Slashdot Mirror


FSF FTP Site Cracked, Looking for MD5 Sums

landley writes "The Free Software Foundation's FTP site at ftp.gnu.org has been "compromised", and they don't seem to have full backups. They've yanked a bunch of recent packages (and their whole alpha.gnu.org ftp site), and when I asked about it they responded 'Our FTP server was compromised, yes. We are beginning to find good MD5sums for files which have not yet been restored, and they will be available again Real Soon Now. If you can provide MD5sums for any of the files listed in MISSING-FILES, it would be very much appreciated.' " Update: the FSF has a statement on the FTP site explaining the matter.

7 of 752 comments

  1. Mirrors? by ryan76 · · Score: 3, Interesting

    Are there no mirrors of this site?

    --
    http://threetechguys.info Come, discuss Technology. Got a technology question? Come ask!
  2. This pisses me off more than it should. by Deadbolt · · Score: 5, Interesting

    Okay, this kind of shit makes me want to start throwing bricks. Cracking the GNU FTP server? Is nothing sacred anymore? I feel like someone burned down a church.

    They've done so much for humanity and some utter twit decides to compensate for his bad childhood by taking their server down.

    *goes off to dock another point from his faith in humanity*

    --
    "Honey, it's not working out; I think we should make our relationship open-source."
  3. Re:the $64,000 question: by saskwach · · Score: 4, Interesting

    Actually, this vulnerability had already been patched, just not on this particular server.

        iSEC Security Research reports that wu-ftpd contains an off-by-one bug in the fb_realpath function which could be exploited by a logged-in user (local or anonymous) to gain root privileges. A demonstration exploit is reportedly available.

    and patched August 31, 2003
  4. FTP (the protocol) is NOT the problem. by MartinG · · Score: 4, Interesting

    ftp as a protocol is far simpler to implement than ssh2 for example, so if you have no authentication to do, use ftp.

    Using ssl is good if you have e.g. passwords to hide, but other than that it just introduces complexity. More complexity tends to mean more possibility for bugs, which means more possible exploits.

    However, don't use bloated, over-complicated stuff like wuftpd etc. Something like vsftpd is /much/ better. It's very simple and designed from scratch to be secure above all else. afaik it has never had a security bug found, and I would say is as close to secure as it is possible to be.

    --
    -- MartinG To mail me: echo kewyjlcxyzvjfxbqwh | tr bcefhjklqvwxyz .@adgimnoprstu
  5. FSF systems by devphil · · Score: 5, Interesting
    They do have more than one sysadmin, but none of them are full-time, I believe.

    There are also some "interesting" schools of thought regarding security over in gnu.org land, and I'm sure there's tension between them as well. For example, savannah has to have some level of security, but their shell machine (not savannah) has almost zero "sysadmin-added" security: important configuration files are world-writable[*], because RMS doesn't believe in restricting individual actions of users on that machine. The only security is what's provided by the default installation, minus the world-writabilities.

    So it should come as no surprise that the shell machine has been compromised multiple times. All from local users exploiting holes. The most recent was done in April, but they didn't find out about it until a few weeks ago. They're still recreating accounts.

    I don't know about the ftp machine; I assume it's neither the same system as savannah nor the shell box. But it wouldn't surprise me to find the same situation: some important people at gnu.org don't believe in locking down machines, some important people do, but (gripping hand) it almost doesn't matter because none of them have the time to do so.

    (If you wonder why the GCC manuals, web pages, etc, on {savannah,www,ftp}.gnu.org are occasionally out of date, it's because gcc.gnu.org (the master) is not admin'd by the same group. Events like this are why it's not admin'd by the same group.)

    [*] Backups are done by having little Emacs hooks in comments in the files. When you edit the file -- and of COURSE you're using GNU/FSF Emacs, not XEmacs or any other editor in the world, cuz it's a gnu.org machine -- Emacs knows to make backup copies. I have no idea whether real backups are done, or how.

    --
    You cannot apply a technological solution to a sociological problem. (Edwards' Law)
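The world-writable configuration files devphil describes are the kind of thing a sysadmin can find (and fix) with a short audit. The following is an added example, not code from the post or from gnu.org's administrators; the directory tree it scans is constructed in the script itself, and `find_world_writable` / `strip_other_write` are hypothetical helper names.

```python
"""Audit a directory tree for world-writable regular files and optionally
remove the 'other' write bit.  Added example: the check a sysadmin would run
against /etc before trusting a box whose local users may rewrite its config."""
import os
import stat
import tempfile


def find_world_writable(root):
    """Return paths (relative to root, sorted) of regular files whose mode
    grants write permission to 'other'.  os.lstat is used so symlinks are
    not followed: a link to a writable file elsewhere is reported where the
    target actually lives, not here.  Directories are skipped deliberately;
    world-writable directories without the sticky bit are a separate audit."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_IWOTH:
                hits.append(os.path.relpath(full, root))
    return sorted(hits)


def strip_other_write(root):
    """Remediation: clear the o+w bit on every hit.  Returns the number of
    files changed so the caller can log what was touched."""
    changed = 0
    for rel in find_world_writable(root):
        full = os.path.join(root, rel)
        mode = os.lstat(full).st_mode
        os.chmod(full, stat.S_IMODE(mode) & ~stat.S_IWOTH)
        changed += 1
    return changed


def build_sample_tree():
    """Constructed /etc-like tree (sample data, not a real system):
    a normal 0644 file, a 0600 secret, and one 0666 config file."""
    root = tempfile.mkdtemp(prefix="etc-audit-")
    for name, mode in (("passwd", 0o644), ("shadow", 0o600), ("ftpd.conf", 0o666)):
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("# constructed sample file\n")
        os.chmod(path, mode)  # explicit chmod so the caller's umask is irrelevant
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    print("world-writable before:", find_world_writable(sample))
    print("fixed:", strip_other_write(sample))
    print("world-writable after:", find_world_writable(sample))
```

Run it against a real tree with `find_world_writable("/etc")`; on a machine administered the way the post describes, the list is the set of files any local user could have edited before the break-in was even noticed. Only the permission bits are inspected, so the audit is cheap enough to run from cron and diff against the previous run.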
  6. Re:Wait? I thought Linux was Secure?? by GigsVT · · Score: 3, Interesting

    It was fixed months ago. It was the local root ptrace exploit.

    The only reason they got cracked was because they allowed local shell accounts, and due to questionable reporting practices, an exploit was released before linux kernel people had a chance to fix it.

    --
    I've had enough abrasive sigs. Kittens are cute and fuzzy.
  7. Re:How Long by volkerdi · · Score: 3, Interesting

    Also nicely demonstrates the pointlessness (and stupidity) of serving out your MD5sums from the same machine.

    MD5 sums are only secure if they are provided through a secure channel (like within a GPG-signed message). Using a second machine to serve out the MD5 sums is only twice as safe (two machines to crack), and that's still not too safe.

    What I wonder is why they didn't sign accepted packages with GPG. I've been doing that for a while (well, since breaking-and-trojaning became fashionable).

    I hope when ftp.gnu.org comes back that it's with *.asc files next to all the archives...
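volkerdi's point is that a checksum list hosted next to the archives proves nothing once the host is compromised, and a second host only doubles the attacker's work. The script below is an added example, not code from the post or from the FSF: it parses an md5sum-style manifest (the format of the MISSING-FILES list the FSF asked for), verifies archives against it, and cross-checks manifests fetched from independent sources so that a single altered copy is flagged rather than trusted. The archives and manifests are constructed inside the script; `parse_manifest`, `verify` and `consensus` are hypothetical names. It does not implement signature checking: the manifest itself still has to be authenticated out of band, e.g. with `gpg --verify MD5SUMS.asc MD5SUMS` against a key obtained from somewhere other than the FTP server.

```python
"""Verify archives against md5sum/sha256sum-style manifests and cross-check
manifests from independent sources.  Added example, not FSF code."""
import hashlib
import os
import tempfile

HEX = set("0123456789abcdefABCDEF")


def parse_manifest(text):
    """Parse '<hexdigest>  <name>' (text mode) or '<hexdigest> *<name>'
    (binary mode) lines as written by md5sum/sha256sum; '#' lines and blank
    lines are ignored, anything else is rejected rather than guessed at."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.lstrip(" *")
        if not name or not digest or any(c not in HEX for c in digest):
            raise ValueError(f"malformed manifest line: {raw!r}")
        entries[name] = digest.lower()
    return entries


def hash_file(path, algo="md5"):
    """Stream the file through hashlib; algo may be any hashlib name, so the
    same verifier works when a project moves from MD5SUMS to SHA256SUMS."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify(manifest, directory, algo="md5"):
    """Return {name: 'ok' | 'mismatch' | 'missing'} for every manifest entry."""
    report = {}
    for name, expected in manifest.items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            report[name] = "missing"
        else:
            report[name] = "ok" if hash_file(path, algo) == expected else "mismatch"
    return report


def consensus(manifests):
    """Keep only entries on which every independent manifest agrees.  An entry
    absent from one source, or listed with different digests, is disputed.
    Agreement is not authentication: if every source was fed the same
    trojaned tarball this passes too, which is why a signature is needed."""
    names = set().union(*(m.keys() for m in manifests))
    agreed, disputed = {}, {}
    for name in sorted(names):
        digests = {m.get(name) for m in manifests}
        if len(digests) == 1 and None not in digests:
            agreed[name] = digests.pop()
        else:
            disputed[name] = sorted(d for d in digests if d)
    return agreed, disputed


def demo():
    """Constructed sample: two 'archives', a correct manifest from source A and
    a copy from source B in which one digest has been replaced."""
    workdir = tempfile.mkdtemp(prefix="gnu-mirror-")
    files = {"hello-1.0.tar.gz": b"constructed archive contents 1\n",
             "tar-1.13.tar.gz": b"constructed archive contents 2\n"}
    for name, data in files.items():
        with open(os.path.join(workdir, name), "wb") as fh:
            fh.write(data)
    good = {name: hash_file(os.path.join(workdir, name)) for name in files}
    manifest_a = "# MD5SUMS from source A (constructed)\n" + \
        "\n".join(f"{d}  {n}" for n, d in good.items())
    manifest_b = manifest_a.replace(good["tar-1.13.tar.gz"], "0" * 32)
    agreed, disputed = consensus([parse_manifest(manifest_a), parse_manifest(manifest_b)])
    report_a = verify(parse_manifest(manifest_a), workdir)
    report_b = verify(parse_manifest(manifest_b), workdir)
    return agreed, disputed, report_a, report_b


if __name__ == "__main__":
    for label, value in zip(("agreed", "disputed", "report A", "report B"), demo()):
        print(f"{label}: {value}")
```

The disputed set is the actionable output: one of the two sources, or the local copy, is wrong, and the verifier cannot tell which from hashes alone. That is exactly the gap a detached signature closes, and why the `*.asc` files the post asks for belong next to every archive.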