Slashdot Mirror

← Back to Stories (view on slashdot.org)

FSF FTP Site Cracked, Looking for MD5 Sums

Posted by CmdrTaco on from the two-scoops-of-paranoia dept.

landley writes "The Free Software Foundation's FTP site at ftp.gnu.org has been "compromised", and they don't seem to have full backups. They've yanked a bunch of recent packages (and their whole alpha.gnu.org ftp site), and when I asked about it they responded 'Our FTP server was compromised, yes. We are beginning to find good MD5sums for files which have not yet been restored, and they will be available again Real Soon Now. If you can provide MD5sums for any of the files listed in MISSING-FILES, it would be very much appreciated.' " Update the FSF has a statement on the FTP site explaining the matter.

12 of 752 comments (clear)

  1. Re:Correct MD5s by brechmos · · Score: 4, Insightful
    Yeah, but if enough people send in the same MD5 sums for each file, then it "should be" easy to confirm it is correct or not.

    Surely, there aren't that many dishonest people, and if there were, then it would be hard for them all to get together and come up with the same MD5.

  2. You're Kidding? by System+Control · · Score: 5, Insightful
    The Free Software Foundation's FTP site at ftp.gnu.org has been "compromised", and they don't seem to have full backups.

    Unbelievable. And I'm supposed to trust their methods and products with my enterprise?

    1. Re:You're Kidding? by Lxy · · Score: 4, Insightful

      While your post is somewhat trollish, I have to agree that this is an interesting prediciment for the FSF. To save face, I hope they post a detailed account of how they were cracked, and own up to their mistakes so they can all teach us what not to do. That's the power of openness :-)

      --

      There is no reasonable defense against an idiot with an agenda
      :wq
  3. Re:Correct MD5s by Henry+V+.009 · · Score: 4, Insightful

    The man of the million email addresses replies: Are they confirming MD5s in person, or over the phone, or by other electronic means? You have yet to master the art of paranoia, grasshopper.

  4. Re:the $64,000 question: by iii_rjm · · Score: 5, Insightful

    No. The real $64,000 question is why didn't they have reliable backups and a disaster recovery plan

  5. Re:Well that's good and all, but by Uruk · · Score: 5, Insightful

    I'll bet that 90% (or more) of all break-ins are the result of problems that could have been patched. Yeah, it sucks that this happened to GNU, but they're only human. Last I heard, they only have one system administrator to handle all of their machines, including Savannah. I can understand that this happens from time to time. GNU has to be a relatively high profile target (such as for disgruntled BSD h4x0rs and so on) so cut them some slack. If you patch 40 machines 99.9% of the time, nobody remembers that, what they remember is that you got cracked on one tiny detail you missed.

    At least they yanked the programs until they could verify that they were correct. That really was the only thing they could do. The lesson to take from this is that with computer security and auditing, nothing less than absolute perfection is necessary. And so long as human beings are doing the admin work, absolute perfection just isn't realistic. :)

    --
    -- Truth goes out the door when rumor comes innuendo. -- Groucho Marx
  6. How Long by jpmorgan · · Score: 4, Insightful
    How long was the server compromised and serving out possibly trojan-horse software before it was detected?

    Also nicely demonstrates the pointlessness (and stupidity) of serving out your MD5sums from the same machine.

  7. Re:Wait? I thought Linux was Secure?? by the_othergy · · Score: 5, Insightful
    the next time a virus is released that takes down 90% of Linux installs, and toasts most of the internet, let me know. Until then, your point isn't exactly valid
    The next time a virus takes down 90% of Windows installs and toasts most of the internet, let ME know...

    Though don't bother if it only toasts about 50% of Windows installs and bring down only a significant portion of the internet. That's becoming too common place.
  8. Re:Well that's good and all, but by bmj · · Score: 4, Insightful

    While I agree with the premise of the post, this is sort of thing that would get flamed to hell and back if the thread dealt with a Microsoft security breach (case in point, see yesterday's discussion about the RPC worm). According to that thread, being overworked, underpaid, or anything else is not an excuse for having an unpatched machine.

    --
    Whereof we cannot speak, thereof we must be silent. --Ludwig Wittgenstein
  9. Re:the $64,000 question: by vadim_t · · Score: 4, Insightful

    They shouldn't be.

    If a bug in IIS causes a remote exploit then that's a bug in IIS, and that's it. Now, if there's a bug in the Windows TCP/IP stack, networking components, some kernel call, etc, which causes an exploit then that *is* a bug in Windows.

    A bug in wu-ftpd doesn't just affect Linux. It will also affect the other supported platforms: BSD/OS 1.1, and 3.1, FreeBSD 2.2.6, SCO OpenServer 5.x, SCO UnixWare 2.1, Solaris 2.4, 2.5.1 and 2.6, Sun Sparc Platforms, Solaris 2.6, Solaris 2.5.1, SunOS 4.1.4

    The only real security vulnerabilities in Linux are the ones that affect only the kernel and Linux specific tools. Everything else is just a vulnerability in some other program.

  10. Easy to point out someone else's mistakes by ThePyro · · Score: 5, Insightful

    It's very easy to point out other people's "mistakes" like this, but I wonder how many people actually take all these various precautions that they're so quick to accuse others of not implementing?

    The fools! They forgot to install a firewall!
    The fools! They didn't purge all the old user accounts!
    The fools! They didn't install the latest security patch! On all the boxes in the office!
    The fools! They didn't require 10 character passwords, to be changed every 15 days!
    The fools! They didn't update their virus definition files! Within the last 24 hours!
    The fools! They didn't make triple-redundant off site backups!
    The fools! They didn't have a plan C!
    The fools! They don't know where their towel is!

    Now granted, if you're being paid the big bucks to think about nothing but information security all day then all of these things should probably cross your mind... but I would be willing to bet that most people who are so quick and proud to show off their shiny, impenetrable suit of dragon scales have a soft vulnerable spot on their bellies.

  11. Go easy on 'em... by chuckw · · Score: 4, Insightful

    Yeesh guys, go easy on these people. They bust their asses every day for us. Their GPL enforcement queue is usually about 50 cases deep. They're on the phones and on capital hill every day educating and lobbying industry groups and politicians. Say what you will about the GPL, you don't even have to like it or agree with it and perhaps you even think RMS is a narrow minded prick (for the most part RMS isn't even involved in the day to day operations at the fsf). They are making life easier for all of us.

    Rather than boast about all of the work they do, they quietly work behind the scenes just so you can play Monday morning quarterback. They have one fulltime systems administrator who is *INCREDIBLY* overworked. They are doing everything they can to keep the boat together. Last year they were over $315,000 in the red. Thanks to the FSF associate program and some skillful fundraising they're back in the black.

    Want to help? Go get your FSF associate membership. It's not that expensive and it goes a long way towards helping to protect your freedoms.

    Incidentally, this is also old news. They had MD5 sums verified, and the servers were patched up and back online almost two full weeks ago. None of the software was trojaned.

    Who am I? Just another hacker who bothered to pay for an associate membership (#1142)...

    --
    *Condense fact from the vapor of nuance*