Slashdot Mirror
FSF FTP Site Cracked, Looking for MD5 Sums
landley writes "The Free Software Foundation's FTP site at ftp.gnu.org has been "compromised", and they don't seem to have full backups. They've yanked a bunch of recent packages (and their whole alpha.gnu.org ftp site), and when I asked about it they responded 'Our FTP server was compromised, yes. We are beginning to find good MD5sums for files which have not yet been restored, and they will be available again Real Soon Now. If you can provide MD5sums for any of the files listed in MISSING-FILES, it would be very much appreciated.' " Update the FSF has
a statement
on the FTP site explaining the matter.
Sure, I've got the "correct" MD5s right here. You trust me, don't you?
Did you know that some files are just about impossible to get anywhere else?
Are there no mirrors of this site?
http://threetechguys.info Come, discuss Technology. Got a technology question? Come ask!
GNU is the definitive location of loads of packages. Virtually everyone who uses Linux is potentially affected. It's as if Windows Update were cracked. I don't see anything on the main GNU page yet though...
I'll wait while the "wind0ze suX0rs!" 1337 Hackors try to make this sound insignificant to linux, but can blow up on MS when a virus is released.
Just a healthy reminder that nothing is 100% secure, so no point in pointing fingers (on MS OR linux).
Good quote, too many chars. Seriously, the slashdot 120 char limit sucks!
I know, I clicked on the link :)
Hmm odd...one day they speak of taking sco support out of gcc, the next their ftp server gets comprised, interesting.
"Real men don't use backups, they post their stuff on a public ftp server and let the rest of the world make copies." - Linus Torvalds
01101001 01100001 01101101 01101110 01101111 01110100 01100001 01101100 01100001 01110111 01111001 01100101 01110010
'compromised', the /. crowd would be laughing their heads off. Just goes to show that 'open source' or 'free software' isn't 100%, and the "no backups" just goes to show that poor sysadmin skills is not limited to proprietary platforms.
But do to some sort of wierd computer problem my machine keeps on restarting...
I will get around to fixing it sometime next week.
It's all good.
Taking a brief glance over my FreeBSD server, all of the entries in the Ports tree have the MD5SUMs in the "files" file. The Ports tree includes many many FSF software package installs.
Fully licensed blockchain psychiatrist
Hate it when that happends...
:D
Who wants to sell off some MD5 checksums off ebay? Let's make a few dallors!
This space is not for rent.
the list goes on abd on and...
now, grep for 'vi' : nothing, nada, null.
Of course, what do you think? This is a conspiracy orchestrated by VI lovers, to wipe out EMACS from the face of earth!
Move along folks, nothing to see here. alpha.gnu.org was cracked many months ago.
== I am not Me.
how did the crackers break into the ftp site? anyone know?
someone guessed the root password "itsGNUlinux!!!"
Crackers exploited this vunerability, there was even a patch available!!
There is no god
if you understand the headline
FSF FTP Site Cracked, Looking for MD5 Sums
You just might be a geek.
There is no reasonable defense against an idiot with an agenda
:wq
Okay, this kind of shit makes me want to start throwing bricks. Cracking the GNU FTP server? Is nothing sacred anymore? I feel like someone burned down a church.
They've done so much for humanity and some utter twit decides to compensate for his bad childhood by taking their server down.
*goes off to dock another point from his faith in humanity*
"Honey, it's not working out; I think we should make our relationship open-source."
Was he lying?
Only as much as a priest of a false religion is lying.
Microsoft servers _do_ get hacked more than Linux servers, but this is because there are far more MS servers of an identical configuration than there are Linux servers. They also tend to crash more--especially IIS.
So, Linux does get hacked, and there have been viruses written for Linux--but there are far far more hackers and virus-writers aimed at MS Windows as opposed to Linux.
Unbelievable. And I'm supposed to trust their methods and products with my enterprise?
Good God. The fact you can post that comment...no. You're just too much of an unthinking hero-worshipping idiot for me to finish. Yes, it was an inside job or a weak password. Anything except a vulnerability. Yes.
Not 100%, but 99.9%, sure.
Having just read the above, let me add: Let a thousand jokes be posted!
Dawn of the Dead
Well no OS is proof against shitty passwords or real bad practices (like not running backups). As usual the most important factor is the quality of your admin, not the OS.
It IS insignificant as far as security is concerned, because it's almost certainly an inside job or a password theft. It'd be insignificant even if it were on an MS-DOS webserver. The only reason this is on /., or is significant in any way, is that GNU is the victim and evidently they haven't been doing proper backups.
