Slashdot Mirror


FSF FTP Site Cracked, Looking for MD5 Sums

landley writes "The Free Software Foundation's FTP site at ftp.gnu.org has been "compromised", and they don't seem to have full backups. They've yanked a bunch of recent packages (and their whole alpha.gnu.org ftp site), and when I asked about it they responded 'Our FTP server was compromised, yes. We are beginning to find good MD5sums for files which have not yet been restored, and they will be available again Real Soon Now. If you can provide MD5sums for any of the files listed in MISSING-FILES, it would be very much appreciated.'" Update: The FSF has a statement on the FTP site explaining the matter.

5 of 752 comments

  1. You're Kidding? by System+Control · · Score: 5, Insightful
    The Free Software Foundation's FTP site at ftp.gnu.org has been "compromised", and they don't seem to have full backups.

    Unbelievable. And I'm supposed to trust their methods and products with my enterprise?

  2. Re:the $64,000 question: by iii_rjm · · Score: 5, Insightful

    No. The real $64,000 question is why didn't they have reliable backups and a disaster recovery plan?

  3. Re:Well that's good and all, but by Uruk · · Score: 5, Insightful

    I'll bet that 90% (or more) of all break-ins are the result of problems that could have been patched. Yeah, it sucks that this happened to GNU, but they're only human. Last I heard, they only have one system administrator to handle all of their machines, including Savannah. I can understand that this happens from time to time. GNU has to be a relatively high profile target (such as for disgruntled BSD h4x0rs and so on) so cut them some slack. If you patch 40 machines 99.9% of the time, nobody remembers that, what they remember is that you got cracked on one tiny detail you missed.

    At least they yanked the programs until they could verify that they were correct. That really was the only thing they could do. The lesson to take from this is that with computer security and auditing, nothing less than absolute perfection is necessary. And so long as human beings are doing the admin work, absolute perfection just isn't realistic. :)

    --
    -- Truth goes out the door when rumor comes innuendo. -- Groucho Marx
  4. Re:Wait? I thought Linux was Secure?? by the_othergy · · Score: 5, Insightful
    the next time a virus is released that takes down 90% of Linux installs, and toasts most of the internet, let me know. Until then, your point isn't exactly valid
    The next time a virus takes down 90% of Windows installs and toasts most of the internet, let ME know...

    Though don't bother if it only toasts about 50% of Windows installs and brings down only a significant portion of the internet. That's becoming too commonplace.
  5. Easy to point out someone else's mistakes by ThePyro · · Score: 5, Insightful

    It's very easy to point out other people's "mistakes" like this, but I wonder how many people actually take all these various precautions that they're so quick to accuse others of not implementing?

    The fools! They forgot to install a firewall!
    The fools! They didn't purge all the old user accounts!
    The fools! They didn't install the latest security patch! On all the boxes in the office!
    The fools! They didn't require 10 character passwords, to be changed every 15 days!
    The fools! They didn't update their virus definition files! Within the last 24 hours!
    The fools! They didn't make triple-redundant off site backups!
    The fools! They didn't have a plan C!
    The fools! They don't know where their towel is!

    Now granted, if you're being paid the big bucks to think about nothing but information security all day then all of these things should probably cross your mind... but I would be willing to bet that most people who are so quick and proud to show off their shiny, impenetrable suit of dragon scales have a soft vulnerable spot on their bellies.