, folks. one slashdotter has told me that microsoft is "more evil" than saddam hussein. another suggests that microsoft should be held accountable for when MS machines get hacked, or when non-MS machines running MS software get hacked. Another has said that any system that depends on patches for security fixes is garbage, and linux should be used instead.

      Wake up and smell reality.

      the people that write and use exploits target what is most likely to give them their kicks, whatever that may be. nothing is secure enough against a suitably motivated attacker. the rabidly pro-linux anti-MS community has been making a lot of unsubstantiated statements for a long time, and the fallacies contained therein are starting to come back to haunt them.

      --
      My opinions are my own, and do not necessarily represent those of my employer.
    14. Re:This pisses me off more than it should. by Anonymous Coward · · Score: 0

      Okay, you're an atheist. Do you really have to tell us all about it just because someone simply typed the phrase "burned down a church"?

    15. Re:This pisses me off more than it should. by Anonymous Coward · · Score: 0

      I'm torn on how to respond to your message.

      On the one hand, I want to say that, if two different people are hit by drunk drivers and injured, then it's fundamentally the drunk drivers' fault. However, if the victims' cars are from different manufacturers and one has very poorly-designed seatbelts, that's still stupid and wrong in addition to what the perpetrator has done.

      On the other hand, while Windows may be more wantonly stupid when it comes to security, Linux isn't perfect either. And, part of the reason Windows systems experience as much heck as they do is that Windows is the most popular system on the planet and DOES get most of the hacking activity. If Linux displaced Windows, it would take on that disadvantage, a disadvantage that it does not have right now.

      I guess ultimately my own personal conclusion is that it's not black and white. It's not as if Linux is perfect and Windows is pure trash without a single redeeming quality. Still, that doesn't mean all the arguments in favor of Linux are suddenly invalid. (Also, in the secret place Which Shall Not Be Named -- where the clued sysadmins hang out -- there was discussion today about what creative punishments would be appropriate for whoever launched that Windows worm. So not all anti-MS people have double standards.)

    16. Re:This pisses me off more than it should. by Phantasmo · · Score: 1

      Well, it's certainly not "the Linux way" of cracking a system.

      They should've left a file in / called "i-h4x0r3d-u" containing directions to solve the flaw.

      You know, take only pictures, leave only footprints h4x0ring.

      --

      The US Army: promoting democracy through unquestioned obedience
    17. Re:This pisses me off more than it should. by Anonymous Coward · · Score: 0

      Sacred? So much for humanity? The GPL? Are you sure?

  35. So what if I comprimised the site... by Roached · · Score: 1

    ...and sent my MD5 sum?

  36. Re:Can someone please tell me... by Planesdragon · · Score: 2, Interesting

    Was he lying?

    Only as much as a priest of a false religion is lying.

    Microsoft servers _do_ get hacked more than Linux servers, but this is because there are far more MS servers of an identical configuration than there are Linux servers. They also tend to crash more--especially IIS.

    So, Linux does get hacked, and there have been viruses written for Linux--but there are far far more hackers and virus-writers aimed at MS Windows as opposed to Linux.

  37. They never heard of... by Yaa+101 · · Score: 1

    Mirror sites and rsync? one would think that the FSF has professional help for these kind of things...

  38. You're Kidding? by System+Control · · Score: 5, Insightful
    The Free Software Foundation's FTP site at ftp.gnu.org has been "compromised", and they don't seem to have full backups.

    Unbelievable. And I'm supposed to trust their methods and products with my enterprise?

    1. Re:You're Kidding? by Lxy · · Score: 4, Insightful

      While your post is somewhat trollish, I have to agree that this is an interesting predicament for the FSF. To save face, I hope they post a detailed account of how they were cracked, and own up to their mistakes so they can all teach us what not to do. That's the power of openness :-)

      --

      There is no reasonable defense against an idiot with an agenda
      :wq
    2. Re:You're Kidding? by Anonymous Coward · · Score: 1, Funny

      you looking for porn in the basement is not an enterprise

    3. Re:You're Kidding? by Anonymous Coward · · Score: 1, Interesting

      Don't confuse coding with operations. Coders don't necessarily (sp?) make the best system/network managers, and vice-versa. Well, that's what I observed in ~16 years working in IT.

      This being said, I guess we can say that the cliche "the cobbler's children run barefoot" really applies here...

    4. Re:You're Kidding? by ShadeARG · · Score: 1
      Unbelievable. And I'm supposed to trust their methods and products with my enterprise?
      Troll.

      Don't equate the stability of the ship with the experience of the captain. If any ship isn't maintained properly, eventually it will sink.
    5. Re:You're Kidding? by American+AC+in+Paris · · Score: 1
      The Free Software Foundation's FTP site at ftp.gnu.org has been "compromised", and they don't seem to have full backups.

      Unbelievable. And I'm supposed to trust their methods and products with my enterprise?

      So true. Pray that this story doesn't work its way into the twisted editorial world of your PHB's trade rags.

      "Bob, it says here that these Linux people didn't even have backups for their mission critical servers, and that they had to "go begging to their users" to rebuild the system after they got hacked! Is this the same Linux you want to use as our web server?"

      --

      Obliteracy: Words with explosions

    6. Re:You're Kidding? by Niles_Stonne · · Score: 2, Funny
      That's why I liked Picard.

      --
      Sticks and Stones may break my bones, but copyright will always protect me.
    7. Re:You're Kidding? by Usquebaugh · · Score: 1

      The really stupid thing is not having back ups. That is what I cannot fathom. Getting cracked, it happens and you deal with it. But not having backups, that's just plain incompetence.

    8. Re:You're Kidding? by Kevin+DeGraaf · · Score: 2, Interesting

      Unbelievable. And I'm supposed to trust their methods and products with my enterprise?

      What's unbelievable is the blatant stupidity of that statement.

      Sure, this incident demonstrates that the person(s) in charge of the maintenance of ftp.gnu.org is/are incompetent. How you extrapolate from that to reach the conclusion that hundreds of GNU programs written and maintained by thousands of programmers are therefore sub-par, especially since these tools have been continually refined and perfected over the last decade or so and are objectively much better than those from any corporate vendor, is the truly incomprehensible matter.

      Enterprise my ass, anyway.

      --
      We have more to fear from the bungling of the incompetent than from the machinations of the wicked.
    9. Re:You're Kidding? by bogado · · Score: 1

      or lack of space/time/money to do full backups at regular times. Remember that we are talking about a non-profit foundation, with limited resources. A post above stated that the entire FTP and sites for the FSF are maintained by a single person; if he did a full backup of all sites and ftps, he would be doing pretty much only this.

      --
      []'s Victor Bogado da Silva Lins

      ^[:wq

    10. Re:You're Kidding? by fermion · · Score: 1
      I have to agree. Ideally, having reliable backups is a critical part of any technology enterprise, and the lack of backups may indicate that the firm is not taking itself seriously as an important part of the technology sector.

      That said, outside of the US federal government, I have seen very few firms with truly complete backup strategies. In fact this is one thing that really concerns me when people say that the government should be run like a business.

      Also, the FSF can claim that they have a distributed system of redundancy. There are mirrors, individual developers, and off line distributions. While it may be harder to recreate the web site from such disparate sources, economics may indicate that such a system is vastly more cost effective than regular backups.

      I myself back up all my data, but the methodology I use does still pose a significant risk of loss. It is frankly not worth the money to further reduce the risk.

      In any case, you may be looking at the lesser security issue. If the crack was caused by a known vulnerability, it would have likely been far cheaper to patch the system rather than establish an overly complex backup protocol.

      --
      "She's a scientist and a lesbian. She's not going to let it slide." Orphan Black
    11. Re:You're Kidding? by digitalhermit · · Score: 1

      "Only wimps use tape backup: real men just upload their important stuff on FTP, and let the rest of the world mirror it."
      -- Linus Torvalds

    12. Re:You're Kidding? by GirTheRobot · · Score: 1

      "Unbelievable. And I'm supposed to trust their methods and products with my enterprise?" Hmmm...who remembers the Microsoft gaffe where all of their DNS servers were on the same SUBNET. (http://www.techweb.com/wire/story/TWB20010125S0018) Or how about how their prized source code for their operating system was leaked to Russian hackers (http://zdnet.com.com/2100-11-525083.html?legacy=zdnn) Or even better, how Microsoft's own network was vulnerable to a highly publicized worm (http://silicon.com/news/500013/1/2620.html) Your argument is moot.

    13. Re:You're Kidding? by Tom7 · · Score: 1

      No. The free software movement does not have "products."

    14. Re:You're Kidding? by pongo000 · · Score: 4, Informative

      You mean, an accounting like this? Seems pretty detailed to me...

    15. Re:You're Kidding? by Bob+The+Cowboy · · Score: 1

      Last I checked, they're running on donation money. Maybe they don't have the hardware/manpower to spare on full redundancy?

      Bill

    16. Re:You're Kidding? by Lxy · · Score: 1

      That wasn't up when I posted, thanks for the link! I'm glad to see the FSF isn't off blaming the end users or something like some other company would have.

      --

      There is no reasonable defense against an idiot with an agenda
      :wq
    17. Re:You're Kidding? by Quill_28 · · Score: 1

      Ok, I have lots of problems with FSF and GNU in general.

      But this statement is either a joke or a troll, but not insightful.

    18. Re:You're Kidding? by Quixote · · Score: 1
      And how much did "your enterprise" pay them to maintain their "methods and products" ?

      Those of you who donate regularly to FSF, please raise your hand. The others? If you are concerned about this, start donating some $$$ to FSF so that they can hire more people.

    19. Re:You're Kidding? by Malcontent · · Score: 1

      "Unbelievable. And I'm supposed to trust their methods and products with my enterprise?"

      No you are supposed to trust Microsoft and the hundreds of thousands of machines that were cracked in the last couple of days.

      --

      War is necrophilia.

    20. Re:You're Kidding? by Zebra_X · · Score: 1

      Why does a detailed account matter? The fact is that it happened. There are no excuses and the potential ramifications of such a compromise is mind boggling.

    21. Re:You're Kidding? by joeytsai · · Score: 1

      It seems that one reason that they haven't used backups is because the machine has been compromised for six months(!), where all backups made during that time can't be trusted.

      --
      http://www.talknerdy.org
    22. Re:You're Kidding? by NoOneInParticular · · Score: 5, Informative

      As some other posters in other threads noticed, the FSF does not have full backups because all backups made after early 2003 can be compromised. The crack happened in March, and what they miss is all the stuff that was uploaded after the crack. Backups from before March are available. In this situation no backup strategy at all would leave you with total security after March. The fact that the site was cracked five months ago is a bit scary though.

    23. Re:You're Kidding? by Alan+Shutko · · Score: 1

      The question is, how long should they be keeping backups? Unless they have backups more than five months old, they're useless to check against.

      And according to their md5sum list, they do have backups for a lot of this. But since they were cracked in March, anything uploaded since then might have been compromised before the backups were run that night.

      Good thing they're handling it and not you.

    24. Re:You're Kidding? by Pharmboy · · Score: 2, Insightful

      Actually, it's the fact that the server was owned back in March and they just now figured it out that bothers ME. One good thing about the FSF is they don't dick around once they do find out; it becomes public fast, which is pretty honest.

      What I do on my server, and what you do on your server is our own problem, but you would think the primary FTP site for all of the FSF would have a little better security. Yea, it's like how mechanics don't take great care of their own cars, but this really is a black eye, and a potential marketing tool, mainly because the server has been 0wned for MONTHS now. Doesn't shake my faith (been with linux 4 years now), but it MIGHT shake someone considering migrating.

      "First Linux steals Unix property from SCO, and now their servers were hacked and it took them months to figure it out."

      I'm not trolling, I'm wincing... Right or wrong, some people WILL see it this way.

      --
      Tequila: It's not just for breakfast anymore!
    25. Re:You're Kidding? by Abcd1234 · · Score: 1

      Umm... according to their press release, they had backups which they used to restore most of their files. However, stuff added after early 2003 could have been compromised in their backups (since the attack was in March), hence their call for missing files. Dumbass.

    26. Re:You're Kidding? by eht · · Score: 1

      At least they should have complete backups of md5 sums, that'll take what? a dozen floppies for all the software they've ever distributed, ever.

      OK so floppies suck for backups, 1 blank rewritable cdrom, cost around 1$, if even that much, so they need a rewritable cdrom drive too, you can't tell me none of the members have one they're willing to use to do this.

    27. Re:You're Kidding? by Usquebaugh · · Score: 1

      "Good thing they're handling it and not you."

      Yep, I expect important data to be backed up and I get V pissed when newbies try to blame data loss on circumstance.

      If you didn't plan for an event then the fault lies with you not the event. Do you think the FSF backup policy might change after this?

      Disaster Recovery, the important word is recovery!

    28. Re:You're Kidding? by kindbud · · Score: 1

      And I'm supposed to trust their methods and products with my enterprise?

      No. You are supposed to pay through the nose, and then not even hear about the break-in, since that information would be classified as a trade secret by a commercial vendor.

      --
      Edith Keeler Must Die
    29. Re:You're Kidding? by passion · · Score: 1

      Oh hell yeah there is a way. The software can be managed on a separate host that has limited connectivity to the outside world, and the ftp server can be updated from that.

      Why back up your production server (which is exposed to the outside world), instead of syncing to it from known, trusted sources? and why aren't they running a regular tripwire that checks their current offerings against that same, known-good library to notify them of break-ins?!

      --
      - passion
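      One way to put the two ideas above into code, the "Checksums?" thread's point that a single submitted MD5 sum proves nothing until several independent reporters agree and the file itself is rehashed, and this comment's tripwire-style audit against a known-good manifest. This is an added example, not part of the original thread and not the FSF's own tooling; the file names come from the MISSING-FILES excerpt quoted earlier, while the archive contents, reporter names and the quorum of three are constructed.

```python
"""Quorum check of crowd-sourced MD5 sums plus a manifest audit (constructed example)."""
import hashlib
from collections import defaultdict

# File names are taken from the thread's MISSING-FILES excerpt; contents are
# constructed stand-ins, not real archives.
SRC = "gnu/windows/emacs/21.2/emacs-21.2-src.tar.gz"
LEIM = "gnu/windows/emacs/21.2/emacs-21.2-leim.tar.gz"
LISP = "gnu/windows/emacs/21.2/emacs-21.2-lisp.tar.gz"
LEIM_SRC = "gnu/windows/emacs/21.2/leim-21.2-src.tar.gz"

PRISTINE = {
    SRC: b"constructed: pristine emacs-21.2 source tarball",
    LEIM: b"constructed: pristine emacs-21.2 leim tarball",
    LISP: b"constructed: pristine emacs-21.2 lisp tarball",
    LEIM_SRC: b"constructed: pristine leim-21.2 source tarball",
}


def md5_hex(data: bytes) -> str:
    """Hex MD5 of a byte string, as md5sum would print it."""
    return hashlib.md5(data).hexdigest()


# Known-good manifest as the uploaders would have recorded it.
MANIFEST = {path: md5_hex(data) for path, data in PRISTINE.items()}

# What is actually on the restored server: one archive has been altered.
ON_DISK = dict(PRISTINE)
ON_DISK[LISP] = b"constructed: tampered emacs-21.2 lisp tarball"

# Constructed submissions (reporter, path, md5). Reporter identity is assumed
# to have been established out of band (signed mail, known maintainer); this
# code only counts distinct reporters, it cannot detect one person posing as many.
SUBMISSIONS = [
    ("alice", SRC, MANIFEST[SRC]),
    ("bob", SRC, MANIFEST[SRC]),
    ("carol", SRC, MANIFEST[SRC]),
    ("alice", SRC, MANIFEST[SRC]),          # duplicate, must not count twice
    ("alice", LEIM, MANIFEST[LEIM]),
    ("bob", LEIM, MANIFEST[LEIM]),          # only two reporters agree
    ("alice", LISP, MANIFEST[LISP]),
    ("bob", LISP, MANIFEST[LISP]),
    ("carol", LISP, MANIFEST[LISP]),        # quorum met, but disk copy differs
    ("alice", LEIM_SRC, MANIFEST[LEIM_SRC]),
    ("bob", LEIM_SRC, MANIFEST[LEIM_SRC]),
    ("mallory", LEIM_SRC, md5_hex(b"constructed: bogus archive")),  # dissent
]


def tally(submissions):
    """Map path -> md5 -> set of distinct reporters who vouched for that sum."""
    votes = defaultdict(lambda: defaultdict(set))
    for reporter, path, digest in submissions:
        votes[path][digest.strip().lower()].add(reporter)
    return votes


def verify(on_disk, submissions, quorum=3):
    """Classify each restored file against the submitted sums.

    verified      one sum, backed by at least `quorum` reporters, matches the file
    mismatch      reporters agree, but the file on disk hashes differently
    insufficient  only one sum seen, but fewer than `quorum` reporters
    conflict      reporters disagree; needs a human, never auto-accept
    unvouched     nobody submitted a sum for this path
    """
    votes = tally(submissions)
    status = {}
    for path, content in on_disk.items():
        by_sum = votes.get(path)
        if not by_sum:
            status[path] = "unvouched"
            continue
        if len(by_sum) > 1:
            status[path] = "conflict"
            continue
        (digest, reporters), = by_sum.items()
        if len(reporters) < quorum:
            status[path] = "insufficient"
        elif md5_hex(content) == digest:
            status[path] = "verified"
        else:
            status[path] = "mismatch"
    return status


def audit_against_manifest(on_disk, manifest):
    """Tripwire-style pass: paths whose current hash differs from the known-good
    manifest, plus paths the manifest lists but the tree no longer has."""
    changed = {p for p, data in on_disk.items() if manifest.get(p) != md5_hex(data)}
    missing = set(manifest) - set(on_disk)
    return changed | missing


if __name__ == "__main__":
    for path, result in sorted(verify(ON_DISK, SUBMISSIONS).items()):
        print(f"{result:12} {path}")
    print("manifest audit flags:", sorted(audit_against_manifest(ON_DISK, MANIFEST)))
```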
    30. Re:You're Kidding? by NoOneInParticular · · Score: 2, Insightful

      Maybe they did exactly this? The exploit was the ptrace exploit, a local exploit. Maybe an inside job, maybe not. This could however simply mean that it was this limited connected server that was compromised. Maybe all machines inside were compromised, and the ftp server was just one of them. Once such a crack appears inside the citadel, nothing can be trusted anymore.

    31. Re:You're Kidding? by sawanv · · Score: 1

      No, you don't have to; you can trust them to Microsoft and SCO. Believe me, those guys are really trustworthy...

    32. Re:You're Kidding? by jgoemat · · Score: 1
      Well, it appears that it was cracked by a local user back in March during a week between when the vulnerability was discovered and fixed in the kernel.

      As for "they don't seem to have full backups", the reason they are requesting the MD5 sums is that any backups from after March could have been compromised as well. They are asking for verification from the people that uploaded the files to them, if I understand it correctly.

    33. Re:You're Kidding? by timelady · · Score: 1

      as opposed to Microsoft? How long does it take them to release patches or information? How often does this affect MS products as opposed to Open Source stuff? That's just SILLY:)

      --
      Nothing - well thats something.
    34. Re:You're Kidding? by Beliskner · · Score: 1
      they don't seem to have full backups. Unbelievable. And I'm supposed to trust their methods and products with my enterprise?
      My Enterprise has backups - one spare Maxtor for the RAID-5 array.
      --
      A caveman dreams of being us, the incalculable power and riches. We dream of being Q, then what?
  39. Any other ways to help? by mschoolbus · · Score: 1, Offtopic

    I will donate a CDR if that helps you keep your little files...

    It's hard to believe something like this actually happened, especially to the FSF... You would think... nevermind

  40. Re:So apache no invulnerable then... by PepsiProgrammer · · Score: 1

    Yes, but I'm not aware of anyone who claims their software is "absolutely secure", and from what has been said so far it is not apache that has been cracked (http) but their ftp server (I am unaware what ftp server they run). What makes people complain about how insecure MS systems are is the fact that the insecurities occur much more often than in open source equivalents, and that MS is generally MUCH slower to patch the vulnerabilities.

    --
    "The United States has no right, no desire, and no intention to impose our form of government on anyone else." - Bush 05
  41. Re:So apache no invulnerable then... by Anonymous Coward · · Score: 0

    apache is an HTTP server, we're discussing an FTP server issue

  42. Re:So apache no invulnerable then... by jyak · · Score: 1

    Actually....it doesn't. They have not said if the ftp software was vulnerable or if it was actually hacked. They only said the ftp server was compromised. Someone unauthorized could have gained access to the server. Who knows....

  43. Re:Wait? I thought Linux was Secure?? by saskwach · · Score: 2, Informative
    I think you want OpenBSD...7 years running, 1 remote hole in the default install. (I think it was patched within 3 days, but am too lazy to look it up.)

    Not 100%, but 99.9%, sure.

  44. That is awful... by Badanov · · Score: 3, Insightful
    I run a coupla Linux boxes at work and a couple at home, and I swear I don't even take a dump unless I am certain I have backups.

    Having just read the above, let me add: Let a thousand jokes be posted!

    --
    Dawn of the Dead
    1. Re:That is awful... by Fammy2000 · · Score: 1

      I hope you have brown pants.

      --
      If I had something intelligent to say, I would have said it.
    2. Re:That is awful... by sdriver · · Score: 2, Funny

      Don't you need to take a dump to backup? :)

      man dump ;)

    3. Re:That is awful... by Uruk · · Score: 1

      I think one of the issues is that even if they did have backups, they can't trust them. Hypothetically if someone broke in, got root, and then modified a bunch of programs to add some evil trojan, even if GNU restored their nightly backups, they'd be restoring all of the archives that have the trojan in them.

      I would be willing to bet that they do have backups - hunting around for md5sums isn't going to reconstruct any files, it's going to verify the authenticity of what they have. The "MISSING_FILES" list is a list of files that are missing from the FTP server because they can't be verified, not those that GNU has lost a copy of.

      --
      -- Truth goes out the door when rumor comes innuendo. -- Groucho Marx
    4. Re:That is awful... by BlindSpot · · Score: 1

      I run a coupla Linux boxes at work and a couple at home, and I swear I don't even take a dump unless I am certain I have backups.

      Perhaps you should consider fixing your toilet.

    5. Re:That is awful... by jemfinch · · Score: 1

      How many backups do you keep? How many do you have on rotation? If you were compromised 5 months ago would you still have your backups since then? Or would you have overwritten them with more recent backups?

      It's not that the FSF didn't have backups, it's that they've overwritten them with data that may itself have been compromised. I don't know many people who keep backups from 5 months ago.

      Jeremy

  45. Trusted mirrors with the MD5 sums? by gspr · · Score: 1

    Surely there must be some mirrors that are 100% trusted? Ran by GNU staff, and the such?

  46. Re:Can someone please tell me... by E-Rock · · Score: 2, Informative

    Well no OS is proof against shitty passwords or real bad practices (like not running backups). As usual the most important factor is the quality of your admin, not the OS.

  47. Re:Wait? I thought Linux was Secure?? by JeffTL · · Score: 2, Insightful

    It IS insignificant as far as security is concerned, because it's almost certainly an inside job or a password theft. It'd be insignificant even if it were on an MS-DOS webserver. The only reason this is on /., or is significant in any way, is that GNU is the victim and evidently they haven't been doing proper backups.

  48. Re:So apache no invulnerable then... by Anonymous Coward · · Score: 0

    we need a RTFA (and please understand the motherfucker before you post) moderation

  49. Re:So apache no invulnerable then... by gowen · · Score: 1
    I guess that blows the "Apache is absolutely secure" myth
    Hmmm. Apache is a Web server. The FSF had their FTP server cracked -- I don't know which they use, possibly wu-ftpd. I don't think this reflects on Apache at all.

    But then, unlike you, sir, I am not an idiot.
    --
    Athletic Scholarships to universities make as much sense as academic scholarships to sports teams.
  50. Re:So apache no invulnerable then... by rokzy · · Score: 1

    you claim there's no gloating when open source is hacked, but this is one of many gloats to this effect already posted.

  51. obvious conclusion by Anonymous Coward · · Score: 0, Funny

    /puts on tinfoil hat/

    BUSH/ASHCROFT/CIA haxored it and put trojans in all GNU software. They are using it to track people down and send them to Gitmo!!!

  52. It's FTP, need you ask? by Anonymous Coward · · Score: 0

    Never, ever, EVER run an FTP server - you are committing suicide by doing so. You are asking in big bold block letters posting your IP to slashdot to get hacked. Always make your files available to the public via HTTP/SSL in a chroot filesystem that is set no-write. Uploading of new files should be via SMTP (through trusted hosts) w/ PGP or worst-case (if you're a usability freak) (OpenSSH) SSH2 + SFTP.

    People use solutions other than this. I do not understand why outside of willful stupidity.

    --Ryv

    1. Re:It's FTP, need you ask? by Electrum · · Score: 1

      Never, ever, EVER run an FTP server - you are committing suicide by doing so.

      Anonymous FTP is fine.

    2. Re:It's FTP, need you ask? by Anonymous Coward · · Score: 0

      PGP is, for all my purposes, no more secure than SFTP, nor do I have something sitting on the other end to receive files.

      - Tiggy

    3. Re:It's FTP, need you ask? by DrSkwid · · Score: 1

      not true

      plan9 ftp doesn't even use passwords to gain entry (and not just for ftp)

      here's my previous post

      Always make your files available to the public via HTTP/SSL in a chroot filesystem that is set no-write.

      That would be a sad reflection on your OS

      --
      There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
  53. Re:So apache no invulnerable then... by reddfoxx · · Score: 1

    You do realize that Apache is a http server don't you? If you are serving FTP through your webserver I think that you have more problems than whether the software is secure.

  54. I bet SCO knows something about this.. by dBLiSS · · Score: 0, Flamebait

    Just yesterday there was a story running about FSF talking about pulling SCO support. I bet the slick SCO fellahs had nothing to do with this...

    --

    The Good Life
    1. Re:I bet SCO knows something about this.. by Anonymous Coward · · Score: 0

      Yes you dumbass. SCO convinced the fsf that backups were a stupid idea.

      As far as I am concerned if the code lost is never found we'll be better off.

  55. Re:So apache no invulnerable then... by Directrix1 · · Score: 1

    Who here believes Apache is absolutely secure? I see vulnerability/exploit reports fairly frequently.

    --
    Occam's razor is the blind faith in the natural selection of least resistance and in universal oversimplification. -- EF
  56. Obligatory Simpson's Quote by Anonymous Coward · · Score: 0

    GNUDoh!

  57. Re:So apache no invulnerable then... by chef_raekwon · · Score: 1

    maybe i missed something, but isnt the problem with an ftp server? and probably one that was not chrooted??

    what the hell does this have to do with apache? IIS has an ftp module... of course... and it IS laughable...

    so what gives? whad I miss?
    is the parent just an i D 10 T?

    --
    We're like rats, in some experiment! -- George Costanza
  58. apache? by DreadSpoon · · Score: 2, Insightful

    What does apache, an http server, have to do with their ftp server being cracked?

    But no, Apache isn't 100% secure. There is no such 100% server, except one unplugged from the net, encased in titanium, and buried beneath the Pacific seabed.

    1. Re:apache? by Anonymous Coward · · Score: 0

      entropy, friend, will eventually cause the server to become less than 100% secure

  59. If this had been an open source ftp server by Stalemate · · Score: 4, Funny

    We would already be flooded with posts about how if this were a Microsoft server we would already be flooded with posts bashing Microsoft and talking about....oh, right, my bad.

    1. Re:If this had been an open source ftp server by Anonymous Coward · · Score: 0

      That calls for some Python!

      I think all right-thinking people in this country are sick and tired of being told that ordinary decent-thinking people are fed up in this country with being sick and tired. I'm certainly not, and I'm sick and tired of being told that I am.

  60. Re:So apache no invulnerable then... by Anonymous Coward · · Score: 0
    is the parent just an i D 10 T?
    Bingo!
  61. Re:So apache no invulnerable then... by Electrum · · Score: 1

    Yes, but I'm not aware of anyone who claims their software is "absolutely secure"

    http://cr.yp.to/qmail/guarantee.html
    http://cr.yp.to/djbdns/guarantee.html

  62. Put your glove on by Zabu · · Score: 3, Funny

    Then next time you will catch the joke...

    --
    It's all good.
    1. Re:Put your glove on by ikkonoishi · · Score: 0

      I'll catch the joke if you'll actually throw it.
      :p

    2. Re:Put your glove on by Anonymous Coward · · Score: 1, Funny
      Great come back.

      NOT!!!

    3. Re:Put your glove on by MicroBerto · · Score: 1

      I missed the joke too. Care to explain? THanks

      --
      Berto
    4. Re:Put your glove on by blancolioni · · Score: 1

      I would have pretended that I was doing a purposely deadpan and subtle commentary on overly helpful but slightly clueless geek wannabees on slashdot and other web-based discussion pages.

      But your way was good too.

    5. Re:Put your glove on by Zabu · · Score: 1

      The MSblaster worm.

      Yahoo News

      --
      It's all good.
  63. wuftpd is trouble, use ProFTPD by bigberk · · Score: 1

    Why not use ProFTPD? It has a much better security track record than wuftpd, and is actively developed. Considering all the roots that happen from default wuftpd installs, one of the first things I recommend to linux newbies is to scrap wuftpd. And setting up a chroot environment is as easy as one directive: "DefaultRoot ~"

    1. Re:wuftpd is trouble, use ProFTPD by Oliver_Etchebarne · · Score: 2, Informative

      Have you tried PureFTPD? I'm a newbie on Linux, and it was very easy to install and configure.

      This FTPD focus on security: Unlike other popular FTP servers, the number of root exploits found since the very first released version is zero. (taken from its website)

      --
      drmad
    2. Re:wuftpd is trouble, use ProFTPD by Anonymous Coward · · Score: 0

      ProFTP actually has a very poor security record. Neither it nor wuftpd are good choices.

  64. Re:Wait? I thought Linux was Secure?? by ceejayoz · · Score: 1

    this comment claims that this vulnerability was exploited... it's not always an inside job or password theft

  65. Why no PGP signature? by molo · · Score: 3, Insightful

    Why does the FSF not use an OpenPGP signature on the files and md5sum lists in their archives? Unless the key is kept on the same (compromised) host, then it becomes easy to figure out what files are valid, and what isn't.

    BTW, here is my contribution:

    > md5sum sed-4.0.7.tar.gz
    005738e7f97bd77d95b6907156c8202a sed-4.0.7.tar.gz

    -molo

    --
    Using your sig line to advertise for friends is lame.
    1. Re: Why no PGP signature? by Anonymous Coward · · Score: 0

      Yeah, I was wondering this myself. If I were in charge of things over there, not only would proper backups be made daily, but all files would have to be cryptographically signed on a computer that was *not* on the Internet, so as to limit the likelihood of a compromise.

      Worst case scenario, they could default to their yearly CD set, but they'd lose a few months of work. I hope they learn from this mistake, I really do...

    2. Re:Why no PGP signature? by Anonymous Coward · · Score: 0

      Yes, thank you immensely. FSF staff will be reloading this article every few minutes to check for new MD5 sums, and will find yours.

    3. Re:Why no PGP signature? by dvdeug · · Score: 1

      Why does the FSF not use an OpenPGP signature on the files and md5sum lists in their archives?

      Hindsight's twenty-twenty; that is what they're going to do in the future. Perhaps they didn't feel the need to change longstanding practices that predate OpenPGP before now?

    4. Re:Why no PGP signature? by molo · · Score: 1

      Plenty of sites have been doing PGP signatures for a while. Just look at the Linux Kernel FTP for example. Hopefully the FSF ftp maintainers will improve their methods because of this breakin.

      -molo

      --
      Using your sig line to advertise for friends is lame.
  66. Re:Can someone please tell me... by utmecheng · · Score: 1

    A virus in windows is easy. users can delete system files. a very very simple permissions setup in linux prevents major damage to a system by a virus unless that virus has suid which is frankly a user error. think about this: if the source to windows was open, how easy would it be to write a virus to take it down? security through obscurity doesn't work in the world of open source. so, qualitatively linux beats MS here. its not just a 'number of servers' thing. bugger off.

  67. Re:Wait? I thought Linux was Secure?? by rute20740 · · Score: 0, Flamebait

    Ahem... I believe we should be blaming this on third party software right? Tell me if I'm wrong :)

  68. ACK! by devphaeton · · Score: 1

    Wow.. This is actually... um... embarrassing.

    Don't have full backups?

    eesh!

    We geeks know better than this!

    Oh well. let this be a lesson to us all :o)

    --


    do() || do_not(); // try();
    1. Re:ACK! by Anonymous Coward · · Score: 0

      yeah, I'll make sure to do some backups.. erm tomorrow or so..

  69. And in other news... by Anonymous Coward · · Score: 0

    ...the ftp.vim.org was counter attacked by irate Emacs fans!!!

    1. Re:And in other news... by iapetus · · Score: 4, Funny

      Well, it will be as soon as they can remember the key combination for 'hack into VI web site' is. Now I know it's in here somewhere - is it M-~ h C-V...?

      --
      ++ Say to Elrond "Hello.".
      Elrond says "No.". Elrond gives you some lunch.
    2. Re:And in other news... by kurosawdust · · Score: 1

      M-x hack-into-vi-website

  70. Re:Can someone please tell me... by Anonymous Coward · · Score: 0

    Yes, but if the site was running IIS no one would be pointing that out - people would simply post "ha ha ha - Here is more proof IIS sucks!"

  71. Not surprising by Anonymous Coward · · Score: 0

    the GNU people always strike me as not too bright people who only code to further their political agenda

  72. Re:Can someone please tell me... by silas_moeckel · · Score: 1

    No server is immune to Hacking it's just a question of ease. Microsoft servers are often not well configured and often not maintained. They are also a large percentage of the hosts available on the internet so a good target. This all coupled with an apparent policy that ease of use is more important than security by default from Microsoft has led to the current situation. The more secure you make a box the harder it is to work with. Linux, BSD and Unix in general are somewhere in the middle by default. You could move to secure versions that are a pain to do anything on and I do mean a pain. Just think of it as a variable rather than a boolean: it's not "is it secure, yes/no" but rather "how secure is it", and always remember if effort is applied by a knowledgeable expert it can become more secure to a point.

    --
    No sir I dont like it.
  73. Full backups by aridhol · · Score: 1
    Remember, you can't trust backups if you've been compromised. How long ago was the system compromised without somebody noticing? How many compromised packages have you been backing up?

    So even if they did have full backups of the FTP site, they still need to verify that the files are correct. Unless they have backups reaching to the beginning of the archive, they can never be 100% sure that the correct files are online.

    --
    I can't say that I don't give a fuck. I've just run out of fuck to give.
    1. Re:Full backups by TheLink · · Score: 2, Insightful

      Uh, if the system was compromised a long time ago, then they can't really use 3rd parties to verify the files are correct - coz the 3rd parties have been getting the stuff from their server.

      They have to recompile the stuff from the developers who hopefully have had better success in maintaining the integrity of their systems and data.

      --
    2. Re:Full backups by Milhouse_ph · · Score: 1

      mod this parent up...

      while everyone else is trolling and flaming about how the admin should be fired or if this had been a "windows box"... this seems to be one of the few posts that makes a good point... at least someone is paying attention to the details instead of just pointing fingers...

    3. Re:Full backups by Anonamused+Cow-herd · · Score: 1
      then they can't really use 3rd parties to verify the files are correct - coz the 3rd parties have been getting the stuff from their server.

      "Uh," Unless they are smart enough to do a checksum on THEIR files (which of course they are), then reject all MD5 submissions that are the same. Then, they collect all the other MD5s submitted for that file, and take the most frequently occurring one, assuming that most people are honestly trying to help. That's your MD5.

      --
      -----[0_o]-----
      We are not amused.
    4. Re:Full backups by Anonymous Coward · · Score: 0

      Or, that's the compromised file that has been most distributed and most md5sum'd and reported. I'm glad you're not the ftp.gnu.org admin.

    5. Re:Full backups by Anonamused+Cow-herd · · Score: 1
      Please, dumb one, refer to my original post. Once you realize that your server is compromised, you assume that any modified source has only been modified once (why code a hole into something more than once unless necessary?) by the attacker. Thus, the package on the server IS the compromised software. So if you MD5 sum that file, and throw out all checksums that are the same as the md5 for the compromised file that you have on the server, then you are left with the set of checksums that belong to something BESIDES the compromised software.

      Checksum P is part of set X, where X is all respondent MD5 sums (i.e. all the sums everyone sent to them).

      Checksum P belongs to the compromised package residing on the gnu.org software. This can be calculated by summing the software on the server.

      Thus, if a respondent checksum=P, then exclude it from set X of all respondent checksums. (X-P)

      The mode of (X-P) will be the correct checksum, if and only if:

      1. Most of the respondents are trustworthy, i.e. not collaborating in an attempt to thwart gnu.
      2. The package has not been modified more than once.

      Next time, understand the concepts before posting.

      --
      -----[0_o]-----
      We are not amused.
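The voting scheme argued over in the last few replies (throw away every submitted sum that matches what the compromised host currently serves, then take the most frequent of the rest) is worth seeing as code, together with the objection raised earlier in the thread that anyone who fetched their copy from the server after the break-in is not an independent witness. The following is an added example written for this page; it is not the FSF's recovery tooling and not code posted by anyone in the thread. The file contents, submitter names, dates and the compromise start date are all constructed, and the one-vote-per-submitter rule only raises the bar against a single person sending the same sum many times; it does nothing against an attacker who controls many addresses, which is the part of the problem only signatures from an uncompromised key actually solve.

```python
"""Recovering a trustworthy checksum for one file by voting over
independently submitted MD5 sums, after the distribution host itself
has been compromised.

Added example for this thread; it is not the FSF's recovery tooling and
not code from any poster. All file contents, submitter names, dates and
the compromise window below are constructed for illustration.
"""
import hashlib
from collections import Counter
from dataclasses import dataclass
from datetime import date

# ASSUMPTION: the archive is treated as untrusted from this date on. The
# page only says "early 2003"; the exact day here is made up.
COMPROMISE_START = date(2003, 3, 1)


@dataclass(frozen=True)
class Submission:
    submitter: str    # who sent the sum (e-mail address, mirror name, ...)
    md5: str          # the 32-hex-digit MD5 they report
    fetched_on: date  # when they say they downloaded their copy


def md5_hex(data: bytes) -> str:
    """MD5 of a byte string as lowercase hex, the way md5sum prints it."""
    return hashlib.md5(data).hexdigest()


def recover_checksum(on_server: bytes, submissions, min_votes: int = 3):
    """Return (md5, votes) for the consensus checksum, or None when no
    consensus meets the trust conditions.

    Rules, in order:
      1. Whatever the compromised host serves is assumed modified, so any
         submission equal to its checksum is discarded.
      2. Copies fetched inside the compromise window may themselves have
         come from the tainted host, so they carry no evidence.
      3. One vote per submitter, so repeating yourself does not count.
      4. The winner must reach min_votes and must not be tied; otherwise
         the file stays on the MISSING-FILES list for manual handling.
    """
    tainted = md5_hex(on_server)
    votes: Counter = Counter()
    counted = set()
    for s in submissions:
        if s.md5.lower() == tainted:
            continue                      # rule 1: matches the tainted copy
        if s.fetched_on >= COMPROMISE_START:
            continue                      # rule 2: fetched inside the window
        if s.submitter in counted:
            continue                      # rule 3: already voted
        counted.add(s.submitter)
        votes[s.md5.lower()] += 1
    if not votes:
        return None
    ranked = votes.most_common()
    best, n = ranked[0]
    if n < min_votes:
        return None                       # rule 4: too little evidence
    if len(ranked) > 1 and ranked[1][1] == n:
        return None                       # rule 4: tie, cannot decide
    return best, n


# --- constructed sample data ------------------------------------------
ORIGINAL = b"sed-4.0.7.tar.gz (constructed stand-in for the real tarball)\n"
TROJANED = ORIGINAL + b"# attacker's addition\n"
GOOD_MD5 = md5_hex(ORIGINAL)
FAKE_MD5 = "0" * 32   # a fabricated sum pushed by an attacker

SUBMISSIONS = [
    Submission("alice@example.org", GOOD_MD5, date(2002, 11, 5)),
    Submission("bob@example.org",   GOOD_MD5, date(2002, 12, 20)),
    Submission("carol@example.org", GOOD_MD5, date(2003, 1, 15)),
    Submission("dave@example.org",  GOOD_MD5, date(2003, 2, 2)),
    # fetched after the break-in and reports the tainted file: rule 1
    Submission("erin@example.org",  md5_hex(TROJANED), date(2003, 6, 1)),
    # correct sum, but fetched inside the window, so no evidence: rule 2
    Submission("frank@example.org", GOOD_MD5, date(2003, 5, 10)),
    # one attacker, two addresses, one of them submitting twice: rule 3
    Submission("sock1@example.net", FAKE_MD5, date(2002, 9, 1)),
    Submission("sock1@example.net", FAKE_MD5, date(2002, 9, 1)),
    Submission("sock2@example.net", FAKE_MD5, date(2002, 9, 1)),
]

if __name__ == "__main__":
    print("tainted  :", md5_hex(TROJANED))
    print("consensus:", recover_checksum(TROJANED, SUBMISSIONS))
```

Run as a script it reports the tainted sum and the consensus pair `(GOOD_MD5, 4)`: the four pre-compromise honest copies win, the post-compromise copy and the in-window copy are ignored, and the attacker's two addresses fall short. Lower `min_votes` or give the attacker as many addresses as there are honest submitters and the function returns `None` rather than guessing, which is the behaviour you want when the alternative is republishing a trojaned tarball.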
  74. Complete md5sum by Penguin · · Score: 4, Funny

    $ md5sum complete-gnu.tgz
    deadbeefdeadbeefdeadbeefdeadbeef complete-gnu.tgz

    --
    - Peter Brodersen; professional nerd
  75. Re:So apache no invulnerable then... by ceejayoz · · Score: 2, Funny

    I guess this blows the "slashdotters know what they are talking about" myth. Oh wait......

    That myth existed? Seems fairly unlikely to me... ;-)

  76. Re:Wait? I thought Linux was Secure?? by Anonymous Coward · · Score: 0

    Doesn't OpenBSD run their site off Solaris?

  77. Re:So apache no invulnerable then... by ichimunki · · Score: 3, Insightful

    Hmmm. You mention Apache. This is an FTP server. What kind of tool runs an FTP server using web server software? So far as we know (given that there are no details of how the server compromise was carried out), this says nothing about the security of a particular FTP server software, Apache, GNU/Linux, or any other Free Software package.

    As is the case with most installations of MS Windows, other operating systems and pretty much any user level software, the security of the system is only as strong as the weakest link: usually that's the user (and the sysadmin falls into that group). Bad passwords, bad security policies, and lax attention to security patching affect every system because every system has users.

    Why might Free Software Zealots be laughing when MS products are demonstrated to be insecure? Because people have paid MS billions of dollars for that software. MS has billions of dollars in the bank. You'd think a company with those kinds of resources could hire a few security experts-- or even a few thousand-- and have them really work out the bugs. Free Software, on the other hand, is largely produced as charity, costs little or nothing to obtain, and at least when the code is demonstrably insecure, you (the user) have both the means and the right to fix it. Not so with the expensive binaries you get from Redmond.

    Oh, thanks for trolling. I assume this response is exactly what you were hoping for. :)

    --
    I do not have a signature
  78. FTP by Anonymous Coward · · Score: 0

    not Apache. Chucklehead.

  79. Re:Wait? I thought Linux was Secure?? by El+Cubano · · Score: 2

    I'll wait while the "wind0ze suX0rs!" 1337 Hackors try to make this sound insignificant to linux, but can blow up on MS when a virus is released.

    This is not at all insignificant. Of course more detail is really needed to assess the situation.

    Here are two possible scenarios:

    1. Some idiot with lots of access rights does something dumb like log in in the clear. I think this is unlikely, but if it did happen this guy (or girl) should be soundly beat about the head and shoulders.

    2. The software they were running has some yet not found flaw (at least it was found by the crackers). Oh well, we need to look for it and fix it. There has probably not been a single piece of non-trivial software (not just OS) written that has not had some known or unknown security flaw waiting to be exploited.

    As far as blowing up when a virus exploiting an MS vulnerability, it should be the MS users up in arms. Especially when they refuse to fix some of their systems, like NT4 (I know it is EOL'd, but this last one is a major problem).

  80. mod parent down to -1 Stupid by Anonymous Coward · · Score: 0

    please mod this asshole down. Dude, the GNU FTP server got hacked, not their web server. A web server (Apache) is called an HTTP server, because it uses that protocol to deliver its information to other clients (web browsers if you will). Your comments have about as much wisdom as: I am allergic to elephants and catnip so I will die if I walk barefoot in my backyard with a broom in my left hand

  81. sheesh! Can you fire a volunteer sysadmin? by digrieze · · Score: 2, Insightful

    In another thread I posted a message criticizing incompetent/lazy sysadmins and now this gets noticed (after nearly a week).

    Could someone pass on to them that CDR/RW drives get put on sale at CompUSA for around $20 on a fairly regular basis? If you rebate the CDrs you can practically get them for free. DO A BACKUP ONCE IN A WHILE, SOMEBODY WILL BREAK LOOSE FOR THAT MUCH IN POCKETCHANGE!

    --
    It doesn't matter what you wrap your emotions around, Reality is a brick wall specifically designed to scramble eggs
  82. Gentoo to the rescue by tangent3 · · Score: 1

    just rsync with rsync://rsync.gentoo.org/gentoo-portage/sys-devel/gcc/files
    all the MD5s for more recent versions of the gcc versions are there.

    1. Re:Gentoo to the rescue by DrJimbo · · Score: 1

      The FSF site was cracked back in March so it is likely that a lot of the FSF software in the Gentoo system is also compromised. You'd have much better luck with Debian because its stable tree is much less up-to-date than Gentoo's.

      --
      We don't see the world as it is, we see it as we are.
      -- Anais Nin
  83. One would think... by Qbertino · · Score: 3, Insightful

    ...that the cream of IT people would do regular revolving backups, securing sessions and have a standalone staging environment for all their stuff should the connected setup get compromised. Especially files which are distributed into the entire world to run on bazillions of computers once released. That's all a big fat hairy bad-ass no-brainer.
    Sorry, gnu.org team, no icecream tonight.

    --
    We suffer more in our imagination than in reality. - Seneca
    1. Re:One would think... by Anonymous Coward · · Score: 0

      One would think that you believe FSF is a wealthy company, rather than a poor nonprofit. But you could help with that.

  84. Re:So apache no invulnerable then... by Samus · · Score: 1

    From your post history it looks like you accidentally used the wrong account to post such a troll. Or maybe you are reactivating an old troll account? I've been around here long enough to remember the hot grits and petrified Natalie Portman trolls. They were funny for a while. It was a short while though...

    --
    In Republican America phones tap you.
  85. Sounds like a good example for using SSH by chill · · Score: 1

    FTP should be for anonymous downloads only, with no user accounts able to login.

    SSH/SFTP is for logging in using usernames.

    The details about whether this was an exploit of insecure code (i.e. buffer overflow), or bad admin practices (i.e. cleartext logins) haven't been made public.

    If the former, I expect to see an announcement soon of a patch. God help them if they were running known flawed, unpatched, ftpd software.

    If the latter, then it is time for the FSF to review their policies & procedures on user logins accessing their FTP server.

    Of course, it could have just been a poor password that was guessed. That means enforcing and verifying the use of strong passwords. This really should have been done before, but is the most likely of scenarios. People get lazy and unless there is a mechanism for automatically dealing with this, then poor passwords are inevitable.

    --
    Learning HOW to think is more important than learning WHAT to think.
  86. LOL!!! by Dysan2k · · Score: 2, Interesting

    I have to admit, it's kinda funny. Firstly, NO one has posted what the heck FTP server they were using (which might be helpful to determine if it was a security hole.) Secondly, 'bout time this happened to one of the distributor sites. Though, a Linux bigot I may be, no OS (that I've seen) is 100% secure.

    Now, MAYBE gnu will decide to write a GOOD automated backup system for no other reason than keeping their junk together. (and don't give me that tar crap. I know perfectly well what it's capable of. I want an OSS equiv to NetBackup) No backups! That's hilarious!! I wanna know what kinda beating the current admin is getting!

    Well, hopefully they'll be able to get it pieced back together now. I'm sure it won't take more than a day to do so. Heck, I'll email my LUG and let the Deb folks spin MD5sums for a while to send over to 'em.

    Enjoy the chaos! (Least only 1 person has managed to link this to SCO so far)

    --
    -What have you contributed lately?
    1. Re:LOL!!! by swordgeek · · Score: 1

      "Now, MAYBE gnu will decide to write a GOOD automated backup system for no other reason than keeping their junk together. (and don't give me that tar crap. I know perfectly well what it's capable of. I want an OSS equiv to NetBackup)"

      Does it HAVE to be GNU, or just free to use and modify?

      Check out Amanda. It's free, it works well, and it's mighty powerful.

      Be aware that at its core, it uses gtar--just like NetBackup does.

      --

      "People who do stupid things with hazardous materials often die." -- Jim Davidson on alt.folklore.urban
    2. Re:LOL!!! by stevey · · Score: 1

      Good backup systems like Amanda already exist - I'm guessing that the reason that the FSF people don't have backups is because they're relying upon donations to buy backup servers/tape drives, etc. (Yes that was a subtle plea to donate them cash ;)

      On this breakin I have only two comments:

      1. Why not use proftpd, wu-ftpd has traditionally been prone to attacks. (Granted its a little bit more secure after each one is discovered and patched, but after so many its hard to trust it).

      2. Why use MD5 sums? I use GPG signatures on all my software - forging signatures is .. non-trivial.

      Steve
    3. Re:LOL!!! by Omar+El-Domeiri · · Score: 2, Informative

      Dear god people, it's not that they don't have backups... it's that they feel the backups might be compromised as well.

  87. Re:Wait? I thought Linux was Secure?? by freeweed · · Score: 3, Insightful

    No one's ever claimed Linux is 100% secure.

    However, the next time a virus is released that takes down 90% of Linux installs, and toasts most of the internet, let me know. Until then, your point isn't exactly valid.

    --
    Endless arguments over trivial contradictions in books written by ignorant savages to explain thunder in the dark.
  88. Re:Wait? I thought Linux was Secure?? by WindBourne · · Score: 1

    Just a healthy reminder that nothing is 100% secure, so no point in pointing fingers (on MS OR linux).
    You are right, there is no 100% security. But at the same time, Linux is the number one server on the net (according to netcraft) yet gets cracked but a fraction of the time. MS is the number 2 server, but almost 100% of the CC thefts are from MS. The cost is very high for running MS.

    Comparing Linux to MS is a bit like comparing a pick pocket to Gacy or Dahmer. While both are criminal, you know which is worse.

    --
    I prefer the "u" in honour as it seems to be missing these days.
  89. Gentoo Portage Tree by frankjr · · Score: 1

    Gentoo has md5sums recorded in its digests.

  90. backups by chef_raekwon · · Score: 2, Insightful

    maybe im missing something here...but don't most people backup their stuff?

    i mean, all the posts here are about how insecure FSF is, or Open Source sucks...or windows sucks more...

    what about the bloody principle of backing up your own software? let me guess, stallman and his crew have ONE FTP server, and they never back the bloody thing up? they should all be punished for such foolishness. nobody in a corporation would allow this...what would have happened if the hard drive crashed, or the raid crashed hard on that FTP server? the same thing!!!
    asking the world for MD5 sums...

    tsk tsk.

    oh, and I use Open Source just about everywhere, except my workstation (mandatory windows). I run a chrooted Wu-FTPD, never had too much trouble either...but, we have a tape backup, just in case...

    --
    We're like rats, in some experiment! -- George Costanza
    1. Re:backups by mystran · · Score: 1
      mm.. in case you didn't notice from the post above, the exploit used was an old (and fixed) wu-ftpd off-by-one bug.

      Now that I think of it, for some strange reason, I remember several vulnerabilities with wu-ftpd...

      --
      Software should be free as in speech, but if we also get some free beer, all the better.
    2. Re:backups by BigRare · · Score: 1
      what about the bloody principle of backing up your own software? let me guess, stallman and his crew have ONE FTP server, and they never back the bloody thing up? they should all be punished for such foolishness. nobody in a corporation would allow this...what would have happened if the hard drive crashed, or the raid crashed hard on that FTP server? the same thing!!! asking the world for MD5 sums...

      From my take, it's not that they don't have backups, it's that the backups they have are potentially compromised due to the length of time the server was compromised. Thus the need for parity checks.

      Then again, I could be wrong...
    3. Re:backups by Piquan · · Score: 1

      Huh? It was a ptrace exploit, from what I read. Nothing to do with wu-ftpd.

    4. Re:backups by dvdeug · · Score: 1

      maybe im missing something here...but don't most people backup their stuff?

      A backup of a trojan is still a trojan. If they uploaded a new version after the server was owned, and then made a backup, it's useless, since you don't know if the backup was trojaned or not.

    5. Re:backups by xmda · · Score: 1

      what about the bloody principle of backing up your own software? let me guess, stallman and his crew have ONE FTP server, and they never back the bloody thing up? they should all be punished for such foolishness. nobody in a corporation would allow this...what would have happened if the hard drive crashed, or the raid crashed hard on that FTP server? the same thing!!!

      Well, if you had read this more carefully, you would not be so cocky:

      Given the nature of the compromise and the length of time the machine was
      compromised, we have spent the last few weeks verifying the integrity of
      the GNU source code stored on gnuftp. Most of this work is done, and the
      remaining work is primarily for files that were uploaded since early 2003,
      as our backups from that period could also theoretically be compromised.

  91. Re:Can someone please tell me... by iamsure · · Score: 1
    Microsoft servers _do_ get hacked more than Linux servers, but this is because there are far more MS servers of an identical configuration


    Bzzt, Wrong. There are more Apache servers (by far) than IIS servers, and IIS gets more attacks - by over a four to one margin.

    It gets more attacks because it is less secure, NOT because of volume.
  92. Re:Wait? I thought Linux was Secure?? by rokzy · · Score: 2, Interesting

    I like the idea of linux, and MS pisses me off, but am too ignorant to be a true geek...

    but it seems to me that there's no meaningful comparison between an individual linux system being specifically attacked (maybe not even remotely) and brought down... and... every single XP computer with internet connection being susceptible by default to MSBlast... ?

  93. Where do we send MD5sums? by molo · · Score: 1

    Anyone have an address where we are supposed to send MD5sums?

    Also, does this affect GCC sources?!?! See Ken Thompson's Reflections on Trusting Trust.

    -molo

    --
    Using your sig line to advertise for friends is lame.
    1. Re:Where do we send MD5sums? by Anonymous Coward · · Score: 0

      Anyone have an address where we are supposed to send MD5sums?

      Slashdotters!!! Act now!!! Send your MD5sums along with $9.95 shipping and handling to the following address and receive your free Bill Gates is a Weeney mug!!! But that's not all, if you act within the next five minutes, you'll also get a free "I HATE SCO" T-Shirt

      FSF MD5Sum Recovery Center
      C/O RMS
      One True Way
      Cambridge, MA

  94. Re:Wait? I thought Linux was Secure?? by xenotrout · · Score: 2, Informative

    not according to netcraft

  95. Re:So apache no invulnerable then... by iapetus · · Score: 1
    That myth existed? Seems fairly unlikely to me... ;-)

    Well that blows the "There's a "slashdotters know what they are talking about" myth" myth...

    --
    ++ Say to Elrond "Hello.".
    Elrond says "No.". Elrond gives you some lunch.
  96. Hacking ONE system does not mean shit by Anonymous Coward · · Score: 1, Informative

    MSBlaster hacked millions of computers WITHOUT human intervention.

    Linux IS SECURE. If people can't set it up, don't blame the OS.

    MS needs to get patched >>=====> CONSTANTLY.

    1. Re:Hacking ONE system does not mean shit by Anonymous Coward · · Score: 0

      Since when did 187,000 computers become equivalent to 1,000,000?

    2. Re:Hacking ONE system does not mean shit by Anonymous Coward · · Score: 0

      No, Linux ISN'T secure.

      If it was, this wouldn't have happened.

      This exploit wasn't down to misconfiguration.

      Whether an OS is secure or not isn't about any other OSes.

      Gotta love how the zealots try and blame Microsoft even when their own systems get owned...

  97. Any information on this? by iabervon · · Score: 1

    All we have in this story is the list of packages whose authenticity they haven't been able to confirm yet (I'd guess that they'll get the MD5SUMs from whoever is trusted to upload them in the first place).

    Someone commented that the attack was through a known wu-ftp (not GNU software) exploit. I've often wondered why people run ftp servers instead of http ones to distribute stuff; http supports the same operations in a simpler way, and apache is much more cleanly written than wu-ftp.

    1. Re:Any information on this? by Zigg · · Score: 1
  98. OpenBSD by Anonymous Coward · · Score: 0

    See, they should have been running OpenBSD. Even with the wu-ftpd exploit, the W^X protection in current would have prevented it from happening!

  99. Re:Wait? I thought Linux was Secure?? by xenotrout · · Score: 1

    whoops, posted wrong *BSD, but openBSD uses openBSD or netBSD, according to netcraft

  100. Putting on my troll hat by batkins · · Score: 1, Insightful

    Oh, gosh. Look at this. A site running Linux was hacked. Gee, that must mean that Linux is fundamentally insecure and that OSS is just no good. After all, everyone knows that FTP access is provided directly by the kernel. Let's everyone use Windows.

    Oh, come on, trolls. Give it a rest.

    1. Re:Putting on my troll hat by Coneasfast · · Score: 1

      Gee, that must mean that Linux is fundamentally insecure and that OSS is just no good.

      sarcasm unnecessary, who is saying this?

      Everybody is complaining about the lack of
      responsibility among the GNU admins, not
      of OSS.

      If they had taken some precautionary measures
      it would have been fine.

      Just about everyone here knows this.

      Oh, come on, trolls. Give it a rest.

      Oh, the irony. :)

      --
      Marge, get me your address book, 4 beers, and my conversation hat.
    2. Re:Putting on my troll hat by batkins · · Score: 1

      I'm assuming you didn't read this post, this post, or this post.

      I was posting to point out that Linux is unrelated to wuftpd and that the trolls who suggest that it is are incorrect.

    3. Re:Putting on my troll hat by Coneasfast · · Score: 1

      first of all, 2 of those posts were modded for 'troll', secondly, none of those posts say anything about OSS not being good, just that linux/oss may not be 100% stable. The fact is, just about nobody thinks OSS or Linux is 'bad' because of this reason alone, and it seems like you were implying this.

      --
      Marge, get me your address book, 4 beers, and my conversation hat.
    4. Re:Putting on my troll hat by IM6100 · · Score: 1

      No. A site running Linux that consists of the primary repository for much of the software that makes up Linux was hacked. And there was no backup of the files on the site. And the maintainers of the site have had to resort to a public 'please help us get this all put back together' plea.

      And it isn't a matter of 'Let's everyone use Windows.'

      Oh! I think I've been trolled.

      --
      A Good Intro to NetBS
  101. fanbois? by Anonymous Coward · · Score: 0

    and where are all the M$ bashing fanbois when linux gets hacked. Sure is quiet on this thread. I guess they are all too busy thinking up clever replies to the MS blaster worm article. I like linux, don't get me wrong, but if this was a MS exploit this thread would be 3 pages already due to fanbois posting MS sucks a thousand times as if I forgot that linux was the end all be all to all life's problems. Funny how things work here....

    1. Re:fanbois? by Anonymous Coward · · Score: 0

      We would have 3 pages of "linux suxXorz Im l337" if the M$ fanbois weren't busy with their system rebooting from the latest windows blaster crisis

  102. Make take on it... by Anonymous Coward · · Score: 0

    As an advocate of open source in a business that doesn't "smile" at the thought of open source software, I have to say that this is an illustration that my supervisors may be right.

    Making good backups is basic control. If FSF doesn't have even that level of competency, how can I argue that software advocated by that group is good enough for our enterprise?

    Who the !#@$@ doesn't make backups anyway...

    Hate to say it: Idiots.

  103. Isn't it just a little bit stupid... by ihummel · · Score: 1

    for them not to have made backups of the MD5SUMS at least? Especially considering how tiny that would be, especially in a tarball?

  104. No you're not by FooBarWidget · · Score: 2, Interesting

    No you're not. You're not supposed to trust the FSF, you're supposed to trust commercial distributors like RedHat.
    The FSF is the Free Software Foundation. They don't exist to help your business, they exist to provide... well... Free Software.

    Whatever happens to FSF's own servers is completely irrelevant. Your distributor is the only thing that matters.

    1. Re:No you're not by IM6100 · · Score: 1

      With some 'distributions', i.e. Free/Net/OpenBSD, the source tarball for packages is downloaded directly from the source repository at GNU. An MD5sum test is made, of course, but it is NOT a matter of trusting a commercial distributor.

      Why do people assume there needs to be a commercial distributor?

      --
      A Good Intro to NetBS
  105. how cracker got in by latroM · · Score: 2, Interesting

    What I have heard on IRC, the cracker had user-level access to the system and used the Linux ptrace bug to gain root. It is sad that this happened. The cracker probably used at least some of the GNU tools to do his work.

  106. Re:So apache no invulnerable then... by Anonymous Coward · · Score: 0

    ...if this was a site hosted on IIS, then we would already be flooded with posts laughing at how insecure M$ systems are and gloating how this doesn't happen with open source systems.
    Actually, this happens on a daily basis to literally 1000s of MS systems. The real problem is the accumulating costs of this stuff. Horrible.

  107. !HURD by Trix · · Score: 1

    Almost everything related to The HURD is gone (the ISOs were off the root of the server). Not sure how I feel about that.

    --
    I want all of the power and none of the responsibility.
  108. Worse than that by kyz · · Score: 1

    much, MUCH worse:

    It was running wu-ftpd.

    wu-ftpd. just. say. no.

    Friends don't let friends use wu-ftpd. Or ProFTPD. Not even the OpenBSD ftpd. Instead, they make them use publicfile.

    --
    Does my bum look big in this?
    1. Re:Worse than that by Feyr · · Score: 2, Insightful

      another piece of software from our big friend d.j.bernstein? tell you what, there is no way in hell that thing gets anywhere near my machine. djbdns sucks enough as it is

    2. Re:Worse than that by Anonymous Coward · · Score: 0

      The GNU folks won't like Dan Bernstein's license. Too bad for them. The FTP program looks good.

    3. Re:Worse than that by Anonymous Coward · · Score: 0

      no one likes djb's license. it's retarded.

    4. Re:Worse than that by Anonymous Coward · · Score: 0

      > Friends don't let friends use wu-ftpd. Or ProFTPD. Not even the OpenBSD ftpd. Instead, they make them use publicfile.

      OK, I'll bite: What's wrong with ProFTPD?

    5. Re:Worse than that by hdw · · Score: 1

      And publicfile would protect them against a local kernel exploit?
      // hdw

      --
      Executive Pope (small) Kallisti Engineering
  109. Re:So apache no invulnerable then... by Omnifarious · · Score: 1

    So, what are you getting me for myth myth?

  110. Re:Wait? I thought Linux was Secure?? by JeffTL · · Score: 2, Interesting

    Okay, then it is likely a vulnerability, in which case I hope it is fixed soon; consider my words eaten. Vulnerabilities are ALWAYS worth noting, because though you can never find them all, the ones that are found can be sealed.

  111. Re:Wait? I thought Linux was Secure?? by lone_marauder · · Score: 2, Insightful

    Depends on how you define secure. If a major windows site gets broken into like this, you don't hear about it. You only hear about Windows problems when a.) Microsoft decides to release a "security fix", or b.) when large corporations and state governments are brought to their knees.

    The real story is (and this groks with your point, by the way), how do you trust someone trying to proselytize you with an alien philosophy of computer use when they still run wu-ftpd and don't do backups?

    --
    who are those slashdot people? they swept over like Mongol-Tartars.
  112. patched August 31, 2003 by hungfarlow · · Score: 1

    pretty cool. My calendar is reporting that today is August 13, 2003. or maybe that was your point and I'm an idiot.

    --
    Penguins are so sensitive to my needs - Lyle Lovett
  113. Explains Why by 4of12 · · Score: 1

    Perhaps my favorite link to checkout new releases from the FSF hasn't been working the past week or so.

    --
    "Provided by the management for your protection."
  114. Can you give me the exact time this happened? by Anonymous Coward · · Score: 0

    I downloaded gcc 3.3.1 yesterday or the day before, then installed it. :( They'd better get me those md5s fast!

    1. Re:Can you give me the exact time this happened? by Anonymous Coward · · Score: 0

      The Missing Files list at ftp.gnu.org is dated the 2nd of August, so you're probably safe.

  115. GNU Archives cdroms by Anonymous Coward · · Score: 0

    Can't you just get a fairly recent GNU archives cdroms from cheapbytes or somewhere, then get the source and MD5 sums from the maintainers of each package that has changed since that last archive snapshot was taken?

  116. How full of shit are you? by Anonymous Coward · · Score: 0

    You mention poor sysadmin as being the cause of proprietary platforms problems, yet you mention that the systems were "compromised" because 'open source' or 'free software' isn't 100%

    Don't you think poor admin skills could be the reason for the "intrusion" as well (we have a good case here), or is it only where you say it is?

  117. Re:So apache no invulnerable then... by The+Bungi · · Score: 1
    Because people have paid MS billions of dollars for that software

    You shouldn't use that analogy. It compiles to "you get what you pay for - and you're no better off if you don't pay for it anyway".

    Oh, and comparing free software to "charity" is also a bad idea.

  118. Probably mentioned, but by lemming552 · · Score: 1, Interesting

    This just shows that anything can be broken whether Windows or other OS.
    I'm surprised that their backup scheme was this shoddy. Possibly something where they didn't save back far enough to be sure, or something fairly recent that can't be verified as non-hacked in their backups.
    Of course, I'd be wary of any MD5sums sent in unless sent in from various verified sources. Of course they might not be trusting their own MD5sums and want to verify from the outside as well?
    Certainly a black eye for the FSF, but I'm sure they'll learn a lesson from this in any case.

  119. Re:Top Five Ways For The Linux Zealot To Deal With by DunbarTheInept · · Score: 1

    6. Recognize it for what it is - stupid admins.

    --

    Don't label something "offtopic" unless you know the topic well enough to tell what's on topic.

  120. Well by Anonymous Coward · · Score: 0

    OpenBSD isn't a security panacea, but on the x86 it's the next best thing.

    Really, though - a tool is only as good as its user, and running an FTP server is always suicide.

    --Ryv

  121. very dangerous by 7-Vodka · · Score: 1
    This could have been a tragedy. If they don't have backups, what would happen if say the assailant had just deleted everything?

    Then we would be up shits creek without a paddle.

    --

    Liberty.

    1. Re:very dangerous by Atzanteol · · Score: 1

      I rather doubt that the public FTP server is the only location for all the code that was on the server. I mean, c'mon. If it *was*, then these guys are a bunch of morons.

      --
      "Ignorance more frequently begets confidence than does knowledge"

      - Charles Darwin
    2. Re:very dangerous by IM6100 · · Score: 1

      There are mirrors of ftp.gnu.org all over the Internet.

      The 'damage' done here is much more severe than somebody just deleting everything at the actual ftp.gnu.org site. Because if that had happened, it would have been a simple matter to stream it all back from one of the mirror sites.

      What happened instead is far worse. Someone got in and (may have) corrupted some of the source tarballs. Then, because it wasn't noticed immediately, these corrupted files made their way out to the mirrors.

      --
      A Good Intro to NetBS
  122. How Long by jpmorgan · · Score: 4, Insightful
    How long was the server compromised and serving out possibly trojan-horse software before it was detected?

    Also nicely demonstrates the pointlessness (and stupidity) of serving out your MD5sums from the same machine.

    1. Re:How Long by pongo000 · · Score: 1
    2. Re:How Long by Anonymous Coward · · Score: 0

      Also nicely demonstrates the pointlessness (and stupidity) of serving out your MD5sums from the same machine.

      The MD5sums are for when you download from a mirror. Nothing short of GPG signed files would have prevented this (and how many GNU developers are in your web of trust?)

    3. Re:How Long by ComputerSlicer23 · · Score: 1
      Well, if you want real security, first off, don't trust just an MD5SUM. An MD5SUM is an integrity checker to ensure the file you got had no problems in transmission. It's not to tell you that the file you have is authentic, and secure.

      You take the MD5SUM file, and you PGP sign it (sneaker net it to the machine which has the PGP key and has never been connected to a network), and sneaker net the signature back. Now, the original MD5SUM inside of a signature can be used as an authenticity check. PGP signing a bunch of large files is excessive (I suppose you could sign a digest, which is all MD5SUM really is). I believe kernel.org posts signatures for kernel images. The PGP signature tells you that the person who signed the MD5SUM believes that those are the pristine files, and their MD5SUM. You are placing your security in their hands, in how well you believe they have done their job.

      If you want to get really secure, you've got to ensure the physical security of the machine with the key. You have to ensure the security of the original install media for the signature machine. Oh, and you have to wear a tinfoil hat and gloves while running PGP.

      Kirby

    4. Re:How Long by volkerdi · · Score: 3, Interesting

      Also nicely demonstrates the pointlessness (and stupidity) of serving out your MD5sums from the same machine.

      MD5 sums are only secure if they are provided through a secure channel (like within a GPG-signed message). Using a second machine to serve out the MD5 sums is only twice as safe (two machines to crack), and that's still not too safe.

      What I wonder is why they didn't sign accepted packages with GPG. I've been doing that for a while (well, since breaking-and-trojaning became fashionable).

      I hope when ftp.gnu.org comes back that it's with *.asc files next to all the archives...

    5. Re:How Long by ysachlandil · · Score: 1

      And therefore they will now GPG sign the md5sums, problem solved!

      --Blerik

  123. Re:In Soviet Russia by Delphix · · Score: 1, Funny

    Actually that's:

    In Democratic America, GNU Mirrors you.

  124. Re:Can someone please tell me... by Rhubarb+Crumble · · Score: 1
    Bzzt, Wrong. There are more Apache servers (by far) than IIS servers, and IIS gets more attacks - by over a four to one margin.

    Are you sure you mean servers rather than web sites?

    Most of the www.my-crappy-little-domain.com type sites are hosted on Apache, but they're hosted by the hundreds on the same (usually sun) box.

    It gets more attacks because it is less secure, NOT because of volume.

    It also gets more attacks because the sites hosted on IIS tend to be owned by higher-profile outfits (e.g. MS) - nobody cares about hacking someone's personal home page.

  125. DARL! DARL!! by pair-a-noyd · · Score: 4, Funny

    Turn that pee-cee thing off and go to bed RIGHT NOW!

    Yes mom.... /pull covers over head and laptop/

  126. BACKUPS 101 by Anonymous Coward · · Score: 0

    (1) you should make a backup every day.

    1. Re:BACKUPS 101 by gregarican · · Score: 1

      (2) You should (gasp) RTFA to see they did backup.

  127. It was SCO!!!! by vaderhelmet · · Score: 1

    Dear SCO,
    You hacked our FTP site. We're suing you for the damages, and demanding that you return our original files and the MD5 Sums. Unfortunately due to this being our IP and trade secrets, we can't tell you which files and MD5 Sums we want. So instead, we're going to start charging your stockholders a license fee to use your stock.
    Love,
    Free Software Loving People Everywhere

  128. Re:Wait? I thought Linux was Secure?? by the_othergy · · Score: 5, Insightful
    the next time a virus is released that takes down 90% of Linux installs, and toasts most of the internet, let me know. Until then, your point isn't exactly valid
    The next time a virus takes down 90% of Windows installs and toasts most of the internet, let ME know...

    Though don't bother if it only toasts about 50% of Windows installs and brings down only a significant portion of the internet. That's becoming too commonplace.
  129. Re:Wait? I thought Linux was Secure?? by danheskett · · Score: 1

    MS is number 2 server, but almost 100% of the CC thefts are from MS
    Care to back that up with a link, source, or other credible method?

  130. Re:Wait? I thought Linux was Secure?? by Anonymous Coward · · Score: 0

    you realized you just proved his point, right?

  131. Its not wu-ftpd by Anonymous Coward · · Score: 0

    I doubt it's wu-ftpd. From http://vsftpd.beasts.org/ it appears that ftp.gnu.org uses vsftpd. They may also use wu-ftpd, but that is a very bad choice on their part since wu-ftpd has a very bad record of security.

    1. Re:Its not wu-ftpd by robslimo · · Score: 1

      I doubt it's wu-ftpd. From http://vsftpd.beasts.org/ it appears that ftp.gnu.org uses vsftpd. They may also use wu-ftpd, but that is a very bad choice on their part since wu-ftpd has a very bad record of security.

      In which possibility I am doubly interested in discovering the story behind the 'compromise' at gnu.org

  132. hmmm by Anonymous Coward · · Score: 0

    I wonder what the linux crowd will do if it ever gets over a 1% market share and hackers start to REALLY target it. What are all these fat cheap bastards sitting in their mom's basement on a 486 gonna do then? As it stands now a hacker really has nothing to gain by learning to hack linux. Windows on the other hand has 90% of the market and some very non technically savvy individuals using it. Hmm, what OS would I pick to hack? Seems obvious... but just watch and see if linux ever becomes even 1/5 as popular as MS then you can bet your ass exploits will be popping up left and right. Especially if the new linux crowd is even half as retarded as the MS users nowadays. No OS is 100%...at least people using MS are willing to admit it unlike the linux crowd.

  133. What about the Honkeys? by StringBlade · · Score: 1
    ...or what if they were Honkey crackers?

    mmmm....honkey crackers and cheese....*ghgllhglhglhg*

    ...just for the record...I am a white honkey cracker!

    --
    ...and that's the way the cookie crumbles.
  134. Re:Wait? I thought Linux was Secure?? by FortKnox · · Score: 0, Troll

    I'd like to thank every single reply to my parent comment!

    You truly help make the only true point I was trying to make. It doesn't matter if this was a hole built into the kernel that was the size of Texas, the fact that it happened on Linux will be downplayed and if the slightest thing happens on windows you blow up on it. The poll running right now (worst zealot) is pretty pertinent to this conversation, isn't it?

    --
    Good quote, too many chars. Seriously, the slashdot 120 char limit sucks!
  135. They don't have a backup! by Anonymous Coward · · Score: 0

    Should we ever trust these stupid people?

  136. Re:Wait? I thought Linux was Secure?? by cp5i6 · · Score: 1

    Because we all know that a worm by definition spreads only when it takes over an OS that actually DOES own 90% of all OSes out there.

    So you're going to be waiting a long time my friend and it's not because linux is more secure =)

  137. webpage was cracked, not FTP by samhalliday · · Score: 1
    i emailed FSF a few days ago about missing links on the main www.gnu.org webpage; the response was that the webserver had been cracked. i asked about FTP, but i was told that they didn't think it was compromised and i was given a GPG signed list of md5sums from before and after the incident, compared and nothing had changed (bar obviously the ones in this article).

    this is quite worrying, i understand it was the ssh v1 crack (probably some script kiddy inspired by the matrix reloaded) and i was told that savannah (which currently uses ssh v1 for cvs commits) will be upgraded to ssh v2 in the near future.

    damn, i was gonna commit this story :-), but didn't have any more news besides the emails i got.

    1. Re:webpage was cracked, not FTP by samhalliday · · Score: 1
      hmm, everyone else on this article seems to be saying contradictory stuff to what i was told (i.e. FTP cracked, no GPG sums, wu-ftp was the vulnerability). i am beginning to wonder how much FUD is really floating around in the talkbacks. after all: the submitter didn't even give us any evidence and all i have to go on are the few emails i had from a spokesperson for the webserver a few days ago.

      i'd love to hear an official response from the FSF, wouldn't you all?

    2. Re:webpage was cracked, not FTP by samhalliday · · Score: 1
      ok, so i'm daft; please forgive me

      http://ftp.gnu.org/MISSING-FILES.README

  138. Learn to read, jackass. by Anonymous Coward · · Score: 0

    NO TEXT.

  139. Re:Wait? I thought Linux was Secure?? by crandall · · Score: 2, Insightful

    How about next time that happens to windows, in those numbers, you let me know. In the meantime, why don't you be a little more realistic and a little less biased in your numbers?

  140. Status update from FSF on GNU FTP site crack by bkuhn · · Score: 3, Informative

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    To the Free Software Community:

    Summary

    * gnuftp, the FTP server for the GNU project was root compromised.

    * After substantial investigation, we don't believe that any GNU
    source has been compromised.

    * To be extra-careful, we are verifying known, trusted secure
    checksums of all files before putting them back on the FTP site.

    Events Concerning Cracking of Gnuftp

    A root compromise and a Trojan horse were discovered on gnuftp.gnu.org,
    the FTP server of the GNU project. The machine appears to have been
    cracked in March 2003, but we only very recently discovered the crack.
    The modus operandi of the cracker shows that (s)he was interested
    primarily in using gnuftp to collect passwords and as a launching point to
    attack other machines. It appears that the machine was cracked using a
    ptrace exploit immediately after the exploit was posted on bugtraq.

    (For the ptrace bug, a root-shell exploit was available on 17 March 2003, and
    a working fix was not available on linux-kernel until the following week.
    Evidence found on the machine indicates that we were cracked during that
    week.)

    Given the nature of the compromise and the length of time the machine was
    compromised, we have spent the last few weeks verifying the integrity of
    the GNU source code stored on gnuftp. Most of this work is done, and the
    remaining work is primarily for files that were uploaded since early 2003,
    as our backups from that period could also theoretically be compromised.

    Historical Integrity Checks

    We have compared the md5sum of each source code file (such as .tar.gz, .tar.bz2, diff's, etc.) on ftp.gnu.org with known good data. The file,
    ftp://ftp.gnu.org/before-2003-08-01.md5sums.asc, contains a list of files
    in the format:

    MD5SUM FILE [REASON, ... REASON]

    The REASONs are a list of reasons why we believe that md5sum is good for
    that file. The file as a whole is GPG-signed.

    Remaining Files

    The files that have not been checked are listed in the root directory as
    "MISSING-FILES". We are in the process of asking GNU maintainers for
    trusted secure checksums of those files before we put them in place.

    We have lots of evidence now to believe that no source has been
    compromised -- including the MO of the cracker, the fact that every file
    we've checked so far isn't compromised, and that searches for standard
    source trojans turned up nothing.

    However, we don't want to put files up until we've had a known good source
    confirm that the checksums are correct.

    Alpha FTP Site

    The Alpha FTP site at ftp://alpha.gnu.org/ has been a lower priority for
    us, but we plan to follow the same procedure there.

    - --
    Bradley M. Kuhn, Executive Director
    Free Software Foundation | Phone: +1-617-542-5942
    59 Temple Place, Suite 330 | Fax: +1-617-542-2652
    Boston, MA 02111-1307 USA | Web: http://www.gnu.org

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.2.1 (GNU/Linux)

    iD8DBQE/OnYb53XjJNtBs4cRAqplAJ95PHJhIwRiwjKBqSIxZHSVlTOtxACgyouK
    QAfYhiLJcwPHio6fsk+s2uY=
    =DUMO
    -----END PGP SIGNATURE-----
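The statement above describes a GPG-signed list of entries in the format `MD5SUM FILE [REASON, ... REASON]`, and earlier comments in this thread (ComputerSlicer23, volkerdi) make the point that an MD5 sum only says anything about authenticity when it arrives inside a signature. The Python below is an added example, not code from the FSF or from any poster: it strips the cleartext-signature armor from such a list (undoing the dash-escaping visible in the statement, where "--" appears as "- --"), parses the entries, and checks a set of local files against them, sorting them into verified, mismatched, unlisted (what the statement calls MISSING-FILES, still needing a maintainer's checksum) and absent. The manifest, file contents, paths and REASON labels are constructed for the demonstration; treating reasons as a comma-separated list is an assumption, and the placeholder signature block stands in for a real one, which would have to pass `gpg --verify` before anything parsed from the body is trusted.

```python
import hashlib
import re

# Constructed stand-ins for source tarballs: the bytes, paths and REASON
# labels used here are invented for this example, not FSF data.
HELLO_GOOD = b"hello-2.1.1 source (constructed stand-in for a tarball)\n"
TAR_GOOD = b"tar-1.13 source (constructed stand-in for a tarball)\n"
TAR_TAMPERED = TAR_GOOD + b"extra bytes standing in for a trojaned upload\n"
BASH_GOOD = b"bash-2.05b source (constructed stand-in for a tarball)\n"

# Constructed clearsigned list in the format the FSF statement gives,
# "MD5SUM FILE [REASON, ... REASON]" (reasons assumed comma-separated).
# The signature block is a placeholder: gpg --verify must succeed on a
# real list before any entry is trusted; this code only strips the armor.
SAMPLE_MANIFEST = """-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

# constructed sample; the real list is before-2003-08-01.md5sums.asc
{hello} gnu/hello/hello-2.1.1.tar.gz mirror-match, maintainer-confirmed
{tar} gnu/tar/tar-1.13.tar.gz pre-2003-backup
{bash} gnu/bash/bash-2.05b.tar.gz
- -- end of list (dash-escaped, as clearsigned text requires)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

PLACEHOLDERSIGNATUREDATA
=XXXX
-----END PGP SIGNATURE-----
""".format(hello=hashlib.md5(HELLO_GOOD).hexdigest(),
           tar=hashlib.md5(TAR_GOOD).hexdigest(),
           bash=hashlib.md5(BASH_GOOD).hexdigest())

# Constructed local archive: one good file, one tampered, one uploaded
# after the list was signed; bash-2.05b is absent altogether.
SAMPLE_FILES = {
    "gnu/hello/hello-2.1.1.tar.gz": HELLO_GOOD,
    "gnu/tar/tar-1.13.tar.gz": TAR_TAMPERED,
    "gnu/foo/foo-0.1.tar.gz": b"uploaded after the signed list was made\n",
}

ENTRY_RE = re.compile(r"^([0-9a-f]{32})\s+(\S+)(?:\s+(.*))?$")


def extract_clearsigned_body(text):
    """Return the signed text of a clearsigned message with dash-escaping
    undone. Stripping armor is not verification: run gpg --verify first."""
    lines = text.splitlines()
    try:
        start = lines.index("-----BEGIN PGP SIGNED MESSAGE-----")
        end = lines.index("-----BEGIN PGP SIGNATURE-----")
    except ValueError:
        raise ValueError("not a clearsigned message")
    i = start + 1
    while i < end and lines[i].strip():    # skip armor headers ("Hash: SHA1")
        i += 1
    # "- -foo" on the wire was "-foo" in the signed text
    return "\n".join(ln[2:] if ln.startswith("- ") else ln for ln in lines[i + 1:end])


def parse_manifest(body):
    """Parse "MD5SUM FILE [REASON, ... REASON]" lines into
    {path: (md5, reasons)}. '#' comments and a trailing '--' line are
    ignored; any other line that does not fit the format is an error."""
    entries = {}
    for raw in body.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("--"):
            continue
        m = ENTRY_RE.match(line)
        if not m:
            raise ValueError("malformed manifest line: %r" % raw)
        md5, path, reasons = m.groups()
        if path in entries:
            raise ValueError("duplicate entry for %s" % path)
        entries[path] = (md5, tuple(r.strip() for r in reasons.split(",")) if reasons else ())
    return entries


def verify_files(entries, files):
    """Check local files ({path: bytes}) against the signed entries.
    Returns sorted lists: (verified, mismatched, unlisted, absent)."""
    ok, bad, unlisted = [], [], []
    for path, data in files.items():
        if path not in entries:
            unlisted.append(path)   # stays in MISSING-FILES until a maintainer confirms a sum
            continue
        digest = hashlib.md5(data).hexdigest()
        (ok if digest == entries[path][0] else bad).append(path)
    absent = sorted(set(entries) - set(files))
    return sorted(ok), sorted(bad), sorted(unlisted), absent


def run_demo():
    entries = parse_manifest(extract_clearsigned_body(SAMPLE_MANIFEST))
    return verify_files(entries, SAMPLE_FILES)


if __name__ == "__main__":
    for label, paths in zip(("verified", "mismatch", "unlisted", "absent"), run_demo()):
        print("%-9s %s" % (label, paths))
```

The split into four buckets mirrors the procedure the statement lays out: a file is served again only when its sum matches a signed entry, a mismatch is never served, a file the signed list does not know about cannot be vouched for by the list at all and needs a fresh checksum from whoever uploaded it, and the parser refuses malformed lines rather than skipping them so a truncated or edited list cannot quietly drop entries.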

    1. Re:Status update from FSF on GNU FTP site crack by meshko · · Score: 1
      I've already posted this question but I'll post it again here since this is obviously a better place ;)

      ------------------

      Could someone more 1337 than me explain how could they crack it using the ptrace exploit? Isn't it local only? Does this mean that someone who had an account on the ftp.gnu.org did it? Are they not disclosing the exact method of attack? Why? Of all people FSF should be happy to tell exactly what happened, no?
      --
      I passed the Turing test.
    2. Re:Status update from FSF on GNU FTP site crack by bkuhn · · Score: 4, Informative

      Yes, the crack was carried out by a local user. We don't know if it was a social engineer or someone who compromised an existing account.

    3. Re:Status update from FSF on GNU FTP site crack by Anonymous Coward · · Score: 0

      I thought RMS refused to use a password on his accounts? That is the first place I'd start looking.

    4. Re:Status update from FSF on GNU FTP site crack by McSnarf · · Score: 1

      This just shows that political correctness ("Everybody with an account here has to be good because he/she believes in Free Software") is an inferior approach to best practice ("You are a friend, but I trust you only so far, besides, I feel responsible for the security of my site.").

  141. Re:Can someone please tell me... by Anonymous Coward · · Score: 0

    > Bzzt, Wrong.

    FYI, this makes you sound like an ass.

    >There are more Apache servers (by far) than IIS servers

    Assume you are referring to Netcraft, which counts SITES, not SERVERS.

    Fact is there are far more IIS SERVERS running on intranets and personal machines, not under the control of a professional administrator. That makes it a much more juicy target for an automated attack like a worm.

  142. They're too busy modding down the dissenters. by Anonymous Coward · · Score: 0

    You know, those who question the bias and fanatical pro-FSF, anti-MS lunacy on Slashb^Hdot.

  143. Texinfo by Anonymous Coward · · Score: 0

    Wouldn't it be nice if texinfo went missing and nobody noticed?

  144. Re:Wait? I thought Linux was Secure?? by MagPulse · · Score: 1

    takes down 90% of Linux installs and toasts most of the internet

    Maybe when Linux comes anywhere astronomically close to the share that Windows computers have they might (a) do some serious damage and (b) be worth crackers' time to use.

    My pet OS has never had an exploit and has never caused any massive Internet interruptions. That doesn't make it more secure than Windows.

  145. Re:Wait? I thought Linux was Secure?? by Anonymous Coward · · Score: 0

    check www.openbsd.org. It's Solaris.

  146. Corrupted Backups (a.k.a. Why request MD5s?) by Valdrax · · Score: 1

    Just how long has the server been cracked? Backup media and its proper storage can be expensive, and it's perfectly likely that they don't have backups that are older than the crack. Even if they did, they can't necessarily be sure that they know for a fact when the crack happened.

    Note that they are asking for valid MD5 sums. You do know what MD5s are used for, right? They're used to verify that you haven't downloaded a compromised copy of the application. So, it's very likely that they have archives of the applications. The problem is that they don't know if their applications are compromised, and they can't use their backed-up MD5s because they could be compromised too! That's why they're requesting valid MD5s -- so that they can verify that their archives are good. They also can't just recompile everything because they don't know if the source code has been compromised too, and reading it all or even doing diffs against other official archives is unfeasible due to the man-hours it would involve.

    They also can't just grab files and MD5s from their mirrors because their mirrors could have compromised files too. Without MD5s for quick verification, they're screwed.

    --
    If it's for-profit but free, you're not the customer -- you're the product (e.g., the Slashdot Beta's "audience").
    1. Re:Corrupted Backups (a.k.a. Why request MD5s?) by BattleTroll · · Score: 1

      So are you saying that performing regular, predictable backups is completely pointless because you never really know when the system was first compromised? How then is it safe to ever use anything from the FSF? If the backup is compromised and the MD5 hash is compromised, you're back to square one. Better yet, how can anyone convince their boss to use FSF release binaries knowing there is no guarantee they're original?

      Excusing really sloppy practices by implying those practices are pointless doesn't cut it. Comprehensive, qualified backups should be the norm.

    2. Re:Corrupted Backups (a.k.a. Why request MD5s?) by Valdrax · · Score: 2, Insightful

      Backups don't help if you don't know when you were cracked, and they don't help replace files which only exist after the crack if you can't verify that they weren't cracked. A comprehensive backup is not a magical wand that you can just wave to get back everything that could've been damaged by a crack or other catastrophic event. Backups are there to minimize losses. The FSF is doing what is right in this situation; they're not blindly trusting their backups. It's sad to see the ignorance in this thread where people assume that because they're asking for help that they don't even have any backups.

      The FSF's admin is just savvy enough to realize what the limits of backups are. They are hoping that other people who may have downloaded these packages before the crack will have what the valid MD5s for them are. On the other hand, this isn't going to be a reliable answer for them either. People who have cracked binaries will report back the cracked sum. They have to look for files for which they get contradictory responses on. This isn't foolproof either thanks to malicious trolls who post false info and potentially cracked files for which no one responds with the correct MD5 to. I wish them good luck, but they are going to be carrying suspect data for a long time.

      Read the link off of the Alpha site for more information on what they're doing and why. (Yes, Virginia, they did have backups.)

      --
      If it's for-profit but free, you're not the customer -- you're the product (e.g., the Slashdot Beta's "audience").
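The tallying Valdrax describes above, as an added example that is not part of this thread and not any FSF tooling: it counts each reporter's MD5 once per file, drops malformed sums, and sorts the MISSING-FILES list into files with a quorum of agreeing reports, files with contradictory reports, files with too few reports to trust, and files nobody reported. The reporter names, filenames and digests are constructed sample data (the digests are the well-known MD5s of the empty string, "abc" and "a").

```python
"""Tally volunteer-reported MD5 sums for files whose trusted checksum
is unavailable, and flag contradictions.  Added example, not FSF code;
all reports below are constructed sample data."""
from collections import Counter, defaultdict

HEX = set("0123456789abcdef")

# Constructed reports: (reporter, filename, md5 hex digest).
REPORTS = [
    ("alice", "foo-1.0.tar.gz", "d41d8cd98f00b204e9800998ecf8427e"),
    ("bob",   "foo-1.0.tar.gz", "D41D8CD98F00B204E9800998ECF8427E"),  # case differs only
    ("carol", "foo-1.0.tar.gz", "d41d8cd98f00b204e9800998ecf8427e"),
    ("alice", "bar-2.1.tar.gz", "900150983cd24fb0d6963f7d28e17f72"),
    ("dave",  "bar-2.1.tar.gz", "0cc175b9c0f1b6a831c399e269772661"),  # disagrees
    ("alice", "bar-2.1.tar.gz", "900150983cd24fb0d6963f7d28e17f72"),  # repeat: still one vote
    ("erin",  "qux-3.2.tar.gz", "not-a-real-sum"),                    # malformed: dropped
    ("frank", "qux-3.2.tar.gz", "900150983cd24fb0d6963f7d28e17f72"),
]
MISSING = ["foo-1.0.tar.gz", "bar-2.1.tar.gz", "qux-3.2.tar.gz", "baz-0.9.tar.gz"]


def valid_md5(s):
    """True for a 32-digit hex string, in either case."""
    s = s.lower()
    return len(s) == 32 and set(s) <= HEX


def classify(reports, missing, quorum=2):
    """Return a dict with keys agreed, contradictory, unconfirmed, unreported.

    agreed:        one digest, reported by at least `quorum` distinct people
    contradictory: more than one digest reported for the same file
    unconfirmed:   one digest, but fewer than `quorum` reporters
    unreported:    no usable report at all
    """
    votes = defaultdict(dict)            # filename -> reporter -> md5
    for reporter, fname, md5 in reports:
        if valid_md5(md5):
            votes[fname][reporter] = md5.lower()   # one vote per reporter
    out = {"agreed": {}, "contradictory": {}, "unconfirmed": {}, "unreported": []}
    for fname in missing:
        tally = Counter(votes[fname].values())
        if not tally:
            out["unreported"].append(fname)
        elif len(tally) > 1:
            out["contradictory"][fname] = dict(tally)
        else:
            (md5, n), = tally.items()
            bucket = "agreed" if n >= quorum else "unconfirmed"
            out[bucket][fname] = md5
    return out


if __name__ == "__main__":
    for bucket, files in classify(REPORTS, MISSING).items():
        print(bucket, files)
```

A tally like this only measures agreement among reporters, not authenticity: one person with many mail addresses can manufacture a quorum, and a file everyone downloaded after the crack would produce unanimous agreement on the wrong digest. That is why the "agreed" bucket is a shortlist for a maintainer to confirm against a copy from before the crack, not a result to publish as-is.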
  147. You don't dump unless you have backups? by YetAnotherName · · Score: 1

    I don't even take a dump unless I am certain I have backups.

    Odd, I take a dump when I run backups...

    % dump -0anf /dev/nst0 /

  148. ftp? by Cyno · · Score: 1

    Why do we still use ftp?

    1. Re:ftp? by meshko · · Score: 2, Informative

      because anonymous ftp is the best way to let people download files? ftp server [theoretically] is much simpler than HTTP server (apache) and therefore is more secure. In this particular case I don't think that the FTP server APPLICATION was compromised. I think the FTP server (as in "computer serving ftp requests") was compromised.

      --
      I passed the Turing test.
    2. Re:ftp? by Cyno · · Score: 1

      It was the ftp server that was compromised. It was insecure. I've never known ftp to be secure. Even ssh and cvs have their problems, but ftp is notorious for these types of breakins. It should not run with root access, it should run in a chroot jail, and it should never be off the DMZ if you intend to use it for production, just like a DNS server. It should never be trusted. If you set it up differently you're just asking for trouble.

      Why aren't ssh/scp, cvs, or http perfectly good protocols to use for this type of service? Again, why do we still use ftp? What does it offer that the others don't?

    3. Re:ftp? by meshko · · Score: 1

      Please read the announcement. The system was compromised using the ptrace Linux kernel bug. By a person with a local account. Absolutely nothing to do with the FTP protocol or ftp server applications. It is true that some FTP servers (wu-ftp, proftp etc) have had a history of security problems. It doesn't make the FTP protocol somehow insecure. Of course authenticated FTP is as insecure as telnet because of clear text passwords, but anonymous FTP is a perfectly fine protocol and there is absolutely nothing wrong with running an anonymous ftp server. You are not advising people to stop running web servers because IIS is insecure? Or stop using email because sendmail has a bad security history?

      --
      I passed the Turing test.
    4. Re:ftp? by _xeno_ · · Score: 1
      While it does have nothing to do with the FTP protocol, it might have had something to do with the FTP server software. The bug they claim was exploited is a local exploit (the ptrace race condition). It requires code to be executed on the local machine. So the question remains - how did the code get there?

      "It appears that the machine was cracked using a ptrace exploit by a local user immediately after the exploit was posted on bugtraq." (from the MISSING-FILES.README)

      So who was the local user? Was this a shell account that the hacker had legitimate access to? Or did the hacker steal someone else's account when they logged in through another compromised machine? Or was it the FTP server that allowed a local, non-root shell? There just isn't enough information given to know - it sounds the FTP server software wasn't responsible, but you never know...

      --
      You are in a maze of twisty little relative jumps, all alike.
    5. Re:ftp? by Cyno · · Score: 1

      Why did I mention chroots and DMZ and stuff?

      Compromise an ftp server, gain root through any typical userland insecurity. This is a common occurrence. Happened to me once.

      I bet it would be rather easy to steal a user's password by snooping an ftp server's line. Does ftp transmit passwords in clear text like telnet? Yeah, real secure.

      How can there be any security when people can't stop using things like ftp and windows 98? There can't. So fuck it. Nevermind.

    6. Re:ftp? by Cyno · · Score: 1

      Actually, yeah I'd recommend people stop using email or ftp.

      You are not advising people to stop running web servers because IIS is insecure?

      No, but I would stop running IIS because IIS is insecure, same goes for all Microsoft products. Who really wants to support a monopoly anyway?

    7. Re:ftp? by meshko · · Score: 1

      I don't know why you mentioned chroots and DMZ.
      They have said at least twice today that it was compromised by a local user. Let me repeat that: local user. Not through the ftp server. And no, they can not "snoop an ftp server's line" to get passwords, because it is an anonymous ftp server. Anonymous ftp servers do not use passwords. That's why they are not a problem.

      Connected to ftp.gnu.org.
      220 GNU FTP server ready.
      User (ftp.gnu.org:(none)): rms
      530 This FTP server is anonymous only.
      Login failed.

      --
      I passed the Turing test.
    8. Re:ftp? by Cyno · · Score: 1

      I'm sorry, I misread the FSF's statement. I thought I read they were running gnuftp, when I know I read elsewhere they were running wu-ftpd.. gnuftp, hmmm, never heard of that ftp daemon. Probably because that's the hostname of the server. Doh! :P

      Okay, so maybe anonymous ftp isn't all that bad. I've just been frustrated with security this week. I'm like, 'If it ain't encrypted I don't wanna hear about it'. Maybe I've had too much SCO and MSBlast.

  149. ptrace exploit? by meshko · · Score: 1

    Could someone more 1337 than me explain how they could crack it using the ptrace exploit? Isn't it local only? Does this mean that someone who had an account on the ftp.gnu.org did it? Are they not disclosing the exact method of attack? Why? Of all people FSF should be happy to tell exactly what happened, no?

    --
    I passed the Turing test.
  150. GNUBlaster by Anonymous Coward · · Score: 2, Funny

    [root@localhost src]# cat md5sum
    Dickie Stallman why do you make this possible? Start making money and fix your software!!

  151. Re:Wait? I thought Linux was Secure?? by Slime-dogg · · Score: 3, Insightful

    Last time I checked, it was wu_ftpd that had the vulnerability, not Linux. It doesn't matter if you were running it on Cygwin, *BSD, HURD, or Linux. Geesh. Stop calling everything OS Linux, because it isn't.

    --
    You need to restart your computer. Hold down the Power button for several seconds or press the Restart button.
  152. Pure-FTPd by nutznboltz · · Score: 1

    If they knew what they were doing they would have been using Pure-FTPd.

    1. Re:Pure-FTPd by 0racle · · Score: 1

      Pure-FTP doesn't like to work through my firewall, of course I could be just stupid, it's been known to happen.

      --
      "I use a Mac because I'm just better than you are."
    2. Re:Pure-FTPd by chrysalis · · Score: 1

      Read the FAQ : http://pure-ftpd.org/FAQ

      And if you still have issues, ask for help on the mailing-list. Maybe you forgot to forward some ports or something like that.

      However the problem with the GNU Server is that someone with local shell access used a Linux kernel bug to gain root access. Pure-FTPd wouldn't help a lot in this case.

  153. Enough speculation -- here's the story by pestilence4hr · · Score: 2, Informative

    From http://ftp.gnu.org/MISSING-FILES.README

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    To the Free Software Community:

    Summary

    * gnuftp, the FTP server for the GNU project was root compromised.

    * After substantial investigation, we don't believe that any GNU
    source has been compromised.

    * To be extra-careful, we are verifying known, trusted secure
    checksums of all files before putting them back on the FTP site.

    Events Concerning Cracking of Gnuftp

    A root compromise and a Trojan horse were discovered on gnuftp.gnu.org,
    the FTP server of the GNU project. The machine appears to have been
    cracked in March 2003, but we only very recently discovered the crack.
    The modus operandi of the cracker shows that (s)he was interested
    primarily in using gnuftp to collect passwords and as a launching point to
    attack other machines. It appears that the machine was cracked using a
    ptrace exploit immediately after the exploit was posted on bugtraq.

    (For the ptrace bug, a root-shell exploit was available on 17 March 2003, and
    a working fix was not available on linux-kernel until the following week.
    Evidence found on the machine indicates that we were cracked during that
    week.)

    Given the nature of the compromise and the length of time the machine was
    compromised, we have spent the last few weeks verifying the integrity of
    the GNU source code stored on gnuftp. Most of this work is done, and the
    remaining work is primarily for files that were uploaded since early 2003,
    as our backups from that period could also theoretically be compromised.

    Historical Integrity Checks

    We have compared the md5sum of each source code file (such as .tar.gz,
    .tar.bz2, diff's, etc.) on ftp.gnu.org with known good data. The file,
    ftp://ftp.gnu.org/before-2003-08-01.md5sums.asc, contains a list of files
    in the format:

    MD5SUM FILE [REASON, ... REASON]

    The REASONs are a list of reasons why we believe that md5sum is good for
    that file. The file as a whole is GPG-signed.

    Remaining Files

    The files that have not been checked are listed in the root directory as
    "MISSING-FILES". We are in the process of asking GNU maintainers for
    trusted secure checksums of those files before we put them in place.

    We have lots of evidence now to believe that no source has been
    compromised -- including the MO of the cracker, the fact that every file
    we've checked so far isn't compromised, and that searches for standard
    source trojans turned up nothing.

    However, we don't want to put files up until we've had a known good source
    confirm that the checksums are correct.

    Alpha FTP Site

    The Alpha FTP site at ftp://alpha.gnu.org/ has been a lower priority for
    us, but we plan to follow the same procedure there.

    - --
    Bradley M. Kuhn, Executive Director
    Free Software Foundation | Phone: +1-617-542-5942
    59 Temple Place, Suite 330 | Fax: +1-617-542-2652
    Boston, MA 02111-1307 USA | Web: http://www.gnu.org

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.2.1 (GNU/Linux)

    iD8DBQE/OnbO53XjJNtBs4cRAkZaAJ0ZdQ98ZNe4GRgAT2bR4hBHRqo/aQCglWnU
    kmOLmrVCzPxrJ/S68R1q42w=
    =+pu6
    -----END PGP SIGNATURE-----

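A parser and checker for the manifest format the announcement describes ("MD5SUM FILE [REASON, ... REASON]", the whole file GPG clearsigned), as an added example that is not the FSF's own tooling. It skips the clearsign armor header, un-escapes dash-escaped lines, stops at the signature block, and then compares a local directory of downloads against the listed sums. It does not verify the signature itself (that is gpg's job, and must happen before the parsed sums are trusted). The manifest text and the files it checks are constructed in a temporary directory.

```python
"""Parse a clearsigned 'MD5SUM FILE [REASON, ... REASON]' manifest and
check a directory of downloaded files against it.  Added example, not
the FSF's own tooling; the manifest and files below are constructed."""
import hashlib
import os
import tempfile


def parse_manifest(text):
    """Return {filename: (md5_hex, [reasons])}.

    Handles the PGP clearsign framing: skips the armor header block
    ('Hash: ...' lines up to the first blank line), un-escapes lines that
    were dash-escaped ('- '), and stops at the signature block.  It does
    NOT verify the signature; run gpg on the .asc first and only feed the
    text here if that check passed.  Any line that is not a manifest
    entry is an error rather than silently ignored."""
    entries = {}
    state = "body"                       # an unsigned manifest is all body
    for line in text.splitlines():
        if line.startswith("-----BEGIN PGP SIGNED MESSAGE-----"):
            state = "armor_header"
            continue
        if line.startswith("-----BEGIN PGP SIGNATURE-----"):
            break
        if state == "armor_header":
            if not line.strip():
                state = "body"
            continue
        if line.startswith("- "):        # clearsign dash-escaping
            line = line[2:]
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        if len(parts) < 2:
            raise ValueError(f"unparseable manifest line: {line!r}")
        md5, fname = parts[0].lower(), parts[1]
        if len(md5) != 32 or set(md5) - set("0123456789abcdef"):
            raise ValueError(f"bad md5 in manifest line: {line!r}")
        reasons = parts[2].split(",") if len(parts) == 3 else []
        entries[fname] = (md5, [r.strip() for r in reasons if r.strip()])
    return entries


def md5_of(path):
    """Stream a file through MD5 so large tarballs are not read into memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_tree(root, entries):
    """Map each manifest filename to 'ok', 'MISMATCH' or 'missing'."""
    status = {}
    for fname, (expected, _reasons) in entries.items():
        path = os.path.join(root, fname)
        if not os.path.isfile(path):
            status[fname] = "missing"
        else:
            status[fname] = "ok" if md5_of(path) == expected else "MISMATCH"
    return status


def demo():
    """Constructed scenario: one intact file, one altered after the
    manifest was made, one listed but not present locally."""
    root = tempfile.mkdtemp()
    intact = b"hello-1.0 tarball bytes (constructed)\n"
    altered = b"sed-4.0 tarball bytes, modified (constructed)\n"
    original = b"sed-4.0 tarball bytes, original (constructed)\n"
    with open(os.path.join(root, "hello-1.0.tar.gz"), "wb") as f:
        f.write(intact)
    with open(os.path.join(root, "sed-4.0.tar.gz"), "wb") as f:
        f.write(altered)
    manifest = (
        "-----BEGIN PGP SIGNED MESSAGE-----\n"
        "Hash: SHA1\n"
        "\n"
        f"{hashlib.md5(intact).hexdigest()} hello-1.0.tar.gz maintainer, pre-2003 backup\n"
        f"{hashlib.md5(original).hexdigest()} sed-4.0.tar.gz cdrom\n"
        "00000000000000000000000000000000 tar-1.13.tar.gz mirror\n"
        "-----BEGIN PGP SIGNATURE-----\n"
        "(signature omitted in this constructed sample)\n"
        "-----END PGP SIGNATURE-----\n"
    )
    return verify_tree(root, parse_manifest(manifest))


if __name__ == "__main__":
    for fname, result in sorted(demo().items()):
        print(f"{result:8s} {fname}")
```

The REASON list is carried through unchanged so a maintainer can see on what basis each sum is trusted; the checker deliberately reports MISMATCH without guessing which side is wrong, since a stale manifest and a trojaned file look identical from the digest alone.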
  154. Actual reason is the ptrace vulnerability by mopomi · · Score: 1

    From the MISSING-FILES.README on ftp.gnu.org:

    Events Concerning Cracking of Gnuftp

    A root compromise and a Trojan horse were discovered on gnuftp.gnu.org,
    the FTP server of the GNU project. The machine appears to have been
    cracked in March 2003, but we only very recently discovered the crack.
    The modus operandi of the cracker shows that (s)he was interested
    primarily in using gnuftp to collect passwords and as a launching point to
    attack other machines. It appears that the machine was cracked using a
    ptrace exploit immediately after the exploit was posted on bugtraq.

    (For the ptrace bug, a root-shell exploit was available on 17 March 2003, and
    a working fix was not available on linux-kernel until the following week.
    Evidence found on the machine indicates that we were cracked during that
    week.)

    Given the nature of the compromise and the length of time the machine was
    compromised, we have spent the last few weeks verifying the integrity of
    the GNU source code stored on gnuftp. Most of this work is done, and the
    remaining work is primarily for files that were uploaded since early 2003,
    as our backups from that period could also theoretically be compromised.

  155. MOD THIS UP! by oddtodd · · Score: 1

    d00dz

    --
    I have plenty of common sense, I just choose to ignore it. -- Calvin
  156. Re:So apache no invulnerable then... by ichimunki · · Score: 1

    It compiles to "you get what you pay for - and you're no better off if you don't pay for it anyway".

    No, what it compiles to is "Wow. Those people spent lots of money and it didn't do so well. Apparently you don't always get what you pay for. "

    ...comparing free software to "charity" is also a bad idea.

    How is it a "bad idea"? The FSF is a charity. Much free software is developed for no pay and given away freely. You make it sound like charity is a bad thing. It's not.

    --
    I do not have a signature
  157. No backups? by KlomDark · · Score: 0, Redundant

    WTF? No BACKUPS? What kind of a stupid idiot doesn't make backups. Somebody needs to get fired, or at least kicked out of the room. Missing a recent patch, understandable. No recent backups, unforgivable.

    Reminds me, I need to go do backups!

    1. Re:No backups? by gregarican · · Score: 1

      If you'd have bothered to RTFA you'd see they had backups, but these were done during times when their servers had been compromised. So the data itself might not have integrity. Get it?

    2. Re:No backups? by TheKodiak · · Score: 1

      I think the best part about this particular comment is that not only did they make backups, they ALSO patched to fix the vulnerability as soon as it was available.

      --
      -=Best Viewed Using [INLINE]=-
    3. Re:NO Backups? by gregarican · · Score: 1

      People who can't RTFA is actually the STUPIDEST THING that I have heard all day. They had backups. Try following the link and actually read.

  158. Why MD5? by n1ywb · · Score: 1

    Why is the FSF, a forerunner of innovation, using an weak and insecure hash algorithm like MD5? Why not SHA1, which is considered to be strong?

    --
    -73, de n1ywb
    www.n1ywb.com
    1. Re:Why MD5? by Anonymous Coward · · Score: 0

      What difference does it make? SHA1 is just as useless as MD5 if it isn't signed.

  159. RTFA: There *are* backups, and they *did* patch by stewby18 · · Score: 5, Informative

    ...The machine appears to have been cracked in March 2003, but we only very recently discovered the crack.
    [snip]
    (For the ptrace bug, a root-shell exploit was available on 17 March 2003, and a working fix was not available on linux-kernel until the following week. Evidence found on the machine indicates that we were cracked during that week.)
    Given the nature of the compromise and the length of time the machine was compromised, we have spent the last few weeks verifying the integrity of the GNU source code stored on gnuftp. Most of this work is done, and the remaining work is primarily for files that were uploaded since early 2003, as our backups from that period could also theoretically be compromised.

    (emphasis added). So in other words, they were cracked in the brief space between the exploit post and the patch, and didn't find it right away. Now, they are carefully vetting all their backups from that period to remove any possibility that a compromised backup could be redistributed.

    So, to answer your poorly-researched questions:

    • They have reliable backups of everything, except for those files which, due to their upload time, cannot possibly be considered secure
    • They are systematically verifying the reliability of the files where there could be any doubt

    Which part of this would you not consider a disaster recovery plan?

    1. Re:RTFA: There *are* backups, and they *did* patch by iii_rjm · · Score: 1

      I stand corrected

    2. Re:RTFA: There *are* backups, and they *did* patch by Prong · · Score: 1

      The part where they don't discover the compromise until August. Seriously. There are plenty of known methods of verifying an exposed server on an ongoing basis. Why weren't any of them used here?

    3. Re:RTFA: There *are* backups, and they *did* patch by Zebra_X · · Score: 1

      I think then the question is: why is this just being discovered now? Why was it not considered a "risk" that an exploit was available in the period of time the machine was vulnerable to the time it was patched? On such a high profile system, I would think that the integrity of the system would be of the utmost concern. I understand that it takes time to do such things - but if FSF is in the "business" of distributing software for the world to use they'd better be in the business of protecting it too.

    4. Re:RTFA: There *are* backups, and they *did* patch by Anonymous Coward · · Score: 0

      My annoyance with that particular bug was that the kernel maintainers did not make a patch which patches cleanly against a stock kernel.

      Basically, Marcelo was sleeping in Brazil and Alan did not release a new 2.4.x kernel (not even a 2.4.21-ac3) once this exploit was in the public; even though the exploit code included a patch.

      Anyone with a Linux box had to depend on their distributor to get a working patch.

      - Sam

    5. Re:RTFA: There *are* backups, and they *did* patch by LWATCDR · · Score: 1

      The big lesson in all of this should be... If there is a known exploit on your system you should check to see if anyone used it after you patch your system.

      No system is perfect.

      --
      See my blog http://ilovecookes.blogspot.com/ for light hearted technical information.
    6. Re:RTFA: There *are* backups, and they *did* patch by Mooncaller · · Score: 2, Insightful

      Maybe because they are a non-profit and have limited funds for doing such things. And don't give me "Well they should have been using automated tools". I'm more of a programmer than an Admin, yet even I know enough to get around any automated tool once I have root. The person who did this exploit knew what they were doing and used the exploit to do something rather subtle. I.e. they were careful not to trigger any alarms, so the intrusion was only detectable by a live person. And please note, this incident involved a very busy server accessed by a large number of people. Taking 4 months to find the intrusion is not surprising at all. If you could do better, I suggest you put your time where your typing finger is, and help out the FSF. Otherwise stop whining.

    7. Re:RTFA: There *are* backups, and they *did* patch by Anonymous Coward · · Score: 0

      Score one for security through obscurity, at least for not posting exploit code before a working patch is available.

    8. Re:RTFA: There *are* backups, and they *did* patch by Prong · · Score: 1
      I'm more of a programmer than an Admin, yet even I know enough to get around any automated tool once I have root.

      Obviously, you need to start that new career as a sooper-sekrat cracker. I'm sure you'll do wonderfully.
      The person who did this exploit knew what they were doing and used the exploit to do something rather subtle. I.e. they were careful not to trigger any alarms, so the intrusion was only detectable by a live person.
      You have absolutely no way of knowing that, unless you are personally maintaining those systems. Here are the known facts: sometime between the release of an exploit in ptrace and the time the system was patched to close that exploit, someone remote rooted the machine in question. Now, given that the admin(s) applied the patch, why didn't they check the system at that time? 4 months to realize that a production server that a large number of people depend on being secure is atrocious, despite your claim that it's "not surprising at all". If I allowed that to happen to my customers, I'd not only be fired, but probably sued.
      If you could do better, I suggest you put your time where your typing finger is, and help out the FSF.

      I could, but I'm not a big fan of RMS or many of the FSF policies. Both smell kinda funny to me.

      BTW, your spelling is horrible.
  160. Re:Wait? I thought Linux was Secure?? by El_Ge_Ex · · Score: 1

    However, the next time a virus is released that takes down 90% of Linux installs

    I'll be happy to, just as soon as Linux is worth writing a virus for...

    -B

    Why yes, I _am_ wearing flame retardant underwear. Why do you ask?

  161. Re:Can someone please tell me... by Planesdragon · · Score: 2

    Bzzt, Wrong. There are more Apache servers (by far) than IIS servers, and IIS gets more attacks - by over a four to one margin.

    I said "of identical configuration."

    How many Apache instances are running exactly the same combination of modules?

  162. FTP (the protocol) is NOT the problem. by MartinG · · Score: 4, Interesting

    ftp as a protocol is far simpler to implement than ssh2 for example, so if you have no authentication to do, use ftp.

    Using ssl is good if you have eg. passwords to hide, but other than that it just introduces complexity. more complexity tends to mean more possibility for bugs, which means more possible exploits.

    However, don't use bloated, over-complicated stuff like wuftpd etc. something like vsftpd is /much/ better. its very simple and designed from scratch to be secure above all else. afaik it has never had a security bug found, and I would say is as close to secure as it is possible to be.

    --
    -- MartinG To mail me: echo kewyjlcxyzvjfxbqwh | tr bcefhjklqvwxyz .@adgimnoprstu
    1. Re:FTP (the protocol) is NOT the problem. by Anonymous Coward · · Score: 0

      If you only encrypt the secrets, then they know where the secrets are.

    2. Re:FTP (the protocol) is NOT the problem. by Politburo · · Score: 1

      afaik it has never had a security bug found

      Ha. Go read the first line in any software engineering book.

    3. Re:FTP (the protocol) is NOT the problem. by depeche · · Score: 1

      Or just use OpenBSD. Their ftp server is solid and their approach to security should minimize risks. If you need security, use an appropriate OS--and until (a distro of) Linux has the track record of OpenBSD they might as well use a known, reliable platform for their ftp server. After all this system, by its nature, will be vulnerable to potential threats.

    4. Re:FTP (the protocol) is NOT the problem. by Anonymous Coward · · Score: 0

      (from netcraft)

      The site ftp.openbsd.org is running Apache/1.3.27 (Unix) PHP/4.3.1 mod_perl/1.27 on Solaris.

    5. Re:FTP (the protocol) is NOT the problem. by Florian+Weimer · · Score: 1

      ftp as a protocol is far simpler to implement than ssh2 for example, so if you have no authentication to do, use ftp.

      FTP is not really firewall-friendly. But if you want to run it, vsftpd is a good choice (certainly the best one I've looked at so far).

  163. IT and developers are different by mec · · Score: 1

    The Free Software Foundation is not about IT. It's about development. They are different things.

    That is, they know all about how to write software, and not much about operating a public Internet site.

  164. MOD PARENT DOWN: TROLL by Anonymous Coward · · Score: 0

    (such as for disgruntled BSD h4x0rs and so on)

    1. Re:MOD PARENT DOWN: TROLL by Anonymous Coward · · Score: 0

      BSD si teh sht1!!!

      j00 4re the TROLL!

  165. Backup before the crack? by iii_rjm · · Score: 1

    If that is the case then I don't understand why the call for copies of the files. Should they not just pull them from their backup?

    1. Re:Backup before the crack? by Mooncaller · · Score: 1

      Files uploaded after exploit, therefore possibly compromised backups. Think before you post moronic comments!

    2. Re:Backup before the crack? by prizog · · Score: 1

      As I understand it (and I'm not the sysadmin), there were many files uploaded after the crack. Backups of those files are worthless.

  166. disaster recovery plan by donutz · · Score: 1

    No. The real $64,000 question is why didn't they have reliable backups and a disaster recovery plan

    So wait, now you're telling me that asking the community for backups of my files isn't a disaster recovery plan? Great...now I have to go make one up...

  167. They sure covered their tracks well! by Anonymous Coward · · Score: 0

    # grep ircflood *.c
    gcc.c:#include "ircflood.h"

    I can't believe it.

  168. MODERATORS: RTFA! by Anonymous Coward · · Score: 0

    For the love of God, stop moderating all the stupid questions/comments about lack of backups, or incompetent server admins, interesting/insightful. Until you've RTFA'd, you can't possibly know what an insightful question is.

  169. SCO did it! SCO did it! by aggieben · · Score: 3, Funny

    I'll sick my cat on them....

    --
    Don't become a regular here, you will become retarded. -- Yoda the Retard
    1. Re:SCO did it! SCO did it! by cherad · · Score: 1
      I'll sick my cat on them....
      That should probably be "sic", unless you really don't like SCO. Or your cat.
  170. FSF systems by devphil · · Score: 5, Interesting

    They do have more than one sysadmin, but none of them are full-time, I believe.

    There are also some "interesting" schools of thought regarding security over in gnu.org land, and I'm sure there's tension between them as well. For example, savannah has to have some level of security, but their shell machine (not savannah) has almost zero "sysadmin-added" security: important configuration files are world-writable[*], because RMS doesn't believe in restricting individual actions of users on that machine. The only security is what's provided by the default installation, minus the world-writabilities.

    So it should come as no surprise that the shell machine has been compromised multiple times. All from local users exploiting holes. The most recent was done in April, but they didn't find out about it until a few weeks ago. They're still recreating accounts.

    I don't know about the ftp machine; I assume it's neither the same system as savannah nor the shell box. But it wouldn't surprise me to find the same situation: some important people at gnu.org don't believe in locking down machines, some important people do, but (gripping hand) it almost doesn't matter because none of them have the time to do so.

    (If you wonder why the GCC manuals, web pages, etc, on {savannah,www,ftp}.gnu.org are occasionally out of date, it's because gcc.gnu.org (the master) is not admin'd by the same group. Events like this are why it's not admin'd by the same group.)

    [*] Backups are done by having little Emacs hooks in comments in the files. When you edit the file -- and of COURSE you're using GNU/FSF Emacs, not XEmacs or any other editor in the world, cuz it's a gnu.org machine -- Emacs knows to make backup copies. I have no idea whether real backups are done, or how.

    --
    You cannot apply a technological solution to a sociological problem. (Edwards' Law)
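The condition devphil's footnote describes, configuration files left world-writable, is one an administrator can sweep for mechanically. The following audit is an added example, not anything from gnu.org: it walks a tree and lists regular files and directories that any user can write, while leaving alone sticky directories such as /tmp where other-write is intended. The tree it inspects is constructed in a temporary directory; on a real host you would point it at /etc or /.

```python
"""List world-writable files and directories under a root.  Added
example, not gnu.org tooling; the demo tree is constructed in a temp dir."""
import os
import stat
import tempfile


def world_writable(root):
    """Return sorted paths (relative to root) whose mode has the other-write
    bit.  Symlinks are skipped via lstat, since their own mode is irrelevant;
    directories with the sticky bit (the /tmp convention) are not reported."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            if not st.st_mode & stat.S_IWOTH:
                continue
            if stat.S_ISDIR(st.st_mode) and st.st_mode & stat.S_ISVTX:
                continue                      # sticky dir: intended
            hits.append(os.path.relpath(path, root))
    return sorted(hits)


def demo():
    """Constructed tree: one correctly protected file, two world-writable
    config files, one sticky temp directory."""
    root = tempfile.mkdtemp()
    etc = os.path.join(root, "etc")
    os.makedirs(etc)
    for name, mode in [("passwd", 0o644), ("motd", 0o666), ("crontab", 0o666)]:
        p = os.path.join(etc, name)
        with open(p, "w") as f:
            f.write("constructed\n")
        os.chmod(p, mode)                     # chmod is not masked by umask
    tmp = os.path.join(root, "tmp")
    os.makedirs(tmp)
    os.chmod(tmp, 0o1777)                     # sticky, world-writable: not reported
    return world_writable(root)


if __name__ == "__main__":
    for path in demo():
        print("world-writable:", path)
```

A hit on a file like crontab matters more than the mode alone suggests: a world-writable file that root later reads or executes is a local privilege escalation path in its own right, independent of any kernel bug.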
    1. Re:FSF systems by IM6100 · · Score: 2, Interesting

      Historically, Richard Stallman was one of the hackers at MIT who actively opposed the imposition of passwords on the Unix account logins. He and other hackers like him at the time opposed passwords because they believed in a community of sharing and openness. They refused to put passwords on their accounts for as long as possible.

      --
      A Good Intro to NetBS
    2. Re:FSF systems by Zebra_X · · Score: 1

      Damn, why do we not lock our houses, leave our keys in our cars and while we are at it - stores won't need any employees, everyone can be trusted to pay before they leave. Wait, money is evil.

      Such ideologies are better left on paper.

    3. Re:FSF systems by Mooncaller · · Score: 1

      They shouldn't even be put down on paper.

    4. Re:FSF systems by Anonymous Coward · · Score: 0

      In my family, we usually don't lock the house during the daytime. Of course, that's partly because there's always somebody home...

    5. Re:FSF systems by Anonymous Coward · · Score: 0

      Take a look at the New Testament sometime, sunshine.

    6. Re:FSF systems by Anonymous Coward · · Score: 0

      Nice ;)

    7. Re:FSF systems by Zebra_X · · Score: 1

      I live in a city - my parents live in the middle of nowhere. Funny thing is that they too leave their keys in their cars and the house unlocked - all the time. You can do that in the country, but it can't be done in an urban setting. I think that it can't be done in a suburban setting with any sort of reliability either. So then that is to say that such a level of trust cannot be practiced with any sort of reliability in all major population centers in the world.

      The fact of the matter is that we are humans and on the whole, history has proven that humans can't be trusted. As a species we are not yet to a point where every member can be counted on to do the "right thing".

  171. And the internet shall be your tape backup by EMR · · Score: 1

    And why are there no mirrors of ftp.gnu.org?
    Did no one heed Linus' advice?

    1. Re:And the internet shall be your tape backup by gregarican · · Score: 2, Interesting

      They would be mirrors of the same compromised data, genius. If you'd have bothered to RTFA you'd see they backed up. But since the site had been compromised since 3/2003 the datasets backed up aren't 100% "clean".

  172. RMS and Security by hackrobat · · Score: 1
    RMS's "Information wants to be Free" mindset is famous. At MIT, he was against the use of passwords in the computer labs. Quoting from The Last of the True Hackers:
    As a true hacker, RMS despised passwords, and was proud of the fact that the computers he was paid to maintain did not use them.
    He even cracked the password system in the lab such that it would display the user's password on the system console; he found it "amusing".

    In this interview on KDE's site, RMS admits that he was forced to use passwords on his systems after a few bad experiences.

    HY: In a lecture, you mentioned that you didn't use passwords, and had no security for your computer.

    RMS: Uh-huh. Security might make sense with banks and military facilities, but in a computer lab, that is a sign of a social breakdown.

    HY: (!!!) Social Breakdown?!?!!

    RMS: Yes. It's like curing the symptom and worsening the disease. The disease here are the young people who are cut off from warmth and anything really worthwhile, who have nothing on their hands but to rebel and get attention by sneaking into other people's systems. But then the attention that they get from this is one of total hate and hostility. Security sends out that message of hostility, and I don't want to be on either side of it.

    HY: So, you still don't have security?

    RMS: I regret to say that we had to. There was this one person who repeatedly erased our files and there was no choice. So we made a gateway, a login server. But since I thought that this was such a sad thing, I thought I should suffer more from it so I can't log in on that server.
    We have to appreciate the man for his ideals; it's really sad that they have no place in this world. If there's one person whom I can give God status, it's RMS. He's a pain in the ass, alright, but that's characteristic of all Gods (look up Greek mythology, Hindu mythology, etc.).
    1. Re:RMS and Security by maxume · · Score: 1

      Does he take the form of GNU and take advantage of innocent young maidens? What results from these trysts of his?

      --
      Nerd rage is the funniest rage.
    2. Re:RMS and Security by Anonymous Coward · · Score: 0

      A lot of pissed off, sexually frustrated young women.

  173. Why Configuration Management Is Important by DoctorMabuse · · Score: 2, Insightful

    This is another illustration of why Configuration Management should be beaten into the head of anyone taking Computer Science or Engineering. Many of the security problems I have to fix at customer sites are caused by systems having different versions, no one knowing what version is correct, not keeping backups, etc. This is not rocket science, folks. Buy a damn DVD-RW drive and back stuff up. Keep the checksums. Know what is the latest version.

    End of sermon.

  174. Troll/Flamebait... please mod me down by felis_panthera · · Score: 2, Funny

    and proud of it... this has nothing to do with your post, it has to do with your sig. I can't stand misquotes, especially not from The Simpsons. You cannot simply say that the quote was from "The Simpsons", there have been 14 seasons of episodes to choose from. The quote in question was delivered by Superintendent Chalmers in Season 5, episode 19 "Sweet Seymour Skinner's Baadasssss Song" upon hearing Ned Flanders (the interim principal of Springfield Elementary) thanking God for another glorious day.

    Now that I have proven that my geek is bigger than yours, please for the love of the gods mod me down so no one else will ever be able to read this.

    --

    The chains are broken
    Loki is free
    Ragnarok is at hand...
    1. Re:Troll/Flamebait... please mod me down by Anonymous Coward · · Score: 0
      Oh, sad, sad, day.

      This is why I don't like to post under my account any more.

      (Score -1, Troll)

      Did the moderator even bother to look?

      Sad, sad day.

      BTW, I never expected this to get moderated. It was just a friendly rub against the poster of the parent comment. Follow the link and you'll understand. Sad.

    2. Re:Troll/Flamebait... please mod me down by Black+Copter+Control · · Score: 1
      I really wanna know how Slashdot does its moderation math:
      • Moderation +1
        30% Funny
        30% Offtopic
        20% Troll
      --
      OS Software is like love: The best way to make it grow is to give it away.
  175. Crack details by Anonymous Coward · · Score: 0

    I have an account on gnu.org and below is a summary of the details from an email sent out on Sat Aug 2, to all account holders by Bradley Kuhn:

    The crack occurred in March 2003 but was only recently discovered. It was an inside job (local user) using a ptrace exploit. The cracker was using their account to gain access to other systems.

    The machine was re-installed over the weekend and all account holders had to re-instate their accounts starting the following Monday.

  176. What, they don't run Tripwire??? by Anonymous Coward · · Score: 0

    In addition to not doing backups, the FSF also doesn't have any real way of determining whether the files they offer are correct or not. Wow. I'd have expected something a little more professional than that.

    If they a.) backed up their server now and then, and b.) ran Tripwire regularly, they wouldn't be in this situation. There *is* a GPL'd version of Tripwire, after all, it's on SourceForge, it's not hard to find.

  177. $10 by Anonymous Coward · · Score: 0

    Maybe they can take the $10 I give them every month and figure out how to do a backup of their server...

  178. No excuse? How about the directional flow of time? by stewby18 · · Score: 2, Insightful

    being overworked, underpaid, or anything else is not an excuse for having an unpatched machine

    RTFA before criticizing their admin(s):

    For the ptrace bug, a root-shell exploit was available on 17 March 2003, and a working fix was not available on linux-kernel until the following week. Evidence found on the machine indicates that they were cracked during that week.

    Is the lack of a patch an excuse not to be patched?

  179. MS Maybe by Coneasfast · · Score: 1

    Probably was Microsoft, we all know how 'closed-minded' they can be...

    sorry, bad joke ;)

    --
    Marge, get me your address book, 4 beers, and my conversation hat.
  180. Special Limited Time Offer!!! by Anonymous Coward · · Score: 0

    Slashdotters!!! Act now!!! Send your MD5sums along with $9.95 shipping and handling to the following address and receive your free "Bill Gates is a Weeney" mug!!! But that's not all, if you act within the next five minutes, you'll also get a free "I HATE SCO" T-Shirt

    FSF MD5Sum Recovery Center
    C/O RMS
    One True Way
    Cambridge, MA 12345

  181. And your statement isn't stupid? by stewby18 · · Score: 1

    Sure, this incident demonstrates that the person(s) in charge of the maintenance of ftp.gnu.org is/are incompetent

    Given that there wasn't yet a patch available when they were cracked, they in fact did discover the crack, and they in fact do have complete backups, on what basis do you conclude that the admin(s) "is/are incompetent"?

    1. Re:And your statement isn't stupid? by Kevin+DeGraaf · · Score: 1

      Given that there wasn't yet a patch available when they were cracked, they in fact did discover the crack, and they in fact do have complete backups, on what basis do you conclude that the admin(s) "is/are incompetent"?

      Running wuftpd when publicfile and pureftpd exist is strong evidence of incompetence.

      --
      We have more to fear from the bungling of the incompetent than from the machinations of the wicked.
    2. Re:And your statement isn't stupid? by Anonymous Coward · · Score: 0

      publicfile is not considered Free Software by the FSF due to the brain-damaged "License" that DJB insists on using.

      Running wu-ftp is still stupid though.

  182. FSF statement by p_trekkie · · Score: 1

    Check it out


    It explains that the system was compromised back in March by a vulnerability that had not yet been patched at the time. The cracker left behind a trojan to keep getting in, even after the software was patched. Unfortunately, the FSF people didn't realize it had been compromised until recently, so all the backups for the past few months can't be trusted, hence the verification.

  183. Re:No excuse? How about the directional flow of ti by bmj · · Score: 1

    RTFA before criticizing their admin(s):

    Please note the "article" is an UPDATE to the initial post, meaning some posts to this thread couldn't read the "article" before posting.

    --
    Whereof we cannot speak, thereof we must be silent. --Ludwig Wittgenstein
  184. If it was a private enterprise you wouldn't hear by Stone316 · · Score: 1

    about it. Private companies get hacked, held ransom all the time but you never hear about it because they are afraid (rightfully so) it will scare their customers. At least the FSF had the courage to admit it.

    --
    "Thanks to the remote control I have the attention span of a gerbil."
  185. Shill! by lysium · · Score: 1
    SCO paid you to say that. Admit it!

    ----------

    --
    Together, we will drive the rats from the tundra.
    1. Re:Shill! by Homology · · Score: 1
      SCO paid you to say that. Admit it!

      Is the admission tax deductible, and will you indemnify me for any infringement of my possible admittance?

    2. Re:Shill! by lysium · · Score: 1
      They buried that somewhere in the fine print of the contract -- better check carefully, considering how they do business....

      -------

      --
      Together, we will drive the rats from the tundra.
  186. Re:Wait? I thought Linux was Secure?? by Anonymous Coward · · Score: 0

    So in the grandparent post you were talking out of your ass. How can we be sure of anything you're saying now??

  187. Think of what you're asking. by pclminion · · Score: 1
    You're asking if there are mirrors of the content on a Free Software organization's website, an organization that prides itself in producing and improving software whose raison d'etre is to be freely, unhinderably distributed among the people of the world.

    Are you fucking MAD, man?

  188. Re:So apache no invulnerable then... by ideut · · Score: 1
    WARNING: fruitcake alert.

    Please do not go near the software advertised in the parent post.

    --

    --

  189. Re:Wait? I thought Linux was Secure?? by Anonymous Coward · · Score: 0

    almost 100% of the CC thefts are from MS.

    Who would trust a Linux server to store credit card numbers on? Certainly very few people, hence there just aren't CC numbers to steal off Linux servers.

  190. they've been GNU/Hacked by Anonymous Coward · · Score: 0

    or GNU/compromised. GNUws at 11.

  191. Re:Wait? I thought Linux was Secure?? by IM6100 · · Score: 1

    The only XP computers 'susceptible to MSBlast' are those that are unpatched, which is significantly fewer than 'every single machine'. Just the same as the only Linux servers (known) to be susceptible are those without current patches applied. And there are plenty of Linux boxes out there that aren't kept up to date. Nobody told the people who put them online that the 'free' operating system was going to require 10 hours a week of reading Usenet security groups and update websites and applying patches.

    --
    A Good Intro to NetBS
  192. Re:No excuse? How about the directional flow of ti by stewby18 · · Score: 1

    So maybe RTFA isn't the right acronym: how about "WUYHAIBSOATTM" (Wait Until You Have Actual Information Before Shooting Off At The Mouth).

    Posting that things like this are hypocritical, and/or that the admin is an idiot, is stupid regardless of whether or not the statement was available yet. I don't see how leaping to unjustified conclusions is defensible regardless of whether it's due to unavailability of actual facts, or just laziness.

    Ignorance is ignorance, and wild, ignorant speculation doesn't help any issue.

  193. FSF WAS BACKING UP! by DrJimbo · · Score: 1

    Sorry for shouting but there are so many messages here chastising FSF for not backing up. They were backing up but they were compromised in March '03 and they can't trust backups that were made since the intrusion.

    --
    We don't see the world as it is, we see it as we are.
    -- Anais Nin
  194. Re:Wait? I thought Linux was Secure?? by slug359 · · Score: 1

    Since when is OpenBSD FreeBSD?
    Correct link: Netcraft (but it says they use Solaris on their site?)

  195. I know what's next. by gregarican · · Score: 1
    It's certainly been an interesting week. Everything from Windows worm exploits to now some GNU FTP compromises.

    Seems like each section of the computing populace is getting slapped around.

    But there are some exceptions. Maybe the next target will be Apple users working on a Banyan VINES network or maybe some VAX junkies working on ARCnet!

    Seriously though. Most of the lessons I've learned tell me that it's not all to be blamed on programmers, nor is it all to be blamed on sysadmins and end users. But God knows I subscribe to every security mailing list possible provided by my hardware/software vendors.

  196. Re:Wait? I thought Linux was Secure?? by Anonymous Coward · · Score: 0

    The next time a virus takes down 90% of Windows installs and toasts most of the internet, let ME know...

    that might be kind of hard with all those Windows boxes hiding behind linux firewalls?

  197. Re:No excuse? How about the directional flow of ti by bmj · · Score: 1

    I'm not trying to judge the FSF sys admin at all. I _am_ making a statement about the Slashdot community however -- regardless of whether someone has complete information, if it's a Windows problem, there are NO excuses...but since this is a linux-related problem (obviously not directly related to the kernel) no one wants to rush to judgement.

    My only conclusion is that there are some hypocrites that post here (and I'm not referring to you ;-))

    --
    Whereof we cannot speak, thereof we must be silent. --Ludwig Wittgenstein
  198. Pointless by isn't+my+name · · Score: 3, Insightful

    The whole idea of a mirror is that it actually mirrors what is on another site. If they've been rooted since March 2003, then it is somewhat unlikely that the www.mirror.ac.uk is actually going to have files any different than FSF.

    Unless of course, the mirror hasn't been updated since sometime in mid-March.

    1. Re:Pointless by gearheadsmp · · Score: 2, Informative

      True. But they certainly have more bandwidth for "hungry" Slashdotters. From what I understand, many of the missing non-Alpha-stage packages are available at most distro-specific mirrors, such as Debian, Gentoo, and in RPMS form.

  199. Re:Wait? I thought Linux was Secure?? by Anonymous Coward · · Score: 0

    Yes, but if you read your E S Raymond and drink heavily of his magickal kool-aide, you would recognize that the Open Source movement is inherently more secure.

  200. Easy to point out someone else's mistakes by ThePyro · · Score: 5, Insightful

    It's very easy to point out other people's "mistakes" like this, but I wonder how many people actually take all these various precautions that they're so quick to accuse others of not implementing?

    The fools! They forgot to install a firewall!
    The fools! They didn't purge all the old user accounts!
    The fools! They didn't install the latest security patch! On all the boxes in the office!
    The fools! They didn't require 10 character passwords, to be changed every 15 days!
    The fools! They didn't update their virus definition files! Within the last 24 hours!
    The fools! They didn't make triple-redundant off site backups!
    The fools! They didn't have a plan C!
    The fools! They don't know where their towel is!

    Now granted, if you're being paid the big bucks to think about nothing but information security all day then all of these things should probably cross your mind... but I would be willing to bet that most people who are so quick and proud to show off their shiny, impenetrable suit of dragon scales have a soft vulnerable spot on their bellies.

    1. Re:Easy to point out someone else's mistakes by Anonymous Coward · · Score: 0
      Now granted, if you're being paid the big bucks to think about nothing but information security all day then all of these things should probably cross your mind... but I would be willing to bet that most people who are so quick and proud to show off their shiny, impenetrable suit of dragon scales have a soft vulnerable spot on their bellies.


      Indeed, I imagine if you get paid big bucks to think nothing about security all day then you would have a large soft vulnerable belly..... not to poke fun at nerds, but the mental image I have of the type of security guy who pulls 300k+ for and secures his own "one-man" forked inhouse distro of OpenBSD has a large belly. He would be vulnerable to the social engineering of a pretty lady. The 300k+ goes out the window once she begins her hack on his inexperienced *erhm* vanilla "kernel".

  201. WTF? by MasTRE · · Score: 4, Informative

    Neither the OP _nor_ the moderator think it important to note in front-page post that the box was compromised in _March_ 2003? Jeez, is this /. or -.?

    --
    Must-not-watch TV!
    1. Re:WTF? by Myrv · · Score: 1

      You do of course realize the information saying the compromise occurred in March wasn't available until several hours after the original post?

  202. Re:Wait? I thought Linux was Secure?? by rokzy · · Score: 2, Insightful

    did you miss the "by default" part?

    AFAIK, linux generally doesn't leave insecure ports open by default. what happens if someone reinstalls XP at some point in the future - could MSBlast come back when all the fuss has died down?

    I don't read a single second of usenet security groups, let alone 10 hours a week. SuSE YOU takes care of all that for me automatically.

    I let YOU do updates automatically because I trust it, whereas I turn off Windows automatic updating because I don't. since when is Media Player 9 and IE6 a "critical" update? plus windows updates often require a restart, and many need to be applied one at a time.

    once I did install IE6 to see what it was like and immediately there were another ~10 critical security updates that I required, so that was hardly a step forward for security imo.

  203. Re:No excuse? How about the directional flow of ti by Rinikusu · · Score: 1

    They did patch. However, shouldn't admins check their systems for exploits after applying the patch? I mean, are you supposed to apply a patch and just assume you were not compromised?

    --
    If you were me, you'd be good lookin'. - six string samurai
  204. Re:No excuse? How about the directional flow of ti by stewby18 · · Score: 1

    My only conclusion is that there are some hypocrites that post here

    No argument there... but comparing a root due to a just-published exploit to comments about Windows compromises--most of which (at least what's posted here) tend to be about old vulnerabilities that people didn't bother to patch, is (IMO) not the best way to make that point.

    But I'm all for fewer hypocrites and less ignorance on Slashdot :)

  205. NO Backups? by Anonymous Coward · · Score: 0

    This is the STUPIDEST THING I have heard all day. For a major entity such as the FSF to not have backups is pure stupidity. These people, who at least try to sound like intellectuals, should know better.

  206. Root compromised? by Anonymous Coward · · Score: 0

    So, not only are they not doing backups, they're running ftp daemons as root?

    DUH DUH DUH DUH DUH... FOOTBALL!

    1. Re:Root compromised? by gregarican · · Score: 1
      Not only did they do backups, but they had someone locally run a ptrace exploit to elevate themselves to root. See Ptrace defined here.

      RTFA!!!!

  207. Re:So apache no invulnerable then... by Anonymous Coward · · Score: 0

    If you think him an idiot, then why do you address him as sir? To show respect to an idiot is to be one.

  208. Re:Wait? I thought Linux was Secure?? by IM6100 · · Score: 1

    Slackware 3.6, and any version of Slackware before version 4.0 came out, didn't assign a root password, or prompt the installer to assign a root password.

    I happened upon a friend's system one night (after determining her IP address by reading a recent mail header) and on a lark telnetted in and typed 'root' as a user name. Bip! I had root access to her Slackware box. She'd been online through a PPP connection for several weeks with her box in that state.

    I am sure this is not the only anecdotal evidence of security problems with Linux distributions. There are so many versions of Linux out there now, that I'm sure there are stories to tell with any of them.

    --
    A Good Intro to NetBS
  209. 20 years of work lost. by Reservoir+Penguin · · Score: 1

    The bastards deleted all the HURD code!

    --
    US-UK-Israel: The real Axis of Evil
  210. backup software... by Anonymous Coward · · Score: 0

    Maybe they should be using some open source backup software like DIBS or Bacula.

  211. ENOUGH!!!!!!! by gregarican · · Score: 1
    Can't someone edit the original post so that it doesn't erroneously indicate they didn't have backups? In their statement they indicate they did, but they were backups of potentially compromised data.

    Half of the posts I am reading now pertain to not backing up or not patching. No one RTFA or follows the linked FSF statement.

    1. Re:ENOUGH!!!!!!! by Anonymous Coward · · Score: 0

      actually it's just the linux zealots avoiding the real point...linux can and will be hacked. Funny how all the posts here pointing that out have been modded trolls. That's ok, I can act like a rabid fanboy as well.

  212. Re:Wait? I thought Linux was Secure?? by lightcycle · · Score: 1

    Are you listening to yourself? The only XP computers susceptible to MSBlast? It seems those are a very large number of computers. One would think this would clue Windows apologists in that something is wrong in Windows security as well as the methods of updating. And 10h a week to read usenet? Most linux boxen will be brought up to date with a couple of shell commands. It's quite embarrassing that a FSF server is exploited, but in this case I'd say that whoever administered it has fucked up quite majorly.

    --

    The stars that shine and the stars that shrink
    in the face of stagnation the water runs before your eyes
  213. Where to send md5sums by zgornz · · Score: 1

    I found cvs-1.11.5.tar.gz that I had downloaded March 10th, looked for the email or ftp upload directory or /somewhere/ to send it. It's not listed anywhere. I emailed gnu@gnu.org with it but it seems that there would be a better place. Anyone?

  214. Re:sheesh! Can you fire a volunteer sysadmin? by IM6100 · · Score: 1

    Yes, but those are IDE CDR drives, and everybody knows that (for god knows what reason) the maintainer of cdrecord only directly supports SCSI CDR drives. Is it still necessary to use the 'SCSI emulation kludge' in a recompiled kernel to get your IDE CDR to work in Linux? It's been a few years since I tried.

    --
    A Good Intro to NetBS
  215. The question isn't whether BSD is dying... by aphor · · Score: 2, Interesting

    The question isn't whether BSD is dying but whether people keep going back and realizing/appreciating all the elegance and cleverness in BSD's evolution. Sure, it's dying, but it's constantly reincarnating too, isn't it!

    Post a reply if you would like me to send you an RPM for a Red Hat compatible PORTS tree...

    No really: I have lots of old FreeBSD CDROMs with a veritable history of (the best) GNU software and MD5 sums. I can go back to FreeBSD 2.2.2. Check your timeline. BSD subscribers save the day HA!

    --
    --- Nothing clever here: move along now...
  216. Bzzzt! Both of you are wrong by NoWhereMan · · Score: 2, Informative
    While I agree with the premise of the post

    The premise is wrong. Looks like neither of you read the explanation.

    (For the ptrace bug, a root-shell exploit was available on 17 March 2003, and a working fix was not available on linux-kernel until the following week. Evidence found on the machine indicates that gnuftp was cracked during that week.)

    This indicates that a patch was not available yet.

  217. Go easy on 'em... by chuckw · · Score: 4, Insightful

    Yeesh guys, go easy on these people. They bust their asses every day for us. Their GPL enforcement queue is usually about 50 cases deep. They're on the phones and on Capitol Hill every day educating and lobbying industry groups and politicians. Say what you will about the GPL, you don't even have to like it or agree with it and perhaps you even think RMS is a narrow-minded prick (for the most part RMS isn't even involved in the day to day operations at the fsf). They are making life easier for all of us.

    Rather than boast about all of the work they do, they quietly work behind the scenes just so you can play Monday morning quarterback. They have one fulltime systems administrator who is *INCREDIBLY* overworked. They are doing everything they can to keep the boat together. Last year they were over $315,000 in the red. Thanks to the FSF associate program and some skillful fundraising they're back in the black.

    Want to help? Go get your FSF associate membership. It's not that expensive and it goes a long way towards helping to protect your freedoms.

    Incidentally, this is also old news. They had MD5 sums verified, and the servers were patched up and back online almost two full weeks ago. None of the software was trojaned.

    Who am I? Just another hacker who bothered to pay for an associate membership (#1142)...

    --
    *Condense fact from the vapor of nuance*
    1. Re:Go easy on 'em... by dennisr · · Score: 1

      Member #1235, Joined on 2003-06-08 :)

      Also a member of:

      EFF
      ACLU
      Greenpeace
      SierraClub

      and I have to mention subscribing to:

      Slashdot
      Ars Technica
      Salon
      Digital Blasphemy
      Gamespot
      Fileplanet

      I am not a coder and mostly a lurker so the best I can do is give money... But I don't feel bad - money is needed too!

    2. Re:Go easy on 'em... by OAB · · Score: 1

      I will go easy on the FSF when they go easy on anybody else, i.e. never. They will admit no excuse when they think you are wrong, I see no reason to treat them differently.

    3. Re:Go easy on 'em... by chuckw · · Score: 1

      Care to explain specifics?

      --
      *Condense fact from the vapor of nuance*
    4. Re:Go easy on 'em... by Anonymous Coward · · Score: 0

      GPL? My freedom? Are you joking or what?

  218. Re:Wait? I thought Linux was Secure?? by rokzy · · Score: 1

    how much anecdotal evidence for windows insecurities do you think we could come up with if we're going all the way back to 1998?

    I don't think the point is that linux is 100% secure, just that it's much more secure than windows.

  219. Users by Anonymous Coward · · Score: 0

    Unsophisticated users use windows.

    You don't think that giving those same users Linux instead of Windows will result in lots of unpatched, wide open linux installs?

    And 90%? You must have been the same person who counted lines of SCO infringing code in Linux. Insightful my ass.

  220. Just 2 points by Anonymous Coward · · Score: 0

    1) Why did it take so long to find out they were compromised? 2) I hope they have a safe copy of the MD5 checker, 'cos this would be a fine place to put a Trojan. Coward - but still using Windows!

  221. And tell everyone... by Anonymous Coward · · Score: 0

    ...that it's just b.o. from all the creatine supplements that you're taking.

  222. So.. what... Did your kernel compile fail? by pr0ntab · · Score: 1

    Did you go running to mommy?? Boo hoo hoo, buy me a Latitude! Buy me a Powerbook!

    --
    Fuck Beta. Fuck Dice
    1. Re:So.. what... Did your kernel compile fail? by Anonymous Coward · · Score: 0

      actually both my parents are dead and i have lived on my own since 15. I have bought every single thing i own by my own means....and would NEVER buy an overpriced, overhyped mac pos. I noticed you didn't deny any of my claims. So you live at home in mommy's basement? Does she tuck you in at night still? How's that 486 holding up?

  223. Re:Top Five Ways For The Linux Zealot To Deal With by Anonymous Coward · · Score: 0

    you should've been modded up...your post was funny and dead on the truth. I plan to punch the next linux user I meet just for you. That's if one ever comes out of his mom's basement.

  224. March WHEN? by Anonymous Coward · · Score: 0

    SCO filed suit against IBM on March 6, you know.

    I'll let someone else make a lame joke about the new contents of "README.SCO".

  225. 2K3 Not the best year for Linux by Captain+McCrank · · Score: 1

    Between this and SCO, Linux sure doesn't seem to be having a good year. Compromised since March? How many other distros may have used gnu's site as a source between today and then? Good gravy!

  226. Re:told you by resignator · · Score: 1

    lol, right on brother...fuck you stupid linux asslicks.

    --
    "At first, we thought it was just another snake cult."
  227. Re:told you by resignator · · Score: 1

    and yes i was totally serious...*cough* not

    --
    "At first, we thought it was just another snake cult."
  228. +100000 Insightful by mrscott · · Score: 1

    If I had mod points today I'd mod this as high as I possibly could. No matter how good you are at your job, no matter how much you get paid, no matter what you do, there is always something that could be done better. Let's face it: mistakes happen, a patch is missed, they forgot to delete a user account, etc. I'd be willing to bet that almost everyone out there has worked in at least one place where user accounts were not removed until well after the door had hit the ass of the former employee on his last day.

  229. What's really sad about this... by Simon+Brooke · · Score: 2, Insightful
    Is that it was an inside job. Someone trusted with a shell account on the server. Someone who was seen as part of the team, but betrayed it. A pretty shitty thing to do, in my opinion.

    The FSF don't say (and probably shouldn't say) whether they know who did it. I hope they do, because if they don't the mistrust which will be engendered will cause a lot of unhappiness, and will distract maintainers from looking after the packages we all use.

    If the FSF don't know, I hope the culprit has the guts to own up, and own up quickly.

    --
    I'm old enough to remember when discussions on Slashdot were well informed.
    1. Re:What's really sad about this... by Anonymous Coward · · Score: 0

      it was me - AnTiNix0r

    2. Re:What's really sad about this... by phishst1k · · Score: 1

      It was me, Linus.

      --
      Sex is not the answer. Sex is the question. Yes is the answer.
  230. Re:Wait? I thought Linux was Secure?? by GigsVT · · Score: 3, Interesting

    It was fixed months ago. It was the local root ptrace exploit.

    The only reason they got cracked was because they allowed local shell accounts, and due to questionable reporting practices, an exploit was released before linux kernel people had a chance to fix it.

    --
    I've had enough abrasive sigs. Kittens are cute and fuzzy.
  231. How many patches do you install in a month? by mrscott · · Score: 1

    Ok - let's say that you have 10 SuSE Linux 8.2 systems. In July, patches were released on 8 days for this product (the 3rd, 9th, 11th, 14th, 15th, 16th, 21st and 25th). For arguments sake, you need to install at least one of the patches each day as some days there were multiple patches released. Based on the logic above, you would have to perform 8 total security audits in July. I don't know too many admins that have that kind of time on their hands.

  232. Re:Wait? I thought Linux was Secure?? by GigsVT · · Score: 1

    Actually it was Linux. A local-only kernel exploit.

    --
    I've had enough abrasive sigs. Kittens are cute and fuzzy.
  233. Re:No excuse? How about the directional flow of ti by Anonymous Coward · · Score: 0

    Yeah but it looks like a local user exploited it - why would ftp.gnu.org have local users?

    Also it's the entire MD5 signing system which is stupid - so they got hacked, that happens to the best of us - the software up on ftp.gnu.org shouldn't have MD5 signature files that anyone with access to the server can rewrite; the actual archive files should be crypto signed with public/private keys.

  234. Re:So apache no invulnerable then... by ColdGrits · · Score: 1

    Nope, nothing so sinister, just posting whilst half asleep.

    Thinking "ftp", but typing "apache".

    The rest of my points still stand though. As proven by many of the posts on this thread - people falling over themselves to declare "It must be an inside job", only shutting up when the official announcement of what happened is posted - yet, it was a bug in some open source software, which caused their system to be compromised 5 MONTHS ago.

    Now, hands up all those who would be so happy to absolve any M$ box admins for not detecting that they had been compromised 5 months ago?

    Just pointing out the inevitable hypocrisy of it all - for evidence, just dip into this topic and read some of the many "It must have been an inside job" posts - they are hard to miss...

    --
    People should not be afraid of their governments - Governments should be afraid of their people.
  235. Correct Terminology! by nurb432 · · Score: 1

    yea! someone used the proper term, 'CRACKED', for a change.

    --
    ---- Booth was a patriot ----
  236. hey gazbo by Anonymous Coward · · Score: 0

    shaddup ya arrogant coont.

  237. read-only media? by mnmoore · · Score: 1

    Not to slam the FSF, but for important distribution sites is it feasible to host the files from read-only media? Like burned CD-R or perhaps (for ease of update) a SCSI HD with the write disable jumper in place?

    Seems like keeping the authoritative archive on machines unconnected to the 'net would be the way to go. Hard to beat physical security. But maybe this would be too much a pain-in-the-ass.

    Anybody know of a site using a similar strategy?

  238. the RO filesystem defense by Anonymous Coward · · Score: 0

    Why not make the whole site read only by making bootable cdroms/dvds with the entire environment and files so that it can't be compromised so easily? The drawback is updates would appear maybe daily instead of instantaneously. There's a site somewhere that shows how to do this...

  239. I'm taking names and handing out torches by nortcele · · Score: 1

    Y'all raise your hand if you think SCO or Microsoft did this or had reasonable intent to do it...

    Torch for you... fork for you... shovel for you...

  240. Actually, I use windows 2000 by pr0ntab · · Score: 1

    to download pictures of little boys who get sucked off by older women.

    Sorry to break it to you kid, but your mom isn't dead, because I just saw her in alt.binaries.pictures.erotica.yno.trolling

    As it stands now a hacker really has nothing to gain by learning to hack linux.
    So you mean it'd be of no value to root RackSpace or Verio and launch a massive attack from systems with redundant backbones as opposed to a bunch of crappy dial-up boxes? I wasn't responding to your so-called claims because they are groundless and uninformed.

    1) Linux runs like shit on a 486 and nobody does it anymore except to brag about it. You can buy spare PII and PIII systems for less than the time it takes to get the 486 booted up, even at minimum wage. Asshat.

    2) 1% marketshare is more like 5% of all Internet facing machines, and about 25% of all machines with decent bandwidth. Also, holes that can hit Linux may also be applicable to FreeBSD (think Yahoo, Akamai), so that might be even higher in terms of opportunity.

    3) Which linux users who actually know anything claim that it's unbreakable? I sure don't. And for the longest time, Microsoft was claiming the opposite. So now they are owning up to a terrible security record. Thanks a lot, we know that already, hhuhuh, talk about pot calling the kettle black.

    You might have noticed that a lot of the positively moderated comments for this story are lamenting FSF's policies on backups and patches, and urging them to get on the fucking stick instead of being apologetics.

    At least it wasn't a remote root exploit (cough RPC cough).

    --
    Fuck Beta. Fuck Dice
    1. Re:Actually, I use windows 2000 by AlphaSys · · Score: 1
      You might have noticed that a lot of the positively moderated comments for this story are lamenting FSF's policies on backups and patches, and urging them to get on the fucking stick instead of being apologetics.
      You might've noticed that the replies to all of these are modded redundant as we point out for the mozillionth time that they did make backups, but there's not enough evidence that the backup tools themselves were not compromised.

      I imagine it is Windows 2000 that uses you.

      --
      Can I bum a sig? I left mine at the office.
  241. Re:So apache no invulnerable then... by Anonymous Coward · · Score: 0

    I can't fucking wait until Q**** gets cracked. I'll go to DJB's house and take a picture for posterity.

  242. Re:Wait? I thought Linux was Secure?? by Anonymous Coward · · Score: 0

    Especially when they refuse to fix some of their systems, like NT4 (I know it is EOL'd, but this last one is a major problem).

    If you are talking about 'this last one' as in the blaster worm, you can easily get a fix for any version of NT4, it appears. The following link is for NT4.0 Server/Workstation:

    http://download.microsoft.com/download/6/5/1/651c3333-4892-431f-ae93-bf8718d29e1a/Q823980i.EXE

    This file is available right from the link located on MS's homepage, and they also have downloads for other OS's there as well. There might not be a fix for old-ass NT3.5 or other ancient OS's, but there is no need to spread disinformation about something that can be verified so easily.

  243. get over it by jlusk4 · · Score: 1

    What, you think Unix has no vulnerabilities, and that's why there haven't been more cracks?

    As the "general spiffiness" and "in widespread use" factors increase for a platform, which they are for Linux, this sort of thing is going to happen more frequently. Don't assume the wonderfulness of open source/many eyes/separate address spaces/better fundamental design constitute a suit of armor.

    As we make executable content available in email messages (Flash, Evolution, anyone?), as we make lots o' hooks for pieces of software to play with each other (Gnome, anyone?), we open up the possibility of some unexpected interaction biting us in the ass.

    Similarly, as more and more organizations deploy Linux, it becomes a juicier target to attack.

    (The lesson being: developers (especially developers of cool shit) should not relax about security.)

    John.

  244. Re:Wait? I thought Linux was Secure?? by IM6100 · · Score: 1

    I'm sure there are plenty of stories to tell. However, most Windows exploits are rather weak. Very few give the cracker a bash prompt, with C Compiler and all the tools that a root shell exploit on a Linux box gives.

    --
    A Good Intro to NetBS
  245. you're surprised? by konduct · · Score: 1

    Once again, it should not come as a surprise that ftp.gnu.org was compromised. Hackers target centralized source code and binary distribution sites. That way, they can backdoor 200,000 birds with one stone. cvs.openbsd.org was hacked last summer too. My advice: build everything from source.

    1. Re:you're surprised? by Anonymous Coward · · Score: 0

      This is a very good argument against Open Source

    2. Re:you're surprised? by Anonymous Coward · · Score: 0

      Build everything from source? Who says they're just going to put up backdoored binary files? They'd probably upload modified source code too. Sure, you can check the source, but who's going to read EVERY piece of code they download? You'd have to go line by line and figure out how everything works; a back door could be hidden to look like it's a normal part of the code.

    3. Re:you're surprised? by konduct · · Score: 1

      I beg to differ. Do you know how many backdoors are in Microsoft products? Not many people do. In fact, I doubt anyone knows of all of them. The counter-argument against closed-source commercial binary-only software products is that it's harder to find binary backdoors than it is to find them in source code; even while using disassemblers and debugging tools. This compromise could have been prevented.

      Take FreeBSD for example. Sure their mirrors may have been compromised in the past; but they have a solid architecture designed for managing a centralized repository. Only a very select few people have access to that system. You can bet that the ftp.gnu.org box had tens or hundreds of local accounts. The hackers might not have even directly compromised ftp.gnu.org. They could have hacked a workstation belonging to a developer, and worked their way back into that machine by trojaning ssh, storing the login/password information and logging in from a bounce-point.

      Obviously the guys that hacked the machine understand the blackhat value in having complete and unfettered control of that server and its data. When the next vulnerability is discovered in the services provided by any FSF servers, you can bet these guys will be back with a vengeance. What blows my mind is that the GNU/FSF crew don't have backups of the MAIN DISTRIBUTION SITE.

  246. Re:Too much shit I switch to MS by Anonymous Coward · · Score: 0

    I agree

  247. Re:No excuse? How about the directional flow of ti by Anonymous Coward · · Score: 0

    But I'm all for fewer hypocrites and less ignorance on Slashdot :)

    Daring to dream the impossible dream, are we? ;)

  248. Re:Wait? I thought Linux was Secure?? by Anonymous Coward · · Score: 0

    Pretty much all of the worms exploit known and fixed problems.

    So, it's not totally Microsoft's fault.

  249. Solution by orionware · · Score: 0

    Well maybe if you dumb (L)users would stop using windows and start using Linux you wouldn't have this problem!

    Ohh... wait....

    --
    Karma means nothing to me, so suck it...
  250. Re:Wait? I thought Linux was Secure?? by Anonymous Coward · · Score: 0

    and wu_ftpd has what to do with this?

    The exploit that owned the gnu guys was a local-user kernel hole. You know, kernel. As in Linux.

    That sure as hell ain't *BSD, HURD, Cygwin, etc.

    But since it was mentioned... only a bloody idiot would run wu_ftpd anyway. It's always been swiss-cheese as far as security goes.

    But then, this was gnu.org ...

  251. Re:Wait? I thought Linux was Secure?? by JonMartin · · Score: 1
    Doesn't OpenBSD run their site off Solaris?

    Yes. From the OpenBSD FAQ:

    Although none of the developers think it is particularly relevant, this question comes up frequently enough in the mailing lists that it is answered here. www.openbsd.org and the main OpenBSD ftp site are hosted at a SunSITE at the University of Alberta, Canada. These sites are hosted on a large Sun system, which has access to lots of storage space and Internet bandwidth. The presence of the SunSITE gives the OpenBSD group access to this bandwidth. This is why the main site runs here. Many of the OpenBSD mirror sites run OpenBSD, but since they do not have guaranteed access to this large amount of bandwidth, the group has chosen to run the main site at the University of Alberta SunSITE.
    --
    Serve Gonk.
  252. MOD UP, UP, UP... by AlphaSys · · Score: 1

    ...and not just because it points out the disparity in tolerance for MS holes vs. others, but because it points out the emotional difference. Either way, the LINUX zealot is grabbing his torch. But in the MS case it's their fault. In this case, it's for the perp.

    I think only the BSD proponents have it right and so what... it's not snobbery if you're right.
    Off that topic tho... the problem is... what about all the GNU software installs that have gone down since March? If you buy the GNU line here, it's all suspect. And let's be clear here that this includes GNU software for any platform, including Win32! Imagine if a library used in a cross platform GNU-distributed product has "malcode" inserted! If I stretch my imagination, I can believe that a sizeable percentage of the *X/BSD crowd will know to get fresh everything that might be suspect... but Joe Windows who wanted to try GIMP, oOo or something to avoid paying for the commercial offerings?* Forget it, he'll never know the diff... and besides, he's r00+3d six ways from sunday anyway already. But now if someone in the know ever hips him to the fact, he'll probably blame the GNU installs.

    I'm a Windows user a lot of the time, but there's no denying that the mean value of intelligence of users on the platform is far below that of most others.

    *(note -- I'm leaving out the other great GNU software that runs on Windows like Apache, MySQL, just to name a few because the caliber of moron we're talking about here has no need for a web server or DB engine, etc. then again, MS would install it by default until recently...)

    --
    Can I bum a sig? I left mine at the office.
  253. UK Mirror Service by SamBC · · Score: 3, Informative

    Well, I must say that I've never met Mustafa at work... the people who run the UK Mirror Service are, however, there for all to see on the UKMS Crew Page

    In all seriousness, you have until some time tonight (on BST, which is UTC+1) before we should be fully synced, including any files that have been pulled, with the source site. There are some exceptions, but I don't think they will apply in this case. And if any files were compromised, they are compromised on our servers as well.

    WARNING: SHAMELESS PLUG: If you are a fan of the Mirror Service, or even just a user, please note the message on our homepage, as we are about to be able to serve even more users, at higher speeds.

  254. Re:Wait? I thought Linux was Secure?? by JeffTL · · Score: 1

    In that case, as I suspected, social engineering and/or an ID10T error was to blame.

  255. Ah, I didn't know that! by pr0ntab · · Score: 1

    Also I use linux all the time, at work and on my laptop, and that 2000 box is dual boot.

    So *pbbbbt* on you.
    I just like to flame trolls and/or idiots. Can you just LET ME FLAME!?!?!

    --
    Fuck Beta. Fuck Dice
    1. Re:Ah, I didn't know that! by AlphaSys · · Score: 1

      Damn, my bad. It's so thick with zeal and ignorance in here, it's getting hard to tell the trolls from the folks who don't know any better. I was confused, to be sure; I was sure I had seen you post cogently before about OSS in general and Linux in particular. I'm so used to the repugnant anonymous trolls, it never crossed my mind that someone might do it with identity. I guess I'll cross reference earlier posts the next time I wonder if it's a troll or memorex.

      --
      Can I bum a sig? I left mine at the office.
  256. Why did it take this long to announce it? by Sanity · · Score: 1

    Surely they had a responsibility to announce this compromise as soon as it was discovered so that those that had downloaded potentially compromised files could take appropriate action immediately?

  257. Re:Wait? I thought Linux was Secure?? by Anonymous Coward · · Score: 0

    FTP software is very much part of the operating system. Just like the web browser, media player, and Solitaire.

    See? Everything is easier with Windows.

  258. Re:Mirrors would also copy the bad code by complete+loony · · Score: 1

    Yes there are, but they've been "rooted" for the last three months, and any malicious code would have propagated to the mirrors as well.

    --
    09F91102 no, 455FE104 nope, F190A1E8 uh-uh, 7A5F8A09 that's not it, C87294CE no. Ah! 452F6E403CDF10714E41DFAA257D313F.
  259. Wow by Anonymous Coward · · Score: 0

    Compromised for 5 months and didn't know it.

    That is about as shameful it gets.

    I am... speechless.

  260. Don't trust commercial distros by Phronesis · · Score: 1
    No. You're not supposed to trust commercial distros! If you're going to trust commercial software, you might as well trust Microsoft. Only trust hand-compiled software.

    Read all the FSF source and understand it. When you're sure it's safe, hand-execute the build-cycle for the linux kernel and gcc. Enter the resulting binary into your computer using the toggle switches on the front panel (you did hand-build your computer to be sure the manufacturer didn't sneak anything malicious into the ROMS, didn't you?). Then, and only then, can you build the rest of the distribution without the risk of a trojan compiler.

    The great advantage of free or open-source software for the superconducting lead hat paranoid is that you can't do a clean build like this for Windows. Only if you have the source can you be sure your compiler is not sneaking malicious op-codes into your machine.

    1. Re:Don't trust commercial distros by FooBarWidget · · Score: 1

      No, you're supposed to trust commercial software. Remember that Slashdotters always brag about how commercial software is usually higher quality? With much better GUIs because they have UI designers? And much more stability and features and security because they supposedly have to listen to their customers?
      Well, that's what many Slashdotters always brag about anyway.

  261. Is that a bad excuse I smell? by Anonymous Coward · · Score: 0

    The FSF statement says that an exploit for the ptrace vuln. was available on 17 March and that a working fix wasn't available until a week later.

    But my search through linux-kernel and bugtraq shows that Alan Cox published the vuln. along with a patch on the 17th. Although the patch didn't apply cleanly on 2.4.20 it was very easy to fix and a clean patch was posted the next day.

    The earliest exploit I can find was posted to Bugtraq on the 19th.

    I understand that sometimes servers get hacked but they shouldn't imply that it happened because the linux developers were slow.

  262. Re:Can someone please tell me... by E-Rock · · Score: 1

    Well this is /. for Bob's sake. You'll have to giggle on the inside; just like you have to cringe on the inside when a stupid admin does something dumb with an MS product, or MS marketing does something that makes you fear for the future of humanity.

  263. Tomorrows Headline News by NullProg · · Score: 1

    From: AP Satline
    Subject: Microsoft was right, GPL is viral.
    Redmond, WA.

    In the latest development in the war for users,
    Microsoft today announced they were correct two years ago when they called the GPL viral.

    Microsoft PR spokesman "Matthew Stewart CollinsEdward" (MSCe) had this to say. "You see their Web Site has been hacked, the GPL was just sitting there at www.gnu.org for anyone to modify". "You just can't trust any license that's not certified". "With our EULA, you're guaranteed no changes in between versions". "Because of this flaw we are going to get those Linux Server users to change back to our five user version of WinXP2k+Plus."

    When asked about the Windows Worm earlier this week Matthew responded "That's not our fault, we used a modified version of the RPC specification which was Open Sourced. Obviously it's not our fault when the GPL has been compromised".

    When asked for a Linux comment Larry Allen Mark Petry (LAMP), a linux user/admin said this. "Oh man, the press is getting it all wrong. It was an FTP server problem, not a Linux one". "I, think Microsoft was behind the attack". When asked for proof, Larry said this, "Proof, you want proof, just look who is behind the latest SCO lawsuit!". He then mumbled something about "Bush" and wandered off.

    When asked for interviews, Bill Gates (tantrum) and Richard Stallman (bath) were not available for additional comments.

    End: AP Satline.

    No o/s's were harmed during the making of this news flash.

    --
    It's just the normal noises in here.
  264. Re:sheesh! Can you fire a volunteer sysadmin? by digrieze · · Score: 1

    I think you still do, but honestly if they're not going to invest in an automated jukebox to back up the system, or mirror to a secured site, then having someone sitting in front of a CD-RW feeding 800MB disks to the monster all night would be fitting punishment for lack of foresight.

    Besides, It fits well into the "LINUX is cheap and (mostly, almost) works" mentality.

    I wonder if any of their sysops are currently rethinking the "trusted ftp" architecture? I suspect idealism just met the legendary brick wall of reality.

    --
    It doesn't matter what you wrap your emotions around, Reality is a brick wall specifically designed to scramble eggs
  265. history is build out of learning from mistakes by Anonymous Coward · · Score: 0

    Don't slam them for messing up, but then again don't hold back from giving good criticism out of a fear their wittle feelings will be hurt. To me it is highly ironic that in such a distributed environment as FSF development, not to mention their philosophy, that there is not a distributed or mirrored redundancy system in place. Physician heal thyself.

  266. They got r00ted in March, for pete's sake! by lorcha · · Score: 1
    According to their site, they were hacked in March '03. It is now August '03.

    Do you keep 5 months worth of backups? Well? Do ya?

    Well, cut them some slack, then!

    --
    "Avoid employing unlucky people - throw half of the pile of CVs in the bin without reading them." -- David Brent
  267. Heh, in Canada... by Anonymous Coward · · Score: 1, Insightful

    LOL -- in Canada, we do all of these things from time to time (well, we don't lock our doors, ever... and most of us have our car key hidden behind the plates... as for stores? well, yes, i've walked into a store and left my money on the counter.)

    The sad part is that you think a world where such things are possible is *undesirable.*

    I would *love* to trust my fellow man, personally :)

  268. On paper? by screenrc · · Score: 1
    Such ideologies should be encouraged. If you cannot find the right friends (or relatives) to live like this, maybe you should look for new friends and relatives.

    I don't want to live in my house suspecting everyone as if they are crooks or thieves. And if you treat your friends like potential thieves, don't expect much in return.

  269. whew! by rsax · · Score: 1
    frankjr... I thank you sir. I was going through the comments and was starting to get alarmed. Something is wrong here; a story on Slashdot and I still haven't seen anything being mentioned about Gentoo or Portage??!! WTF?

    P.S. I'm just kidding. Turn the flame throwers off

  270. This should teach them... by Anonymous Coward · · Score: 0

    To use OpenBSD from now on !!

    1. Re:This should teach them... by borgheron · · Score: 1

      Yes, security through obscurity should work just fine.

      --
      Gregory Casamento
      ## Chief Maintainer for GNUstep
  271. Habor on too much caffeine ??? by B0mbtruck · · Score: 1
    "I was a fanatic supporter of Linux" -- we don't need You, especially if you are a fanatic!

    " but this is too much for me" -- if you can't take it get the fudge out. Linux people have courage, that's why we can face the storm.

    "I think de Open Source Goeroes" -- who the fuck is Goeroes????

    "are technical not so good as I thought" -- I bet they can make clearer sentences than you. And "technical" YOU are full of it

    "I think de Unix technolgy is a lost path" -- and YOU are a lost case, too bad nobody cares.

    In fact i'll just stop commenting on this shit, I have better things to do.

    B0mbtruck
    --
    I set YOU up the b0mb.

  272. Sums should be stored at different site by Krellan · · Score: 1

    It is highly recommended that checksums be stored on a different server!

    Many high profile sites surprisingly do not do this.

    By keeping checksums separate from the files themselves, it makes the cracker's job more difficult, because they will have to crack two machines in order to Trojan a file. It is also recommended that these two machines be running different operating systems, such as Linux and OpenBSD, so that an exploit affecting one will hopefully not also affect the other.

    If only one server is compromised and the files or the checksums are changed, but not both, people will be able to detect this by the mismatched sums. When the checksums are on the same server as the files themselves, the cracker can replace the checksums at the same time as the files, and nobody will know that the files have been compromised.

    Also, GPG keys should be used to put some cryptography into guaranteeing that the files haven't been tampered with. The cracker will have to forge a GPG signature, much more difficult than regenerating a checksum. I am glad to see that the GNU project will do this for future files, to help prevent a situation like this from happening again. Of course, the GPG public keys should be on a different server than the signed files!
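
    The two failure modes the comment above (and comment 233 on crypto-signed archives) describes, as an added example that is not code from the FSF or from ftp.gnu.org: a checksum list that lives on the same host as the archives is rewritten by whoever roots that host, while a copy kept on a separate machine still catches the substitution. Everything in the block is constructed for the demonstration (the "gnu-foo-1.0.tar.gz" name, the file contents, the two imaginary hosts); it uses only the Python standard library and parses the `HEX  NAME` format that md5sum(1)/sha256sum(1) emit. It does not verify OpenPGP signatures; see the note after the code.

```python
"""Check downloaded files against a checksum list, and show why the list must
not live on the host being checked.  Added example; sample data is constructed."""
import hashlib

# Constructed sample data: a tiny "tarball" and the same file with a backdoor appended.
CLEAN_TARBALL = b"gnu-foo 1.0 sources\n"
TROJANED_TARBALL = b"gnu-foo 1.0 sources\nchmod u+s /bin/sh\n"
README = b"GNU foo README\n"


def digest(data: bytes, algo: str = "md5") -> str:
    """Hex digest in the form md5sum(1)/sha256sum(1) print."""
    return hashlib.new(algo, data).hexdigest()


def make_sums(files: dict, algo: str = "md5") -> str:
    """Render a checksum list in md5sum's text-mode 'HEX  NAME' format."""
    return "".join(f"{digest(data, algo)}  {name}\n" for name, data in sorted(files.items()))


def parse_sums(text: str) -> dict:
    """Parse md5sum/sha256sum output.  Accepts the '*NAME' binary-mode marker,
    skips blank and '#' lines, and rejects lines that are not 'HEX NAME'."""
    sums = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(maxsplit=1)
        if len(parts) != 2 or not set(parts[0]) <= set("0123456789abcdefABCDEF"):
            raise ValueError(f"malformed checksum line: {raw!r}")
        sums[parts[1].lstrip("*")] = parts[0].lower()
    return sums


def verify(files: dict, sums_text: str, algo: str = "md5") -> dict:
    """Map each name to OK / MISMATCH / UNLISTED / MISSING.

    A downloaded file nobody vouched for (UNLISTED) and a listed file that is
    absent (MISSING) are reported rather than skipped: an intruder who adds a
    new tarball or deletes one should not pass silently."""
    expected = parse_sums(sums_text)
    report = {}
    for name, data in files.items():
        if name not in expected:
            report[name] = "UNLISTED"
        elif digest(data, algo) == expected[name]:
            report[name] = "OK"
        else:
            report[name] = "MISMATCH"
    for name in expected.keys() - files.keys():
        report[name] = "MISSING"
    return report


def cross_check(sums_a: str, sums_b: str) -> dict:
    """Entries whose digests differ between two independently hosted lists
    (or that appear in only one), so an operator can compare the two hosts
    without transferring the archives themselves."""
    a, b = parse_sums(sums_a), parse_sums(sums_b)
    return {n: (a.get(n), b.get(n)) for n in a.keys() | b.keys() if a.get(n) != b.get(n)}


def demo() -> dict:
    """Walk through the scenario from the comment with the constructed data."""
    # 1. Release time: the maintainer publishes the archive and its sums.  One
    #    copy of the list sits next to the files (ftp host), a second copy on a
    #    separate machine that the ftp host cannot write to.
    ftp_files = {"gnu-foo-1.0.tar.gz": CLEAN_TARBALL, "README": README}
    ftp_sums = make_sums(ftp_files)
    separate_sums = ftp_sums  # same text, different host

    # 2. The ftp host is rooted.  The intruder trojans the tarball and, having
    #    write access to that box, simply regenerates the co-located list.
    ftp_files["gnu-foo-1.0.tar.gz"] = TROJANED_TARBALL
    ftp_sums = make_sums(ftp_files)

    # 3. Checking against the co-located list passes (the failure mode).
    #    Checking against the separately hosted list flags the tarball, and
    #    comparing the two lists shows exactly which entry was rewritten.
    return {
        "colocated": verify(ftp_files, ftp_sums),
        "separate": verify(ftp_files, separate_sums),
        "diff": cross_check(ftp_sums, separate_sums),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```

    A digest list only moves the trust problem to whichever host stores the list, which is why the comment also asks for signatures: with a detached OpenPGP signature published alongside each archive, the client runs `gpg --verify gnu-foo-1.0.tar.gz.sig gnu-foo-1.0.tar.gz` and the intruder has to forge a signature rather than rerun md5sum. The same caveat applies to the signing key: it has to reach the client by a path that does not go through the compromised host, or the intruder publishes his own key next to his own signatures.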

  273. CVS repositories by Poulpy · · Score: 1

    I believe most GNU projects have CVS repositories (or any other source versioning system), and they are not located on the compromised server.

    Then with a little scripting, all archives can be rebuilt.

    It would take some computing time though but would be an automated process.

  274. Oh. My. God. by Rogerborg · · Score: 1

    Rooted in March 2003 by a "local user". They started restores 12 days ago. Without telling anyone.

    This is worse than anything that Microsoft has ever done.

    They started restores 12 days ago and didn't tell anyone.

    I cannot trust the FSF, ever again.

    They started restores 12 days ago and didn't tell anyone .

    There is no difference in practice between the FSF and Microsoft. The experiment is over.

    --
    If you were blocking sigs, you wouldn't have to read this.
  275. So we understand what happened... by Azekeal · · Score: 1

    Fair enough that they were compromised, it can happen to anyone, even the most security-minded individual - I'm not going to go into the insider job ideas.

    They're human. meh.

    They're using back-ups that they know are safe, meaning that they are also out of sync with their more recent uploads...so my question is this:
    Between you guys (and madams), what should they have done/do to get it up and running faster (and remove the clouds of the loss of trust from over their heads)?

  276. How? by jmcnamera · · Score: 1

    Why did it take so long to realize they were compromised? Does the FSF really run Windows under the hood?

    --
    this is not a sig
  277. You troll by Anonymous Coward · · Score: 0

    Be sure to mention that to Hitler while you're fellating him in Hell

  278. what? by twitter · · Score: 0
    If they catch the perp, the punishment should be something really heinous like locking them up with a computer that has Microsoft "Bob" installed and have continuous "Barney" tunes piped into their cell. That'll teach 'em.

    But they ALREADY work for Microsoft's "research" department.

    --
    Friends don't help friends install M$ junk.