The compromise was probably a weak password or an inside job.
Which is why syslog should be on another secure computer, and dumped to paper in a locked room for high-security sites.
It won't help the recovery, but helps pinpoint the intrusion
What does apache, an http server, have to do with their ftp server being cracked?
But no, Apache isn't 100% secure. There is no such 100% server, except one unplugged from the net, encased in titanium, and buried beneath the Pacific seabed.
We would already be flooded with posts about how if this were a Microsoft server we would already be flooded with posts bashing Microsoft and talking about....oh, right, my bad.
Then next time you will catch the joke...
It's all good.
Why does the FSF not use a OpenPGP signature on the files and md5sum lists in their archives? Unless the key is kept on the same (compromised) host, then it becomes easy to figure out what files are valid, and what isn't.
a sed-4.0.7.tar.gz
BTW, here is my contribution:
> md5sum sed-4.0.7.tar.gz
005738e7f97bd77d95b6907156c8202
-molo
Using your sig line to advertise for friends is lame.
Or maybe, JUST FUCKING MAYBE , Linux isn't some sort of magical bug free OS where every buffer is checked, every race condition averted, and every service that runs on it is guaranteed bug free.
;)
That would be OpenBSD.
-- Will quantum computers run imaginary-time operating systems?
$ md5sum complete-gnu.tgzf complete-gnu.tgz
deadbeefdeadbeefdeadbeefdeadbee
- Peter Brodersen; professional nerd
I guess this blows the "slashdotters know what they are talking about" myth. Oh wait......
;-)
That myth existed? Seems fairly unlikely to me...
Hmmm. You mention Apache. This is an FTP server. What kind of tool runs an FTP server using web server software? So far as we know (given that there are no details of how the server compromise was carried out), this says nothing about the security of a particular FTP server software, Apache, GNU/Linux, or any other Free Software package.
:)
As is the case with most installations of MS Windows, other operating systems and pretty much any user level software, the security of the system is only as strong as the weakest link: usually that's the user (and the sysadmin falls into that group). Bad passwords, bad security policies, and lax attention to security patching affect every system because every system has users.
Why might Free Software Zealots be laughing when MS products are demonstrated to be insecure? Because people have paid MS billions of dollars for that software. MS has billions of dollars in the bank. You'd think a company with those kinds of resources could hire a few security experts-- or even a few thousand-- and have them really work out the bugs. Free Software, on the other hand, is largely produced as charity, costs little or nothing to obtain, and at least when the code is demonstrably insecure, you (the user) have both the means and the right to fix it. Not so with the expensive binaries you get from Redmond.
Oh, thanks for trolling. I assume this response is exactly what you were hoping for.
I do not have a signature
I'll wait while the "wind0ze suX0rs!" 1337 Hackors try to make this sound insignificant to linux, but can blow up on MS when a virus is released.
This is not at all insignificant. Of course more detail is really needed to asses the situation.
Here are two possible scenarios:
1. Some idiot with lots of access rights does something dumb like log in in the clear. I think this is unlikely, but if it did happen this guy (or girl) should be soundly beat about the head and shoulders.
2. The software they were running has some yet not found flaw (at least is was found by the crackers). Oh well, we need to look for it and fix it. There has probably not been a single piece of non-trivial software (not just OS) written that has not had some known or unkown security flaw waiting to be exploited.
As far as blowing up when a virus exploiting an MS vulnerability, it should be the MS users up in arms. Especially when they refuse to fix some of their systems, like NT4 (I know it is EOL'd, but this last one is a major problem).
In another thread I post a message criticizing incompetant/lazy sysadmins and now this get noticed (after nearly a week).
Could someone pass on to them that CDR/RW drives get put on sale at CompUSA for around $20 on a fairly regular basis? If you rebate the CDrs you can practically get them for free. DO A BACKUP ONCE IN A WHILE, SOMEBODY WILL BREAK LOOSE FOR THAT MUCH IN POCKETCHANGE!
It doesn't matter what you wrap your emotions around, Reality is a brick wall specifically designed to scramble eggs
...that the cream of IT people would do regular revolving backups, securing sessions and have a standalone staging enviroment for all their stuff should the connected setup get compromised. Especially files which are distributed into the entire world to run on bazillions of computers once released. That's all a big fat hairy bad-ass no-brainer.
Sorry, gnu.org team, no icecream tonight.
We suffer more in our imagination than in reality. - Seneca
Well, it will be as soon as they can remember the key combination for 'hack into VI web site' is. Now I know it's in here somewhere - is it M-~ h C-V...?
