Slashdot Mirror


FSF FTP Site Cracked, Looking for MD5 Sums

landley writes "The Free Software Foundation's FTP site at ftp.gnu.org has been "compromised", and they don't seem to have full backups. They've yanked a bunch of recent packages (and their whole alpha.gnu.org ftp site), and when I asked about it they responded 'Our FTP server was compromised, yes. We are beginning to find good MD5sums for files which have not yet been restored, and they will be available again Real Soon Now. If you can provide MD5sums for any of the files listed in MISSING-FILES, it would be very much appreciated.' " Update: the FSF has a statement on the FTP site explaining the matter.

23 of 752 comments

  1. Re:Correct MD5s by brechmos · · Score: 4, Insightful
    Yeah, but if enough people send in the same MD5 sums for each file, then it "should be" easy to confirm it is correct or not.

    Surely, there aren't that many dishonest people, and if there were, then it would be hard for them all to get together and come up with the same MD5.

  2. You're Kidding? by System+Control · · Score: 5, Insightful
    The Free Software Foundation's FTP site at ftp.gnu.org has been "compromised", and they don't seem to have full backups.

    Unbelievable. And I'm supposed to trust their methods and products with my enterprise?

    1. Re:You're Kidding? by Lxy · · Score: 4, Insightful

      While your post is somewhat trollish, I have to agree that this is an interesting predicament for the FSF. To save face, I hope they post a detailed account of how they were cracked, and own up to their mistakes so they can all teach us what not to do. That's the power of openness :-)

      --

      There is no reasonable defense against an idiot with an agenda
      :wq
  3. Re:the $64,000 question: by gazbo · · Score: 3, Insightful
    Or maybe, JUST FUCKING MAYBE , Linux isn't some sort of magical bug free OS where every buffer is checked, every race condition averted, and every service that runs on it is guaranteed bug free.

    Good God. The fact you can post that comment...no. You're just too much of an unthinking hero-worshipping idiot for me to finish. Yes, it was an inside job or a weak password. Anything except a vulnerability. Yes.

  4. That is awful... by Badanov · · Score: 3, Insightful
    I run a coupla Linux boxes at work and a couple at home, and I swear I don't even take a dump unless I am certain I have backups.

    Having just read the above, let me add: Let a thousand jokes be posted!

    --
    Dawn of the Dead
  5. Re:Correct MD5s by Henry+V+.009 · · Score: 4, Insightful

    The man of the million email addresses replies: Are they confirming MD5s in person, or over the phone, or by other electronic means? You have yet to master the art of paranoia, grasshopper.

  6. Re:the $64,000 question: by Trigun · · Score: 3, Insightful

    The compromise was probably a weak password or an inside job.

    Which is why syslog should be on another secure computer, and dumped to paper in a locked room for high-security sites.

    It won't help the recovery, but helps pinpoint the intrusion.

  7. Why no PGP signature? by molo · · Score: 3, Insightful

    Why does the FSF not use an OpenPGP signature on the files and md5sum lists in their archives? Unless the key is kept on the same (compromised) host, then it becomes easy to figure out what files are valid, and what isn't.

    BTW, here is my contribution:

    > md5sum sed-4.0.7.tar.gz
    005738e7f97bd77d95b6907156c8202a sed-4.0.7.tar.gz

    -molo

    --
    Using your sig line to advertise for friends is lame.
  8. Re:So apache no invulnerable then... by ichimunki · · Score: 3, Insightful

    Hmmm. You mention Apache. This is an FTP server. What kind of tool runs an FTP server using web server software? So far as we know (given that there are no details of how the server compromise was carried out), this says nothing about the security of a particular FTP server software, Apache, GNU/Linux, or any other Free Software package.

    As is the case with most installations of MS Windows, other operating systems and pretty much any user level software, the security of the system is only as strong as the weakest link: usually that's the user (and the sysadmin falls into that group). Bad passwords, bad security policies, and lax attention to security patching affect every system because every system has users.

    Why might Free Software Zealots be laughing when MS products are demonstrated to be insecure? Because people have paid MS billions of dollars for that software. MS has billions of dollars in the bank. You'd think a company with those kinds of resources could hire a few security experts-- or even a few thousand-- and have them really work out the bugs. Free Software, on the other hand, is largely produced as charity, costs little or nothing to obtain, and at least when the code is demonstrably insecure, you (the user) have both the means and the right to fix it. Not so with the expensive binaries you get from Redmond.

    Oh, thanks for trolling. I assume this response is exactly what you were hoping for. :)

    --
    I do not have a signature
  9. Re:Correct MD5s by javatips · · Score: 3, Insightful

    Anyway, the only purpose of the MD5 checksum should be to make sure that the file was transferred properly. And with TCP/IP it would be quite uncommon to get a bit flipped while traveling from the server to you (unless there is a "man" in the middle).

    Any use of the checksum to ensure that the file has not been altered before the transfer is useless, as a person who cracks a server will replace the file and its checksum.

    File checksum should always be signed by someone who can be trusted. If that's not the case, they are worthless.
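    The crowd-sourced MD5 confirmation brechmos suggests, Henry V .009's objection, and javatips's point that a checksum only proves what somebody vouched for, as an added Python example that is not from the thread or the FSF: it parses md5sum-format lines as people would send them in, accepts a digest only when several independent submitters agree and nobody disagrees, and then checks a local copy against the accepted list. All file names and contents below are constructed stand-ins, not real GNU archives.

```python
import hashlib
from collections import Counter, defaultdict


def parse_md5sum_lines(text):
    """Parse md5sum(1) output: '<32 hex>  <name>' (binary mode writes '<32 hex> *<name>')."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.lstrip(" *")  # drop the text/binary marker column
        digest = digest.lower()
        if len(digest) != 32 or any(c not in "0123456789abcdef" for c in digest) or not name:
            raise ValueError(f"malformed md5sum line: {line!r}")
        entries[name] = digest
    return entries


def consensus_sums(submissions, min_agree=3):
    """submissions: {submitter: md5sum-format text}.
    Returns (accepted, disputed). A file is accepted only if at least min_agree
    submitters report the same digest and none reports a different one; any
    disagreement leaves the file unverified, because one stale or tampered copy
    is enough to make the 'vote' meaningless."""
    per_file = defaultdict(Counter)
    for text in submissions.values():
        for name, digest in parse_md5sum_lines(text).items():
            per_file[name][digest] += 1
    accepted, disputed = {}, {}
    for name, counts in per_file.items():
        if len(counts) == 1:
            digest, n = next(iter(counts.items()))
            if n >= min_agree:
                accepted[name] = digest
        else:
            disputed[name] = dict(counts)
    return accepted, disputed


def verify_file(data, name, accepted):
    """True only if the file is on the accepted list and its MD5 matches."""
    return name in accepted and hashlib.md5(data).hexdigest() == accepted[name]


# Constructed sample input: stand-in archive bytes and the lines four people sent in.
SED_TGZ = b"constructed stand-in for sed-4.0.7.tar.gz"
EXAMPLE_TGZ = b"constructed stand-in for a hypothetical example-1.0.tar.gz"
_sed, _ex = hashlib.md5(SED_TGZ).hexdigest(), hashlib.md5(EXAMPLE_TGZ).hexdigest()
SUBMISSIONS = {
    "alice": f"{_sed}  sed-4.0.7.tar.gz\n{_ex}  example-1.0.tar.gz\n",
    "bob": f"{_sed}  sed-4.0.7.tar.gz\n{_ex} *example-1.0.tar.gz\n",
    "carol": f"{_sed}  sed-4.0.7.tar.gz\n",
    "dave": f"{'0' * 32}  example-1.0.tar.gz\n",  # one dissenting report blocks acceptance
}
```

    Agreement among submitters still only tells you the copy matches what they had; as javatips says, only a signature from a key kept off the compromised host turns that into evidence about the file itself.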

  10. One would think... by Qbertino · · Score: 3, Insightful

    ...that the cream of IT people would do regular revolving backups, securing sessions and have a standalone staging environment for all their stuff should the connected setup get compromised. Especially files which are distributed into the entire world to run on bazillions of computers once released. That's all a big fat hairy bad-ass no-brainer.
    Sorry, gnu.org team, no ice cream tonight.

    --
    We suffer more in our imagination than in reality. - Seneca
  11. Re:Wait? I thought Linux was Secure?? by freeweed · · Score: 3, Insightful

    No one's ever claimed Linux is 100% secure.

    However, the next time a virus is released that takes down 90% of Linux installs, and toasts most of the internet, let me know. Until then, your point isn't exactly valid.

    --
    Endless arguments over trivial contradictions in books written by ignorant savages to explain thunder in the dark.
  12. Re:the $64,000 question: by iii_rjm · · Score: 5, Insightful

    No. The real $64,000 question is why didn't they have reliable backups and a disaster recovery plan?

  13. Re:Well that's good and all, but by Uruk · · Score: 5, Insightful

    I'll bet that 90% (or more) of all break-ins are the result of problems that could have been patched. Yeah, it sucks that this happened to GNU, but they're only human. Last I heard, they only have one system administrator to handle all of their machines, including Savannah. I can understand that this happens from time to time. GNU has to be a relatively high profile target (such as for disgruntled BSD h4x0rs and so on) so cut them some slack. If you patch 40 machines 99.9% of the time, nobody remembers that, what they remember is that you got cracked on one tiny detail you missed.

    At least they yanked the programs until they could verify that they were correct. That really was the only thing they could do. The lesson to take from this is that with computer security and auditing, nothing less than absolute perfection is necessary. And so long as human beings are doing the admin work, absolute perfection just isn't realistic. :)

    --
    -- Truth goes out the door when rumor comes innuendo. -- Groucho Marx
  14. How Long by jpmorgan · · Score: 4, Insightful
    How long was the server compromised and serving out possibly trojan-horse software before it was detected?

    Also nicely demonstrates the pointlessness (and stupidity) of serving out your MD5sums from the same machine.

  15. Re:Wait? I thought Linux was Secure?? by the_othergy · · Score: 5, Insightful
    the next time a virus is released that takes down 90% of Linux installs, and toasts most of the internet, let me know. Until then, your point isn't exactly valid
    The next time a virus takes down 90% of Windows installs and toasts most of the internet, let ME know...

    Though don't bother if it only toasts about 50% of Windows installs and brings down only a significant portion of the internet. That's becoming too commonplace.
  16. Re:Well that's good and all, but by bmj · · Score: 4, Insightful

    While I agree with the premise of the post, this is the sort of thing that would get flamed to hell and back if the thread dealt with a Microsoft security breach (case in point, see yesterday's discussion about the RPC worm). According to that thread, being overworked, underpaid, or anything else is not an excuse for having an unpatched machine.

    --
    Whereof we cannot speak, thereof we must be silent. --Ludwig Wittgenstein
  17. Re:Wait? I thought Linux was Secure?? by Slime-dogg · · Score: 3, Insightful

    Last time I checked, it was wu_ftpd that had the vulnerability, not Linux. It doesn't matter if you were running it on Cygwin, *BSD, HURD, or Linux. Geesh. Stop calling everything OS Linux, because it isn't.

    --
    You need to restart your computer. Hold down the Power button for several seconds or press the Restart button.
  18. Re:the $64,000 question: by vadim_t · · Score: 4, Insightful

    They shouldn't be.

    If a bug in IIS causes a remote exploit then that's a bug in IIS, and that's it. Now, if there's a bug in the Windows TCP/IP stack, networking components, some kernel call, etc, which causes an exploit then that *is* a bug in Windows.

    A bug in wu-ftpd doesn't just affect Linux. It will also affect the other supported platforms: BSD/OS 1.1, and 3.1, FreeBSD 2.2.6, SCO OpenServer 5.x, SCO UnixWare 2.1, Solaris 2.4, 2.5.1 and 2.6, Sun Sparc Platforms, Solaris 2.6, Solaris 2.5.1, SunOS 4.1.4

    The only real security vulnerabilities in Linux are the ones that affect only the kernel and Linux specific tools. Everything else is just a vulnerability in some other program.

  19. Pointless by isn't+my+name · · Score: 3, Insightful

    The whole idea of a mirror is that it actually mirrors what is on another site. If they've been rooted since March 2003, then it is somewhat unlikely that the www.mirror.ac.uk is actually going to have files any different than FSF.

    Unless of course, the mirror hasn't been updated since sometime in mid-March.

  20. Easy to point out someone else's mistakes by ThePyro · · Score: 5, Insightful

    It's very easy to point out other people's "mistakes" like this, but I wonder how many people actually take all these various precautions that they're so quick to accuse others of not implementing?

    The fools! They forgot to install a firewall!
    The fools! They didn't purge all the old user accounts!
    The fools! They didn't install the latest security patch! On all the boxes in the office!
    The fools! They didn't require 10 character passwords, to be changed every 15 days!
    The fools! They didn't update their virus definition files! Within the last 24 hours!
    The fools! They didn't make triple-redundant off site backups!
    The fools! They didn't have a plan C!
    The fools! They don't know where their towel is!

    Now granted, if you're being paid the big bucks to think about nothing but information security all day then all of these things should probably cross your mind... but I would be willing to bet that most people who are so quick and proud to show off their shiny, impenetrable suit of dragon scales have a soft vulnerable spot on their bellies.

  21. Re:the $64,000 question: by Zebra_X · · Score: 3, Insightful

    Mirrors as a backup methodology have at least one fatal flaw which has been clearly exposed by this incident:

    A mirror is a random (whenever the mirror was made) point in time back up. There is no assurance that, at any given point in time in the future, a mirror is available for a particular point in time in the past. As a result, the answer to the question "do we have a backup" resolves to "maybe". Generally this sort of answer makes people squirm.

    In this particular situation the problem is exacerbated by the fact that every release from March until NOW needs to be reacquired from its source, because after March 2003 the source repository and its mirrors can no longer be considered safe.

    Indeed, a very difficult situation to be in.

    In order to answer Yes to the point in time question one must invest considerable cash in hardware and software to provide such backups.

  22. Go easy on 'em... by chuckw · · Score: 4, Insightful

    Yeesh guys, go easy on these people. They bust their asses every day for us. Their GPL enforcement queue is usually about 50 cases deep. They're on the phones and on Capitol Hill every day educating and lobbying industry groups and politicians. Say what you will about the GPL, you don't even have to like it or agree with it and perhaps you even think RMS is a narrow minded prick (for the most part RMS isn't even involved in the day to day operations at the fsf). They are making life easier for all of us.

    Rather than boast about all of the work they do, they quietly work behind the scenes just so you can play Monday morning quarterback. They have one fulltime systems administrator who is *INCREDIBLY* overworked. They are doing everything they can to keep the boat together. Last year they were over $315,000 in the red. Thanks to the FSF associate program and some skillful fundraising they're back in the black.

    Want to help? Go get your FSF associate membership. It's not that expensive and it goes a long way towards helping to protect your freedoms.

    Incidentally, this is also old news. They had MD5 sums verified, and the servers were patched up and back online almost two full weeks ago. None of the software was trojaned.

    Who am I? Just another hacker who bothered to pay for an associate membership (#1142)...

    --
    *Condense fact from the vapor of nuance*