Slashdot Mirror


FSF FTP Site Cracked, Looking for MD5 Sums

landley writes "The Free Software Foundation's FTP site at ftp.gnu.org has been "compromised", and they don't seem to have full backups. They've yanked a bunch of recent packages (and their whole alpha.gnu.org ftp site), and when I asked about it they responded 'Our FTP server was compromised, yes. We are beginning to find good MD5sums for files which have not yet been restored, and they will be available again Real Soon Now. If you can provide MD5sums for any of the files listed in MISSING-FILES, it would be very much appreciated.' " Update: the FSF has a statement on the FTP site explaining the matter.

11 of 752 comments

  1. BSD Ports trees should have them by lactose99 · · Score: 5, Informative

    Taking a brief glance over my FreeBSD server, all of the entries in the Ports tree have the MD5SUMs in the "files" file. The Ports tree includes many many FSF software package installs.

    --
    Fully licensed blockchain psychiatrist
    1. Re:BSD Ports trees should have them by lactose99 · · Score: 5, Informative

      Oops... it's the "distinfo" file that contains the MD5SUMs, not "files".

      --
      Fully licensed blockchain psychiatrist
    2. Re:BSD Ports trees should have them by mph · · Score: 4, Informative
      As a port maintainer and committer, I can confirm what you say. The recorded md5 signatures are for the distributed source archive (e.g. from ftp.gnu.org, or Sourceforge, or whatever). They are there to ensure that the source has not been tampered with.

      BSD-specific patches are then applied to the downloaded source, but have no implications for the md5 signature that's on file.
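The distinfo check that lactose99 and mph describe above, written out as an added example (not code from the original thread or from the FreeBSD ports framework): a small checker that parses distinfo-style `ALGO (distfile) = value` lines, covering MD5 as recorded in the thread's era and the SHA256 and SIZE lines current ports record, and verifies a downloaded archive against them. The distfile name, the distinfo lines and the archive bytes are constructed for the example; the recorded digests are the MD5 and SHA256 of those constructed bytes, so the "good" copy verifies and a one-byte change is caught.

```python
"""Verify a distfile against a BSD ports-style distinfo record.

Added example, not from the original thread or from the ports framework.
SAMPLE_DISTINFO, the distfile name and GOOD_DATA are constructed here;
the digests are those of GOOD_DATA (b"abc"), standing in for a tarball.
"""
import hashlib
import re

# distinfo line format:  <ALGO> (<distfile>) = <value>
#   MD5 (example-1.0.tar.gz) = ...        (what ports recorded in 2003)
#   SHA256 (example-1.0.tar.gz) = ...     (what current ports record)
#   SIZE (example-1.0.tar.gz) = 389363
DISTINFO_LINE = re.compile(r"^(\w+)\s+\((\S+)\)\s*=\s*(\S+)\s*$")

# Digest algorithms this checker knows how to verify.
DIGESTS = {"MD5": hashlib.md5, "SHA256": hashlib.sha256}

SAMPLE_DISTINFO = """\
MD5 (example-1.0.tar.gz) = 900150983cd24fb0d6963f7d28e17f72
SHA256 (example-1.0.tar.gz) = ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad
SIZE (example-1.0.tar.gz) = 3
"""
GOOD_DATA = b"abc"       # constructed stand-in for the archive contents
TAMPERED_DATA = b"abd"   # same size, one byte changed


def parse_distinfo(text):
    """Return {distfile: {ALGO: value}} for every line; reject malformed ones."""
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = DISTINFO_LINE.match(line)
        if not m:
            raise ValueError(f"distinfo line {lineno}: unparseable: {line!r}")
        algo, name, value = m.groups()
        entries.setdefault(name, {})[algo.upper()] = value.lower()
    return entries


def verify_distfile(name, data, entries):
    """Check the bytes of distfile `name` against its distinfo record.

    Returns (ok, problems). A file with no record, or a record with no
    digest we can compute, is a failure rather than a silent pass.
    """
    if name not in entries:
        return False, [f"{name}: no distinfo entry"]
    recorded = entries[name]
    problems = []
    checked = 0
    if "SIZE" in recorded:
        checked += 1
        if int(recorded["SIZE"]) != len(data):
            problems.append(f"SIZE mismatch: recorded {recorded['SIZE']}, actual {len(data)}")
    for algo, ctor in DIGESTS.items():
        if algo not in recorded:
            continue
        checked += 1
        actual = ctor(data).hexdigest()
        if actual != recorded[algo]:
            problems.append(f"{algo} mismatch: recorded {recorded[algo]}, actual {actual}")
    if checked == 0:
        problems.append(f"{name}: distinfo record has no digest this checker understands")
    return (not problems), problems


def make_distinfo(name, data):
    """Emit distinfo lines for a known-good copy, the way the FSF asked
    people to supply MD5sums for files in MISSING-FILES."""
    lines = [f"{algo} ({name}) = {ctor(data).hexdigest()}" for algo, ctor in DIGESTS.items()]
    lines.append(f"SIZE ({name}) = {len(data)}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    entries = parse_distinfo(SAMPLE_DISTINFO)
    for label, data in (("good", GOOD_DATA), ("tampered", TAMPERED_DATA)):
        ok, problems = verify_distfile("example-1.0.tar.gz", data, entries)
        print(label, "OK" if ok else "FAILED", *problems, sep="\n  ")
    print(make_distinfo("example-1.0.tar.gz", GOOD_DATA))
```

One caveat a practitioner should keep in mind: a distinfo record only proves the downloaded file matches what the port maintainer fetched when the port was committed. If the archive on the origin server had already been replaced before that fetch, the recorded digest will match the replaced file, so the ports tree is a second opinion, not an independent root of trust.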

  2. Re:Well that's good and all, but by rkz · · Score: 5, Informative

    Crackers exploited this vulnerability, there was even a patch available!!

  3. Re:Mirrors? by gearheadsmp · · Score: 4, Informative

    Mirror, mirror on the wall, who is the fastest of them all?

  4. Re:the $64,000 question: by prizog · · Score: 4, Informative

    There are backups from before the crack.

    If you want to give FSF $64,000, we could hire someone to implement a better plan. But we're not made of money.

  5. Re:You're Kidding? by pongo000 · · Score: 4, Informative

    You mean, an accounting like this? Seems pretty detailed to me...

  6. RTFA: There *are* backups, and they *did* patch by stewby18 · · Score: 5, Informative

    ...The machine appears to have been cracked in March 2003, but we only very recently discovered the crack.
    [snip]
    (For the ptrace bug, a root-shell exploit was available on 17 March 2003, and a working fix was not available on linux-kernel until the following week. Evidence found on the machine indicates that we were cracked during that week.)
    Given the nature of the compromise and the length of time the machine was compromised, we have spent the last few weeks verifying the integrity of the GNU source code stored on gnuftp. Most of this work is done, and the remaining work is primarily for files that were uploaded since early 2003, as our backups from that period could also theoretically be compromised.

    (emphasis added). So in other words, they were cracked in the brief space between the exploit post and the patch, and didn't find it right away. Now, they are carefully vetting all their backups from that period to remove any possibility that a compromised backup could be redistributed.

    So, to answer your poorly-researched questions:

    • They have reliable backups of everything, except for those files which, due to their upload time, cannot possibly be considered secure
    • They are systematically verifying the reliability of the files where there could be any doubt

    Which part of this would you not consider a disaster recovery plan?

  7. Re:Status update from FSF on GNU FTP site crack by bkuhn · · Score: 4, Informative

    Yes, the crack was carried out by a local user. We don't know if it was a social engineer or someone who compromised an existing account.

  8. WTF? by MasTRE · · Score: 4, Informative

    Neither the OP _nor_ the moderator think it important to note in front-page post that the box was compromised in _March_ 2003? Jeez, is this /. or -.?

    --
    Must-not-watch TV!
  9. Re:You're Kidding? by NoOneInParticular · · Score: 5, Informative

    As some other posters in other threads noticed, the FSF does not have full backups because all backups made after early 2003 can be compromised. The crack happened in March, and what they are missing is all the stuff that was uploaded after the crack. Backups from before March are available. In this situation no backup strategy at all would leave you with total security after March. The fact that the site was cracked five months ago is a bit scary, though.