++ Say to Elrond "Hello.".
Elrond says "No.". Elrond gives you some lunch.
I have to admit, it's kinda funny. Firstly, NO one has posted what the heck FTP server they were using (which might be helpful to determine if it was a security hole.) Secondly, 'bout time this happened to one of the distributer sites. Though, a Linux bigot I may be, no OS (that I've seen) is 100% secure.
Now, MAYBE gnu will decide to write a GOOD automated backup system for no other reason than keeping their junk together. (and don't give me that tar crap. I know perfectly well what it's capable of. I want an OSS equiv to NetBackup) No backups! That's hilarious!! I wanna know what kinda beating the current admin is getting!
Well, hopefully they'll be able to get it pieced back together now. I'm sure it won't take more than a day to do so. Heck, I'll email my LUG and let the Deb folks spin MD5sums for a while to send over to 'em.
Enjoy the chaos! (Least only 1 person has managed to link this to SCO so far)
-What have you contributed lately?
No one's ever claimed Linux is 100% secure.
However, the next time a virus is released that takes down 90% of Linux installs, and toasts most of the internet, let me know. Until then, your point isn't exactly valid.
Endless arguments over trivial contradictions in books written by ignorant savages to explain thunder in the dark.
No. The real $64,000 question is why didn't they have reliable backups and a disaster recovery plan
maybe im missing something here...but don't most people backup their stuff?
i mean, all the posts here are about how insecure FSF is, or OPensource sucks...or windows sucks more...
what about the bloody principle of backing up your own software? let me guess, stallman and his crew has ONE FTP server, and they never back the bloody thing up? they should all be punished for such foolishness. nobody in a corporation would allow this...what would have happened if the harddrive crashed, or the raid crashed hard on that FTP ser4ver? the same thing!!!
asking the world for MD5 sums...
tsk tsk.
oh, and I use OPen Source just about everywhere, except my workstation (manditory windows). I run a chrooted Wu-FTPD, never had too much trouble either...but, we have a tape backup, just incase...
We're like rats, in some experiment! -- George Costanza
I like the idea of linux, and MS pisses me off, but am too ignorant to be a true geek...
but it seems to me that there's no meaningful comparison between an individual linux system being specifically attacked (maybe not even remotely) and brought down... and... every single XP computer with internet connection being susceptible by default to MSBlast... ?
Do you had tried PureFTPD? I'm newbie on Linux, and it was very easy to install and configure.
This FTPD focus on security: Unlike other popular FTP servers, the number of root exploits found since the very first released version is zero. (taken from its website)
drmad
not according to netcraft
They were using wu-ftp? That's a worse security hole magnet than sendmail or bind.
Need a Python, C++, Unix, Linux develop
I don't think it's that easy. What would prevent an attacker from modifying the md5sums that were present with the machine so that the backup then contained the modified md5sums of the trojaned applications?
No, the best solution is to have a separate, offline copy of known good md5sums to compare against. Ones that came directly from the developer, preferrably signed by the developer's GPG key.
-- Truth goes out the door when rumor comes innuendo. -- Groucho Marx
No you're not. You're not supposed to trust the FSF, you're supposed to trust commercial distributors like RedHat.
The FSF is the Free Software Foundation. They don't exist to help your business, they exist to provide... well... Free Software.
Whatever happens to FSF's own servers is completely irrelevant. Your distributor is the only thing that matters.
What I have heard in irc the cracker had user level access to system and used linux ptrace bug to gain root. It is sad that this happened. Cracker probably used at least some of GNU tools to do his work.
and patched August 31, 2003
I knew the open source community worked fast but that's just scary.
I'll bet that 90% (or more) of all break-ins are the result of problems that could have been patched. Yeah, it sucks that this happened to GNU, but they're only human. Last I heard, they only have one system administrator to handle all of their machines, including Savannah. I can understand that this happens from time to time. GNU has to be a relatively high profile target (such as for disgruntled BSD h4x0rs and so on) so cut them some slack. If you patch 40 machines 99.9% of the time, nobody remembers that, what they remember is that you got cracked on one tiny detail you missed.
:)
At least they yanked the programs until they could verify that they were correct. That really was the only thing they could do. The lesson to take from this is that with computer security and auditing, nothing less than absolute perfection is necessary. And so long as human beings are doing the admin work, absolute perfection just isn't realistic.
-- Truth goes out the door when rumor comes innuendo. -- Groucho Marx
leaving out the profanities, this isn't flamebait
Duhhh. "If it wasn't for the flames, this wouldn't be a flame."
