Slashdot Mirror


Gnome.org Compromised?

Garden GNOME writes "The GNOME sysadmin team has just announced that the main GNOME web server has probably been intruded into, leading to the shutdown of the GNOME website, (including bugzilla.gnome.org, art.gnome.org and developer.gnome.org). The GNOME mailing lists, and CVS servers seem to be up, though the FTP server was immediately taken down as a precautionary measure (released sources are believed to be intact). This is bad, because GNOME 2.6 was supposed to be released tomorrow. Let's hope it is a false alarm."

512 comments

  1. Should have been running a windows box by BurKaZoiD · · Score: 1, Funny

    ...woulda been uncrackable.

    1. Re:Should have been running a windows box by Anonymous Coward · · Score: 0

      I'd say the likelihood of you being a moron IS pretty high ... retard

    2. Re:Should have been running a windows box by DaHat · · Score: 2, Informative

      Heaven forbid that someone make a disparaging comment about Linux and make a joke about its stability/reliability/security with regards to windows where Linux looses.

    3. Re:Should have been running a windows box by Anonymous Coward · · Score: 0

      You think the only difference between Linux and OpenBSD is the kernel? Well, you're quite wrong then.

    4. Re:Should have been running a windows box by airrage · · Score: 1

      I always miss that rule, verb and noun have to agree, so it would be 'are' with morons (plural)?

      --
      "This isn't a study in computer science, it's a study in human behavior"
    5. Re:Should have been running a windows box by Anonymous Coward · · Score: 2, Insightful
      "I've got nothing against Linux... it's just its fan club I can't stand."


      You've never "discussed" Windows on Usenet, have you? Windows supporters outside of Slashdot are just as obnoxious and idiotic as the worst anonymous cowards here.

    6. Re:Should have been running a windows box by Anonymous Coward · · Score: 0

      it would be -are- if it was -likelihoods-

    7. Re:Should have been running a windows box by Anonymous Coward · · Score: 0

      Heaven forbid that you learn to spell.

    8. Re:Should have been running a windows box by Anonymous Coward · · Score: 0

      hkjhkjh

    9. Re:Should have been running a windows box by Anonymous Coward · · Score: 0

      How many times will comments like this get modded up? Every time someone makes EVEN A JOKE relating Windows to Linux, some delusional moron who thinks he's the lone voice of reason steps in and points out how Windows is CLEARLY superior to Linux. Of course he doesn't need any facts to back this up, he's the Voice of Reason. All hail lord DaHat.

    10. Re:Should have been running a windows box by Anonymous Coward · · Score: 0

      Weed and no, you may not. But thanks for the ad hominem attack, anyway.

    11. Re:Should have been running a windows box by Tandoori+Haggis · · Score: 2, Insightful

      AFAIK both Windows and Linux have their vulnerabilities, strengths and weaknesses. I've made my choice and you've made yours. That's cool.

      I've got nothing against windows fans it's just their operating system I can't stand

      --
      My hyperlinks aren't worth the paper they're printed on.
    12. Re:Should have been running a windows box by Foolhardy · · Score: 0, Troll

      He does have a point though; when was the last time Microsoft.com was hacked, or down? They run Windows and even IIS for their webserver. They must be doing something right.

    13. Re:Should have been running a windows box by wampus · · Score: 2, Insightful

      Dunno when the last time it was hacked. They didn't tell anyone.

    14. Re:Should have been running a windows box by Anonymous Coward · · Score: 0

      > ...woulda been uncrackable

      As opposed to a Linux box?

    15. Re:Should have been running a windows box by Anonymous Coward · · Score: 1, Informative

      You can read about some of the times it got hacked here. Hacked by Chinese anyone? The link lists over a dozen more.

    16. Re:Should have been running a windows box by Malek+the+Damned · · Score: 1

      This guy's got the right idea. I use both WinXP and Debian Linux, and I find that each has strengths and weaknesses.

      I happen to prefer Linux for most things (especially my servers), but that doesn't mean Windows has no place on my HDDs.

      I've said it before and I'll say it again: XP is a fairly decent OS if you can get past all the bugs, security holes, and DRM.

    17. Re:Should have been running a windows box by OmegaBlac · · Score: 1
      > ...woulda been uncrackable.

      Why "crack" when you can just use the "source"?
    18. Re:Should have been running a windows box by pAnkRat · · Score: 0, Flamebait

      uncrackable my ass....

      Why for pete's sake are they still using FTP?
      This is plain dumb.

      --
      we need an "-1 Plain wrong" moderation option!
    19. Re:Should have been running a windows box by wtrmute · · Score: 2, Insightful

      Now, now... There's no such thing as an uncrackable machine. Linux boxes can be compromised just as Windows boxes can. I think it's actually a good sign when the GNOME security team voluntarily takes steps to minimize damage even if it causes bad press. After all, they're trying to build good software, and shutting up about problems is not the way things get fixed.

    20. Re:Should have been running a windows box by Ice_Balrog · · Score: 1

      Heh. If it was Win, it would have been hacked, but no one would have known.

      --
      #include "sig.h"
  2. Blame windows by superpulpsicle · · Score: 5, Funny

    I guess the next version of longhorn will now look like GNOME.

    1. Re:Blame windows by 11223 · · Score: 4, Funny

      Imagine how damaging this could be if the intruders got the source code! Now Microsoft can view our source!

    2. Re:Blame windows by Anonymous Coward · · Score: 0

      but i thought microsoft released gnome under the GPL. is ur nam lunis torballs?

    3. Re:Blame windows by OurColon · · Score: 2

      Even Microsoft believes OSS increases security. W2K source code leaked my ass.

    4. Re:Blame windows by igloo-x · · Score: 0

      > Imagine how damaging this could be if the intruders got the source code! Now Microsoft can view our source!

      Don't worry, it's worthless anyway

    5. Re:Blame windows by Anonymous Coward · · Score: 0

      Our source? And which part of it did you write exactly???

  3. Ahh! by Anonymous Coward · · Score: 5, Funny

    Damn you KDE zealots!! Let us have our release!

    1. Re:Ahh! by useosx · · Score: 4, Funny

      It's KDE terrorists, thank you.

    2. Re:Ahh! by iminplaya · · Score: 2, Funny

      Sorry. It's KDE freedom fighters

      --
      What?
    3. Re:Ahh! by claygate · · Score: 1

      But KDE freedom fighters are KDE terrorists to the Gnome bunch.

    4. Re:Ahh! by Anonymous Coward · · Score: 0

      Let the jihad begin.

      Brought to you by the Iraqi Information Minister.

    5. Re:Ahh! by david.gilbert · · Score: 1

      Sorry. It's KDE militants.

    6. Re:Ahh! by f0rt0r · · Score: 1

      Dear KDE Freedom Fighter,

      Congratulations! You have just won a free vacation of undetermined length at our Guantanamo Bay resort, courtesy of Patriot Act Studios! Don't worry about travel plans, as several of our black-suited customer service specialists will be arriving at your door to escort you to the resort, all on our dime!

      --
      I can't afford a sig!
    7. Re:Ahh! by FurryFeet · · Score: 1

      So, they used to be french fighters?

    8. Re:Ahh! by AkaXakA · · Score: 1

      Didn't you get the memo?
      It's now the KDE Kracker Klan

    9. Re:Ahh! by alvint · · Score: 1

      if they were french fighters, gnome would have kicked kde's ass long ago.

  4. OK by big_groo · · Score: 0

    Who left the key under the mat?

  5. More info by after · · Score: 2, Interesting

    Does anyone know anything else about how this was done? What exactly was compromised? The word "compromised" has a braud meaning, more information would be interesting.

    Sucks, I was just going to go to art.gnome.org

    1. Re:More info by Anonymous Coward · · Score: 0

      > braud meaning

      Braud meaning what? What does braud mean?

      Broad/./?

    2. Re:More info by after · · Score: 0

      I meant broad, sorry.

    3. Re:More info by Anonymous Coward · · Score: 0

      You aren't a very good karma whore...

    4. Re:More info by Alan+Cox · · Score: 5, Informative

      More info will appear as the forensics are done.

      But to emphasize: cvs.gnome.org is a seperate system

    5. Re:More info by Anonymous Coward · · Score: 0

      > ok, alan. how many languages are you fluent in? (i mean natural languages)

      25, not counting Elvish, Minbari, and Klingon.;-)

    6. Re:More info by cbrocious · · Score: 1

      Although it may be a seperate system, depending on how long ago this intrusion happened, loggers could've been put in place to get passwords for other boxen on the network. Hopefully this didn't happen, but it's possible.

      --
      Disconnect and self-destruct, one bullet at a time.
    7. Re:More info by Alan+Cox · · Score: 3, Informative

      It's also on a seperate switched port 8)

    8. Re:More info by Anonymous Coward · · Score: 0

      Very 'creative', but the word is broad, not braud. Not every word is spelt the way your brain fucking well imagines it.

    9. Re:More info by ae · · Score: 2, Interesting

      As you surely know, switched ethernet does not provide any real additional security, since you can do the same sniffing as on a hub using ARP spoofing. (Unless you have taken special precautions to detect ARP spoofing, that is.)

      --
      Blog Ho
    10. Re:More info by Anonymous Coward · · Score: 1, Informative
      I'm usually not a grammar fascist, but members of the security community are among the worst offenders and their misuse of the word "forensic" is particularly annoying. First, "forensics" is not a word, because "forensic" is an adjective, not a noun. Second, "forensic" describes something used in legal proceedings or public rhetoric. It does not describe general investigation. For example, the phrase "forensic eloquence" can be used to describe writing or speech that is carefully-crafted and well-presented (much like a legal argument), but it does not describe a manner of finding evidence.

      I realize this is potentially annoying and I intend no offense.

    11. Re:More info by Anonymous Coward · · Score: 0

      Yes, not only a separate system, but a very bad one (updated once a day).

    12. Re:More info by Alan+Cox · · Score: 3, Informative

      I do know. I think I may even have been the first person to post a good explanation of how to sniff switched networks to bugtraq in fact 8)

      There was arp monitoring stuff running too
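
The ARP monitoring discussed in this exchange, sketched as an added example (it is not from the thread and is not the GNOME admins' tooling). It assumes `(timestamp, ip, mac)` observations have already been collected from ARP replies on the segment; the sample data, alert names and 60-second window are constructed for illustration.

```python
from collections import defaultdict

# Constructed observations: (seconds, IP, MAC) as seen in ARP replies.
# 192.0.2.1 plays the gateway; the .20 host's MAC later answers for it.
SAMPLE_OBSERVATIONS = [
    (0, "192.0.2.1", "02:00:00:00:00:01"),
    (1, "192.0.2.10", "02:00:00:00:00:10"),
    (2, "192.0.2.20", "02:00:00:00:00:20"),
    (100, "192.0.2.1", "02:00:00:00:00:20"),   # gateway IP rebinds
    (105, "192.0.2.1", "02:00:00:00:00:01"),   # real gateway answers again
    (110, "192.0.2.1", "02:00:00:00:00:20"),   # and is overridden again
    (5000, "192.0.2.10", "02:00:00:00:00:11"), # plausible NIC replacement
]


def normalise_mac(mac):
    """Lower-case, colon-separated form so comparisons are exact."""
    return mac.strip().lower().replace("-", ":")


def detect_arp_anomalies(observations, window=60, multi_ip_ok=frozenset()):
    """Return alerts as (ts, kind, ip, mac, detail) tuples.

    kind is one of:
      changed       an IP moved to a MAC never bound to it before, or
                    moved back after a quiet period
      flip-flop     an IP bounced back to an earlier MAC within `window`
                    seconds of its last change (two stations both
                    answering for the same address)
      multiple-ips  one MAC started answering for a second IP
    `multi_ip_ok` lists normalised MACs that legitimately hold several
    addresses (routers doing proxy ARP, hosts with IP aliases).
    """
    current = {}                    # ip -> MAC currently bound
    seen = defaultdict(set)         # ip -> every MAC ever bound to it
    last_change = {}                # ip -> time of the latest rebinding
    ips_by_mac = defaultdict(set)   # mac -> IPs it has answered for
    alerts = []

    for ts, ip, mac in sorted(observations):
        mac = normalise_mac(mac)
        old = current.get(ip)
        if old is not None and old != mac:
            recent = ts - last_change.get(ip, float("-inf")) <= window
            kind = "flip-flop" if (mac in seen[ip] and recent) else "changed"
            alerts.append((ts, kind, ip, mac, "was " + old))
            last_change[ip] = ts
        current[ip] = mac
        seen[ip].add(mac)

        if ip not in ips_by_mac[mac]:
            ips_by_mac[mac].add(ip)
            if len(ips_by_mac[mac]) > 1 and mac not in multi_ip_ok:
                others = ", ".join(sorted(ips_by_mac[mac] - {ip}))
                alerts.append((ts, "multiple-ips", ip, mac, "also " + others))
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_anomalies(SAMPLE_OBSERVATIONS):
        print("%6d  %-12s %-11s %s  (%s)" % alert)
```

A single "changed" alert is often benign (replaced hardware, DHCP reuse); the flip-flop on a gateway address together with one MAC holding two IPs is the combination worth paging on.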

    13. Re:More info by Anonymous Coward · · Score: 0

      All together now, "There's 'a rat' in separate!"

    14. Re:More info by Anonymous Coward · · Score: 0

      he's got a rat, duh, it's the "par" he's missing.

    15. Re:More info by Anonymous Coward · · Score: 0

      Heh, the student tries to teach the master. Here's a hint guys, Take what Alan says as law, for your mere existence on this medium is solely because he chooses it to be so.

      Smack'em down Alan! (even tho' I'm a KDE guy myself), and for the GP Poster, you got taken to school, and Alan drove the bus!

    16. Re:More info by alex_tibbles · · Score: 0, Flamebait

      I do not read Welsh. I looked at your diary and thought "Aha! Google translation will help". Oh no it doesn't. I think that either the english on the page tricks it, or perhaps the meta-data DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN", too? Of course, google translation may not support Welsh.

  6. Shouldn't that read... by Anonymous Coward · · Score: 5, Funny

    Shouldn't that read Gnome.org Kompromised? No, no, that's KDE. It should read Gnome.org Gnompromised.

    1. Re:Shouldn't that read... by FooAtWFU · · Score: 4, Funny

      No, if the KDE folks are behind it, as some have jokingly speculated, Kompromised would work. :)

      --
      The World Wide Web is dying. Soon, we shall have only the Internet.
    2. Re:Shouldn't that read... by Anonymous Coward · · Score: 0

      bunch of flat-nose code writing ape niggahs over there done hacked the gNome.

    3. Re:Shouldn't that read... by dohcvtec · · Score: 1

      ... bad gnus for GNOME.org

      --
      -- Never hit a man with glasses. Hit him with a baseball bat.
  7. Hrmm by 222 · · Score: 2, Funny

    This has got to be the work of those KDE bastards!

    1. Re:Hrmm by Jukeb0x · · Score: 1

      Yes.. I'm afraid the KDE Sith Knights are finally attacking :( May the force be with us all!

    2. Re:Hrmm by frankmu · · Score: 1

      they probably defaced the index page and replaced gnome with knome

      --
      Supreme executive power derives from a mandate from the masses, not from some farcical aquatic ceremony.
    3. Re:Hrmm by phalse+phace · · Score: 0

      So what you're saying is that the gnome.org servers were Kompromised by the KDE people, right?

    4. Re:Hrmm by srinivas_rc · · Score: 1

      you must update your knowledge. Bengali is spoken by most of the people in Bangladesh and in West Bengal (state) in India.

      --
      I could change the world, but GOD won't give me the source code :(
    5. Re:Hrmm by zephc · · Score: 1

      which, because of English peculiarities, both sound the same. Unless you're a 'tard and pronounce 'gnome' as 'guh-nome'

      --
      "I would say that 99 per cent of what my father has written about his own life is false." - L. Ron Hubbard Jr.
    6. Re:Hrmm by Anonymous Coward · · Score: 0

      well for a start I think there are over 200 million Bengali speakers (from a quick web search ... www.localization-translation.com) that's about 1/5 of the number of English speakers or more than the French and German speakers put together .... oh yeah and the same group doing KDE internationalization for Bengali are also doing Gnome ..... (www.bengalinux.org).

      You really have to get out in the world more ....

    7. Re:Hrmm by jrockway · · Score: 1

      Guh-nome is the correct pronunciation namely because the G is from/stands for GNU (Guh-new). There's a page at their site, but it's down now :)

      --
      My other car is first.
    8. Re:Hrmm by zephc · · Score: 1

      except 'gnu' (as in the animal) is *supposed* to be pronounced 'noo' or 'nyoo'

      --
      "I would say that 99 per cent of what my father has written about his own life is false." - L. Ron Hubbard Jr.
  8. blame Miguel and Novel by Anonymous Coward · · Score: 0

    I read on an irc channel that this was in response to Miguel insistence to use .NOT for gnome.

  9. old news... by Anonymous Coward · · Score: 0

    The GNOME sysadmin team
    23 March 2003

    Oh come on, someone find a dupe, hurry!

  10. I predict: by Neil+Blender · · Score: 4, Insightful

    The Slashbots will point blame at the admins. However, if it were Microsoft...

    1. Re:I predict: by Anonymous Coward · · Score: 1, Funny

      I predict the Slashbots will overwhelmingly blame Microsoft, and all their posts will receive (+5 Insightful)

    2. Re:I predict: by Anonymous Coward · · Score: 1, Funny

      I predict the slashbots will talk about the hypocrisy of slashbots.

    3. Re:I predict: by Anonymous Coward · · Score: 1, Insightful

      My guess is that Microsoft was behind this. They wanted to get their hands on that release before anyone else could. We've seen this before, we see it now, and we'll see it again without a doubt

    4. Re:I predict: by zurab · · Score: 1
      > My guess is that Microsoft was behind this.

      Nonsense. It's clearly SCO trying to inject their Sys V code into GNOME and then sue all its users.
    5. Re:I predict: by Anonymous Coward · · Score: 0

      But Microsoft have also been suspected to be behind the SCO actions. +1, Insightful

    6. Re:I predict: by Bull999999 · · Score: 1

      Right you are! It's Microsoft's fault that I overcooked my steaks last night.

      --
      1f u c4n r34d th1s u r34lly n33d t0 g37 l41d
    7. Re:I predict: by Trolling4Dollars · · Score: 1

      Of course, since Darl and his flying monkey lawyers haven't a clue about what Linux is (they seem to imply that ALL free/open software is "Linux"), they WILL try to inject "their code" into any free software and then claim that it's theirs because it's Linux! Here's an open message to Darl:

      Blow me.

    8. Re:I predict: by aardvarkjoe · · Score: 1

      Don't be stupid. It was obviously Ashcroft's doing. And he had the support of the RIAA.

      --

      How can we continue to believe in a just universe and freedom to eat crackers if we have no ale?
    9. Re:I predict: by FooBarWidget · · Score: 1

      If it were Microsoft then Slashbots will make it sound like it's a minor issue and pretend nothing significant happened, while flaming Linux down for being insecure.

  11. Sometimes acronyms are too much... by _Sharp'r_ · · Score: 5, Funny


    Am I the only one who started picturing little lawn ornament men being caught in embarrassing positions?

    Shades of Toy story....

    --
    The party of stupid and the party of evil get together and do something both stupid and evil, then call it bipartisan.
    1. Re:Sometimes acronyms are too much... by zoloto · · Score: 1

      actually check out my post below, but the Gnome Liberation Front may have been involved!
      Check out these stories!

      Pretty cool eh?

    2. Re:Sometimes acronyms are too much... by Anonymous Coward · · Score: 0

      WOW THAT JOKE IS SO ORIGINAL. +5, ORIGINAL!

      Lameness filter encountered. Post aborted!
      Reason: Don't use so many caps. It's like YELLING.

    3. Re:Sometimes acronyms are too much... by Anonymous Coward · · Score: 0

      Phew! Thank goodness I'm not the only one..

    4. Re:Sometimes acronyms are too much... by Anonymous Coward · · Score: 0

      Yes you are. The white van will be here shortly.

    5. Re:Sometimes acronyms are too much... by Anonymous Coward · · Score: 0

      Thinking of that travel commercial with the little gnome guy in it:

      ["click click" of slide projector is heard, slide projected on wall is of a LAWN GNOME bent over, his pants around his ankles...]
      GNOME [voice over] : Oh heavens, I seem to have been terribly drunk, so terribly drunk again.

    6. Re:Sometimes acronyms are too much... by budgenator · · Score: 2, Funny

      The biggest problem with these terrorists is that the "liberated" Gnomes are thoroughly domesticated and unable to survive in the wild on their own. The police agencies frequently are reduced to holding the gnomes until their owners claim them in facilities unsuitable for the well-being of gnomes such as boxes kept in dark dusty evidence rooms. Many owners never claim them, dooming the gnomes to live out their lives in pathetic gnome refugee camps.

      The Gnomes would be better served if the gnome liberation front merely protested against the few owners who abuse their gnomes rather than trying to liberate gnomes from their loving families.

      --
      Apocalypse Cancelled, Sorry, No Ticket Refunds
    7. Re:Sometimes acronyms are too much... by Anonymous Coward · · Score: 0

      Gnomes and underpants, it's like ham and cheese.

  12. CRC by oO+Peeping+Tom+Oo · · Score: 3, Interesting

    I wonder if they have CRC'd the source and bins yet? Christ, who attacks OPEN SOURCE? Oh....heh.

    1. Re:CRC by bersl2 · · Score: 1

      GNU.org ftp server... check
      Linux kernel backdoors... mixed results
      [Some distro's] entire infrastructure... check
      GNOME's web site... check

      Who attacks open source?
      A) A pathological hacker
      B) Someone with a really big ego
      C) Someone commissioned to sabotage open source

      Take your pick.

    2. Re:CRC by JamesHenstridge · · Score: 4, Informative

      The script used to upload files to the master FTP site also mailed MD5 sums to a mailing list hosted on another machine. That script doesn't appear to have been altered (to insert a backdoor, the script would need to repack the tarballs with an exploit on the fly), so the MD5 sums from that mailing list should be reliable.
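
The check this comment relies on, written out as an added example (not code from the thread or from GNOME's upload script): compare the tarballs on a server with a digest list that was delivered through a separate machine. File names, contents and the `md5sum`-style list format are constructed assumptions; MD5 is the default only because it is the algorithm the comment names, and `algo` accepts any `hashlib` name.

```python
import hashlib
import hmac
import os
import re
import tempfile

# One list line in md5sum(1) style: "<hex digest>  <file name>".
# A leading "*" on the name (binary-mode marker) is ignored.
LINE_RE = re.compile(r"^([0-9a-fA-F]{32,128})\s+\*?(\S.*)$")


def parse_manifest(text):
    """Return ({name: digest}, [rejected lines]) from digest-list text."""
    digests, rejected = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        # Names with path separators are refused so the list can only
        # ever refer to files inside the directory being checked.
        if not m or "/" in m.group(2) or "\\" in m.group(2):
            rejected.append(raw)
            continue
        digests[m.group(2)] = m.group(1).lower()
    return digests, rejected


def file_digest(path, algo="md5", chunk=1 << 16):
    """Hash a file in chunks so large tarballs are not read into memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_release(directory, manifest_text, algo="md5"):
    """Classify every listed and every present file.

    ok        digest matches the independent list
    mismatch  file exists but its content differs from what was uploaded
    missing   listed but absent from the directory
    unlisted  present on the server but never announced
    malformed list lines that could not be trusted or parsed
    """
    expected, rejected = parse_manifest(manifest_text)
    on_disk = {n for n in os.listdir(directory)
               if os.path.isfile(os.path.join(directory, n))}
    report = {"ok": [], "mismatch": [], "missing": [],
              "unlisted": sorted(on_disk - set(expected)),
              "malformed": rejected}
    for name, digest in sorted(expected.items()):
        if name not in on_disk:
            report["missing"].append(name)
            continue
        actual = file_digest(os.path.join(directory, name), algo)
        key = "ok" if hmac.compare_digest(actual, digest) else "mismatch"
        report[key].append(name)
    return report


def demo(algo="md5"):
    """Build a constructed release directory, alter it, and verify it."""
    original = {
        "example-a-1.0.tar.gz": b"contents of a",
        "example-b-1.0.tar.gz": b"contents of b",
        "example-c-1.0.tar.gz": b"contents of c",
    }
    # The list as it would have been mailed at upload time, plus two
    # lines that must be rejected rather than silently skipped.
    lines = ["%s  %s" % (hashlib.new(algo, data).hexdigest(), name)
             for name, data in original.items()]
    lines += ["deadbeef  short-digest.tar.gz", "0" * 32 + "  ../outside.tar.gz"]
    with tempfile.TemporaryDirectory() as d:
        for name, data in original.items():
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(data)
        # Changes made after upload (constructed): one file altered,
        # one removed, one added that was never announced.
        with open(os.path.join(d, "example-b-1.0.tar.gz"), "wb") as fh:
            fh.write(b"contents of b, repacked")
        os.remove(os.path.join(d, "example-c-1.0.tar.gz"))
        with open(os.path.join(d, "example-d-1.0.tar.gz"), "wb") as fh:
            fh.write(b"never announced")
        return verify_release(d, "\n".join(lines), algo)


if __name__ == "__main__":
    for status, names in demo().items():
        print("%-9s %s" % (status, names))
```

The result is only as trustworthy as the list itself, which is why the comment stresses that the list lived on another machine and that the mailing script was unaltered.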

  13. Re:Boo, Hiss. by 0x0d0a · · Score: 4, Insightful

    Well...I suppose that if this is a new vulnerability, it's better that they go after a high-profile webserver with a good admin team that can catch the attack than that they attack many poorly-adminned ones.

  14. text copy by Anonymous Coward · · Score: 5, Informative

    We've discovered evidence of an intrusion on the server
    hosting www.gnome.org and other gnome.org websites.
    At the present time, we think that the released gnome
    sources and the gnome source code repository are unaffected.

    We are investigating further and will provide updates
    as we know more. We hope to have the essential services
    hosted on the affected machine up and running again as soon
    as possible.

    The GNOME sysadmin team
    23 March 2003

    1. Re:text copy by David+McBride · · Score: 1, Funny

      > 23 March 2003

      A year old?

    2. Re:text copy by Anonymous Coward · · Score: 0

      From: Owen Taylor
      To: gnome-announce-list gnome org
      Subject: Intrusion on www.gnome.org
      Date: Tue, 23 Mar 2004 13:52:28 -0500

      We've discovered evidence of an intrusion on the server
      hosting www.gnome.org and other gnome.org websites.
      At the present time, we think that the released gnome
      sources and the gnome source code repository are unaffected.

      We are investigating further and will provide updates
      as we know more. We hope to have the essential services
      hosted on the affected machine up and running again as soon
      as possible.

      The GNOME sysadmin team
      23 March 2003


      Just a typo by the email's author.

    3. Re:text copy by Anonymous Coward · · Score: 0

      no wonder their system is compromised ... they don't even know what day it is

    4. Re:text copy by Anonymous Coward · · Score: 0

      Who posted the parent? Why is the parent considered informative? The parent has no merit because it was posted as Anonymous Coward.

    5. Re:text copy by Anonymous Coward · · Score: 0

      And the text of the update:

      A quick status update on the situation:

      * No additional damage has been discovered; at the current time we are cautiously hopeful that the compromise was limited in scope.

      * ftp.gnome.org is back on now that we have additional confidence in the integrity of the tarballs.

      * We've now restored a number of services running on a replacement machine

      - Websites including www.gnome.org, and developer.gnome.org are back up in limited service; dynamic content is still off so some parts may be inaccessible.

      - planet.gnome.org is again providing all your favorite blogs and gossip.

      - Bugzilla is in testing mode; we hope to restore general access in the next day.

      Thanks for your patience; we'll continue to provide updates as we move back to fully operational status.

      The GNOME sysadmin team
      24 March 2004

  15. Re:Boo, Hiss. by Anonymous Coward · · Score: 3, Insightful

    if Linux boxes were not attacked security would not be as good. Look at this in a positive manner. At least on Linux the problem will be remedied within hours and life goes on.

  16. This wouldn't happen by Anonymous Coward · · Score: 0

    ... if they weren't using an insecure OS like Windows for all their development work.

  17. At least now by Ethernet_Jedi · · Score: 5, Insightful

    At least they caught it now, instead of after the release. Now the code can be checked before it goes out, instead of everyone worrying about whether they downloaded compromised code

    1. Re:At least now by ernstp · · Score: 1

      I think the code already is out. At least it's already done.

      The REAL Gnome-2.6-is-done date was 22:nd and the Put-out-pressrelease date is tomorrow, 24:th. They are probably waiting for the mirrors to sync.

      Yeah, look here, the mirrors have synced.
      http://ftp.belnet.be/mirror/ftp.gnome.org/sources/gnome-desktop/2.6/

      So, hopefully Gnome 2.6 was out before the "compromise"...

    2. Re:At least now by Menthos · · Score: 1

      Indeed, GNOME 2.6 will only be announced after the tarballs have been verified not to be compromised. And the good news is that so far at least there's no evidence for that being the case.

      --

      GNU/Linux. The Freshmaker.

  18. Re:Help! by Anonymous Coward · · Score: 0

    uhm, check ask slashdot a few days ago. someone actually asked that same question, got some good replies.

    (yes i know you're joking, this is just so people know i am too)

  19. And naturally if somehow microsoft.com was by Anonymous Coward · · Score: 0

    compromised you'd all be laughing your asses off. Gee, I thought all this Open Source stuff was supposed to be secure!

  20. Just Wrong by SlydogSZ · · Score: 5, Funny

    A Compromised Gnome. The image is just wrong.

  21. well, what do you expect? by tlord · · Score: 1

    Maybe this will turn out to be a non-event
    but, in general, the development community
    is a very tempting target.

    Actually, break-ins are crude. Subtly malicious
    code is the sophisticated approach.

  22. A Wakeup Call. by jellomizer · · Score: 1

    Well I hope it is a good wake-up call to some of those people who are running the server. That it doesn't matter what OS they are running, that they still need to take security seriously. Unfortunately this can make Linux look bad; with a lot of eyes on Gnome for desktop Linux, having a security breach can make a lot of people skeptical of taking the time to switch to another OS if they figure that one is just as insecure as the other. If it was some script kiddie's little Linux box that got hacked we can go, well, he probably didn't configure it properly or turned off the security on it to make administration easier. But with something as visible as the Gnome project you need to be more careful and put a little more time into administering the system right.

    --
    If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    1. Re:A Wakeup Call. by Anonymous Coward · · Score: 0

      Nah. Gnome isn't running their web servers. This would fall squarely on Apache I would think.

  23. Gnome 2.6 by potpie · · Score: 3, Funny

    ...Gnot today.

    It's a bit disappointing that somebody was able to compromise their gnetwork, but i guess gno system can be completely secure. I only hope people would stop putting G's in front of all the N words they use when they're talking about Gnome. It's getting on my gnerves.

    --
    Esoteric reference.
    1. Re:Gnome 2.6 by Anonymous Coward · · Score: 1, Funny

      Gnigga please!

  24. bad for gnome by zoloto · · Score: 2, Funny

    It may have been the GLF. They've been causing problems in europe..

    Now the internet? Guess I'm not the only one waiting for the new release!

    FREE THE GNOME!!!

  25. Bad news... by Erwos · · Score: 5, Insightful

    But, just like in previous break-ins to other systems (Gentoo, Debian, Savannah), they're taking the correct actions by shutting everything down and BEING CAREFUL. I often wonder if commercial companies are always this fastidious.

    You can't beat all the crackers, but handling a bad situation correctly should be commended. Good job, GNOME team!

    I'm eagerly awaiting 2.6, too, I may add! :)

    -Erwos

    --
    Plausible conjecture should not be misrepresented as proof positive.
    1. Re:Bad news... by MyFourthAccount · · Score: 1

      > You can't beat all the crackers

      Heh, now there's a sentiment you rarely hear when certain other software is involved.

      (I agree though)

    2. Re:Bad news... by Mike+McTernan · · Score: 1

      > I often wonder if commercial companies are always this fastidious.

      I'd guess not, because depending on the company and their business, they could be losing lots of money for every minute their systems are off-line. That's not to say that Open Source can't make money though.

      --
      -- Mike
  26. Oh no!! by cluke · · Score: 5, Funny

    Oh my God! I hope they didn't steal any source code!!

    1. Re:Oh no!! by rmohr02 · · Score: 1

      They believe that the CVS and FTP servers (which is where source code would be) are unaffected. Phew!

  27. Re:Boo, Hiss. by Anonymous Coward · · Score: 1, Insightful

    Why can't the crackers leave the good guys alone?

    I've come to the conclusion that the "crackers" see no one as the good guys. There are 10 types of systems to them: "Victims and Potential Victims."

    They give us other sociopaths a really bad name. :(

  28. Re:backup by /dev/trash · · Score: 1, Offtopic

    A backup is useless if you are not sure of its integrity.

  29. Hm, I like this idea by CatPieMan · · Score: 1

    Project behind in the programming? Have a 'break-in' and push off release indefinitely. Worked for the Half-life 2 team.

    In all seriousness, however, it would not be good if they did have a break in, as this is a very large, popular project.

    -CPM

    --
    ---You're all I need, When the water runs deep, You're all I need, Now I cry my soul to sleep -- Collective Soul, Needs
  30. maybe it was by gotem · · Score: 0

    someone trying to change the File DIalog for one that doesn't suck

  31. I can imagine. by LordK3nn3th · · Score: 3, Funny

    MOHAWK DAN: LOL D00DS IM IN
    sLiPkNoT696969: omg d00d hax0rs them
    p1kap1ka: hahaha pwnage u go d00d what proxy r u using
    MOHAWK DAN: WHATS A PROXY LOL
    p1kap1ka: uh... it hikes ur ip
    MOHAWK DAN: LOL WHATS AN IP TELL ME NOW THAT IM A HAX0R

    --

    ---
    Never criticize religion on Slashdot. You will be modded down for "Troll" no matter how factual it is.
    1. Re:I can imagine. by Anonymous+Crowhead · · Score: 1

      > MOHAWK DAN: LOL D00DS IM IN
      > sLiPkNoT696969: omg d00d hax0rs them
      > p1kap1ka: hahaha pwnage u go d00d what proxy r u using
      > MOHAWK DAN: WHATS A PROXY LOL
      > p1kap1ka: uh... it hikes ur ip
      > MOHAWK DAN: LOL WHATS AN IP TELL ME NOW THAT IM A HAX0R


      And what exactly would that say about the security?

    2. Re:I can imagine. by black+mariah · · Score: 1

      That it's so incomprehensibly strong a bunch of IRCtards can bust it?

      --
      'Standards' in computing only impress those who are impressed by things like 'standards'.
  32. Hahahaahahahahahahaha by Anonymous Coward · · Score: 0

    Now I'm waiting for you smartasses to come up and say "it's Microsoft's fault"

    heh

    1. Re:Hahahaahahahahahahaha by Anonymous Coward · · Score: 0
  33. Gnome logo? by xot · · Score: 2, Insightful

    Maybe someone desperately wanted a copy of the original Open Source Gnome LOGO!
    Besides, what would one get out of breaking into an open source server? Source code that's already available? Try to corrupt that? Not a good plan.

    --
    Lord of the Binges.
  34. Best excuse since my dog ate my homework! by Anonymous Coward · · Score: 0

    ...

  35. Oh Heavens ...! by psycho_tinman · · Score: 2, Funny

    I hear these hackers are going to release the source

  36. Re:Blame windows it already looks like Gnome by Anonymous Coward · · Score: 1, Interesting

    http://www.nbr.co.nz/home/column_article.asp?id=8576&cid=3&cname=Technology
    Enough said if you read that article.
    Last year's distro of Linux from any major vendor required three times as many downloads and many more megabits than any previous windows version ever and that's not counting the time wasted keeping up with all this shit.
    But this will get modded down to hell won't it.

  37. Tomorrow is another day... by pholower · · Score: 1

    So what if it isn't released tomorrow? I would rather have a code that works than worry about a compromise. If only Microsoft would learn from this. Then again, they have Updates (aka bug fixes)

    --
    -- johntracy.com, because everybody else is wrong.
    1. Re:Tomorrow is another day... by Anonymous Coward · · Score: 0

      Microsoft code works fine and you know it. Shut up.

  38. sorry wrong article by didjit · · Score: 3, Funny

    Imagine a beowulf cluster of compromised gnome servers.

    1. Re:sorry wrong article by Ronin+Developer · · Score: 1

      Ah...but it conjures up a better image than a cluster of compromised gnomes serving beowulf.

    2. Re:sorry wrong article by tiny69 · · Score: 1

      Imagine a beowulf cluster of compromised windows comput....oh, wait....

      --
      Go not unto /. for advice, for you will be told both yea and nay (but have nothing to do with the question)
  39. It's true by GillBates0 · · Score: 1

    Gnomdor has fallen to the dark forces of Redmond. The Dark Lord grows in power and sends forth his armies to conquer Linux_land.

    --
    An Indian-American Hindu committed to non-violent thought/speech/action alarmed by the global explosion of radical Islam
    1. Re:It's true by alext · · Score: 1

      Next thing you know they'll be saying how .NET and C# are the greatest thing ever.

    2. Re:It's true by Anonymous Coward · · Score: 0

      Linux_land should be .. the land of Linux.
      At least finish it with style :)

  40. Although I am an implied troll by Anonymous Coward · · Score: 0
    I actually feel slightly amused with this event, as if they deserved it! I am very disappointed with Gnome 2.5.x, with the following reasons....

    • The new file manager has a "computer" Icon (look familiar)
    • Epiphany STILL doesn't have nested bookmark support, plus there is a huge bug where the spinner can't be moved!
    • Zip creator STILL doesn't let you extract files from the context menu
    • I STILL have to use gconf-editor for TRIVIAL everyday JOE USER settings such as window button order, menu ordering, icon styles!


    So although I may get the -1, troll treatment, I actually feel glad that someone understands my frustration with GNOME! I'm sticking with kde 3.2!
    1. Re:Although I am an implied troll by Anonymous Coward · · Score: 0

      Hey, you didn't give the obligatory bitch rant about the file dialog!

    2. Re:Although I am an implied troll by Anonymous Coward · · Score: 0

      But 2.6 was going to be released tomorrow. Too bitter and virginized to give them a second chance?

  41. oh my gosh! by jwhamilton · · Score: 1

    they're going to get the source code!!! i do hope this doesn't affect the release of gnome 2.6 though. i can't wait to see gnome's vision of a spatial file manager

    1. Re:oh my gosh! by cubic6 · · Score: 1

      I've been running the betas for about a week, and the spatial file manager is surprisingly good :)

      --
      Karma: Contrapositive
  42. In related news by Anonymous Coward · · Score: 0

    In the next episode of the broken your stalwart hosts will feature a story on how to compromise an OSS project's webserver!

  43. use the brain, luke! by Mr2cents · · Score: 2, Funny

    Obviously, since gnome is a GNU/linux cornerstone, it must be coming from sco. Go get'em, feds!

    (logic used: same as in "sco.com was attacked by a worm -> it must have been a linux fan")

    --
    "It's too bad that stupidity isn't painful." - Anton LaVey
    1. Re:use the brain, luke! by deminisma · · Score: 1

      Maybe it wasn't SCO, but a SCO fan! Oh wait...

    2. Re:use the brain, luke! by Mr2cents · · Score: 1

      naah, he died last month..

      --
      "It's too bad that stupidity isn't painful." - Anton LaVey
  44. Re:Not GNOME!! by Anonymous Coward · · Score: 0

    do you feel that linux is weak enough for a windows script kiddie to hack?

  45. Re:Boo, Hiss. by rgmoore · · Score: 4, Insightful

    That's the wrong attitude to take. If a Linux-based server is compromised because of software flaws, that's a perfectly legitimate point in an argument about security, just as the compromise of a Windows-based server because of a software flaw would be. If there's a real vulnerability that let somebody crack the system (as opposed to a misconfiguration or incorrect belief that the system was broken into) it needs to be fixed pronto, rather than written off as a PR event.

    --

    There's no point in questioning authority if you aren't going to listen to the answers.

  46. What a fiasco by Anonymous Coward · · Score: 0

    Now everybody can look at the code and find exploits...

    oh wait....

  47. And all this happening on GNOME Love Day by Anonymous Coward · · Score: 0
  48. crazy by Anonymous Coward · · Score: 0

    my website, www.employmentcenter.reidsystems.com was compromised as well, is it coincidental or what?

  49. mod parent up! by Anonymous Coward · · Score: 0

    mod up please!

  50. This is almost as amusing... by Anonymous Coward · · Score: 0

    ...as those cybersquatters sitting on gnomefoundation.org a few years back, and redirecting it to KDE!

  51. Linux security by 0x0d0a · · Score: 5, Insightful

    You know...honestly...

    There have been several major, high profile compromises of numerous FOSS servers in the past twelve months. Including a compromise of the GNU source repository.

    Microsoft has not made a big deal out of these (at least as far as I've seen). Whereas every security flaw at Microsoft is treated by Slashdot as if someone got access to the crown jewels (well, admittedly the Windows source is running around all over the place...)

    Microsoft has really been acting a lot nicer towards FOSS folks about security lapses.

    That being said, I'm just *waiting* for a sourceforge compromise. That would be a *huge* hit, and it just plain has to happen sooner or later.

    It would be nice if a couple of distributions put out basic *up-to-date* HOWTOs of best practices on how to set up minimal, secure servers using their distribution.

    1. Re:Linux security by msimm · · Score: 1

      Right, but why is Microsoft being so quiet? I mean I understand that they've got to pretend that Linux isn't even a contender (yet) but I'm sure they've got some lackeys at a couple major 'computing magazines' that could be spreading a little FUD.

      --
      Quack, quack.
    2. Re:Linux security by ameoba · · Score: 4, Insightful

      There's a big difference. Every time a F/OSS project's box gets hacked, it's a single machine getting broken into. When there's a windows flaw, the next day there's a worm that compromises MILLIONS of computers.

      The two events are incomparable, since there are numerous ways a single box can be compromised that are not directly related to an OS flaw.

      --
      my sig's at the bottom of the page.
    3. Re:Linux security by Sick+Boy · · Score: 1
      You said yourself, every security flaw at Microsoft is treated by Slashdot as if....

      I don't think you realize just how little weight the constant whinging of thousands of nerdlingers carries in the mainstream citizenry.

      If Microsoft picked on FOSS, they'd look like bullies- nobody would even think to say, "but look, slashdot was mean to them!" Except, apparently, you.

      --
      Does narcissism count as a hobby? --Shawn Latimer
    4. Re:Linux security by Anonymous Coward · · Score: 0
      Microsoft has not made a big deal out of these

      Of course they have. In boardrooms etc. But you will never know.

    5. Re:Linux security by Anonymous Coward · · Score: 0

      A few too many, I agree, and call me paranoid but I really do not believe in co-incidence.

    6. Re:Linux security by Anonymous Coward · · Score: 0

      I really do not believe in co-incidence.

      Nor proper spelling.

    7. Re:Linux security by Anonymous Coward · · Score: 0

      Free and Open source software. You see, the GNU zealots don't like people to use the term OSS. So, just like their pedantic whining about the GNU prefix to Linux, they want people to add the F to OSS.

    8. Re:Linux security by Dalcius · · Score: 2, Informative

      It would be nice if a couple of distributions put out basic *up-to-date* HOWTOs of best practices on how to set up minimal, secure servers using their distribution.

      If you ask me, anyone running a service important enough for security to be more than a casual concern should be using a distro which is secure out of the box. Minimalist distros (Gentoo comes to mind) seem a good solution here.

      When it comes to deploying a service, it should be you who makes the box insecure by adding the service, and then you open up a whole big can of worms with this argument. If the distro is secure and adding a service makes it insecure, unless the addition is distro-specific, it falls on the service maintainer to write good guides.

      That doesn't mean it shouldn't happen, I like all the guides I can get -- but I think looking primarily to the distros is perhaps a bit mis-aimed. A little idle interest in security and 20-30 minutes of research when putting up a new service is all it really takes to cover most of your ass(ets), at least that's my perception.

      Disclaimer: I am obviously not a security expert, I only have a standing interest in keeping the two services (apache & ssh) running on my home network secure.

      Cheers :)

      --
      ~Dalcius
      Rome wasn't burnt in a day.
    9. Re:Linux security by The+Bungi · · Score: 2, Insightful
      In June 2001 some "Fluffy Bunny" dude rooted SF.NET, Akamai and (I think) a bunch of SETI servers, all through Apache and SSH. Shocking, I know.

      As I recall the intrusion went unnoticed for a long time (at least for SourceForge) and when it was discovered SF threw out a long-winded press release that detailed how the break-in had been "detected immediately" and had not "compromised" anything of value.

      So it wouldn't be the first time.

      Yep, GNU/Savannah (the "really free" alternative to SF) was rooted along with the rest of the GNU/Infrastructure a few months ago. It was GNU/Terrible.

      I'd just as soon not see SF.net hacked. They provide a valuable service and they manage to actually make a living at it. Actually I'd rather not see anything related to FOSS cracked and rooted.

      But I do find it hilarious that whenever something like this happens the Slashbots come out of the woodwork to post things like "Oh M$ is teh worse!!1" and promptly get modded up to +5, Insightful. Of course, Linux is perfect and absolutely secure, and the crap posted on linuxsecurity.com is all lies. Blatant lies.

      Ah well. The higher you think you are the more it will hurt when you hit the ground.

    10. Re:Linux security by Anonymous Coward · · Score: 0

      That being said, I'm just *waiting* for a sourceforge compromise. That would be a *huge* hit, and it just plain has to happen sooner or later.
      It's already happened.

    11. Re:Linux security by The+Bungi · · Score: 2, Insightful
      There's a big difference. Every time a F/OSS project's box gets hacked, it's a single machine getting broken into. When there's a windows flaw, the next day there's a worm that compromises MILLIONS of computers.

      Yes, you're right. You're absolutely right. 100%, certified right.

      So let us extrapolate this. Hmmm. Let's say that Linux was the leading consumer desktop OS. And someone found a vulnerability in the kernel, SSH, Apache, whatever. And a distro (like RedHat) that allows me to set IPTables to allow SSH requests. Because, you know, Linux rules now so people write stuff for it and there's this cool app that everyone uses that requires SSH. Or whatever.

      Would you say that MILLIONS of computers would be compromised? How would you get your MILLIONS of users to patch their machines quickly so as to avoid Armageddon?

      Fascinating!

    12. Re:Linux security by Pecisk · · Score: 1

      In fact, I agree with you. We should promote 'be safe and careful with Linux' about how to manage a VERY good security in Linux. First law: follow the patches and bugtraq announcements; for Linux it isn't as hard as it is for Windows. Second law: follow the good practices about security (no root from ssh shell, password policy should be strict, etc.). Third law: never say never - breaks happen, get over it (don't think you are invulnerable). And last: just don't be lazy, create some kind of system for alarms and security checks and a lot of the hassle with all that will be gone.

      --
      user@ubuntubox:~$ stfu This server is going down for shutdown NOW!
    13. Re:Linux security by k_head · · Score: 1

      "Microsoft has not made a big deal out of these (at least as far as I've seen)."

      you mean besides taking out ads in magazines telling everybody windows is more secure. I guess that does not count in your book as a big deal right.

      I am wondering if paying analysts to say that linux is insecure counts as a "big deal" to you?

      "That being said, I'm just *waiting* for a sourceforge compromise. That would be a *huge* hit, and it just plain has to happen sooner or later."

      It's already happened. It's not a big deal as it seems. Millions of people have the code checked out. It's pretty easy to determine which parts are hacked and which are not.

      "It would be nice if a couple of distributions put out basic *up-to-date* HOWTOs of best practices on how to set up minimal, secure servers using their distribution."

      Nah. What would be real nice is if the major distros and projects would set a good example by using LIDS, AIDE, Chroots and other off the shelf items as a matter of policy.

      If they had LIDS in place they would be safe now.

      --
      The best way to support the US war effort is to continue buying American products.
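
The comparison the comment above relies on (many independent checkouts exist, so altered files stand out), as an added example that is not part of the original thread or any project's tooling: it hashes a suspect tree and flags files that differ from the majority of independent copies. The quorum value, the skipped metadata directories and the sample trees are assumptions constructed for illustration, and all copies are assumed to be at the same revision.

```python
import hashlib
import os
import tempfile
from collections import Counter

# Assumption: per-checkout metadata differs between honest copies, so skip it.
SKIP_DIRS = {"CVS", ".git", ".svn"}


def file_digest(path):
    """SHA-256 of a file; symlinks are hashed by target string, never followed."""
    h = hashlib.sha256()
    if os.path.islink(path):
        target = os.readlink(path).encode("utf-8", "surrogateescape")
        h.update(b"symlink:" + target)
        return h.hexdigest()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Return {relative_path: digest} for every file and symlink under root."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        # os.walk lists symlinked directories but does not descend into them.
        links = [d for d in dirnames if os.path.islink(os.path.join(dirpath, d))]
        dirnames[:] = sorted(d for d in dirnames if d not in SKIP_DIRS)
        for name in sorted(filenames + links):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = file_digest(full)
    return manifest


def compare_to_references(suspect, references, quorum=2):
    """Classify each path by comparing the suspect tree to the reference majority."""
    report = {"modified": [], "added": [], "missing": [], "undecided": []}
    all_paths = set(suspect)
    for ref in references:
        all_paths.update(ref)
    for path in sorted(all_paths):
        votes = Counter(ref[path] for ref in references if path in ref)
        if not votes:
            report["added"].append(path)      # no independent copy has this file
            continue
        ranked = votes.most_common()
        top_hash, top_count = ranked[0]
        tied = len(ranked) > 1 and ranked[1][1] == top_count
        if top_count < quorum or tied:
            report["undecided"].append(path)  # references too few or in conflict
        elif path not in suspect:
            report["missing"].append(path)
        elif suspect[path] != top_hash:
            report["modified"].append(path)
    return report


def write_tree(root, files):
    """Create a constructed sample tree from {relative_path: bytes}."""
    for rel, data in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)


def demo():
    """Three constructed honest checkouts versus one constructed altered tree."""
    clean = {
        "configure.in": b"AC_INIT(demo)\n",
        "src/main.c": b"int main(void) { return 0; }\n",
        "src/util.c": b"int util(void) { return 1; }\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        references = []
        for i in range(3):
            tree = dict(clean)
            tree["CVS/Root"] = b":ext:user%d@cvs.example.org:/cvs\n" % i
            root = os.path.join(tmp, "checkout%d" % i)
            write_tree(root, tree)
            references.append(build_manifest(root))
        altered = dict(clean)
        altered["src/main.c"] = b"int main(void) { return 1; }\n"  # changed
        altered["src/.cache.o"] = b"\x7fELF constructed"           # extra file
        del altered["src/util.c"]                                   # removed
        server_root = os.path.join(tmp, "server")
        write_tree(server_root, altered)
        return compare_to_references(build_manifest(server_root), references)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

A result in "undecided" means the reference copies themselves disagree or are too few, so more independent copies are needed before trusting either side.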
    14. Re:Linux security by leandrod · · Score: 1
      > Would you say that MILLIONS of computers would be compromised?

      Perhaps. But there are several mitigating factors.

      First, there is a much bigger diversity of GNU/Linux implementations and configurations over there, so the actual potentially vulnerable systems are likely to be much less even if GNU/Linux indeed takes over the world.

      Second, GNU/Linux is enabling a return to hosts and X terminals, where the host is likely to be much better administrated than multiple clients.

      Third, GNU/Linux is more scalable. Less, bigger systems also tend to be better administrated than many small ones.

      Fourth, by being a free software implementation of many open standards, GNU/Linux leaves the path open to a bigger OS diversity -- things like the Unices and BSDs. This diversity will also help protecting the Net.

      > How would you get your MILLIONS of users to patch their machines quickly so as to avoid Armageddon?

      aptitude update; aptitude upgrade. Hey, one can even pay someone else to type these commands!

      --
      Leandro Guimarães Faria Corcete DUTRA
      DA, DBA, SysAdmin, Data Modeller
      GNU Project, Debian GNU/Lin
    15. Re:Linux security by LinuxHam · · Score: 1

      Microsoft has really been acting a lot nicer towards FOSS folks about security lapses.

      They're being sensible. They're the last ones who should say anything about lapses in security. Even if the lapses are with the admins doing a poor job of managing the system, which includes applying patches. The most upright, non-contentious thing Microsoft could say right now is, "see? EVERY OS needs vigilant care and feeding." People have been saying on /. for years now, "just wait until Linux gets more popular. It will become worthy of hackers' attention and we will start seeing many more high profile compromises." Well, we're reaching critical mass and it is taking off. And just as predicted, the attacks, vulnerabilities, and compromises are starting to roll right in.

      Wasn't there a vulnerability that was discovered in the last couple of months that has been in there for 4 years? It's going to keep happening. We are entering a period of big time code cleanup. If people could just tighten up the damn web servers on critical projects, we might not have to air this out in public this way. I mean, christ, try out LIDS or something. Try *anything* for containment.

      Finally, I think Sourceforge is setting themselves up for a big hit, in a way. I created a project there but ended up abandoning it before releasing anything. I asked them to delete the project since I couldn't get it off the ground, and I didn't want to pose a threat to their servers by keeping an unmaintained PHP Nuke-based site up. I qualified for deletion never having released a file, but they believe that once started as Open Source, all projects should be allowed to live on forever.

      And to answer the burning question :), I wanted to build a router that automatically detected networks in use on one side and configured itself using ip aliasing to become the gateway for each detected network and seamlessly handle all traffic. I had to build dozens of servers at the time, each with static IPs on different subnets but I needed to install software on them from one file server sitting there in the lab. Having a router automatically detect new subnets as they showed up on the wire and adjust itself to route for those subnets would have been a godsend. Deleting stale routes after a while would have been a nice touch.

      Just sniff for arps for a .1 address that's not getting replies (remember, highly controlled environment). Bring up a new ip alias running that new .1 address, and a new route for that subnet should be added automatically. Just make sure the file server has the far side of the autorouter as the default gateway. Hell, you could do it on just 1 NIC.. (but would you want to...)

      --
      Intelligent Life on Earth
    16. Re:Linux security by leandrod · · Score: 1
      > anyone running a service important enough for security to be more than a casual concern should be using a distro which is secure out of the box. Minimalist distros (Gentoo comes to mind) seem a good solution here.

      Gentoo isn't stable enough, and it isn't meant to be. You probably want Debian or one of the 'Enterprise' ones.

      --
      Leandro Guimarães Faria Corcete DUTRA
      DA, DBA, SysAdmin, Data Modeller
      GNU Project, Debian GNU/Lin
    17. Re:Linux security by Dalcius · · Score: 1

      > Gentoo isn't stable enough, and it isn't meant to be. You probably want Debian or one of the 'Enterprise' ones.

      If it's built from the ground up with no services, what does 'Gentoo' have to do with security?

      The whole point is taking the distro and auto-config utils out of the equation (e.g. ftp on by default) so you can build a secure services box and know exactly what is on it and what its purpose is. If something is insecure, it's your fault, not the fault of some distro organization who turned something on by default.

      In my opinion, any do-it-yourselfer who delegates security to a distro or to an auto-config package isn't in a position to run more than your typical home or non-critical, small business network. In other words, if it's a do it yourself project, take the 30 minutes worth of time to do some basic research before turning something on.

      Cheers

      --
      ~Dalcius
      Rome wasn't burnt in a day.
    18. Re:Linux security by donnz · · Score: 1

      Microsoft has really been acting a lot nicer towards FOSS folks about security lapses.

      Nice MS, yes, so nice.

      --
      -- Free software on every PC on every desk
    19. Re:Linux security by LinuxHam · · Score: 2, Insightful

      Every time a F/OSS project's box gets hacked, it's a single machine getting broken into

      Not necessarily true. Remember the Debian compromise? The hackers used a weak password to run a privilege escalation exploit that had been in the kernel running in MILLIONS of computers. Turned into a major kernel patch.

      --
      Intelligent Life on Earth
    20. Re:Linux security by The+Bungi · · Score: 1
      First, there is a much bigger diversity of Linux implementations and configurations over there, so the actual potentially vulnerable systems are likely to be much less even if Linux indeed takes over the world.

      Consolidation of markets dictates that if this indeed happens you'll eventually have one or two "leading" providers. Ten years ago there were 200+ PC clone makers. Today there are four. Your diversity just went out the window, so to speak. Plus, "killer apps" tend to cut down on diversity as well. If anything you have to figure out what version everyone is running.

      Second, Linux is enabling a return to hosts and X terminals, where the host is likely to be much better administrated than multiple clients.

      Um, right. Except in the consumer market.

      Third, Linux is more scalable. Less, bigger systems also tend to be better administrated than many small ones.

      Um, right. Except in the consumer market.

      Fourth, by being a free software implementation of many open standards, GNU/Linux leaves the path open to a bigger OS diversity -- things like the Unices and BSDs. This diversity will also help protecting the Net

      See above.

      aptitude update; aptitude upgrade. Hey, one can even pay someone else to type these commands

      How is this different than automatic updates on Windows. Note that's not a question.

    21. Re:Linux security by leandrod · · Score: 1
      > If it's built from the ground up with no services, what does 'Gentoo' have to do with security?

      Integration and support. Debian and the 'Enterprise' distros are thoroughly tested and supported. With 'do-it-yourself' distros, good luck is needed to choose versions, testing and integrating them, and keeping up with security updates. In the end it takes time better spent actually auditing systems.

      --
      Leandro Guimarães Faria Corcete DUTRA
      DA, DBA, SysAdmin, Data Modeller
      GNU Project, Debian GNU/Lin
    22. Re:Linux security by Cyno · · Score: 1

      The difference is Microsoft systems are being compromised by programs not users. I think TRON explains it best. Users are like magical beings that don't have to conform to poorly written rules and protocols. They are far more dynamic and intelligent than a vb script, making them harder to protect against.

    23. Re:Linux security by Anonymous Coward · · Score: 0
      aptitude update; aptitude upgrade. Hey, one can even pay someone else to type these commands
      How is this different than automatic updates on Windows.


      Windows is proprietary and is controlled by a hateful dictatorship.
      Note that's not a question.
      Note that my reply does not need an answer because any rebuttal you come up with can be itself rebutted with, "Windows is proprietary and is controlled by a hateful dictatorship." You've lost.
    24. Re:Linux security by Anonymous Coward · · Score: 0

      Bwahahaha!

    25. Re:Linux security by leandrod · · Score: 1
      > Consolidation of markets dictates

      Consolidation is a phenomenon, therefore it dictates nothing.

      Moreover it is in part a result of massification and proprietary lock-in, both of which are actually reversed by free software and open standards.

      > "killer apps" tend to cut down on diversity as well

      Open standards apps are inherently safer, due to open discussion in specification phase.

      > Except in the consumer market

      Where a market does exist. In Third World countries people have computing access in community centres operated with hosts and X terminals. This has potential to get bigger than First World consumer markets, especially with more and more companies going X terminals. Right now 2.6 is getting better and better at serving terminals, with scaling and scheduling improvements. Java, Flash, Gecko and OpenOffice.org are still problematic apps, but not inherently so.

      > See above.

      Wrong. Servers were always viable in alternative platforms. It is free software and open standards that enable alternative platforms to the consumer market. See that what got IBM PowerPC efforts rolling in the XXI century was neither MS WNT nor IBM OS/2, but Debian GNU/Linux which comes preinstalled with every PoP system sold (Eyetech and Genesi). GNU tools gave a boost to proprietary Unices and to BSDs, and GNU/Linux is giving StrongARM a lease on life, as well as being the platform for both IA-64 and AMD-64. Also it is BSD which powers the Macintosh now.

      > How is this different than automatic updates on Windows

      Automatic updates cover MS Windows, MS Office, MS BackOffice. aptitude covers all apps, and draws from a fundamentally saner development and deployment process to boot.

      --
      Leandro Guimarães Faria Corcete DUTRA
      DA, DBA, SysAdmin, Data Modeller
      GNU Project, Debian GNU/Lin
    26. Re:Linux security by Dalcius · · Score: 1

      While I agree that there's a benefit to testing, with the nature of open source what benefits will Debian have that, say, Apache won't pick up on? If a problem is found, it's patched or documented. In my experience lots of relevant documentation along these lines can be trudged up in about 20-30 minutes.

      Choosing the proper version and keeping up with security updates is a very reasonable responsibility. Testing an integration is openly documented, I don't see much of a loss here.

      If you're a large corporation who needs bullet-proof software which is exposed to the outside world, I certainly see the benefit of using a distro coming from a corporate environment -- I'm not saying you're wrong. I will say, though, for most applications, especially for those discussed here on /., I think a minimalist distro like Gentoo -- created by the community -- serves all ends well. A little bit of effort into research on what others in the open community have done will eliminate the vast majority of your problems.

      Cheers

      --
      ~Dalcius
      Rome wasn't burnt in a day.
    27. Re:Linux security by leandrod · · Score: 1
      > with the nature of open source what benefits will Debian have that, say, Apache won't pick up on?

      There is lots of integration in any given installation. The distro is where these issues get hashed out by users, packagers and developers. Eventually the upstream gets it, but then he has to release, users have to learn about the fix and recompile. With aptitude it's a command line, no pressing need to follow each advisory unless you are a really sensitive site.

      > Choosing the proper version and keeping up with security updates is a very reasonable responsibility.

      I don't think so. Installations can easily have dozens or hundreds of software providers to keep track of.

      > a minimalist distro

      This is nice for learning and spending your time, but it isn't realistic professionally. One simply does not have the time to play his own distro packager.

      Now if you were talking BSDs, where the whole ports mechanism is much more mature and the OS core is much simpler...

      --
      Leandro Guimarães Faria Corcete DUTRA
      DA, DBA, SysAdmin, Data Modeller
      GNU Project, Debian GNU/Lin
    28. Re:Linux security by The+Bungi · · Score: 1
      Moreover it is in part a result of massification and proprietary lock-in, both of which are actually reversed by free software and open standards.

      Tell that to the people who invested in RedHat's desktop products.

      Open standards apps are inherently safer, due to open discussion in specification phase.

      Apparently not. Hence this article's topic. Or, for example this or this or this or this or this or this or... well, you get the idea. What does "inherent" mean again? Last I looked there were several MB worth of RH advisories in my inbox, and hitting linuxsecurity.com really doesn't make me any happier than hearing about the latest IE exploit. So I suggest you think twice next time you use the word "inherent".

      Where a market does exist

      You accuse me of using a "phenomenon" (which is indeed a proven fact of how markets work, regardless of what you consider a market to be) to make a point and then you turn around and regale me with an account of some vaporous scheme to wire the third world. That's fantastic.

      It is free software and open standards that enable alternative platforms to the consumer market

      Mmmkay, that was weird. Let me know when you transition 120 million consumer PCs to dumb terminals running "GNU/Linux" and controlled from their ISPs central Brainiac super mainframe.

      aptitude covers all apps, and draws from a fundamentally saner development and deployment process to boot.

      But of course it does.

    29. Re:Linux security by Anonymous Coward · · Score: 0

      GNU Arch has gpg signed archive support since 1.2...

    30. Re:Linux security by leandrod · · Score: 1
      > Tell that to the people who invested in RedHat's desktop products.

      If they didn't actually invest and therefore just want something for free, there is Fedora and a host of other RPM-based desktop distros.

      But if they actually invested, they already have received Red Hat Enterprise Linux WS "for desktop/client systems" or Red Hat Professional Workstation "Enterprise Linux for personal use".

      In fact even if Fedora, Red Hat and every other RPM distro out there ceased to exist, even if SCO and MS had their way, still free software and open standards would make it easy to migrate to Unix or BSD. Now if MS folded where would its users go?

      > Hence this article's topic

      This article is a nice example on how we're safer: we don't hide dirt under the rug.

      > a proven fact of how markets work

      Are you trying to prove your economical ignorance? Markets don't inexorably tend to consolidation. There is always an exuberant phase in any market where it's fragmented, then it matures, but unless there is a strong network effect or monopolist practices unchecked it never kills diversity.

      More than that, big corporations tend to senility, and new initiatives tend to carve niches or explore related markets. So it's more of a up-and-down movement than just consolidation.

      > an account of some vaporous scheme to wire the third world

      Are you claiming Sao Paulo's 100 Telecenters with 3000+ X terminals serving 300000 people are vapourware? And that the Brazilian governmental program to reproduce Sao Paulo's initiative is just a fake? That LTSP.org doesn't exist? BTW, it is not just the Third World, even First World schools and community centres are using this 20-years-old architecture.

      > Let me know when you transition 120 million consumer PCs to dumb terminals running "GNU/Linux" and controlled from their ISPs central Brainiac super mainframe.

      Actually by alternative platforms I was not referring to host-and-X-terminals as opposed to client-server, but to small and efficient RISCs as opposed to obsolete and bloated CISC.

      --
      Leandro Guimarães Faria Corcete DUTRA
      DA, DBA, SysAdmin, Data Modeller
      GNU Project, Debian GNU/Lin
    31. Re:Linux security by 0x0d0a · · Score: 1

      The whole point is taking the distro and auto-config utils out of the equation (e.g. ftp on by default) so you can build a secure services box and know exactly what is on it and what its purpose is. If something is insecure, it's your fault, not the fault of some distro organization who turned something on by default.

      The problem I have is that currently, you really have to know your stuff WRT security to set up a secure server and no matter what, there are going to be a lot of people who don't setting up important servers.

      Microsoft got together with the US government to put out a list of common misconfigurations, a sort of checklist for Windows. Sure, a Windows security guru probably doesn't need it, but *most* Windows boxes aren't set up by "security gurus". Same goes for UNIX, even if the average degree of security cluefulness might be slightly higher. There are a *lot* of things you have to know, a lot of unintuitive potential issues, and there *are* going to be people running into this.

      Take screen locking for a local issue. RH and most distros provide a screensaver in X. This screensaver can provide password protection. A *lot* of people out there just assume "oh, the screensaver is running with passwords on, so nobody can get into my desktop". New Linux users often don't know that you can switch out of an X to a console, and like to start X using startx. Result? They leave something crucial on their system (which is "locked") and someone can, in a moment, walk in, switch to a virtual console, tap ^Z, and do whatever they want.

      The concept of "single user mode" is not familiar to a lot of Windows admins. "But it's...*password* protected!" Microsoft has gone out of their way to *avoid* providing a way to boot into Windows from a CD, so most Windows admins w/o much security experience consider someone with local access (esp. in a lab or with a secured case somewhere that they cannot easily physically open the case and get at the drives) to be seriously inconvenienced by the Windows password. Show them that their Linux box can be booted into "single user mode" in a couple of seconds by anyone with physical access to the console, and they get this shocked look on their face. Why not? It's not intuitive to someone with their experiences. Software that must be secure or may be destructive must be intuitive. People are pretty careful to at least provide safeguards and warnings on potentially destructive software, but no such culture exists around security. For many people, it's a set of knowledge picked up by hits and tips over time. That doesn't work. It's not as if mucking up a configuration and opening a hole on a major server is like running a longer command line to locate a piece of text in a file because you don't know the "quickest way"...you have to do things *right* the first time.

      Take reverse compromise from a box that uses SSH X11 tunnelling. I know a couple people that *religiously* *never* bounce through any box other than a set of trusted ones when sshing from one machine to another -- they open a new, direct connection from their original computer. Why? So that nobody compromising a second computer can grab their password if that computer is compromised. Problem is, they have X11 tunneling enabled by default to the first of two machines. So when they SSH in, they aren't just opening a little terminal window to that machine, where only giving that terminal focus and hitting a key exposes data, but letting that machine log their local keystrokes, dump their screen contents, do really whatever it wants.

      I've found a lot of unintuitive things in Linux security over the years. Moving directories is a good one. The kernel only does security checking when traversing between two directories. It doesn't check the whole path to see whether you have access to the directories or not. I had a friend using an FTP server on my computer. I moved a directory from his home directory to my home directory. He happened to be in that d
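
The X11-forwarding point in the comment above can be checked on the client side. The following is an added example, not part of the original thread: a small resolver for the `ForwardX11` and `ForwardX11Trusted` options that applies OpenSSH's first-value-wins rule to `Host` blocks. The sample configuration and host names are constructed, the defaults are upstream OpenSSH's, and `Match` and `Include` are assumed to be absent.

```python
import re

# Constructed sample ~/.ssh/config (not taken from the thread).
SAMPLE_CONFIG = """\
# ssh keeps the FIRST value it obtains for each option, so order matters.
Host build.example.org
    ForwardX11 no

Host *.example.org !bastion.example.org
    ForwardX11 yes
    ForwardX11Trusted yes

Host *
    ForwardX11=yes
"""

# Upstream OpenSSH defaults; some distributions patch these.
DEFAULTS = {"forwardx11": "no", "forwardx11trusted": "no"}
LINE_RE = re.compile(r"([A-Za-z0-9]+)\s*(?:=\s*|\s+)(.*)$")


def parse_config(text):
    """Return [(host_patterns, {keyword: value})] in file order."""
    blocks = [(["*"], {})]  # options before any Host line apply to every host
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        keyword, value = m.group(1).lower(), m.group(2).strip()
        if keyword == "host":
            blocks.append((value.split(), {}))
        elif keyword == "match":
            raise ValueError("Match blocks are outside this example's scope")
        else:
            # Within a block, the first occurrence of a keyword also wins.
            blocks[-1][1].setdefault(keyword, value.strip('"'))
    return blocks


def _pattern_matches(pattern, host):
    """ssh patterns know only '*' and '?'; everything else is literal."""
    regex = re.escape(pattern.lower()).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, host.lower()) is not None


def host_block_applies(patterns, host):
    """A matching negated pattern vetoes the block; otherwise one positive match is needed."""
    positive = False
    for p in patterns:
        if p.startswith("!"):
            if _pattern_matches(p[1:], host):
                return False
        elif _pattern_matches(p, host):
            positive = True
    return positive


def effective_x11(config_text, host):
    """Resolve the two X11 options for `host` the way the client would."""
    result = {}
    for patterns, options in parse_config(config_text):
        if host_block_applies(patterns, host):
            for key in DEFAULTS:
                if key in options and key not in result:
                    result[key] = options[key].lower()
    return {key: result.get(key, default) for key, default in DEFAULTS.items()}


def audit(config_text, hosts, x11_allowed=()):
    """List (host, trusted) for hosts that get X11 forwarding without being allow-listed.

    trusted=True means the remote side gets unrestricted access to the local
    display; False means the X11 SECURITY extension restrictions apply.
    """
    findings = []
    for host in hosts:
        eff = effective_x11(config_text, host)
        if eff["forwardx11"] == "yes" and host not in x11_allowed:
            findings.append((host, eff["forwardx11trusted"] == "yes"))
    return findings


# Constructed host inventory for the demonstration.
HOSTS = ["build.example.org", "bastion.example.org",
         "shell.example.org", "other.example.net"]

if __name__ == "__main__":
    for host, trusted in audit(SAMPLE_CONFIG, HOSTS):
        print(f"{host}: X11 forwarding on ({'trusted' if trusted else 'untrusted'})")
```

On a real client, `ssh -G <host>` prints the options OpenSSH itself would apply and is the authoritative answer; the catch-all `Host *` entry in the sample is what silently turns forwarding on for the bastion and for every unlisted host.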

    32. Re:Linux security by 0x0d0a · · Score: 1

      Well...I'm really not an FSF/RMS nut. I don't like the GNU/ prefix.

      The problem is that the first acronym I tried using was "OS" for "Open Source". Problem is, that acronym is already commonly used to refer to an OS.

      Then I tried "OSS". Well, that's dandy, except under Linux that refers to the standard sound driver system (now being phased out in favor of ALSA).

      So, finally I started using FOSS. A couple of people like FLOSS (adding a "libre" in) which is also okay but requires another letter, and really, nobody confuses "FOSS" with anything but "FOSS". The "libre" is unnecessary.

    33. Re:Linux security by Anonymous Coward · · Score: 0

      He's not going to listen to you. Read his .sig. He's a Debian shill. Of course he hates Gentoo, it's in his blood.

    34. Re:Linux security by Anonymous Coward · · Score: 0

      Because it's a professional organization. Whereas all the linux zealots are slashdot geeks with no sense of professionalism

    35. Re:Linux security by Anonymous Coward · · Score: 0

      Something about glasshouses springs to mind...

    36. Re:Linux security by msimm · · Score: 1

      ROFL

      --
      Quack, quack.
    37. Re:Linux security by Anonymous Coward · · Score: 0

      Now they can go with Progeny, RedHat Enterprise and I am sure that there are more.

    38. Re:Linux security by Anonymous Coward · · Score: 0

      Microsoft has really been acting a lot nicer towards FOSS folks about security lapses.

      That's because M$ knows that it can't really emphasise too much on security, else its present user base might migrate to more secure OSes.

    39. Re:Linux security by juhaz · · Score: 1

      Turned into a major kernel patch.

      It had already been found and patched at that point.

      Only nobody thought it was exploitable and thus nobody updated their servers and/or backported the fix.

    40. Re:Linux security by Anonymous Coward · · Score: 0

      Thanks for the correction.. I thought about rewording that after I clicked Submit..

  52. I've only got one question... by Caedar · · Score: 0, Flamebait

    How can we pin the blame on Microsoft? Dooooo +p.

  53. Re:Blame windows it already looks like Gnome by Anonymous Coward · · Score: 5, Insightful

    You can't compare a Linux distribution with hundreds of packages to Windows, which is basically a kernel/GUI/browser combo.

    Try using (for Linux) the number of kernel/X11/Mozilla vulnerabilities instead and at least you'll start making sense.

  54. Re:Blame windows it already looks like Gnome by Ulven · · Score: 1

    And at the end of all the downloads and patching, which was the more secure?

    Just out of interest...

  55. Just goes to show that by Anonymous Coward · · Score: 0

    Security through immaturity is not viable.

  56. it's redhat's fault! by Anonymous Coward · · Score: 0

    Netcraft sez that it runs/ran Redhat Linux, so it must be Redhat's fault!

    What? Me? Of course, I looovve Redhat!

  57. Re:To date by Anonymous Coward · · Score: 0

    Given that the article does not specify what method was used to compromise the servers, speculation of a flaw in Gnome is absolutely relevant and appropriate.

    +1 Informative, dude.

  58. "The GNOME mailing lists seem to be up" by stefanlasiewski · · Score: 1

    The GNOME mailing lists... seem to be up

    Well, now that you linked to mail.gnome.org on Slashdot, it won't be up for long!

    I wonder how many people are downloading code from the CVS servers to check for compromised code. Their CVS was already slow at times...

    --
    "Can of worms? The can is open... the worms are everywhere."
  59. Re:backup by pholower · · Score: 1

    You make a good point. Unless they know when the security compromise happened, and the backup is not wired. Then again, what is the point of a back up if it too can be hacked?

    --
    -- johntracy.com, because everybody else is wrong.
  60. Re:Not GNOME!! by Anonymous Coward · · Score: 1, Insightful

    You are a typical slashdot idiot. People don't attack other guys because they are the enemy. This has been the case since the early days of the internet. You guys are really too stupid. People attack because they can, and there is always this weird satisfaction of attacking a site, being able to own it using different methods. That's the glory for most of the people who do this.

    Linux probably will face more and more of these as people use Linux more often. Businesses that use Linux will have more of these as they switch to linux from Unixes.

  61. Re:Another Debian Hole? by eloki · · Score: 5, Informative

    must.. resist.. temptation to moderate...

    I wonder if they are running a Debian based or Debian itself, and Debian has another hole in it.

    Funny. Too bad that was just a regular kernel hole, not one special to Debian's kernel. Any other distros can simply count themselves lucky the attackers didn't choose them.

  62. Microsoft vs gnome.org by 0x0d0a · · Score: 5, Funny

    When Microsoft undergoes a security breach, their source code spills out and leaks across the entire Internet.

    When gnome.org undergoes a security breach, their source code is more *difficult* to get.

    Fun, eh?

    1. Re:Microsoft vs gnome.org by Anonymous Coward · · Score: 2, Insightful

      Actually, that was a Linux security breach at Mainsoft. But, hey, all the same thing when you are a Linux zealot.

    2. Re:Microsoft vs gnome.org by Anonymous Coward · · Score: 0

      How you managed to deliver this observation without slipping in a reference to Soviet Russia is beyond me!

    3. Re:Microsoft vs gnome.org by Anonymous Coward · · Score: 0

      Actually, he was making a joke. But hey, it's hard not to take it personally when you are a Windows zealot.

    4. Re:Microsoft vs gnome.org by Anonymous Coward · · Score: 0

      Actually it wasn't a security breach moron. It was a leak. There was no evidence that it was hacked, but I guess it's ok to make things up when it serves you.

  63. Re:Blame windows it already looks like Gnome by Anonymous Coward · · Score: 0, Troll

    Hey, when windows comes with half the stuff that most Linux distros ship with and install by default you might have a point; until then your argument is like comparing Apples and PCs.

  64. hackers by Jukeb0x · · Score: 1

    Joey hacked the gibson?? o wait.. it was just the gnome server.. o.. wait.. that's even worse!

  65. Re:Blame windows it already looks like Gnome by Anonymous Coward · · Score: 0

    numerous tests prove longhorn to be a much more secure home desktop, while linux is better for internet webservers. however most vulnerabilities for linux were done by random. windows however were common errors.

  66. Re:backup by Anonymous+Crowhead · · Score: 0, Offtopic

    The thing to do is backup your integrities. I mean use tripwire.

  67. Skeptability by Anonymous Coward · · Score: 0

    ...having a security breach can make a lot of people skeptable...

    Skeptable? Is that some gnomish word I'm unfamiliar with?

  68. Windows joke by bonch · · Score: 5, Insightful

    I fully expect a bunch of lame Microsoft jokes.

    But let's be real, here. Last year in the span of six months, Debian, Gentoo, and GNU (twice!) were compromised. Now GNOME.

    Can you honestly rail on Microsoft? When was the last time their servers were compromised? I only vaguely recall something in 2000 about alleged stolen source code, and a real good that has turned out all these years later. As for this year's stolen source code, Slashdot never reported this but it was taken from a Linux computer at MainSoft.

    Just funny how things are viewed around here, with a certain bias some people don't even realize they have.

    1. Re:Windows joke by krlynch · · Score: 5, Insightful

      I understand your point, but to be fair you should have noted that Microsoft is under no obligation, as far as I am aware, to tell anyone when they have been compromised. Microsoft's servers could have been cracked once a day, once a week, or once a month, and you would never know.

    2. Re:Windows joke by brokenwndw · · Score: 5, Insightful

      Let me offer some pseudo-arithmetic here:

      (number of server compromises you hear about) = (number of servers in existence) * (relative vulnerability of servers) * (willingness of those running servers to reveal compromises)

      I realize there are some people who have biases they don't appreciate. But data, taken at face value, is famous for having those same biases. No?

    3. Re:Windows joke by FuzzzyLogik · · Score: 1

      better yet.. when a vulnerability becomes known, how long does it normally take a free implementation to fix the problem (in the compromised program)? compared to microsoft?

    4. Re:Windows joke by Anonymous Coward · · Score: 0

      that's hardly being fair ... your crappy logic can be applied to all Unix and Linux servers too ...

    5. Re:Windows joke by eakerin · · Score: 3, Interesting
      Can you honestly rail on Microsoft? When was the last time their servers were compromised?
      More like, "When was the last time Microsoft publicly announced a compromised system?". For all you know, the last break in could have been yesterday, or 2 days ago. That's not the kind of thing they put out a press release about.

      Major companies don't announce bad news, it's just not good for business. So any comparison is not valid.
    6. Re:Windows joke by Fourier · · Score: 2, Insightful

      When was the last time their servers were compromised?

      When's the last time MS hosted their source code on a publicly-viewable CVS tree, or offered anonymous FTP access? This is not a fair comparison.

    7. Re:Windows joke by thenextpresident · · Score: 2, Interesting

      Can you honestly rail on Microsoft?

      Yes, I can. When Microsoft ships product with a virus pre-installed, yes, I can very much so.

      I don't care if they are broken into. Same thing with Gnome. However, if in the end, Gnome turns around and releases code that is bugged, or otherwise harmful, I will be just as upset as I was with Microsoft.

      --
      Jason Lotito
    8. Re:Windows joke by Alan+Cox · · Score: 3, Interesting

      Microsoft do all their development internally so the security situation is different. Internal control in MS does not appear to be reliable given the number of large easter eggs that appear in applications. If someone can sneak a mini-flight sim into an app then they can sneak other stuff in.

    9. Re:Windows joke by DenOfEarth · · Score: 4, Interesting

      But let's be real, here. Last year in the span of six months, Debian, Gentoo, and GNU (twice!) were compromised. Now GNOME.

      Compromise is bad for the most part, but I was particularly impressed with the professional conduct of the above parties after their systems had been compromised. It seems like they were very upfront with what had happened, and probably fixed whatever allowed the break-in fairly quickly. If I remember correctly, the debian and gentoo compromises were internal access kinds of break-ins, not an excuse, but definitely a lot better than the horrendous amounts of viruses being spread around through outlook.

      As for microsoft, it might be possible that they have been compromised before, but due to the financial stakes involved, they were afraid of letting that fact out into the open.

      Don't worry though, I get your point about the bias of slashdot. It's kind of frustrating sometimes, but I'm kind of frustrated with the thought of my gnome2.6 being delayed. :)

    10. Re:Windows joke by TruenoSuave · · Score: 1

      On the contrary,

      As of July 1, 2003, any company which considers residents of the state of California a customer, must disclose all security breaches

      http://www.securityfocus.com/news/1984

    11. Re:Windows joke by merdark · · Score: 5, Insightful

      Well, for one, their servers always seem to be up. www.microsoft.com going down would normally make news. Also, it's more than likely that someone cracking the MS site would do SOMETHING to let it be known that they did it. Few hackers are purely malicious, most want some sort of fame.

      (Yes, I used hackers instead of crackers, get over it, the word hacker is used by popular culture that way)

    12. Re:Windows joke by TruenoSuave · · Score: 1

      err, sorry, the law only applies under certain circumstances, still a crappy law ;-)

    13. Re:Windows joke by Eberlin · · Score: 3, Informative

      As far as I know, that only applies to security breaches that lead to a leak of personal information. Even then, if disclosure would impede any form of investigation, people did not have to say anything at all.

      So technically, even if it DID happen, people can dance around it all they want.

    14. Re:Windows joke by ferratus · · Score: 5, Insightful

      I am in a position where I currently get to use all three major platforms everyday (Linux, OSX, Windows) and while I will admit to having a bias against Microsoft, I think there's a few key differences between OSS and Microsoft-like cies.

      First, I don't pay to get linux on my servers. Nobody said open source software was flawless, the key is that many here (including me) believe that you can get a more secure server if the source is open.

      Second, the Gnome project is not "linux inc." whereas Microsoft *is* Microsoft inc. That is to say, Microsoft controls all the aspects of their security, Gnome doesn't. Did the sysadmin patch everything? Did they perhaps forget to update apache or some other software? In microsoft's case, they provide all the security updates, so when they are hacked, they are directly responsible.

      Thirdly, remember that this is a third party site. If we would get reports of all the windows servers that are getting hacked everyday, we'd hear much more news like this. We are hearing about this because GNU, Gnome, Debian, etc. are public projects... otherwise, this would be just another hacked site.

      Considering the amount of software present on a current-day OS, expecting any of them to be flawless and completely secure in a real-world scenario is a bit ridiculous. The point is, I believe you get more for your money with an Open Source OS (of which linux is one alternative) than with a Microsoft OS.

      --
      IP Therefore I am.
    15. Re:Windows joke by Pros_n_Cons · · Score: 2, Interesting

      It's starting to look like M$ is taking security more seriously than we are. Every time something happens w/ linux "oh its only debian.org", "oh thats only local", "only 3 kernel advisories this month, that should be all for a while". We _can not_ keep brushing things off and pretending they are not significant. Pretend for just a second if this was MSFT that had been compromised, their stock would plummet, investors would duck for cover and Tech writers would be spitting out bad press for months. We cannot keep sliding by, sooner or later with the move to the enterprise we WILL be held accountable.
      Personally I'd like to see "year of the OSS audit" where NOBODY adds new features we just hammer away at code reviews and optimizations. Course that will never happen, we are too busy trying to play beat the cock (M$) instead of playing beat the rock (BSD).

      --

      -- "of course thats just my opinion, I could be wrong." --Dennis Miller
    16. Re:Windows joke by Anonymous Coward · · Score: 1, Interesting
      Microsoft's servers could have been cracked once a day, once a week, or once a month, and you would never know.


      They wouldn't probably know either...
    17. Re:Windows joke by red+tiger · · Score: 3, Insightful
      And not only the companies. The Soviet Russians were exactly like that, and they haven't changed much.

      For example, Chernobyl:

      • The first day they didn't tell anyone.
      • The second day they said: "Yes, something little has really happened..."
      • .......
    18. Re:Windows joke by red+tiger · · Score: 1

      $ lftp ftp.microsoft.com
      [ftp] ftp.microsoft.com:~> ls
      dr-xr-xr-x 1 owner group 0 Nov 25 2002 bussys
      dr-xr-xr-x 1 owner group 0 May 21 2001 deskapps
      dr-xr-xr-x 1 owner group 0 Apr 20 2001 developr
      dr-xr-xr-x 1 owner group 0 Nov 18 2002 KBHelp
      dr-xr-xr-x 1 owner group 0 Jul 2 2002 MISC
      dr-xr-xr-x 1 owner group 0 Dec 16 2002 MISC1
      dr-xr-xr-x 1 owner group 0 Feb 25 2000 peropsys
      dr-xr-xr-x 1 owner group 0 Jan 2 2001 Products
      dr-xr-xr-x 1 owner group 0 Apr 4 2003 PSS
      dr-xr-xr-x 1 owner group 0 Sep 21 2000 ResKit
      dr-xr-xr-x 1 owner group 0 Feb 25 2000 Services
      dr-xr-xr-x 1 owner group 0 Feb 25 2000 Softlib
      [ftp] ftp.microsoft.com:/>

    19. Re:Windows joke by mcc · · Score: 2, Interesting

      While I've never managed to find a hard cite for this, it was widely reported that during the original Code Red outbreak, the windows update page was showing "hacked by Chinese Worm".

      Let's ignore for a moment the obvious consequences if these reports were true-- that one, the windows update server was for some time susceptible to the idx exploit before Code Red happened to find it by chance, and two, it's possible someone else could have discovered this before code red did, and three, if this happened we would never have known.

      If one takes a bit of liberty in applying logic, this seems to imply some rather horrible things. Windows Update is, roughly speaking, the single network facility Microsoft has that it is most important is not compromised; the Code Red worm was roughly the easiest sort of compromise to protect oneself against. Yet it happened. Given Microsoft is under no obligation to disclose internally-discovered breakins, what does this imply about the frequency of more subtle, targeted attacks on lower-profile targets within Microsoft?

      Remember to take into account that unlike, say, the GNOME developers-- a disparate, largely disconnected group spread across the world-- Microsoft is a singular network, and thus it is possible that compromising a very low-profile target within the Microsoft internal network is likely to make it vastly easier, both from a technical and a social-engineering standpoint, to have effect on more important targets within the network...

      Just a thought.

    20. Re:Windows joke by Anonymous Coward · · Score: 1, Informative

      ... they didn't know. The last time Microsoft's network was *KNOWN* to be compromised, the crackers had been running around for 3 or 4 months before anyone at Microsoft noticed.

    21. Re:Windows joke by Thagg · · Score: 4, Insightful

      Merdark says Also, it's more than likely that someone cracking the MS site would do SOMETHING to let it be known that they did it. Few hackers are purely malicious, most want some sort of fame.

      Note that the compromisers of the debian, GNU, and now Gnome sites did not let it be known. They are either not driven by publicity or have longer term goals. Believing that systems are secure because crackers don't announce themselves is foolish at best, mendacious at worst.

      thad

      --
      I love Mondays. On a Monday, anything is possible.
    22. Re:Windows joke by Anonymous Coward · · Score: 0
      (Yes, I used hackers instead of crackers, get over it, the word hacker is used by popular culture that way)

      It is indeed. Except by HACKERS who think their shit don't stink.

    23. Re:Windows joke by Dahamma · · Score: 4, Interesting

      Not that I'm defending M$ security, but I wonder how many of their easter eggs are *really* slipped in by programmers without anyone else's knowledge...

      I know someone who worked for several weeks on an "easter egg" at Intuit that was scheduled from the start and went through the full QA cycle - though she actually got in a fair bit of trouble for trying to sneak an easter egg in the easter egg... :)

    24. Re:Windows joke by leandrod · · Score: 4, Insightful
      > their servers always seem to be up

      Do you realize how many servers MS has? Free software projects are lucky if they have two.

      > it's more than likely that someone cracking the MS site would do SOMETHING to let it be known that they did it

      And get black helicopters hovering over your backyard?

      > I used hackers instead of crackers

      You insensitive.

      --
      Leandro Guimarães Faria Corcete DUTRA
      DA, DBA, SysAdmin, Data Modeller
      GNU Project, Debian GNU/Lin
    25. Re:Windows joke by Ender+Ryan · · Score: 3, Insightful
      But let's be real, here. Last year in the span of six months, Debian, Gentoo, and GNU (twice!) were compromised. Now GNOME.

      I take your point, however... Wasn't at least one of those not a software exploit, ie. someone "inside" messed up and a password got into the wrong hands? And wasn't the Gentoo exploit just one of the mirrors, said mirror not even running Gentoo?

      Can you honestly rail on Microsoft?

      Sure! Their business practices are detestable, their software is geared towards vendor lock-in instead of providing customers with what they need, and their complicity in the SCO fiasco is deplorable and deserving of harsh punishment, possibly jail time. They have engaged in fraud, conspiracy, perjury, and corruption, if not more. Not to mention being a convicted predatory monopoly, and now they are a predatory monopoly that uses political influence to gain near impunity.

      When was the last time their servers were compromised?

      Really, how the fuck is anyone supposed to know that?

      Hotmail just had a huge downtime, we don't know why it was taken offline. Perhaps it got "hacked." There's no reason to take anything they say at face value, they are known liars.

      Just funny how things are viewed around here, with a certain bias some people don't even realize they have.

      It seems to run both ways these days. Any pro-MS response seems to get modded up without consideration of merit - personally, I think it may be because a lot of the newcomers here are intimidated by the prospect of something different than what they're used to, ie. MS, Windows, Apple, proprietary development, etc.

      --
      Sticking feathers up your butt does not make you a chicken - Tyler Durden
    26. Re:Windows joke by leandrod · · Score: 1
      > ftp.microsoft.com:~> ls dr-xr-xr-x 1 owner group 0 Nov 25 2002 bussys

      This ain't exactly source code.

      --
      Leandro Guimarães Faria Corcete DUTRA
      DA, DBA, SysAdmin, Data Modeller
      GNU Project, Debian GNU/Lin
    27. Re:Windows joke by leandrod · · Score: 3, Interesting
      > We _can not_ keep brushing things off and pretending they are not significant

      Fully agree, but...

      Other than going for OpenBSD and lacking some functionality, what else do you propose?

      I do happen to think we should use vastly simpler systems: functional programming, perhaps Lisp, certainly all data relationally organised down to kernel level, multiserver microkernel, RISC implementation... but how realistic is this when POSIX simply has so much critical mass? This is not a technically-driven world, not even in free software or academia.

      --
      Leandro Guimarães Faria Corcete DUTRA
      DA, DBA, SysAdmin, Data Modeller
      GNU Project, Debian GNU/Lin
    28. Re:Windows joke by iminplaya · · Score: 1

      Can you honestly rail on Microsoft? When was the last time their servers were compromised?

      Well, Hotmail has been pretty slow lately...

      --
      What?
    29. Re:Windows joke by no_space_in_time · · Score: 1

      For the amount of bad press MS receives, its market cap is still top 10.

      Detroit makes faulty autos, though better now than ever, but that doesn't stop consumers from buying cars.

      --
      "save a cow, eat a vegetarian"
    30. Re:Windows joke by LWATCDR · · Score: 1

      What does the fact that the Windows source code was taken from a Linux box have to do with anything???
      If I remember the Debian compromise was an inside job. You can hack just about anything if you have physical access to it.
      But yes these compromises are serious and need to be looked into.

      --
      See my blog http://ilovecookes.blogspot.com/ for light hearted technical information.
    31. Re:Windows joke by black+mariah · · Score: 1

      You MIGHT have a point were it CVS or the source that was compromised, but it wasn't. It was their main web server (are we down to not even reading the front page blurb anymore?). This sounds more like a hole in Apache, and the question is whether it's the fault of Gnome's web server admin or if Apache just has a hole that was previously unknown.

      --
      'Standards' in computing only impress those who are impressed by things like 'standards'.
    32. Re:Windows joke by simonfairfax · · Score: 3, Informative

      I was just reading Unix Unleashed and they claimed that when a vulnerability in some sort of TCP/IP stack code that everyone used was discovered a while ago, the Linux community took less than 3 hrs. to release a working patch.

    33. Re:Windows joke by Anonymous Coward · · Score: 0

      Microsoft's servers are constantly being cracked, hacked and otherwise abused. Just last year windowsupdate had a virus that was transmitting via asp. Their front page gets changed several times per month (you usually don't notice it). MS pays out a lot of money to keep things running like they have 24x7 availability.

    34. Re:Windows joke by aardvarkjoe · · Score: 4, Funny
      Any pro-MS response seems to get modded up without consideration of merit

      You have got to be kidding me. I'm in full agreement that unworthy posts are modded up all the time, but if you think that there is an overall pro-Microsoft bias, you must either be blind or you bought your impressive UID and posting history off of somebody else.
      --

      How can we continue to believe in a just universe and freedom to eat crackers if we have no ale?
    35. Re:Windows joke by Anonymous Coward · · Score: 0

      Other than going for OpenBSD and lacking some functionality, what else do you propose?

      I didn't mean achieving security through less default software, though that is a nice option. What I mean is we push software out so fast I don't think security gets the attention stability and features get. OpenBSD is very adamant about security, whereas Linus won't take a look at security unless it can be achieved seamlessly from what I understand. I can agree in not breaking compatibility where security is concerned but where are the code reviews _before_ changes are accepted? Nobody gets the flair for finding a BoF in beta software so they look in stable releases.
      I have no answers, only questions. I let smarter people handle the former.

    36. Re:Windows joke by Anonymous Coward · · Score: 0

      ...disclose YOU.

    37. Re:Windows joke by Coryoth · · Score: 2, Interesting

      Other than going for OpenBSD and lacking some functionality, what else do you propose?

      How about making SELinux with a good default security policy the standard setup for all distributions using the 2.6 kernel?

      The quality and power of SELinux in terms of security is literally light years ahead of any other commonly available Operating system (except, perhaps an obscure BSD fork which I believe was implementing a similar security structure).

      Honestly, SELinux really is that good, and has been fully folded into the 2.6 kernel. People just need to start using it.

      Jedidiah

    38. Re:Windows joke by bebing · · Score: 1

      As for this year's stolen source code, Slashdot never reported this but it was taken from a Linux computer at MainSoft.
      Whoa, I was under the impression that development (of the version of the 'stolen' code) was taking place on a Linux box, and the source code was leaked.
      It seems you are implying that somehow that Linux box was cracked, and the code stolen?

    39. Re:Windows joke by ArekRashan · · Score: 2, Interesting

      I just think it's sad that one way or another, people still make the attempt to rationalize their choice of 'hacker', 'cracker' or somesuch in public. I'm tired of reading these silly little disclaimers, and as the reader my interpretation of the term is what gets used. Putting it at the end is no help at all, and putting it at the beginning is just an invitation for the reader to disagree with you.

      The nebulousness of these terms should suggest to you that it would be a good idea to tailor your choice of words to aid ease of comprehension by the audience they are intended for. You may also want to add contextual clues to avoid ambiguity.

      Part of the problem stems from the fact that even under the most semantic interpretation of 'hacking isn't cracking', cracking can be hacking. At least, the first time. Then it's just a documented crack, and left to the kidz and crookz.

    40. Re:Windows joke by Bull999999 · · Score: 1

      But if you RTFA, the GNOME team did not state how their systems were compromised. It could be due to a software flaw, but it could also be due to bad settings or a cracked password.

      --
      1f u c4n r34d th1s u r34lly n33d t0 g37 l41d
    41. Re:Windows joke by leandrod · · Score: 1
      > How about making SELinux with a good default security policy the standard setup for all distributions using the 2.6 kernel?

      Perhaps. I'd propose you help Debian maintainers with this. But will it need attention from sysadmins? If so, one more issue to deal with...

      Yet it does not solve what I think are the basic issues: excess complexity, lack of code auditing and lack of maintenance.

      --
      Leandro Guimarães Faria Corcete DUTRA
      DA, DBA, SysAdmin, Data Modeller
      GNU Project, Debian GNU/Lin
    42. Re:Windows joke by Tony · · Score: 4, Insightful

      (Yes, I used hackers instead of crackers, get over it, the word hacker is used by popular culture that way)

      By that logic, scientists should start using "theory" instead of "hypothesis," simply because popular culture uses it that way. Or "velocity" when they mean "speed." Or "light years" when they mean "months" (as in time). Or maybe they should start using "pounds" as a unit of mass.

      Or in the computer industry, maybe we should start using the word "CPU" when we mean "computer case." Or "RAM" when we mean "hard drive." Or "cup holder" when we mean CD/DVD drive. Or.... getting the idea?

      Just because the public uses a word incorrectly does not mean folks in the industry need to follow suit.

      --
      Microsoft is to software what Budweiser is to beer.
    43. Re:Windows joke by Anonymous Coward · · Score: 0

      We are not a company. We don't have a responsibility to shareholders. We won't be held accountable. You may be held accountable. If you are the system administrator, it is your responsibility for the security of the system. Linux is free. It comes with no warranty and none should be expected. If you think someone will give you a warranty if you pay for it, try a commercial product. They might.

    44. Re:Windows joke by ashayh · · Score: 1

      For the past few months, MSN messenger and hotmail servers have been down a number of times.
      No reason was ever given by MS.

    45. Re:Windows joke by arkanes · · Score: 1

      Microsoft HAS been compromised, and these things have not happened. So there you go.

    46. Re:Windows joke by Anonymous Coward · · Score: 0
      i'm also in a position: Doggy style.

      what's your position?

    47. Re:Windows joke by Anonymous Coward · · Score: 0

      your mom goes down every day, but that don't mean she's been trojaned or got a virus... oh i see what you mean!

    48. Re:Windows joke by Anonymous Coward · · Score: 0
      And not only the companies. The Soviet Russians were exactly like that, and they haven't changed much.

      Yeah, the soviets haven't changed much, except for that whole "collapse of the soviet union" thing.

    49. Re:Windows joke by nathanh · · Score: 4, Insightful
      Every time something happens w/ linux "oh its only debian.org", "oh thats only local", "only 3 kernel advisories this month, that should be all for a while". We _can not_ keep brushing things off and pretending they are not significant.

      We are not brushing things off and pretending they are insignificant.

      Some people brush it off. Some people do not. This is not a collective. We do not all share the same opinion.

      I was never of the opinion that the debian.org incident was something to casually dismiss. Luckily, the Debian sysadmins agreed. They treated it very seriously and took several Debian servers offline to fix it. The gnome.org sysadmins are being equally professional.

      Just because you can read /. user-id 702942 saying something stupid like "M$ is dumheds and Lunix Rulze" does not mean that WE are all of the same opinion.

      So shut the fuck up.

    50. Re:Windows joke by ZeroConcept · · Score: 1

      According to the American Heritage Dictionary of the English Language, hacker means:

      1. One who is proficient at using or programming a computer; a computer buff.
      2. One who uses programming skills to gain illegal access to a computer network or file.
      3. One who enthusiastically pursues a game or sport: a weekend tennis hacker.

      By this definition, he used the term correctly.

    51. Re:Windows joke by Anonymous Coward · · Score: 0

      I'm referring to the collective opinion if you got to this story early you'd have seen what direction the majority of posts were going. I was going to count how many +5's I had to get through that were not directed at M$ or apologists but I got bored and stopped at 10, yes the first 10 +5's are trying to offer why linux is still more secure instead of how it happened, why and what we can do to fix it.

    52. Re:Windows joke by UnMutedChaos · · Score: 1

      He isn't writing a paper... he isn't in the 'industry'. Maybe you don't understand who 'makes' the language... Everyone does, so if the public uses the word hacker you better get used to it, because sooner than later it's their definition that will prevail. Just look at http://dictionary.reference.com/search?q=hacker and see how anal you really are.

      --
      ...
    53. Re:Windows joke by Anonymous Coward · · Score: 0

      I'm not talking about warranties, I'm talking about this phrase:
      "Windows is more secure than redhat/suse"
      one day becoming a fact if we're not careful.

    54. Re:Windows joke by GoofyBoy · · Score: 1

      >the word "CPU"

      What is this word? True computer industry professionals only know the term "Central Processing Unit".

      >Or "RAM"

      What is this "RAM" you are speaking of? Only the elite computing priests who are blessed to be operators of the high and holy machines use the term "Random Access Memory".

      >we mean CD/DVD drive.

      "CD/DVD" what? Are you making these things up?

      Please don't taint computer industry with your "popular culture" just because they use it.

      --
      The surprise isn't how often we make bad choices; the surprise is how seldom they defeat us.
    55. Re:Windows joke by Anonymous Coward · · Score: 0

      When you say "We _can not_ keep brushing things off and pretending they are not significant," who exactly is "we"?

      I continue to be amazed by seemingly intelligent individuals who take the comments of several or even dozens of miscellaneous individuals out of a group of hundreds of thousands and then claim that these out-spoken individuals are the voice of the entire "community."

      There are always going to be some individuals who are fans of a particular OS who are going to down-play negative incidents. Now if these individuals are somehow responsible for the security of the item in question then it would be cause for concern. However, seeing as the vast majority of the time it is just fans being overly defensive then, when looking at the big picture, who gives a flying fuck what they say?

    56. Re:Windows joke by Ender+Ryan · · Score: 1
      Heh, I didn't go as far as saying that Slashdot now has a pro-MS bias, I was just pointing out that there are quite a number of MS "fanboys" here these days, and it really shows in the moderation.

      Also, I've noticed large numbers of pro-MS posts getting modded up and pro-*nix posts getting modded negatively, several days after stories leave the main page.

      --
      Sticking feathers up your butt does not make you a chicken - Tyler Durden
    57. Re:Windows joke by MechaStreisand · · Score: 1
      This ain't exactly source code.
      From the grandparent:

      When's the last time MS hosted their source code on a publicly-viewable CVS tree, or offered anonymous FTP access?
      Might want to brush up on your reading comprehension skills there.
      --
      Disclaimer: IANAL. This post is, however, legal advice, and creates an attorney-client relationship.
    58. Re:Windows joke by incom · · Score: 2, Interesting

      Actually, when a story is new, the modding is in fact decidedly pro-MS. And it later tips the other way as the story gets older. Weird phenomenon. <conspiracy> maybe someone is paying for people to do this </conspiracy>

      --
      True genius is grasping a situation like a piece of fruit, and piercing it just right so that it drains dry.
    59. Re:Windows joke by ClosedSource · · Score: 2, Interesting

      But "hacker" is a word that doesn't even have a single meaning among geeks.

      The original MIT meaning was someone who was driven to passionately pursue their area of interest as an intense hobby rather than being paid for it (in grades or money). That hobby wouldn't necessarily concern computers.

      On Slashdot a hacker often means someone who reverse-engineers a computing device and then uses that knowledge to do something that the system wasn't originally intended to do as in "They hacked the XBox and made it run Linux".

      You'll notice that the Slashdot definition fits "cracker" behavior better than the original definition.

    60. Re:Windows joke by Xabraxas · · Score: 1
      But let's be real, here. Last year in the span of six months, Debian, Gentoo, and GNU (twice!) were compromised. Now GNOME.

      You must be one of those people that just reads headlines. Gentoo was never hacked. I have to constantly correct people on this. A mirror, which also served other platforms, was hacked. The system wasn't running Gentoo or specific to Gentoo at all. It was a mirror, that's it. Gentoo just happened to be the first ones to report it because they are very open about security issues and bugs.

      --
      Time makes more converts than reason
    61. Re:Windows joke by Anonymous Coward · · Score: 0

      You're a fucking idiot.

    62. Re:Windows joke by Xabraxas · · Score: 1

      I think you're being a little paranoid. When every other email you receive can potentially turn your computer into a zombie then you should really start worrying. Linux is actively pursuing security. Take a look at things like propolice and grsecurity, both projects that you can use right now.

      --
      Time makes more converts than reason
    63. Re:Windows joke by Flower · · Score: 1

      Language isn't static. It evolves because, heaven forbid, we humans happen to be social animals. You need to get over it.

      --
      I don't want knowledge. I want certainty. - Law, David Bowie
    64. Re:Windows joke by Anonymous Coward · · Score: 0

      "But let's be real, here."

      Ok let's be real. During the period ending around August 2001 M$ was taken down around 26 times in an 18 month period. My numbers, both frequency and period, may be off by 2 or 3. It's been a while.

      This includes simple web defacements as well as major security breaches such as the one others have pointed out that lasted up till 9-12 weeks.

      MS has also distributed viruses to their corporate update service clients on two known occasions. Of course MS has been hit with both code red and nimda as well.

      And these are only the known events. Sources... various defacement mirrors, most of which no longer exist, attrition org etc.

    65. Re:Windows joke by Anonymous Coward · · Score: 0

      Neither is any other company or organization.. For all we know KDE could have been compromised, but they don't have to reveal it.

    66. Re:Windows joke by Xenographic · · Score: 1

      Moreover, they have been compromised!

      They offered the guy a job afterwards (when it was made public) ... of course, he wound up leaving not long after that little PR stunt...

      I don't remember any other compromises, offhand, but I find it unlikely that any institution that large (particularly one with Microsoft's security record) could not have had at least a few breaches of various severities...

    67. Re:Windows joke by Xenographic · · Score: 1

      I hate to repeat myself, but we know that Microsoft has been compromised.

      Doesn't anyone else remember that guy who trojaned a bunch of their developers' machines or something and broke into their internal network?

      They turned it into a PR stunt and hired the guy instead of prosecuting him, as a matter of fact (though I also remember that he left soon after...)

    68. Re:Windows joke by Anonymous Coward · · Score: 2, Insightful

      "Also, it's more than likely that someone cracking the MS site would do SOMETHING to let it be known that they did it. Few hackers are purely malicious, most want some sort of fame."

      The difference is that there really isn't that much of value on the Microsoft websites. They're a corporation and deliver most of their product via sales channels. They are smart enough to keep only information on their websites.

      For FOSS, it's different. Everything is available to everybody else because their distribution system is the web.

      This is a good reason why distributions should be made available via BitTorrent, which is encrypted to ensure that what the tracker says you're getting, you get. Then users only need to validate the tracker instead of downloading some ISO's and checking the md5sum's (and how many of us always do that?). Of course the intelligent/paranoid would still check their md5sum's, but this way you won't waste time downloading corrupted files. You check beforehand through a secure channel (signed by a private key or the equivalent) so even if the web server or ftp server is compromised, you can still count on the digital signature.
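
      An added example, not part of the comment above: BitTorrent's integrity check works through SHA-1 piece hashes carried in the torrent metainfo, so a download can be rejected piece by piece once the metainfo itself is trusted. The function names, the sample data and the assumption that the info-hash was obtained out of band (for instance from a signed release announcement, whose signature check is not shown) are all constructed for illustration.

```python
import hashlib
import hmac

PIECE_LEN = 4096
SAMPLE_DATA = bytes(range(256)) * 40   # constructed 10240-byte "release image"


def bencode(obj):
    """Minimal bencoder (ints, byte/str strings, lists, dicts with sorted keys)."""
    if isinstance(obj, int):
        return b"i%de" % obj
    if isinstance(obj, str):
        obj = obj.encode("utf-8")
    if isinstance(obj, bytes):
        return b"%d:%s" % (len(obj), obj)
    if isinstance(obj, list):
        return b"l" + b"".join(bencode(x) for x in obj) + b"e"
    if isinstance(obj, dict):
        items = [(k.encode("utf-8") if isinstance(k, str) else k, v)
                 for k, v in obj.items()]
        items.sort(key=lambda kv: kv[0])          # keys sorted as raw bytes
        return b"d" + b"".join(bencode(k) + bencode(v) for k, v in items) + b"e"
    raise TypeError("cannot bencode %r" % type(obj))


def make_info(name, data, piece_len):
    """Build the single-file 'info' dictionary: one 20-byte SHA-1 per piece."""
    pieces = b"".join(hashlib.sha1(data[i:i + piece_len]).digest()
                      for i in range(0, len(data), piece_len))
    return {"length": len(data), "name": name,
            "piece length": piece_len, "pieces": pieces}


def info_hash(info):
    """The identifier a client trusts: SHA-1 over the bencoded info dictionary."""
    return hashlib.sha1(bencode(info)).hexdigest()


def verify_piece(info, index, piece):
    expected = info["pieces"][20 * index:20 * index + 20]
    actual = hashlib.sha1(piece).digest()
    return len(expected) == 20 and hmac.compare_digest(actual, expected)


def download(info, trusted_info_hash, fetch_piece):
    """Fetch every piece, refusing bad metainfo and any piece that fails its hash."""
    if not hmac.compare_digest(info_hash(info), trusted_info_hash):
        raise ValueError("metainfo does not match the trusted info-hash")
    out = []
    for index in range(len(info["pieces"]) // 20):
        piece = fetch_piece(index)
        if not verify_piece(info, index, piece):
            raise ValueError("piece %d failed its SHA-1 check" % index)
        out.append(piece)
    data = b"".join(out)
    if len(data) != info["length"]:
        raise ValueError("assembled length differs from metainfo")
    return data


def honest_peer(data, piece_len):
    return lambda i: data[i * piece_len:(i + 1) * piece_len]


def tampering_peer(data, piece_len, bad_index):
    """Constructed peer that alters one byte of a single piece."""
    def fetch(i):
        piece = bytearray(data[i * piece_len:(i + 1) * piece_len])
        if i == bad_index:
            piece[0] ^= 0xFF
        return bytes(piece)
    return fetch


if __name__ == "__main__":
    info = make_info("example.iso", SAMPLE_DATA, PIECE_LEN)
    trusted = info_hash(info)   # assumed to come from a channel the mirror cannot alter
    print("honest download ok:",
          download(info, trusted, honest_peer(SAMPLE_DATA, PIECE_LEN)) == SAMPLE_DATA)
    try:
        download(info, trusted, tampering_peer(SAMPLE_DATA, PIECE_LEN, 1))
    except ValueError as err:
        print("rejected:", err)
```

      Everything rests on where the info-hash came from: if it is read from the same compromised web or FTP server as the files, the piece checks prove nothing.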

    69. Re:Windows joke by forlornhope · · Score: 1

      You know something I noticed that every time MS is compromised they get the FBI to look into it. I have yet to see the FBI look into one OSS compromise. I guess it has something to do with the money and all, but I think it's high time the OSS community to get our friends in government involved.
      I would vote for bringing in the NSA (makers of SELinux) with their dark rooms and "friendly convincing" methods. I'm sure they would get to the bottom of who is causing these breakins, plus the added bonus of the fear factor. After people hear of some cracker being put through the anal probes, umm I mean friendly inspections, of the NSA I doubt that there would be many more people out there willing to attempt to compromise an OSS system again.

      --
      "We Don't Need No Truthless Heros!" - Project 86
    70. Re:Windows joke by Nathan · · Score: 0, Troll

      WTF is an 'Impressive UID'? :)

      --
      "E Pluribus Unix"
    71. Re:Windows joke by shird · · Score: 1

      Updates on the windows update site are digitally signed. The key being kept very secure and obviously not on the server. The rest of your post is pretty bogus too, but I couldn't be bothered wasting any more time answering.

      --
      I.O.U One Sig.
    72. Re:Windows joke by FireFury03 · · Score: 1

      Remember that Microsoft has far fewer internet-facing servers than all the different projects that make up a Linux distribution put together. Fewer internet-facing servers means it is inherently less likely to get compromised.

    73. Re:Windows joke by LittleBigLui · · Score: 2, Funny
      Idiots using the word forced it to become a word in the dictionary.


      How do you think new words get introduced into a language? Does god hand them down from heaven? Are they discovered by wordologists in the sands of the sahara desert? Are they invented by licensed WordInventors in top-secret high-tech laboratories?

      Or are they created by people just starting to use them?
      --
      Free as in mason.
    74. Re:Windows joke by paramecio · · Score: 1
      Maybe Microsoft just shut up its mouth. Maybe they are not telling us whenever they get compromised.

      Do any of you expect Microsoft to announce

      "err... our windows update site has been compromised. please expect some trojans for some weeks".
      (joke)"please run windowsupdate.com to apply a patch to avoid the trojans".
      Knowing the way Microsoft deals with vulnerabilities in its software, the same or a worse policy must apply to this kind of issue on its servers. I think so.
    75. Re:Windows joke by Ed+Avis · · Score: 1
      Fishes is in the dictionary too but it's not really a fucking word. Idiots using the word forced it to become a word in the dictionary.
      Er - this may depend on your definition of idiots, but see Matthew 14:17:
      And they say unto him, We have here but five loaves, and two fishes.
      --
      -- Ed Avis ed@membled.com
    76. Re:Windows joke by Anonymous Coward · · Score: 0
      We are hearing about this because GNU, Gnome, Debian, etc. are public projects... otherwise, this would be just another hacked site.


      Agreed. Moreover, to come to think about it, there even were plenty of cases where script kitties were uploading their warez stuff on corporate servers which were running, a product of this company.. what is it called? Oh yes, Microsoft. And all their MCSE admins could say was: Err.. well, now we know why our backups took twice longer than usual. We thought it was a feature.
    77. Re:Windows joke by hkmwbz · · Score: 2, Interesting
      I, too, have noticed a trend lately (well, it's been going on for a while), and that is that obvious flamebaits from pro-MS posters are modded up. Ignorant comments praising MS and bashing Linux will frequently get modded up, whether there is merit to it or not.

      It looks like there's a kind of backlash from pro-MS people who are sick and tired of hearing about how bad and evil Microsoft is. So they post comments about "why should Apple be allowed to bundle a browser, but MS not" (answer: Apple is not a convicted monopolist), and these get modded up.

      --
      Clever signature text goes here.
    78. Re:Windows joke by jmcneill · · Score: 1

      (number of server compromises you hear about) = (number of servers in existence) * (relative vulnerability of servers) * (willingness of those running servers to reveal compromises)

      That has to be the most rediculous math I have ever seen. Please, in the future, proofread your posts before you submit them:)

    79. Re:Windows joke by Gondorian+Warrior · · Score: 1

      Your point was well made until the last line. It is true that everyone isn't just a Linux Zealot, but as Linux becomes more mainstream the 'its free what do you expect' statement will have to become redundant.

    80. Re:Windows joke by Ben+Hutchings · · Score: 1

      Some of the windowsupdate.microsoft.com servers were hit by Code Red. One reason why Microsoft would be less vulnerable is that (AFAIK) they make less use of remote access for development, so their development systems can be firewalled off from the outside world. Debian, Gentoo and so on are dependent on distributed development and remote access to various servers from anywhere in the world.

    81. Re:Windows joke by Anonymous Coward · · Score: 0

      YOU WILL BE PUBLICLY BEATEN! The People's Republic of SLASHDOT.COM does not take anti-open source comments lightly! Supporting Microsoft on these boards is a CAPITAL OFFENSE!

    82. Re:Windows joke by dylan_- · · Score: 1
      Fishes is in the dictionary too but it's not really a fucking word. Idiots using the word forced it to become a word in the dictionary.
      Where did you get this idea from? "Fishes" is certainly a word. Modern usage is that you use "fish" as the plural when speaking of one type of fish and "fishes" when you are referring to more than one species.
      --
      Igor Presnyakov stole my hat
    83. Re:Windows joke by thepeete · · Score: 0

      Maybe Internet Explorer filters slashdot and "translates" it to pro-microsoft propaganda.

      --
      My Karma is so low that even my own postings are beyond my current threshold
    84. Re:Windows joke by Anonymous Coward · · Score: 0

      rediculous

      The problem is that here on Slashdot it's impossible to know whether that was deliberate or not...

    85. Re:Windows joke by Anonymous Coward · · Score: 0

      if you think that there is an overall pro-Microsoft bias, you must either be blind

      Quite. Slashdot is as pro-MS as the media is liberal. I.e. not at all.

    86. Re:Windows joke by gregmac · · Score: 1

      Nobody said open source software were flawless

      This is a good point that often seems to escape the microsoft camp. Open source is NOT flawless. In fact, go look at any of the security sites.. you'll find lots of bugs and possible exploits for almost any server. However, in every case, there's a fix. Now, if an admin doesn't apply it, obviously they'll be vulnerable to any exploits created for that hole. This is no different from Microsoft - or any other company's - products.

      The problem with Microsoft (or any closed) code is that if there is a bug, and their small (compared to the OSS world) and non-diverse (as in, they've all been hired by the company, and probably have roughly the same credentials and experience) QA team doesn't find it, then it's likely that a cracker will find it and create an exploit before there is a fix.

      With OSS, most of the problems are found much earlier (many eyes.. yadayada), and so a fix is created before a cracker can create an exploit.

      If we would get report of all the windows servers that are getting hacked everyday, we'd hear much more news like this. We are hearing about this because GNU, Gnome, Debian, etc. are public projects... otherwise, this would be just another hacked site.

      This is also true of pretty much any software/site. Lots of companies using Microsoft software get hacked (not counting the thousands of virus-infected servers sitting on the net), and don't announce it. Lots of companies using Linux and other OSs get hacked too, and don't announce it. Often they don't even know about it.

      The bottom line is this: a server running 3 year old versions of everything, no matter what OS, likely has problems. If you don't keep patches up to date, you are going to have holes. Generally speaking though, an up-to-date linux box is going to be more secure than an up-to-date windows box.

      We could also mention the quality of updates: breaking other services, causing unexpected problems because of strange inter-dependencies (gee, guess which platform I'm talking about..), but that's a whole different can of worms.

      --
      Speak before you think
    87. Re:Windows joke by eyeye · · Score: 1

      The bible was written in english?

      OMFG!

      --
      Bush and Blair ate my sig!
    88. Re:Windows joke by FooBarWidget · · Score: 1

      I agree with you, there's a pro-Microsoft mentality at Slashdot, even though people don't want to admit it and even claim the opposite.

    89. Re:Windows joke by alvint · · Score: 1

      [quote] ...Or maybe they should start using "pounds" as a unit of mass...
      [/quote]

      'pounds' is also a unit of mass. there are two types: pounds force (lbf) and pounds mass (lbm).

      on earth at sea level (i.e., gravitational acceleration of 32 ft/sec^sec), 1 lbm generates 1 lbf.

    90. Re:Windows joke by alvint · · Score: 1

      whoops, gravitational acceleration is 32 ft/sec^2

    91. Re:Windows joke by Anonymous Coward · · Score: 0

      Not only that, they jammed the radio.

      And in Soviet Russia, servers compromise YOU!! ...Ewwww......

    92. Re:Windows joke by jonadab · · Score: 1

      > By that logic, scientists should start using "theory" instead of "hypothesis,"

      They already do that. The old idea that a hypothesis had to be tested in
      multiple experiments in order to become a theory is gone decades ago. Now
      it's good enough to get enough other scientists that several countries are
      represented to agree with you that your hypothesis might be correct, and you
      can call it a theory. If you're famous enough in the scientific community,
      you can just call your ideas theories right off the bat.

      This is especially true in certain sciences, most notably evolutionary biology.
      (An even better example, if you consider it a science at all, which is no
      foregone conclusion IMO, is psychology.) Harder sciences like physics are a
      little more rigid with the terminology, however.

      Then there's math: testing, schmesting; no amount of experimentation or
      testing can ever be enough; if you haven't *proven* it, it's not a theorem.
      You can, however, make it a postulate if you want, but then you're defining
      your own system and can't make claims about other established systems based
      on it, unless you can prove that your system is isomorphic to the other
      system (which you probably can't do if you've added postulates). Math rocks.

      --
      Cut that out, or I will ship you to Norilsk in a box.
    93. Re:Windows joke by Thagg · · Score: 1

      As opposed to dishonest, I felt that mendacious carried with it the added meaning of intent to harm.

      thad

      --
      I love Mondays. On a Monday, anything is possible.
    94. Re:Windows joke by Xabraxas · · Score: 1

      It's only now a word because people don't know how to speak. It was DEFINITELY not a word to describe more than one species of fish. It became that way through misuse.

      --
      Time makes more converts than reason
    95. Re:Windows joke by Xabraxas · · Score: 1

      Schools have an English class for a reason. If we all just chose to speak however the hell we wanted to then language would evolve at such a rapid pace that I wouldn't have a clue what anyone was saying on the other side of my own country.

      --
      Time makes more converts than reason
    96. Re:Windows joke by Flower · · Score: 1
      We all aren't choosing random definitions and connotations when it comes to the word hacker. Even in its negative connotation it still retains an assumption that the person is skilled as opposed to a script-kiddie. It isn't like I go to Indiana and hacker means computer geek and I head off to California and suddenly it means serial killer who dismembers victims. And if one is participating in the conversation it isn't difficult to determine the connotation of the term.

      I also think your assertion in how rapidly the language would evolve is little more than rhetoric. You forget the influence of national broadcasts, the fact that people travel all over the US, telephony, etc. as forces to keep American English uniform.

      If you absolutely must have a "pure" English you are always free to lobby for some mechanism like the French have and the government can determine exactly what words mean what in official correspondence every five years. Good luck. From my understanding it doesn't stem the flow of informal speech or changing connotation of words either.

      --
      I don't want knowledge. I want certainty. - Law, David Bowie
    97. Re:Windows joke by Anonymous Coward · · Score: 0

      Their servers??

      [unix@unix unix]$ host www.microsoft.com
      www.microsoft.com is an alias for www.microsoft.akadns.net.
      www.microsoft.akadns.net is an alias for www2.microsoft.akadns.net.
      www2.microsoft.akadns.net has address 207.46.134.221
      www2.microsoft.akadns.net has address 207.46.245.92
      www2.microsoft.akadns.net has address 207.46.250.252
      www2.microsoft.akadns.net has address 207.46.249.252
      www2.microsoft.akadns.net has address 207.46.156.220
      www2.microsoft.akadns.net has address 207.46.144.188
      www2.microsoft.akadns.net has address 207.46.156.188
      www2.microsoft.akadns.net has address 207.46.250.222
      [unix@unix unix]$

  69. Perhaps.... by dmp123 · · Score: 0, Offtopic

    somewhere, out there, a Kracker is laughing....

    David

  70. Sorry guys by agent+dero · · Score: 5, Funny

    My bad, won't happen again.

    -KDE

    --
    Error 407 - No creative sig found
  71. MOD PARENT UP - FUNNY by Anonymous Coward · · Score: 0

    Whenever we hear about a windows box being hacked we hear "that wouldn't happen if you ran Linux"... is it so bad to have the joke the other way around?

  72. OpenSSL Vulnerabilities by Anonymous Coward · · Score: 4, Interesting

    From Netcraft:

    Apache/1.3.12 (Unix) (Red Hat/Linux) mod_ssl/2.6.4 OpenSSL/0.9.5a PHP/3.0.7

    Could it have anything to do with the old version of OpenSSL, and the numerous vulns found lately?

    1. Re:OpenSSL Vulnerabilities by Rich · · Score: 2, Interesting

      Two things:

      1. Most distros patch holes in existing versions but do not change the version numbers.

      2. The OpenSSL holes recently were a null pointer dereference and a DoS - neither would lead to a compromise.

    2. Re:OpenSSL Vulnerabilities by Pros_n_Cons · · Score: 2, Informative

      OpenSSL were DoS issues, so it's doubtful.
      http://www.openssl.org/news/secadv_20040317.txt

      --

      -- "of course thats just my opinion, I could be wrong." --Dennis Miller
    3. Re:OpenSSL Vulnerabilities by CTho9305 · · Score: 2, Informative

      2. The OpenSSL holes recently were a null pointer dereference and a DoS - neither would lead to a compromise.

      Remember the openssl worm? Anything less than 0.9.6e is vulnerable. And they're using 0.9.5a????

      Their versions of php and apache are both incredibly old (1.3.27 or 1.3.28 is current for apache, and PHP just released 5 RC1 with 4.3.x being current) - I hope they set up apache to lie about its versions.

    4. Re:OpenSSL Vulnerabilities by Mike+Hawk · · Score: 2, Insightful

      Wow, I heard a story once where someone said something about attacks only resulting from announced and patched vulnerabilities. Of course, that claim was quickly "debunked" by the slashbots. Weird.

    5. Re:OpenSSL Vulnerabilities by Dalcius · · Score: 1

      Possibly, but I somehow doubt it. The vulns in OpenSSL of late were capable of crashing the service using the OpenSSL libs, but it's just a DOS attack. That's not to say that there isn't something more or that a DOS is what alerted the GNOME folks, but I don't know that that is the case here.

      Cheers

      --
      ~Dalcius
      Rome wasn't burnt in a day.
    6. Re:OpenSSL Vulnerabilities by sglane81 · · Score: 1

      1.3.29 is the latest apache.

      4.3.4 is the latest PHP, but some people can't upgrade due to backwards compatibilities.

      --
      This is the Internet. You can say "fuck" here. - AC
    7. Re:OpenSSL Vulnerabilities by rastos1 · · Score: 1
      >Anything less than 0.9.6e is vulnerable.

      0.9.6d is the latest. Where did you get e?

    8. Re:OpenSSL Vulnerabilities by Henk+Poley · · Score: 1

      Copy-paste from http://www.openssl.org/ :

      17-mar-2004: OpenSSL 0.9.7d is now available, including important bugfixes

      That's 7d, not a 6d.

    9. Re:OpenSSL Vulnerabilities by juhaz · · Score: 1

      Remember the openssl worm? Anything less than 0.9.6e is vulnerable. And they're using 0.9.5a????

      In case you failed to read the 1) in parent:

      Most, if not all distros backport security fixes. Version numbers tell you NOTHING about vulnerabilities.

      Basically it means they take the patch and modify it to work with an older version of the software, which helps avoid other bugs or changes that might be introduced with new versions.

      You basically can't release an all-new version fast enough to respond to a security compromise because it's going to take a LOT of testing to make sure it doesn't break something else, and so backporting is almost always the preferred option. Unfortunately it also introduces mix-ups like yours.
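The backporting point in the comment above, as an added example that is not part of the thread: two builds that both report 0.9.5a are judged once by banner version alone and once by the package changelog. The changelog text, the release numbers, the advisory IDs and all function names are constructed for illustration; the version strings are the ones quoted in the thread.

```python
import re

# Constructed sample in the style of `rpm -q --changelog openssl`, newest entry
# first. Advisory IDs are placeholders, not real identifiers.
SAMPLE_CHANGELOG = """\
* Tue Mar 16 2004 Packager <pkg@example.invalid> 0.9.5a-34
- backport fix for ADVISORY-PLACEHOLDER-2 (security fix)

* Mon Aug 05 2002 Packager <pkg@example.invalid> 0.9.5a-30
- backport fix for ADVISORY-PLACEHOLDER-1 (security fix)

* Wed Jan 10 2001 Packager <pkg@example.invalid> 0.9.5a-20
- initial build
"""

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)$")
HEADER_RE = re.compile(r"^\* .* (?P<version>[^\s-]+)-(?P<release>\S+)$")


def parse_openssl_version(text):
    """Turn '0.9.6e' into a sortable tuple (0, 9, 6, 'e')."""
    match = VERSION_RE.match(text.strip())
    if match is None:
        raise ValueError(f"not an OpenSSL-style version: {text!r}")
    major, minor, fix, letter = match.groups()
    return int(major), int(minor), int(fix), letter


def banner_looks_vulnerable(banner, first_fixed):
    """The naive check: compare the advertised version with the first fixed one."""
    return parse_openssl_version(banner) < parse_openssl_version(first_fixed)


def parse_changelog(text):
    """Return [(version, release, body)] in file order (newest first)."""
    entries = []
    for line in text.splitlines():
        header = HEADER_RE.match(line)
        if header:
            entries.append([header["version"], header["release"], []])
        elif entries and line.strip():
            entries[-1][2].append(line.strip())
    return [(version, release, " ".join(body)) for version, release, body in entries]


def fixed_in_build(changelog, installed_release, advisory):
    """True if the installed build, or any older one, records a fix for the advisory."""
    entries = parse_changelog(changelog)
    releases = [release for _, release, _ in entries]
    if installed_release not in releases:
        raise ValueError(f"release {installed_release!r} not in changelog")
    # A package's changelog only contains entries up to its own build.
    visible = entries[releases.index(installed_release):]
    needle = re.compile(r"\b" + re.escape(advisory) + r"\b")
    return any(needle.search(body) for _, _, body in visible)


def assess(banner, first_fixed, installed_release, advisory,
           changelog=SAMPLE_CHANGELOG):
    """Classify a host as 'fixed upstream', 'fixed by backport' or 'vulnerable'."""
    if not banner_looks_vulnerable(banner, first_fixed):
        return "fixed upstream"
    if fixed_in_build(changelog, installed_release, advisory):
        return "fixed by backport"
    return "vulnerable"


if __name__ == "__main__":
    for release in ("34", "20"):
        verdict = assess("0.9.5a", "0.9.6e", release, "ADVISORY-PLACEHOLDER-1")
        print(f"0.9.5a-{release}: {verdict}")
```

Both builds fail the banner comparison, but only the older one is actually missing the fix, which is why a scanner that reads version strings alone misclassifies patched distro packages.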

  73. Urgent! by Anonymous Coward · · Score: 0

    Help! I'm going to France soon and I need to know where I can go to be insulted. I mean REALLY insulted...

    1. Re:Urgent! by Anonymous Coward · · Score: 0

      Iraq, you dumbass.

    2. Re:Urgent! by Anonymous Coward · · Score: 0

      I said to be insulted, not to be sold WMDs by France, Germany, and Russia, which are then snuck into Iran...

  74. The server's system date was compromised by Anonymous Coward · · Score: 0

    The GNOME sysadmin team
    23 March 2003

  75. Re:Gnome Gsucks by OECD · · Score: 0

    Gnome Gsucks.

    Gno, it dogn't.

    --
    One man's -1 Flamebait is another man's +5 Funny.
  76. Yep, they shut down that 486/33 SX box... by Anonymous Coward · · Score: 1, Funny

    ...that was serving all 4 users of Gnome.

  77. Re:Gnome Gsucks by Anonymous Coward · · Score: 0

    Then you enjoy contributing to Trolltech's Qt protection racket?

    I didn't think so.

  78. ssl by Anonymous Coward · · Score: 0

    ssl bug? or is it the big dog, apache?

  79. Re:Blame windows it already looks like Gnome by fforw · · Score: 3, Funny
    so I followed your link..
    ADODB.Parameter error '800a0d5d'

    Application uses a value of the wrong type for the current operation.

    E:\DATA\INETPUB\WWWROOT\NBR\HOME\../ inc/select_article.asp, line 9

    guess next you'll tell us that ASP.NET is the better platform for web services =)

    ..
    --
    while (!asleep()) sheep++
  80. Re:backup by Anonymous Coward · · Score: 1, Informative

    Don't bring up the backup until you figure out how they got in.

  81. Should have been running KDE! by Anonymous Coward · · Score: 0

    If only because... it's better! And... I HAVE FURY!!!!

    1. Re:Should have been running KDE! by Anonymous Coward · · Score: 0

      Too much Game Boy Advance for you... ;)

  82. Why OSS servers are never hacked. by Anonymous Coward · · Score: 0

    There's nothing worth stealing!!!

  83. Al Qaeda??? by alokeb · · Score: 0, Offtopic

    I'm sure it was the terrorists. They were last seen tunneling somewhere.

  84. I doubt it was compromised by TaraByte · · Score: 1

    It was probably just slashdotted!

    --
    Security is inversely proportional to the commitment of one desiring to circumvent it.
  85. KDE did it! by MMHere · · Score: 0, Redundant

    Geez, I know the KDE folks think they're superior, but hacking your competitors website? That's so Microsoft-y.

  86. This is getting annoying by nurb432 · · Score: 3, Insightful

    Why can't these idiots find something else to do with their time than screw up systems? (be it some OSS project or a commercial behemoth)

    Perhaps we just need to forget the courts, and find people that do this and take care of the problem.

    All it does is make everyone's life harder, it doesn't get 'them' anywhere...

    Disclaimer: I'm not even a Gnome fan.. it's the principle.

    --
    ---- Booth was a patriot ----
    1. Re:This is getting annoying by Seydlitz · · Score: 1
      Yeah, vigilante justice is all very well and good; but this is slashdot, man.

      What are we going to do, honestly? Camp outside their house and point our wi-fi's at them?

      Well, saying that, the people who kompro... compromised their server were probably from the "geek" community too, so we'd stand a chance. Let the wardialing commence!

    2. Re:This is getting annoying by Anonymous Coward · · Score: 0

      "Disclaimer: I'm not even a Gnome fan.. it's the principle."

      Yes you are, you just haven't accepted it yet. Remember the immortal words of our esteemed leader, George Bush, "you're either with us or against us".

    3. Re:This is getting annoying by joeljkp · · Score: 1

      The problem, of course, lies in the possibility that you'll find the wrong people.

      Unless, of course, there were some way to prove that the person you're going to "take care of" is actually guilty... Why, you'd need some kind of court system... oh, wait...

      --
      WeRelate.org - wiki-based genealogy
  87. Re:Another Debian Hole? by Anonymous Coward · · Score: 1, Informative

    Gnome's servers were all running RedHat, between versions 7 and 9 last time I checked... they should switch those to a better maintained distro already as RH7-9 is deprecated...

  88. Re:Blame windows it already looks like Gnome by Mark+Pitman · · Score: 2, Informative

    Not to pick nits, but that error didn't come from ASP.Net, it is from classic ASP and is actually an ADO (data access) error.

  89. gnowned! by straponego · · Score: 4, Funny

    ...sorry.

  90. Silliness aside cvs and www are separate by Alan+Cox · · Score: 3, Informative

    The Gnome team didn't mix all the web sites (where user custom shell scripts are always a risk) with the cvs box.

  91. OSS - Security through lack of motivation by The-Dalai-LLama · · Score: 2, Insightful

    Just a thought, and I haven't been around very long, but if a major software company had reason to suspect their security had been compromised the day before a major release, which is to say sometime after major effort and bucks went into promoting the release, would they publicize it?

    It seems to me that since Gnome is open-source, they don't have a lot to lose by delaying the release until they know their product has not been compromised.

    The Dalai Llama
    Just thinking out loud, try not to get any on your shoes

    1. Re:OSS - Security through lack of motivation by Anonymous Coward · · Score: 0

      And your point is... ?

    2. Re:OSS - Security through lack of motivation by The-Dalai-LLama · · Score: 2, Insightful

      Sorry, should have been more explicit.

      This story highlights the fact that the Gnome folks went out of their way to actively inform the community that their product may have been compromised.

      My point is this: proprietary vendors have an incentive to hide from their customers security compromises; OSS software makers have an incentive to alert their customers to potential security compromises.

      The idea is related to the "more eyes examining it" argument, but also subtly different.

      The Dalai Llama
      willing to create a cute metaphor or analogy, if that will help

  92. Could be anything, including false alarm... by Pecisk · · Score: 1

    But if we love conspiracy theories, it could be simply like that. We all know that there really should be a connection between antivirus developers and virus writers. So, they got a serious headache about Linux coming to the common user's desktop, as, if it's properly locked down by the admin or service provider for that box, there's no need for any kind of antivirus in Linux (IF we are talking about the desktop; mail servers which also serve Windows boxes are another story).
    So they see a danger for their market. What should they do? Do some bad PR for open source. How? Gnome will release 2.6 on Wednesday, 24th of March? I see. Let's hack some server. REMEMBER, everything could be broken, even a properly set-up OpenBSD box. So some black hat gets paid and does his dirty job. For what? Just for a PR stunt - by a miracle, tomorrow every main IT news site will know about the GNOME release AND the possible compromise.

    In summary - guys, get ready for such events to happen. It's a fight, a battle. Even if it is a simple hacker who wanted to be proud of what he has done - so beat it, we must be more careful about security in future :) And if it is as I said - be ready for anything, because those people don't want to change. They want their old market back.

    --
    user@ubuntubox:~$ stfu This server is going down for shutdown NOW!
  93. Yet more proof in the security fallacy of OSS by Anonymous Coward · · Score: 0

    Not many more people look at OSS code than proprietary code in practice, and since both are written in C, both are prone to human coding error. Therefore, OSS code is no more secure than proprietary code, all else being equal.

    1. Re:Yet more proof in the security fallacy of OSS by ArekRashan · · Score: 2, Insightful

      Even if I accept that as true, Windows still isn't nearly as good in this area as just about anything that tries a little harder for POSIX compliance.

      If you are comparing OSS code to Solaris or AIX or something, you might have a point. But not much of one.

  94. Re:Bad news(not)... distributed code comparison by G4from128k · · Score: 4, Interesting

    With OSS, an intrusion, even a full bore compromise of the code base is more likely to be caught. I would hope that there are diligent OSS people that cross-compare their copies of the source to the CVS copies and look for discrepancies. A distributed analysis of all changes (including the officially sanctioned ones) would help uncover malicious code.

    In contrast, the users of proprietary code have only the manufacturer's word on what changes occurred, who made them, and what those changes do. We users have no easy way (short of reverse engineering the code deltas on the binaries) of determining what happened between version X and version X.1. The security of non-OSS code is in nontransparent hands and that makes it insecure.

    --
    Two wrongs don't make a right, but three lefts do.
  95. Re:backup by /dev/trash · · Score: 1

    I'd think that if tripwire came back okay, the backup to a separate tripwire-enabled box would commence.

  96. Re:Blame windows it already looks like Gnome by Anonymous Coward · · Score: 1, Informative

    you have to take the space out of the link. slashcode adds it for some reason. without the space, it works fine.

  97. Re:backup by Anonymous Coward · · Score: 1, Informative

    > Don't bring up the backup until you figure out how they got in.

    And when.

  98. Traced the break-in by rixstep · · Score: 1, Funny

    Hi,

    I represent a security company who were asked to analyse the logs on the compromised system. All the originating IPs point to a place called Lindon, Utah in the US.

    Anyone know what that means?

  99. Re:Blame windows it already looks like Gnome by Bull999999 · · Score: 3

    If windows came with SQL and Exchange server, Office suite and various other add-ons and softwares, it'll be easily as big. But that doesn't matter since you cannot download non-trial version of Windows from MS in the first place.

    --
    1f u c4n r34d th1s u r34lly n33d t0 g37 l41d
  100. Re:Bad news(not)... distributed code comparison by rixstep · · Score: 1

    With OSS, an intrusion, even a full bore compromise of the code base is more likely to be caught.

    Naive. Cf Ken Thompson, Reflections on Trusting Trust. Unix back in those days was, at least at Bell Labs, about as OSS as it can get, and the body of code was nothing compared to today either.

  101. Re:Blame windows it already looks like Gnome by Anonymous Coward · · Score: 0

    Neither and that's the point.
    Tomorrow someone will find a vulnerability in both of them.

  102. Once again... by HenryFjord · · Score: 1

    some punk thought it would be funny to steal our newest lawn GNOME.

  103. Lucky Anyhow... by oacis · · Score: 2, Funny

    Lucky anyhow that the server is unavailable 'before' it got slashdotted.

    --
    This is NOT the best sig in the world, but this IS a tribute to the best sig in the world.
  104. safe system for submitting code by Graphyx · · Score: 5, Interesting

    Here is what the developers should do.
    Each time they submit a file that they have made changes to in the CVS archive, they should also HMAC it and sign it with their private key. Then later on, if the system was compromised, you could go back and compute the HMAC of the file to make sure it matches the one the programmer submitted.

    And then even if the system was compromised you wouldn't have to question which ones were changed or not, since it can be checked just by confirming the HMACs.

    The best designs for security have perfect forward security. And a signed HMAC would prove the validity of the file unless the signing key was compromised.

    1. Re:safe system for submitting code by rotty · · Score: 1

      GNU Arch can already do this.
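A sketch of the per-commit integrity record proposed in comment 104, added here as an example and not code from the thread or from any project it names. It uses HMAC-SHA256 keyed with a secret the developer keeps off the server, standing in for the public-key signature the comment asks for (Python's standard library has no asymmetric signing), so the later check must be run by someone who holds that key. All names and the sample files are constructed.

```python
import hashlib
import hmac
import json


def file_digest(content):
    """SHA-256 of a file's bytes, as hex."""
    return hashlib.sha256(content).hexdigest()


def canonical_payload(author, digests):
    """Stable byte encoding of the fields the tag protects."""
    body = {"author": author, "files": dict(sorted(digests.items()))}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def make_manifest(files, author, key):
    """Record the state of the submitted files (path -> bytes) at commit time."""
    digests = {path: file_digest(content) for path, content in files.items()}
    tag = hmac.new(key, canonical_payload(author, digests), hashlib.sha256)
    return {"author": author, "files": digests, "tag": tag.hexdigest()}


def manifest_is_authentic(manifest, key):
    """Recompute the tag; fails if any digest, the author or the tag was edited."""
    try:
        payload = canonical_payload(manifest["author"], manifest["files"])
    except (KeyError, TypeError, AttributeError):
        return False
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected.encode(), str(manifest.get("tag", "")).encode())


def audit_tree(manifest, key, current_files):
    """Compare the files now on the server with what the developer recorded."""
    report = {"manifest_authentic": manifest_is_authentic(manifest, key),
              "modified": [], "missing": [], "unexpected": []}
    if not report["manifest_authentic"]:
        # A manifest rewritten on the server proves nothing about the files.
        return report
    recorded = manifest["files"]
    for path, digest in sorted(recorded.items()):
        if path not in current_files:
            report["missing"].append(path)
        elif file_digest(current_files[path]) != digest:
            report["modified"].append(path)
    report["unexpected"] = sorted(set(current_files) - set(recorded))
    return report


# Constructed sample data: a developer key and a two-file commit.
SAMPLE_KEY = b"constructed-developer-key-kept-off-the-server"
SAMPLE_FILES = {
    "src/main.c": b"int main(void) { return 0; }\n",
    "README": b"sample project\n",
}

if __name__ == "__main__":
    manifest = make_manifest(SAMPLE_FILES, "dev@example.invalid", SAMPLE_KEY)
    altered = dict(SAMPLE_FILES, **{"src/main.c": b"int main(void) { return 1; }\n"})
    print(audit_tree(manifest, SAMPLE_KEY, altered))
```

An intruder who changes a file and also rewrites its digest in the stored manifest still fails the check, because the tag cannot be recomputed without the key.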

  105. Haha by Bendebecker · · Score: 1

    Gnome got powned. On a more serious note, I bet it was some deranged KDE fan or something. The GUI wars have been heating lately.

    --
    There's a growing sense that even if The Future comes,
    most of us won't be able to afford it.
    -- Lemmy
  106. Most the security breaches are the fault of.... by SmallFurryCreature · · Score: 3, Interesting
    Most of the security breaches are the fault of bad installs. Basically the admins left a hole and someone made use of it. At worst it is an application like the ftp server that should have been patched or wasn't.

    At least as far as I've been aware it has never been an OS that was at fault.

    Nitpicking? Well yes. But just ask yourself this. Gnome runs Red Hat. If there was a hole in Red Hat then why is only gnome under attack and not every Red Hat box in the world? Are linux hackers more easily satisfied and think 1 box is enough?

    So what do you think has happened here. Someone found a fault with Red Hat or did someone find a fault with the Gnome setup of their Red Hat server?

    Only fools blame MS for users who download a "keygen" that turns out to be a virus. However we do blame MS for making holes in their software that affects every damn installation of windows out there.

    That is the difference.

    As for your howto suggestion. They exist. They just are a lot of work and most people don't bother. Hell if you follow such howto's then Windows can be made secure (rule 1 Windows is not an internet OS, run it behind a firewall that means not a firewall ON windows but windows BEHIND a firewall). I follow them. My windows/dos box has never been compromised. Neither has my linux box.

    Then again neither of my machines is supposed to do what GNOME's machines are supposed to do. It is easy to secure to the outside world when nobody is supposed to access it. Fort Knox is secure because nobody is allowed in there. The high street bank is a lot harder to secure.

    --

    MMO Quests are like orgasms:

    You may solo them, I prefer them in a group.

    1. Re:Most the security breaches are the fault of.... by nick+this · · Score: 1
      Only fools blame MS for users who download a "keygen" that turns out to be a virus. However we do blame MS for making holes in their software that affects every damn installation of windows out there.

      Not true. Or... perhaps it is, and I'm a fool. Yeah, I do blame Microsoft for a fault in which a user can execute something that destroys his or her machine, as well as those around it.

      On my linux box, if I'm logged in as the user I typically log in as, the worst that could happen is something could trash my home directory. Bad enough, but it wouldn't affect other machines around me.

      With Windows, almost all users are local admins on the workstations. They have to be, because software (both Microsoft and 3rd parties) require it to run. So a user running a "bad" program can destroy the workstation. It's possible that a class of users has blanket admin permissions on a host of machines that they regularly log into, and those can be remotely broken by the same program.

      A regular user taking down a bunch of workstations isn't an unlikely occurrence. Root problem is that Microsoft doesn't give tools to set fine-grained permissions necessary to stop someone from having to run as local administrator.

      So yeah, I *do* blame Microsoft, for making such an "easy to use" OS that *forces* poor security, bad practices, and guarantees you a shot in the foot for it.

      Nice. Thanks, Microsoft.

      Or it could be that I'm bitter over wasting yet ANOTHER day of my life restoring a crappy exchange box.

    2. Re:Most the security breaches are the fault of.... by SeregonSandgrain · · Score: 0
      "So what do you think has happened here. Someone found a fault with Red Hat or did someone find a fault with the Gnome setup of their Red Hat server?"

      The part I was specifically referring to with that quote was: "with the Gnome setup of their Red Hat server." Why the hell would they be running gnome on a web server? Call me an idiot but I've always been told that for a critical system like that (dedicated web server) you run what you need to and NOTHING more; every non-essential service is just one more security hole...

      But then again, what do I know?

      -<ASP>-

      --
      My User Agent: "Where is the pr0n?"
  107. It's not hacked by Anonymous Coward · · Score: 0

    until Netcraft confirms it.

  108. GNOME code by endrek · · Score: 3, Insightful

    I'd actually think the code might have been touched. The timing of the hack is interesting because it is so close to a release. If I was going to try and plant something I'd wait until just before it goes out the door in a massive release. Less chance of getting caught and biggest dispersal opportunity. Sigh

    1. Re:GNOME code by Anonymous Coward · · Score: 0

      Yes... "IF I [were] going to try and plant something...Less chance of getting caught...Sigh"

      You seem to have put a great deal of thought into this prospect...

      GET 'EM, BOYS!

  109. Still Waiting by RichiP · · Score: 1

    For news regarding what was compromised and HOW it was compromised. I doubt we'll ever find WHO and WHY, but here's hoping that we do.

    I would like to know if it was some known exploit that the admin didn't take care of. Or some easy-to-guess password by one of the developers. Or, worse, some as-yet-unknown exploit.

  110. Just to be fair... by Anonymous Coward · · Score: 1, Funny

    Of course we want to be fair... let's blame SCO!

  111. Re:Blame windows it already looks like Gnome by Anonymous Coward · · Score: 0

    Guess you've not purchased a windows PC from any major vendor lately. Mine came with everything including a kitchen sink.
    Basically what you're saying is the linux kernel is secure and everything else is shit. If it weren't for several linux kernel vulns within the last several months that might hold some water.
    That's like saying shell32 is shit because symantec coded an activeX backdoor into a windows machine. The only difference is Windows ain't free and neither is Symantec.

  112. Yes by Anonymous Coward · · Score: 0

    I run NetBSD and FreeBSD. When was the last time the NetBSD or FreeBSD servers were compromised?

    1. Re:Yes by Narchie+Troll · · Score: 1

      When is the last time anyone cared?

  113. Audit required ASAP by niittyniemi · · Score: 1


    > But let's be real, here. Last year in the span of six months,
    > Debian, Gentoo, and GNU (twice!) were compromised. Now GNOME.


    We'll have to wait for an explanation of how it happened but my opinion is that Linux needs proper auditing and a security officer needs to be appointed whose job it is to check out stuff that goes into the tree.

    The BSDs have this and they haven't had the security problems that Linux has had. Maybe it's due to the popularity of Linux but an audit/security officer wouldn't do any harm.

    You have to expect that the admins of these boxes are far from clueless yet they still got broken in to. To me that indicates a problem with Linux development rather than use.

    If an audit isn't done, then the cracks will keep on opening up & the reputation of Linux will be trashed.

    --
    The Machine stops.
  114. I knew it! by Anonymous Coward · · Score: 0

    That explains it!

    KDE was trying to steal GNOME's super secret source code.;-)

  115. Re:Bad news(not)... distributed code comparison by a_n_d_e_r_s · · Score: 2, Interesting

    His paper is a good example of how hard it is to change an open source project today - since the compiler nowadays is separate from the rest of the code.

    It's much harder today since one needs to crack the security on so many websites, because of the distributed development that is done in free and open software today on the Internet.

    His example also shows that it only works if the same developer makes both the OS and the compiler.

    Linux is not developed that way - however a large competitor to Linux is....

    --
    Just saying it like it are.
  116. SCO at it again? Call Laura Didio! by Anonymous Coward · · Score: 0



    Let's call up the media and analysts and tell them that Darl is attacking Linux projects again.

    We would have the same proof he does of the attacks on SCO, right?

  117. FBI Task Force by theCoder · · Score: 5, Insightful

    So, when is the FBI going to announce their special task force to track down these dangerous hackers? After all, isn't that what they did when the Microsoft code was leaked? Something tells me this won't even make the FBI's radar, though...

    --
    "Save the whales, feed the hungry, free the mallocs" -- author unknown
    1. Re:FBI Task Force by nexex · · Score: 1

      depends if gnome files a report, and subsequently puts out a press release :)

      --
      Winter 2010: With Glowing Hearts
    2. Re:FBI Task Force by King_TJ · · Score: 1

      The FBI seems to base everything on theoretical "dollars lost". Being an open-source, free project - there's no easy way to claim the Gnome developers lost X number of dollars due to the break-in. Therefore, the FBI is uninterested.

    3. Re:FBI Task Force by caller9 · · Score: 1

      You have to somehow demonstrate losses of $5000 or more before the FBI cares. Does Gnome have a business model that this type of thing could put a $5000 plus dent in?

      That's the problem with most OSS organization cracks and even the last few waves of mostly benign virii.

      Without demonstrable losses (and preferably press coverage on a cable network) the authorities aren't going to lift a finger. I think the hacker community knows this.

    4. Re:FBI Task Force by Anonymous Coward · · Score: 0

      maybe there should be virtual value on these projects? Suppose a coder works an hour on a patch, the value would be increased by $40? Would be interesting to see how much OSS is worth.

    5. Re:FBI Task Force by Kashif+Shaikh · · Score: 1

      They won't consider the case unless it involves at least $10000US (that is their federal "should I, or should I not" threshold for pursuing cases).

      So unless you just lost $10K, don't think the FABEE will be setting up a "special task force for Gnome".

  118. No, not pansy justice by nurb432 · · Score: 1

    I mean take them out back and hang the fuckers.

    One less jerk on the face of the earth to deal with.

    And no, I'm not kidding. Raise the stakes high enough and most won't risk it. And hunt down the few that do.

    --
    ---- Booth was a patriot ----
    1. Re:No, not pansy justice by sglane81 · · Score: 1

      Raise the stakes high enough and most wont risk it. And hunt down the few that do.

      Some hackers do it for the fame.
      Some hackers do it for the money.
      Some hackers do it for political reasons.
      Some hackers do it because they (and / or their families) are held hostage in one way or another.

      --
      This is the Internet. You can say "fuck" here. - AC
  119. Kudos to the Gnome team for their timely reaction by RichiP · · Score: 4, Insightful

    We have to remember that most of the people working on Gnome and/or maintaining the servers are volunteers. That said, I have to tip my hat to these people for the very professional action they provided post the compromise. Taking down the compromised server, informing the community, and, most importantly, not releasing premature statements of blame or excuses (which is more than what I can say for a lot of professional companies).

  120. Somebody is taking care of the problem by wazzzup · · Score: 1

    It appears that somebody has decided that it's time to hack the hackers.

    MacSlash
  121. The most disturbing part by Anonymous Coward · · Score: 0

    The most disturbing part is the message they left on the hacked GNOME main page:

    You can not stop us.
    We have this source.
    GNOME dies gnow. Are you afraid?
    Death to GNOME. Death to Linux.
    Longhorn is great.
  122. Re:Blame windows it already looks like Gnome by PickyH3D · · Score: 1

    You mean if they bundled? Someone is not an MSDN subscriber.

  123. Re:Blame windows it already looks like Gnome by Atzanteol · · Score: 1

    Troll? I'll bite...

    People tend to forget that 'RedHat' and 'Debian' are much more than just an OS. They issue security reports for a webserver, several databases, ssh server, etc. Much more software is available through a Linux vendor. I doubt Microsoft even included its other product lines in those security alerts they're counting.

    --
    "Ignorance more frequently begets confidence than does knowledge"

    - Charles Darwin
  124. probably, the break-in was... by Anonymous Coward · · Score: 0

    ---to insert something e-vile to the downloads, no doubt methinks. I can't think of any other reason for the intrusion that makes any sense. (not counting casual maliciousness of course)

    zogger

  125. GNOME 2.6 is out... by Anonymous Coward · · Score: 2, Interesting

    Just check the ftp server and its mirrors. All of the 2.6 components are out (nautilus included) with the version bumped up to 2.6.

    You can get it and run it now...

  126. Re:Blame windows it already looks like Gnome by Bull999999 · · Score: 1

    MSDN subscription doesn't count since they come with restrictions on use, just like the "free" version of windows you may find on the net.

    --
    1f u c4n r34d th1s u r34lly n33d t0 g37 l41d
  127. I use GNOME... by Ayanami+Rei · · Score: 1

    ... mental.sanity SHIELDS UP

    --
    THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
  128. oh no by nomadic · · Score: 1

    They might steal the GNOME source code!!

  129. Re:Not GNOME!! by SphericalCrusher · · Score: 1

    That's not always true. Sure, people attack other people even though they have never met them before, but don't you think that if they were an enemy it would make them more of a target to a big attack like that?

    Besides, I was joking. You shouldn't take shit like that so seriously and make little 6th-grade insults.

    --
    "Instant gratification takes too long." - Carrie Fisher
  130. Oh My God! by Anonymous Coward · · Score: 0

    Gnome.org runs IIS? We all know that only Microsoft products are vulnerable....

  131. New KDE Application just went beta by Anonymous Coward · · Score: 0

    Yup, KhackSite version 0.81 beta was just released yesterday with just one sample site in its .RC file. Not really a surprise, when you think about it. ;-)

  132. Re:Blame windows it already looks like Gnome by Foolhardy · · Score: 2, Insightful

    First it's "Microsoft bundles too many things with Windows" and now it's "You can't compare Windows to a Linux distro because it only has 3 packages: kernel/GUI/browser"

    Pick one.

  133. Oh No! by slapout · · Score: 1

    Someone might actually be able to see the code to Gnome! Oh wait. Nevermind. :-)

    Why would someone try to hack into an open source project?

    --
    Coder's Stone: The programming language quick ref for iPad
  134. Re:Blame windows it already looks like Gnome by Anonymous Coward · · Score: 0

    Free version of Windows? Or do you mean a pirated copy?

  135. Good News! by Anonymous Coward · · Score: 1, Insightful
    > This is bad, because GNOME 2.6 was supposed to be released tomorrow.

    Actually, it is good news. Imagine the chaos if Gnome 2.6 was released, then a crack was detected. This way around Gnome 2.6 can be released at a later date with confidence.

  136. Re:Blame windows it already looks like Gnome by Bull999999 · · Score: 1

    Pirated copy, thus "free" instead of free.

    --
    1f u c4n r34d th1s u r34lly n33d t0 g37 l41d
  137. Forget to pay SCO ? by Anonymous Coward · · Score: 1, Funny

    $699 license fee for "Linux" IP

  138. You're WRONG!!! by Anonymous Coward · · Score: 1, Informative

    From Netcraft:

    http://uptime.netcraft.com/up/graph?site=www.gnome.org

    Apache/1.3.27 (Unix) (Red-Hat/Linux) PHP/4.1.2 mod_perl/1.26 on Linux

    Also the net block is not owned by Red Hat. Unlike redhat.com which sits on a different cluster owned by Red Hat itself.

  139. Re:Blame windows it already looks like Gnome by EzInKy · · Score: 1

    First it's "Microsoft bundles too many things with Windows" and now it's "You can't compare Windows to a Linux distro because it only has 3 packages: kernel/GUI/browser"

    Pick one.


    "Pick one" is exactly the problem with Windows. The system only gives you a choice of one kernel, one GUI, one Browser, one MediaPlayer, etc. A decent Linux distro will offer the user a variety of choices for all the above and much more.

    --
    Time is what keeps everything from happening all at once.
  140. + * Copyright 2002,2003,2004 SCO by openmtl · · Score: 2, Funny
    Ah, so that's what all those

    + /* Copyright 2002,2003,2004 (C) SCO */

    were when I did a cvs diff last !

    --

  141. Exactly by Anonymous Coward · · Score: 0

    Yep, yep.. That's exactly the problem.

    They're using an unmaintained distro with more holes than a NJ highway.

  142. In Soviet Russia by Anonymous Coward · · Score: 0

    gnome.org compromises YOU.

  143. Re:Blame windows it already looks like Gnome by arkanes · · Score: 1
    All of those will install with a single CD image, you just don't have access to the full spectrum of packages. It's apples and oranges, Linux distros traditionally ship with a great many packages because the baseline of what's considered a "working system" is much higher. On the other hand, just because the stock image for a distro is some ungodly number of CDs doesn't mean that you have to download them all.

    In any case, I'm not sure what that has to do with the previous poster's comment, which was its own brand of troll.

  144. Re:Blame windows it already looks like Gnome by Anonymous Coward · · Score: 0

    A typical linux distro comes with multiple office applications, multiple web browsers, multiple mail clients, a mail, http, dns, sql, and samba server, irc clients, chat clients, multiple desktop environments, tons of duplicated apps between gnome and kde. These distros come on multiple CDs; I would expect this amount of patches for gigabytes of compiled programs. You choose what you put in; the distro has to patch what it chose to give you options for.

  145. Sourceforge by patcho · · Score: 1

    Looks like you were right...Sourceforge.net is locked down now, and will not allow logins! (I tried to submit..."rejected").

    1. Re:Sourceforge by patcho · · Score: 1

      Ok, we can breathe again, Sourceforge is back up! :-)

  146. Re:Your sig by Cid+Highwind · · Score: 1

    "Gentoo isn't stable enough, and it isn't meant to be."

    Why does it not surprise me to see Gentoo-bashing from a Debian developer...

    Don't you have something better to do, like delaying the release of Sarge again, or participating in an all-night license flamewar?

    --
    0 1 - just my two bits
  147. It's Back by benguru · · Score: 2, Insightful

    Hi, I just noticed it is back online. I guess it wasn't anything too serious, hope it doesn't delay Gnome 2.6

  148. http://gnomese.cx anyone? by Anonymous Coward · · Score: 0

    I hear the web site is back up on a new domain.

  149. Uhh Ohh by benguru · · Score: 1

    Umm, this looks bad. Look at art.gnome.org. It is about pango.

  150. How many? by Anonymous Coward · · Score: 0
    naturual lanaguages

    At least one more than you, I would say.

  151. Gun control by gd2shoe · · Score: 1

    I'm all for the right to bear arms, but something here worries me.

    Combine your post and your .sig and you'll know one reason why we have gun control.

    It's not all an attempt to restrain "crime" (in the way we normally think of it), but also a fear of vigilantes (sometimes acting contrary to law).

    If we want the right to bear arms, then other voters are going to need to understand that criminals are going to get weapons on the black market anyway, and those who legitimately own guns are going to abide by the law (my worry). I understand that you weren't literally serious, but it doesn't instill confidence in me about your owning a gun.

    --
    I won't join Slashcott. OTOH, If Beta goes live, I just won't be back until it's fixed. Sorry Dice.
    1. Re:Gun control by Anonymous Coward · · Score: 0

      I've often found this position curious. I believe people in general have a misunderstanding of why we have a right to bear arms to begin with. Many people seem to think that it's so we can hunt, or defend ourselves, or some other similarly innocuous reason.

      The fact is, we were guaranteed this right for neither purpose. The actual reason was to make the will of the people into another counterbalance for the government. If said government was to become so corrupt that it did not represent the people, then it was the right and _duty_ of these people to take up arms and remove said government. It may sound strange, and it rightfully sounds violent. You must remember that this is in the context of a newly founded country, attempting to throw off the yoke of British repression.

      The people who penned our constitution were by no means worried about what the average person in the US today thinks about gun ownership, control, or how comfortable one is of the thought that another owns a gun. The purpose was to ensure that members of the government were uncomfortable enough with their leadership roles that they wouldn't kick citizens around in the manner that it happens today. Interesting how things have changed, isn't it?

  152. Re:Why OSS servers are never hacked. - MOD UP by Anonymous Coward · · Score: 0

    word, motherfucker, word

  153. Re:Your sig by leandrod · · Score: 1
    > Why does it not surprise me to see Gentoo-bashing from a Debian developer...

    I am not a developer, and am not bashing.

    --
    Leandro Guimarães Faria Corcete DUTRA
    DA, DBA, SysAdmin, Data Modeller
    GNU Project, Debian GNU/Lin
  154. Re:Another Debian Hole? by Anonymous Coward · · Score: 0

    > Too bad that was just a regular kernel hole, not one special to Debian's kernel. Any other distros can simply count themselves lucky the attackers didn't choose them.

    Nope. Debian's kernels are special, because they are so far out of date.

    Other Distributions use modern kernels. By contrast 2.4 only just made it into Debian-Stable prior to the release of 2.6 for Christ's sake.

    "What was Linux like back in the mid 90's Daddy?"

    "Install Debian son, find out for yourself."

  155. Re:Blame windows it already looks like Gnome by Foolhardy · · Score: 1

    I don't know any Linux distros that use anything but a Linux kernel. Actually, with Windows, you have a choice between the 9x kernel and the NT kernel.
    It's also not like I can't install any alternatives on Windows. I use Winamp, Mozilla, Sysinternals's process explorer, and several cygwin tools instead of their MS alternatives. So what if they aren't listed by MS, they weren't very hard to find. Microsoft only provides one choice for each, but at least they are easy to use. When I first started using Linux, it wasn't helpful to know that there are 20 text editors available; I don't know which to use, and many, like vim and emacs require a lengthy tutorial to do even simple things. No obvious choice as to which is the easiest to get started with.
    Once I got X windows working, the window environs were easier, but I had to edit XF86's config file to get that far.

  156. KDE by RoadkillBunny · · Score: 1

    It must have been a KDE user...

    --
    Cheers,
    RoadkillBunny
  157. Re:Blame windows it already looks like Gnome by weorthe · · Score: 0, Flamebait

    The other difference is your windows PC came full of adware and spyware and crippleware.

    --
    cat * >> sig
  158. Can't get it up by OurColon · · Score: 1

    I knew they wouldn't finish on time

  159. Re:Blame windows it already looks like Gnome by EzInKy · · Score: 1

    > I don't know any Linux distros that use anything but a Linux kernel. Actually, with Windows, you have a choice between the 9x kernel and the NT kernel.

    There is usually a choice between different kernel versions and patches for special uses, hardened, gaming, multimedia, not to mention kernels for different hardware platforms.

    > It's also not like I can't install any alternatives on Windows. I use Winamp, Mozilla, Sysinternals's process explorer, and several cygwin tools instead of their MS alternatives. So what if they aren't listed by MS, they weren't very hard to find.

    Yes, you can use other tools, but can you choose not to install IE or MediaPlayer if you choose to use another app?

    > Microsoft only provides one choice for each, but at least they are easy to use. When I first started using Linux, it wasn't helpful to know that there are 20 text editors available; I don't know which to use, and many, like vim and emacs require a lengthy tutorial to do even simple things. No obvious choice as to which is the easiest to get started with.

    Compare apples to apples. You want an editor? If you chose KDE as your GUI KWrite is simple enough. From the command line nano suffices for an intuitive interface.

    Anyway, the point is that the size difference between a decent Linux distro and Windows is due to Linux offering more choices. We can agree that finding documentation on how to use the software is usually better in Windows, but OSS apps have come a long way in that regard in the last couple of years.

    --
    Time is what keeps everything from happening all at once.
  160. Re:YOUR FIRST POST SUCKS by Anonymous Coward · · Score: 0

    Fascinating. But what are the implications for the egg donor industry?

  161. Attempt != success by cookie_cutter · · Score: 2, Interesting
    > I'd actually think the code might have been touched. The timing of the hack is interesting because it is so close to a release

    The fact that this would be a good time to TRY to touch the code does not mean that they had any success.

  162. Backing up IS Redundant! by Anonymous Coward · · Score: 0

    Hey, backing up creates Redundant data so in this case the moderation is surprisingly correct. Must have been a mistake.

  163. Re:Blame windows it already looks like Gnome by Anonymous Coward · · Score: 2, Insightful

    There's a lot of that around here. Every time a program in a Linux distro has a problem we're reminded that it isn't really part of Linux. Every time someone says Linux doesn't have as many features, suddenly those flawed programs are reclassified as part of Linux again.

  164. Re:Blame windows it already looks like Gnome by Foolhardy · · Score: 1
    > There is usually a choice between different kernel versions and patches for special uses, hardened, gaming, multimedia, not to mention kernels for different hardware platforms.

    Yes, since the Linux kernel is open source, it has much more practical flexibility. Still, they are all variants of the same kernel.

    > Yes, you can use other tools, but can you choose not to install IE or MediaPlayer if you choose to use another app?

    It is bad that MS crippled the add/remove programs so I can't uninstall anything important. Not using them is the next best thing.

    > Compare apples to apples. You want an editor? If you chose KDE as your GUI KWrite is simple enough. From the command line nano suffices for an intuitive interface.

    With a fresh Red Hat 9 install, I had a terrible time even getting X windows to work, let alone KDE, requiring manual config editing. nano sounds like a good idea; I plan to check it out after I post this. The problem is that I don't know which programs are good for what. Microsoft usually has something obvious to use for common things and nothing for uncommon things (uncommon = anything MS doesn't think is common).

    > Anyway, the point is that the size difference between a decent Linux distro and Windows is due to Linux offering more choices. We can agree that finding documentation on how to use the software is usually better in Windows, but OSS apps have come a long way in that regards in the last couple of years.

    OSS apps ARE getting better. A lot better; they are improving so fast that I think they will even become the future of mainstream software.

    I guess I'm just complaining about the learning curve; there is so much out there to learn.
  165. Hotmail down for hours two weeks ago by IncohereD · · Score: 1

    Man...don't you know anyone who uses Hotmail? It was down for hours a few fridays ago. A lot of net semi-literates (e.g. my girlfriend and her roommate) assumed their whole connection was down because hotmail and msn are the first two things their computers load.

    1. Re:Hotmail down for hours two weeks ago by merdark · · Score: 1

      Nope, don't use hotmail. But doesn't hotmail still run on FreeBSD? Or did they finally manage to migrate it to Windows Server?

    2. Re:Hotmail down for hours two weeks ago by IncohereD · · Score: 1

      > Man...don't you know anyone who uses Hotmail?
      > Nope, don't use hotmail.

      Neither do I, but I find it hard to believe that you don't know anyone who does. If not you really need to get out more.

      > But doesn't hotmail still run on FreeBSD? Or did they finally manage to migrate it to Windows Server?

      And I wasn't commenting on the reliability of Windows Server, but rather on your comment that:

      > Well, for one, their servers always seem to be up.

    3. Re:Hotmail down for hours two weeks ago by merdark · · Score: 1

      > Neither do I, but I find it hard to believe that you don't know anyone who does. If not you really need to get out more.

      I know a few people who use hotmail, but never do I talk about hotmail with them. We have better things to talk about. ;)

      > And I wasn't commenting on the reliability of Windows Server, but rather on your comment that:

      Well, I admittedly don't visit Microsoft's homepage all that often, but if they were seriously being hacked so often then I'm *sure* it would hit the news. Hell, the *possibility* of a worm making www.microsoft.com unavailable due to DOS attack makes the news. They can only cover up so much, news agencies LOVE that stuff it seems.

  166. O/T by IncohereD · · Score: 1

    I love that the first two comments on this said the complete opposite thing. Who's the troll?

  167. What's the shmeal? by Anonymous Coward · · Score: 0

    It is quite a coincidence that software developers these days use hackers/crackers/magicians as scapegoats for project delays.

  168. Re:Another Debian Hole? by trixie_czech · · Score: 1

    why not use unstable then? it has the 2.6 kernel.

    other distributions also deprecate branches/versions that thousands use. debian continues to maintain everything.

  169. Re:Blame windows it already looks like Gnome by EzInKy · · Score: 1

    > With a fresh Red Hat 9 install, I had a terrible time even getting X windows to work, let alone KDE, requiring manual config editing. nano sounds like a good idea; I plan to check it out after I post this.

    What you really want for commandline config file editing is Midnight Commander (mc). It's a file manager that you can use to get a good understanding of the directory structure and has a built-in editor. As for getting X up and running, try the generic vesa driver. Once you have gui running you can seek out info on the particulars on your card. Or you could stick to the command line and use lynx or links.

    --
    Time is what keeps everything from happening all at once.
  170. Let's track down the crackers and by srcosmo · · Score: 1

    sic the GIMP on 'em!!

    --
    free speach
    Did you mean: free speech
  171. There would be a pro-Microsoft bias by Azureflare · · Score: 1
    If Microsoft fanatics could come up with better comebacks than "haha, see, linux is just as insecure as windows"

    Remember, the security of a system still depends greatly on the ability of the sysadmin.

    The fact is, no one can say Microsoft is a nice, big, happy corporation that wants to play nice and fair with everyone in the world and be equal. It's just not true. Hence, it's hard to root for the big bad guy. I mean, unless you like that kind of thing.

    It's much easier to be biased towards linux (for whatever reasons) but I think security isn't something you can say that linux is better than windows, or windows is better than linux. It really depends on the administrator.

    There are other things that I personally like about linux (i.e. the fact that it's a community effort, (most of) the code is free, no tyrannical and mystical empire ruling my destiny, etc.). I'm sure you don't need a laundry list...

  172. Sabotage -- Inside Job? by Gary+Destruction · · Score: 1

    Has sabotage been ruled out? There's nothing worse than your own people turning their backs on you. For all we know, someone who worked on the project might've been bribed into sabotaging the server.

  173. And I predict: by freeweed · · Score: 2, Interesting

    A metric assload of posts talking about how all (800,000ish and counting) Slashdot readers are one person (the infamous Slashbot).

    A bunch of "hey, Linux has problems, so stop saying anything negative about Microsoft" posts getting moderated to +5.

    At least 100 people posting "Linux projects have been hacked many times in the past year, Microsoft none", while ignoring the complete and utter lack of Code Red, Slammer, Blaster, or any Warhol-type worm ever appearing for a *nix-based system, even though the majority of the internet is run off *nix. And no, the Morris worm doesn't count - Microsoft didn't even have a TCP/IP stack back in those days :)

    A fair number of posts by > 500,000 UIDs, coincidentally almost always as a Microsoft apologist. Hmm, wonder who the new people are :)

    Oh yeah, and (give or take) 20 different moderations to this post, varying between -1, Flamebait to +1, Insightful. I'd kill to see the UIDs of the moderators on something like this, because I'd bet a lot of money that I could guess the UID based on the moderation.

    --
    Endless arguments over trivial contradictions in books written by ignorant savages to explain thunder in the dark.
  174. Maybe this is why? by Anonymous Coward · · Score: 0

    HTTP/1.1 200 OK
    Connection: keep-alive
    Date: Wed, 24 Mar 2004 06:53:00 GMT
    Server: Microsoft-IIS/6.0
    Last-Modified: Wed, 24 Mar 2004 02:06:59 GMT
    Accept-Ranges: bytes
    Content-Length: 4100
    Connection: close
    Content-Type: text/html; charset=UTF-8
    Set-Cookie: ASPSESSIONIDRMSANDICAZASITTINGINATREEKISSING; path=/
    Cache-control: private

  175. Re:Blame windows it already looks like Gnome by rodgerd · · Score: 1

    Because you want to trust a news source whose site crashes with AODB errors when I decline to allow cookies.

  176. Re:Blame windows it already looks like Gnome by boaworm · · Score: 1

    > I don't know any Linux distros that use anything but a Linux kernel. Actually, with Windows, you have a choice between the 9x kernel and the NT kernel.

    Sorry to say it, but this was by FAR the most stupid comment I read in a while. WHY DO you think it's called LINUX ? *hint* the linux kernel *hint*

    Now, if you want to use another Opensource kernel, try BSD. Both are UNIX clones, and both use about the same portion of userspace applications, such as editors, X servers, desktop managers etc.

    Now, about choice. Most current linux distributions come with either Linux 2.4 OR Linux 2.4. And that OR is non-exclusive, some distributions come with 2.4, but are already prepared to run 2.6 as well. Is your WinME NT-ready ? ;-)

    --
    Probable impossibilities are to be preferred to improbable possibilities.
    Aristotele
  177. Uhh, minor nitpick; BSD *is* Unix [nt] by Anonymous Coward · · Score: 0

    Apparently /. requires a subject body - isn't that just lovely. Well, hopefully this will suffice, after all, my RSI wasn't really bad enough, so why not make it worse than it has to be?

  178. Re:More info - UPDATE by Anonymous Coward · · Score: 0

    * From: Owen Taylor
    * To: gnome-hackers gnome org
    * Cc: gnome-announce-list gnome org
    * Subject: Update [was Re: Intrusion on www.gnome.org]
    * Date: Wed, 24 Mar 2004 01:58:36 -0500

    On Tue, 2004-03-23 at 13:52, Owen Taylor wrote:
    > We've discovered evidence of an intrusion on the server
    > hosting www.gnome.org and other gnome.org websites.
    > At the present time, we think that the released gnome
    > sources and the gnome source code repository are unaffected.
    >
    > We are investigating further and will provide updates
    > as we know more. We hope to have the essential services
    > hosted on the affected machine up and running again as soon
    > as possible.

    A quick status update on the situation:

    * No additional damage has been discovered; at the current
      time we are cautiously hopeful that the compromise was
      limited in scope.

    * ftp.gnome.org is back on now that we have additional
      confidence in the integrity of the tarballs.

    * We've now restored a number of services running on a
      replacement machine

      - Websites including www.gnome.org, and developer.gnome.org
        are back up in limited service; dynamic content is still
        off so some parts may be inaccessible.

      - planet.gnome.org is again providing all your favorite
        blogs and gossip.

      - Bugzilla is in testing mode; we hope to restore general
        access in the next day.

    Thanks for your patience; we'll continue to provide updates
    as we move back to fully operational status.

    The GNOME sysadmin team
    24 March 2004

  179. Obvious by pxnoll · · Score: 2, Funny

    Isn't it pretty obvious that they're pulling a Valve(tm) ? ;/

  180. Yeah, this is offtopic. It still needs to be said. by Ben+Urban · · Score: 1
    > The quality and power of SELinux in terms of security is literally light years ahead of any other commonly available Operating system

    I think you may want to check out this link.

    --
    Every time you run "emerge", a Microsoft drone dies.
  181. Re:Blame windows it already looks like Gnome by Anonymous Coward · · Score: 1, Interesting

    you have to take the space out of the link. slashcode adds it for some reason. without the space, it works fine.

    The 'some reason' is the old page-widening trolls - they'd post a string of thousands of characters to screw up formatting.

  182. velocity==speed? by Pius+II. · · Score: 1

    Out of interest, what is the supposed difference between velocity and speed? Googling for the definition brought up "distance travelled per unit time" as first hit for both, and my dictionary has the same translation for both.

    1. Re:velocity==speed? by kristoferkarlsson · · Score: 1

      The difference is basically that velocity is a vector and speed is an absolute value. I.e. a velocity consists of a direction and a speed.

  183. Re:Blame windows it already looks like Gnome by Asic+Eng · · Score: 1

    Why? I think we are looking at completely different issues there. If you want to compare the security of two systems you need to do that with similar configurations. Whether it's legal to distribute software in a certain way is independent of its quality.

  184. GNOME 2.6 Rescheduled for March 31st by twener · · Score: 2, Informative
  185. Microsoft tried to steal the code by thepeete · · Score: 0

    They didn't realize you can just download it from the public ftp.

    Apparently, some thick headed manager still can't conceive that code you can download for free can be valuable.

    --
    My Karma is so low that even my own postings are beyond my current threshold
  186. One Word by Anonymous Coward · · Score: 0

    Slammer. It brought down M$'s internal SQL servers because their admins had not installed the 6 month old security patch. Thank you.

  187. Re:Blame windows it already looks like Gnome by The+Spoonman · · Score: 1

    > Yes, you can use other tools, but can you choose not to install IE or MediaPlayer if you choose to use another app?

    So what? If the associations are setup to launch your app of choice, who cares? If it ain't run, it may as well not be there.

    --
    Which is more painful? Going to work or gouging your eye out with a spoon? Find out!
    http://www.workorspoon.com
  188. Re:Blame windows it already looks like Gnome by Atzanteol · · Score: 1

    Yay!

    Now your an obsessive moron! (find the missing ' please?)

    --
    "Ignorance more frequently begets confidence than does knowledge"

    - Charles Darwin
  189. The were running Debian. therefore, hacked by Anonymous Coward · · Score: 0

    i guess they were running debian. so, it was so difficult to hack their system(s). too many gnu

  190. Re:Blame windows it already looks like Gnome by Foolhardy · · Score: 1
    I know Linux distros only use the Linux kernel; I was replying to the statement made by EzInKy:

    > "Pick one" is exactly the problem with Windows. The system only gives you a choice of one kernel, one GUI, one Browser, one MediaPlayer, etc. A decent Linux distro will offer the user a variety of choices for all the above and much more.

    Stating that Linux has a variety of choices for a kernel. I misunderstood, so EzInKy later clarified that to mean specialized builds and versions. Several hours before you posted. Try reading related posts before posting yourself.
  191. Re:Blame windows it already looks like Gnome by Aardpig · · Score: 1

    > Now your an obsessive moron! (find the missing ' please?)

    There's also a missing "e": it should be "you're". Oh, and by the way, your website is riddled with grammatical errors. So I'm led to believe that your mistakes aren't even deliberate: you really are a retard.

    --
    Tubal-Cain smokes the white owl.
  192. Re:Blame windows it already looks like Gnome by Atzanteol · · Score: 1

    *rofl*

    Dude, you're a hoot. Some of the mistakes you've been finding *are* deliberate, some aren't. Yes, the missing 'e' was deliberate. But what the fuck do I care? I'm sorta curious as to why the fuck you care. But in the end, its much more fun to annoy you. Whether it's on purpose or its not. :-)

    Insult me all you like fucknuts! At least I'm not anal enough to go search out some guys web-site and check it for grammar... Christ, you need a woman. Bad. Seriously. Even if you have to pay dude.

    --
    "Ignorance more frequently begets confidence than does knowledge"

    - Charles Darwin
  193. Re:Blame windows it already looks like Gnome by Anonymous Coward · · Score: 0

    YHBT. YHL. HAND.

  194. Re:Blame windows it already looks like Gnome by Anonymous Coward · · Score: 0

    Wow, your really serious to, arent you.

    But looking at your rather bland posting history, I suppose this demonstration of stupidity and ironisy shouldnt be surprising.

  195. DiBold isn't by Anonymous Coward · · Score: 0

    We know of at least one company that doesn't do much "cleaning up" after such an incident: the electronic voting company DiBold.

    In reality you can trust nothing on a compromised system. You need to install it from scratch and only copy data files over that you can verify (through checksums, signatures, etc.) have not been modified. You can not do this checking on the compromised system because the programs to do the checking may have been modified, or even the kernel.
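
The checksum verification this comment calls for, and the tarball integrity check mentioned in the sysadmin update above, can be sketched as follows. This is an added example, not part of the thread and not the GNOME team's procedure: it is meant to run on a clean machine with the suspect disk mounted read-only, it assumes a sha256sum-style manifest that was kept off the server, and the file names and contents in `demo()` are constructed.

```python
import hashlib
import hmac
import os
import tempfile


def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large tarballs need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def parse_manifest(text):
    """Parse sha256sum-style lines: '<64 hex>  <path>' or '<64 hex> *<path>'."""
    entries = {}
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        digest, name = line[:64].lower(), line[66:]
        if (len(line) < 67 or line[64] != " " or line[65] not in " *"
                or any(c not in "0123456789abcdef" for c in digest)):
            raise ValueError(f"manifest line {n} is malformed")
        name = os.path.normpath(name)
        # Refuse entries that would point outside the tree being checked.
        if os.path.isabs(name) or name.split(os.sep)[0] == "..":
            raise ValueError(f"manifest line {n} escapes the tree: {name!r}")
        entries[name] = digest
    return entries


def verify_tree(root, manifest):
    """Classify every file under root against the trusted manifest."""
    report = {"ok": [], "modified": [], "missing": [], "unlisted": []}
    seen = set()
    for dirpath, _dirs, files in os.walk(root, followlinks=False):
        for fn in files:
            full = os.path.join(dirpath, fn)
            rel = os.path.relpath(full, root)
            seen.add(rel)
            expected = manifest.get(rel)
            if expected is None:
                report["unlisted"].append(rel)   # present but never published
            elif os.path.islink(full) or not hmac.compare_digest(
                    sha256_file(full), expected):
                report["modified"].append(rel)   # symlink swap or content change
            else:
                report["ok"].append(rel)
    report["missing"] = [p for p in manifest if p not in seen]
    return {k: sorted(v) for k, v in report.items()}


def demo():
    """Constructed sample: three release files, then simulated changes."""
    with tempfile.TemporaryDirectory() as root:
        files = {  # constructed names and contents, not real GNOME releases
            "sources/example-lib-1.0.tar.gz": b"library release\n",
            "sources/example-app-2.6.tar.gz": b"application release\n",
            "sources/README": b"release notes\n",
        }
        for rel, data in files.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
        # Stands for a manifest generated before the incident and stored offline.
        manifest_text = "".join(
            f"{hashlib.sha256(d).hexdigest()}  {r}\n" for r, d in files.items())
        # Changes made after the manifest was taken: alter, remove, add.
        with open(os.path.join(root, "sources/example-app-2.6.tar.gz"), "ab") as f:
            f.write(b"extra bytes")
        os.remove(os.path.join(root, "sources/README"))
        with open(os.path.join(root, "sources/.hidden"), "wb") as f:
            f.write(b"unexpected\n")
        return verify_tree(root, parse_manifest(manifest_text))


if __name__ == "__main__":
    for status, paths in demo().items():
        print(status, paths)
```

Only files in the `ok` list are candidates for copying to the rebuilt server; a manifest that carries a detached signature should have that signature checked before its digests are trusted.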