Don't label something "offtopic" unless you know the topic well enough to tell what's on topic.
Okay, then it is likely a vulnerability, in which case I hope it is fixed soon; consider my words eaten. Vulnerabilities are ALWAYS worth noting, because though you can never find them all, the ones that are found can be sealed.
Depends on how you define secure. If a major windows site gets broken into like this, you don't hear about it. You only hear about Windows problems when a.) Microsoft decides to release a "security fix", or b.) when large corporations and state governments are brought to their knees.
The real story is (and this groks with your point, by the way), how do you trust someone trying to proselytize you with an alien philosophy of computer use when they still run wu-ftpd and don't do backups?
who are those slashdot people? they swept over like Mongol-Tartars.
You mean the $65,536...
How about a spell checker for slashdot, or even more impressive, a spell checker for strings in C-Code? Use lint! -DG
Uh, if the system was compromised a long time ago, then they can't really use 3rd parties to verify the files are correct - coz the 3rd parties have been getting the stuff from their server.
They have to recompile the stuff from the developers who hopefully have had better success in maintaining the integrity of their systems and data.
Also nicely demonstrates the pointlessness (and stupidity) of serving out your MD5sums from the same machine.
another piece of software from our big friend d.j.bernstein? tell you what, there is no way in hell that thing gets anywhere near my machine. djbdns sucks enough as it is
Turn that pee-cee thing off and go to bed RIGHT NOW!
/pull covers over head and laptop/
Yes mom....
Though don't bother if it only toasts about 50% of Windows installs and bring down only a significant portion of the internet. That's becoming too common place.
Wouldn't that be "GNPisNotthePassword"?
I choose to remain celibate, like my father and his father before him.
While I agree with the premise of the post, this is sort of thing that would get flamed to hell and back if the thread dealt with a Microsoft security breach (case in point, see yesterday's discussion about the RPC worm). According to that thread, being overworked, underpaid, or anything else is not an excuse for having an unpatched machine.
Whereof we cannot speak, thereof we must be silent. --Ludwig Wittgenstein
How about next time that happens to windows, in those numbers, you let me know. In the meantime, why don't you be a little more realistic and a little less biased in your numbers?
-----BEGIN PGP SIGNED MESSAGE-----
.tar.gz, .tar.bz2, diff's, etc.) on ftp.gnu.org with a known good data. The file, .asc, contains a list of files
... REASON]
Hash: SHA1
To the Free Software Community:
Summary
* gnuftp, the FTP server for the GNU project was root compromised.
* After substantial investigation, we don't believe that any GNU
source has been compromised.
* To be extra-careful, we are verifying known, trusted secure
checksums of all files before putting them back on the FTP site.
Events Concerning Cracking of Gnuftp
A root compromise and a Trojan horse were discovered on gnuftp.gnu.org,
the FTP server of the GNU project. The machine appears to have been
cracked in March 2003, but we only very recently discovered the crack.
The modus operandi of the cracker shows that (s)he was interested
primarily in using gnuftp to collect passwords and as a launching point to
attack other machines. It appears that the machine was cracked using a
ptrace exploit immediately after the exploit was posted on bugtraq.
(For the ptrace bug, an root-shell exploit available on 17 March 2003, and
a working fix was not available on linux-kernel until the following week.
Evidence found on the machine indicates that were cracked during that
week.)
Given the nature of the compromise and the length of time the machine was
compromised, we have spent the last few weeks verifying the integrity of
the GNU source code stored on gnuftp. Most of this work is done, and the
remaining work is primarily for files that were uploaded since early 2003,
as our backups from that period could also theoretically be compromised.
Historical Integrity Checks
We have compared the md5sum of each source code file (such as
ftp://ftp.gnu.org/before-2003-08-01.md5sums
in the format:
MD5SUM FILE [REASON,
The REASONs are a list of reasons why we believe that md5sum is good for
that file. The file as a whole is GPG-signed.
Remaining Files
The files that have not been checked are listed in the root directory as
"MISSING-FILES". We are in the process of asking GNU maintainers for
trusted secure checksums of those files before we put them in place.
We have lots of evidence now to believe that no source has been
compromised -- including the MO of the cracker, the fact that every file
we've checked so far isn't compromised, and that searches for standard
source trojans turned up nothing.
However, we don't want to put files up until we've had a known good source
confirm that the checksums are correct.
Alpha FTP Site
The Alpha FTP site at ftp://alpha.gnu.org/ has been a lower priority for
us, but we plan to follow the same procedure there.
- --
Bradley M. Kuhn, Executive Director
Free Software Foundation | Phone: +1-617-542-5942
59 Temple Place, Suite 330 | Fax: +1-617-542-2652
Boston, MA 02111-1307 USA | Web: http://www.gnu.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iD8DBQE/OnYb53XjJNtBs4cRAqplAJ95PHJhIwRiwjKBqSIx ZH SVlTOtxACgyouK
QAfYhiLJcwPHio6fsk+s2uY=
=DUMO
- ----END PGP SIGNATURE-----
It was an exploit in wu-ftp, not Linux, the story even says it was an FTP exploit. So yes, it was an unpatched vulenrability, but no, it was not in Linux.
Good people do not need laws to tell them to act responsibly, while bad people will find a way around the laws-Plato
This was modded as informative why? This is what it says on the FSF web site:
A root compromise and a Trojan horse were discovered on gnuftp.gnu.org,
the FTP server of the GNU project. The machine appears to have been
cracked in March 2003, but we only very recently discovered the crack.
The modus operandi of the cracker shows that (s)he was interested
primarily in using gnuftp to collect passwords and as a launching point to
attack other machines. It appears that the machine was cracked using a
ptrace exploit immediately after the exploit was posted on bugtraq.
(For the ptrace bug, an root-shell exploit available on 17 March 2003, and
a working fix was not available on linux-kernel until the following week.
Evidence found on the machine indicates that were cracked during that
week.)
Given the nature of the compromise and the length of time the machine was
compromised, we have spent the last few weeks verifying the integrity of
the GNU source code stored on gnuftp. Most of this work is done, and the
remaining work is primarily for files that were uploaded since early 2003,
as our backups from that period could also theoretically be compromised.
Call me old fashioned, but I like a dump to be as memorable as it is devastating - Bender
There are backups from before the crack.
If you want to give FSF $64,000, we could hire someone to implement a better plan. But we're not made of money.
Become a FSF associate member before the low #s are used
[root@localhost src]# cat md5sum
Dickie Stallman why do you make this possible? Start making money and fix your software!!
because anonymous ftp is the best way to let people download files? ftp server [theoretically] is much simpler than HTTP server (apache) and therefore is more secure. In this particular case I don't think that the FTP server APPLICATION was compromised. I think the FTP server (as in "computer serving ftp requests") was compromised.
I passed the Turing test.
Last time I checked, it was wu_ftpd that had the vulnerability, not Linux. It doesn't matter if you were running it on Cygwin, *BSD, HURD, or Linux. Geesh. Stop calling everything OS Linux, because it isn't.
You need to restart your computer. Hold down the Power button for several seconds or press the Restart button.
From http://ftp.gnu.org/MISSING-FILES.README
.tar.gz, .tar.bz2, diff's, etc.) on ftp.gnu.org with a known good data. The file, .asc, contains a list of files
... REASON]
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
To the Free Software Community:
Summary
* gnuftp, the FTP server for the GNU project was root compromised.
* After substantial investigation, we don't believe that any GNU
source has been compromised.
* To be extra-careful, we are verifying known, trusted secure
checksums of all files before putting them back on the FTP site.
Events Concerning Cracking of Gnuftp
A root compromise and a Trojan horse were discovered on gnuftp.gnu.org,
the FTP server of the GNU project. The machine appears to have been
cracked in March 2003, but we only very recently discovered the crack.
The modus operandi of the cracker shows that (s)he was interested
primarily in using gnuftp to collect passwords and as a launching point to
attack other machines. It appears that the machine was cracked using a
ptrace exploit immediately after the exploit was posted on bugtraq.
(For the ptrace bug, an root-shell exploit available on 17 March 2003, and
a working fix was not available on linux-kernel until the following week.
Evidence found on the machine indicates that were cracked during that
week.)
Given the nature of the compromise and the length of time the machine was
compromised, we have spent the last few weeks verifying the integrity of
the GNU source code stored on gnuftp. Most of this work is done, and the
remaining work is primarily for files that were uploaded since early 2003,
as our backups from that period could also theoretically be compromised.
Historical Integrity Checks
We have compared the md5sum of each source code file (such as
ftp://ftp.gnu.org/before-2003-08-01.md5sums
in the format:
MD5SUM FILE [REASON,
The REASONs are a list of reasons why we believe that md5sum is good for
that file. The file as a whole is GPG-signed.
Remaining Files
The files that have not been checked are listed in the root directory as
"MISSING-FILES". We are in the process of asking GNU maintainers for
trusted secure checksums of those files before we put them in place.
We have lots of evidence now to believe that no source has been
compromised -- including the MO of the cracker, the fact that every file
we've checked so far isn't compromised, and that searches for standard
source trojans turned up nothing.
However, we don't want to put files up until we've had a known good source
confirm that the checksums are correct.
Alpha FTP Site
The Alpha FTP site at ftp://alpha.gnu.org/ has been a lower priority for
us, but we plan to follow the same procedure there.
- --
Bradley M. Kuhn, Executive Director
Free Software Foundation | Phone: +1-617-542-5942
59 Temple Place, Suite 330 | Fax: +1-617-542-2652
Boston, MA 02111-1307 USA | Web: http://www.gnu.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iD8DBQE/OnbO53XjJNtBs4cRAkZaAJ0ZdQ98ZNe4GRgAT2bR 4h BHRqo/aQCglWnU
kmOLmrVCzPxrJ/S68R1q42w=
=+pu6
- ----END PGP SIGNATURE-----
[snip]
(For the ptrace bug, an root-shell exploit available on 17 March 2003, and a working fix was not available on linux-kernel until the following week. Evidence found on the machine indicates that were cracked during that week.)
Given the nature of the compromise and the length of time the machine was compromised, we have spent the last few weeks verifying the integrity of the GNU source code stored on gnuftp. Most of this work is done, and the remaining work is primarily for files that were uploaded since early 2003, as our backups from that period could also theoretically be compromised.
(emphasis added). So in other words, they were cracked in the brief space between the exploit post and the patch, and didn't find it right away. Now, they are carefully vetting all their backups from that period to remove any possibility that a compromised backup could be redistributed.
So, to answer your poorly-researched questions:
Which part of this would you not consider a disaster recovery plan?
Bzzt, Wrong. There are more Apache servers (by far) than IIS servers, and IIS gets more attacks - by over a four to one margin.
I said "of identical configuration."
How many Apachae instances are running exactly the same combination of modules?
ftp as a protocol is far simpler to implement than ssh2 for example, so if you have no authentication to do, use ftp.
/much/ better. its very simple and designed from scratch to be secure above all else. afaik it has never had a security bug found, and I would say is as close to secure as it is possible to be.
Using ssl is good if you have eg. passwords to hide, but other than that it just introduces complexity. more complexity tends to mean more possibility for bugs, which means more possible exploits.
However, don't use bloated, over-complicated stuff like wuftpd etc. something like vsftpd is
-- MartinG To mail me: echo kewyjlcxyzvjfxbqwh | tr bcefhjklqvwxyz
I'll sick my cat on them....
Don't become a regular here, you will become retarded. -- Yoda the Retard
They do have more than one sysadmin, but none of them are full-time, I believe.
There are also some "interesting" schools of thought regarding security over in gnu.org land, and I'm sure there's tension between them as well. For example, savannah has to have some level of security, but their shell machine (not savannha) has almost zero "sysadmin-added" security: important configuration files are world-writable[*], because RMS doesn't believe in restricting individual actions of users on that machine. The only security is what's provided by the default installation, minus the world-writabilities.
So it should come as no suprise that the shell machine has been compromised multiple times. All from local users exploiting holes. The most recent was done in April, but they didn't find out about it until a few weeks ago. They're still recreating accounts.
I don't know about the ftp machine; I assume it's neither the same system as savannah nor the shell box. But it wouldn't surprise me to find the same situation: some important people gnu.org don't believe in locking down machines, some important people do, but (gripping hand) it almost doesn't matter because none of them have the time to do so.
(If you wonder why the GCC manuals, web pages, etc, on {savannha,www,ftp}.gnu.org are occasionally out of date, it's because gcc.gnu.org (the master) is not admin'd by the same group. Events like this are why it's not admin'd by the same group.)
[*] Backups are done by having little Emacs hooks in comments in the files. When you edit the file -- and of COURSE you're using GNU/FSF Emacs, not XEmacs or any other editor in the world, cuz it's a gnu.org machine -- Emacs knows to make backup copies. I have no idea whether real backups are done, or how.
You cannot apply a technological solution to a sociological problem. (Edwards' Law)
This is another illustration of why Configuration Management should be beaten into the head of anyone taking Computer Science or Engineering. Many of the security problems I have to fix at customer sites are caused by systems having different versions, no one knowing what version is correct, not keeping backups, etc. This is not rocket science, folks. Buy a damn DVD-RW drive and back stuff up. Keep the checksums. Know what is the latest version.
End of sermon.
and proud of it... this has nothing to do with your post, it has to do with your sig. I can't stand misquotes, especially not from The Simpsons. You cannot simply say that the quote was from "The Simpsons", there have been 14 seasons of episodes to choose from. The quote in question was delievered by Superintendant Chalmers in Season 5, episode 19 "Sweet Seymour Skinner's Baadasssss Song" upon hearing Ned Flanders (the interim principle of Springfield elementary) thanking God for another glorious day.
Now that I have proven that my geek is bigger than yours, please for the love of the gods mod me down so no one else will ever be able to read this.
The chains are broken
Loki is free
Ragnarok is at hand...
being overworked, underpaid, or anything else is not an excuse for having an unpatched machine
RFTA before critisizing their admin(s):
Is the lack of a patch an excuse not to be patched?
They shouldn't be.
If a bug in IIS causes a remote exploit then that's a bug in IIS, and that's it. Now, if there's a bug in the Windows TCP/IP stack, networking components, some kernel call, etc, which causes an exploit then that *is* a bug in Windows.
A bug in wu-ftpd doesn't just affect Linux. It will also affect the other supported platforms: BSD/OS 1.1, and 3.1, FreeBSD 2.2.6, SCO OpenServer 5.x, SCO UnixWare 2.1, Solaris 2.4, 2.5.1 and 2.6, Sun Sparc Platforms, Solaris 2.6, Solaris 2.5.1, SunOS 4.1.4
The only real security vulnerabilities in Linux are the ones that affect only the kernel and Linux specific tools. Everything else is just a vulnerability in some other program.
Backups don't help if you don't know when you were cracked, and they don't help replace files which only exist after the crack if you can't verify that they weren't cracked. A comprehensive backup is not a magical wand that you can just wave to get back everything that could've been damaged by a crack or other catastrophic event. Backups are there to minimize losses. The FSF is doing what is right in this situation; they're not blindly trusting their backups. It's sad to see the ignorance in this thread where people assume that because they're asking for help that they don't even have any backups.
The FSF's admin is just savvy enough to realize what the limits of backups are. They are hoping that other people who may have downloaded these packages before the crack will have what the valid MD5s for them are. On the other hand, this isn't going to be a reliable answer for them either. People who have cracked binaries will report back the cracked sum. They have to look for files for which they get contradictory responses on. This isn't foolproof either thanks to malicious trolls who post false info and potentially cracked files for which no one responds with the correct MD5 to. I wish them good luck, but they are going to be carrying suspect data for a long time.
Read the link off of the Alpha site for more information on what they're doing and why. (Yes, Virginia, they did have backups.)
If it's for-profit but free, you're not the customer -- you're the product (e.g., the Slashdot Beta's "audience").
The whole idea of a mirror is that it actually mirrors what is on another site. If they've been rooted since March 2003, then it is somewhat unlikely that the www.mirror.ac.uk is actually going to have files any different than FSF.
Unless of course, the mirror hasn't been updated since sometime in mid-March.
It's very easy to point out other people's "mistakes" like this, but I wonder how many people actually take all these various precautions that they're so quick to accuse others of not implementing?
The fools! They forgot to install a firewall!
The fools! They didn't purge all the old user accounts!
The fools! They didn't install the latest security patch! On all the boxes in the office!
The fools! They didn't require 10 character passwords, to be changed every 15 days!
The fools! They didn't update their virus definition files! Within the last 24 hours!
The fools! They didn't make triple-redundant off site backups!
The fools! They didn't have a plan C!
The fools! They don't know where their towel is!
Now granted, if you're being paid the big bucks to think about nothing but information security all day then all of these things should probably cross your mind... but I would be willing to bet that most people who are so quick and proud to show off their shiny, impenetrable suit of dragon scales have a soft vulnerable spot on their bellies.
Neither the OP _nor_ the moderator think it important to note in front-page post that the box was compromised in _March_ 2003? Jeez, is this /. or -.?
Must-not-watch TV!
did you miss the "by default" part?
AFAIK, linux generally doesn't leave unsecure ports open by default. what happens if someone reinstalls XP at some point in the future - could MSBlast come back when all the fuss has died down?
I don't read a single second of usenet security groups, let alone 10 hours a week. SuSE YOU takes care of all that for me automatically.
I let YOU do updates automatically because I trust it, whereas I turn off Windows automatic updating because I don't. since when is Media Player 9 and IE6 a "critical" update? plus windows updates often require a restart, and many need to be applied one at a time.
once I did install IE6 to see what it was like and immediately there were another ~10 critical security updates that I required, so that was hardly a step forward for security imo.
They would be mirrors of the same compromised data, genius. If you'd have bothered to RTFA you'd see they backed up. But since the site was been compromised since 3/2003 the datasets backed up aren't 100% "clean".
Since the server was hacked sometime in March, even the backups have the possibility of being compromised. I doubt they keep 5+ months of nightly or even weekly backups sitting around.
Mirrors as a backup methodolgy have at least one fatal flaw which has been clearly exposed by this incident:
A mirror is a random (whenever the mirror was made) point in time back up. There is no assurance that at any given point in time in the future that a mirror is available in a particular point in time in the past. As a result, the answer to the question "do we have a backup" resolves to "maybe". Generally this sort of answer makes people squirm.
In this particular situation the problem is exacerbate by the fact that every release from march until NOW needs to reaquired from it's source becuase after march 2003 - the source repository and it's mirrors can no longer be considered safe.
Indeed, a very difficult situation to be in.
In order to answer Yes to the point in time question one must invest considerable cash in hardware and software to provide such backups.
The question isn't whether BSD is dying but whether people keep going back and realizing/appreciating all the elegance and cleverness in BSD's evolution. Sure, its dying, but it's constantly reincarnating too, isn't it!
Post a reply if you would like me to send you an RPM for a Red Hat compatible PORTS tree...
No really: I have lots of old FreeBSD CDROMs with a veritable history of (the best) GNU software and MD5 sums. I can go back to FreeBSD 2.2.2. Check your timeline. BSD subscribers save the day HA!
--- Nothing clever here: move along now...
The premise is wrong. Looks like neither of you read the explanation.
(For the ptrace bug, a root-shell exploit was available on 17 March 2003, and a working fix was not available on linux-kernel until the following week. Evidence found on the machine indicates that gnuftp was cracked during that week.)
This indicates that a patch was not available yet.
Yeesh guys, go easy on these people. They bust their asses every day for us. Their GPL enforcement queue is usually about 50 cases deep. They're on the phones and on capital hill every day educating and lobbying industry groups and politicians. Say what you will about the GPL, you don't even have to like it or agree with it and perhaps you even think RMS is a narrow minded prick (for the most part RMS isn't even involved in the day to day operations at the fsf). They are making life easier for all of us.
Rather than boast about all of the work they do, they quietly work behind the scenes just so you can play Monday morning quarterback. They have one fulltime systems administrator who is *INCREDIBLY* overworked. They are doing everything they can to keep the boat together. Last year they were over $315,000 in the red. Thanks to the FSF associate program and some skillful fundraising they're back in the black.
Want to help? Go get your FSF associate membership. It's not that expensive and it goes a long way towards helping to protect your freedoms.
Incidentally, this is also old news. They had MD5 sums verified, and the servers were patched up and back online almost two full weeks ago. None of the software was trojaned.
Who am I? Just another hacker who bothered to pay for an associate membership (#1142)...
*Condense fact from the vapor of nuance*
The FSF don't say (and probably shouldn't say) whether they know who did it. I hope they do, because if they don't the mistrust which will be engendered will cause a lot of unhappiness, and will distract maintainers from looking after the packages we all use.
If the FSF don't know, I hope the culprit has the guts to own up, and own up quickly.
I'm old enough to remember when discussions on Slashdot were well informed.
It was fixed months ago. It was the local root ptract exploit.
The only reason they got cracked was because they allowed local shell accounts, and due to questionable reporting practices, an exploit was released before linux kernel people had a chance to fix it.
I've had enough abrasive sigs. Kittens are cute and fuzzy.
Well, I must say that I've never met Mustafa at work... the people who run the UK Mirror Service are, however, there for all to see on the UKMS Crew Page
In all seriousness, you have until some time tonight (on BST, which is UTC+1) before we should be fully synced, including any files that have been pulled, with the source site. There are some exceptions, but I don't think they will apply in this case. And if any files were compromised, they are compromised on our servers as well.
WARNING: SHAMELESS PLUG: If you are a fan of the Mirror Service, or even just a user, please note the message on our homepage, as we are about to be able to serve even more users, at higher speeds.
We do have archival backups. But many packages were uploaded between when the machines were cracked and when we noticed the crack. That's mainly what we need.
Our backup process is flawed, but that's because we can't afford good backup hardware.
Become a FSF associate member before the low #s are used
here. I'd like people to contribute reasons they think OpenBSD is "the bestest thing for security since the NRA!!!!" and such. Contact information are at the top of the piece, have fun.
I just crawled out of a bad karma slump, and here I go getting myself back into it..