Gnome.org Compromised?

Garden GNOME writes "The GNOME sysadmin team has just announced that the main GNOME web server has probably been intruded into, leading to the shutdown of the GNOME website, (including bugzilla.gnome.org, art.gnome.org and developer.gnome.org). The GNOME mailing lists, and CVS servers seem to be up, though the FTP server was immediately taken down as a precautionary measure (released sources are believed to be intact). This is bad, because GNOME 2.6 was supposed to be released tomorrow. Let's hope it is a false alarm."

I predict:

[Neil+Blender]

The Slashbots will point blame at the admins. However, if it were Microsoft...

Re:Boo, Hiss.

[0x0d0a]

Well...I suppose that if this is a new vulnerability, it's better that they go after a high-profile webserver with a good admin team that can catch the attack than that they attack many poorly-adminned ones.

At least now

[Ethernet_Jedi]

At least they caught it now, instead of after the release. Now the code can be checked before it goes out, instead of everyone worrying about whether they downloaded compromised code

Bad news...

[Erwos]

But, just like in previous break-ins to other systems (Gentoo, Debian, Savannah), they're taking the correct actions by shutting everything down and BEING CAREFUL. I often wonder if commercial companies are always this fastidious.

You can't beat all the crackers, but handling a bad situation correctly should be commended. Good job, GNOME team!

I'm eagerly awaiting 2.6, too, I may add! :)

-Erwos

Re:Boo, Hiss.

[rgmoore]

That's the wrong attitude to take. If a Linux-based server is compromised because of software flaws, that's a perfectly legitimate point in an argument about security, just as the compromise of a Windows-based server because of a software flaw would be. If there's a real vulnerability that let somebody crack the system (as opposed to a misconfiguration or incorrect belief that the system was broken into) it needs to be fixed pronto, rather than written off as a PR event.

Linux security

[0x0d0a]

You know...honestly...

There have been serveral major, high profile compromises of numerous FOSS servers in the past twelve months. Including a compromise of the GNU source repository.

Microsoft has not made a big deal out of these (at least as far as I've seen). Whereas every security flaw at Microsoft is treated by Slashdot as if someone got access to the crown jewels (well, admittedly the Windows source is running around all over the place...)

Microsoft has really been acting a lot nicer towards FOSS folks about security lapses.

That being said, I'm just *waiting* for a sourceforge compromise. That would be a *huge* hit, and it just plain has to happen sooner or later.

It would be nice if a couple of distributions put out basic *up-to-date* HOWTOs of best practices on how to set up minimal, secure servers using their distribution.

Re:Linux security

[ameoba]

There's a big difference. Every time a F/OSS project's box get's hacked, it's a single machine getting broken into. When there's a windows flaw, the next day there's a worm that compromises MILLIONS of computers.

The two events are incomparable, since there are numerous ways a single box can be compromised that are not directly related to an OS flaw.

Re:Blame windows it already looks like Gnome

You can't compare a Linux distribution with hundreds of packages to Windows, which is basically a kernel/GUI/browser combo.

Try using (for Linux) the number of kernel/X11/Mozilla vulnerabilities instead and at least you'll start making sense.

Windows joke

[bonch]

I fully expect a bunch of lame Microsoft jokes.

But let's be real, here. Last year in the span of six months, Debian, Gentoo, and GNU (twice!) were compromised. Now GNOME.

Can you honestly rail on Microsoft? When was the last time their servers were compromised? I only vaguely recall something in 2000 about alleged stolen source code, and a real good that has turned out all these years later. As for this year's stolen source code, Slashdot never reported this but it was taken from a Linux computer at MainSoft.

Just funny how things are viewed around here, with a certain bias some people don't even realize they have.

Re:Windows joke

[krlynch]

I understand your point, but to be fair you should have noted that Microsoft is under no obligation, as far as I am aware, to tell anyone when they have been compromised. Microsoft's servers could have been cracked once a day, once a week, or once a month, and you would never know.

Re:Windows joke

[brokenwndw]

Let me offer some pseudo-arithmetic here:

(number of server compromises you hear about) = (number of servers in existence) * (relative vulnerability of servers) * (willingness of those running servers to reveal compromises)

I realize there are some people who have biases they don't appreciate. But data, taken at face value, is famous for having those same biases. No?

Re:Windows joke

[merdark]

Well, for one, their servers always seem to be up. www.microsoft.com going down would normally make news. Also, it's more than likely that someone cracking the MS site would do SOMETHING to let it be known that they did it. Few hackers are purely malicious, most want some sort of fame.

(Yes, I used hackers instead of crackers, get over it, the work hacker is used by popular culture that way)

Re:Windows joke

[ferratus]

I am in a position where I currently get to use all three major platforms everyday (Linux, OSX, Windows) ans while I will admit to have a bias against Microsoft, I think there's a few key differences between OSS and Microsoft-like cies.

First, I don't pay to get linux on my servers. Nobody said open source software were flawless, the key is that many here (including me) believe that you can get a more secure server if the source is open.

Second, the Gnome project is not "linux inc." whereas Microsoft *is* Microsoft inc. That is to say, Microsoft controls all the aspect of their security, Gnome doesn't. Did the sysadmin patch everything ? Did they perhaps forget to update apache or some other software ? In microsoft's case, they provice all the security update, so when they are hacked, they are directly responsible.

Thirdly, remember that this is a third party site. If we would get report of all the windows servers that are getting hacked everyday, we'd here much more news like this. We are hearing about this because GNU, Gnome, Debian, etc. are public projects... othewise, this would be just another hacked site.

Considering the amount of software present on a current-day OS, expecting any of them to be flawless and completly secure in a real-world scenario is a bit ridiculous. They point is, I believe you get more for your money with an Open Source OS (of which linux is one alternative) than with a Microsoft OS.

Re:Windows joke

[Thagg]

Merdark says Also, it's more than likely that someone cracking the MS site would do SOMETHING to let it be known that they did it. Few hackers are purely malicious, most want some sort of fame.

Note that the compromisers of the debian, GNU, and now Gnome sites did not let it be known. They are either not driven by publicity or have longer term goals. Believing that systems are secure because crackers don't announce themselves is foolish at best, mendacious at worst.

thad

Re:Windows joke

[leandrod]

> their servers always seem to be up

Do you realize how many servers MS has? Free software projects are lucky if they have two.

> it's more than likely that someone cracking the MS site would do SOMETHING to let it be known that they did it

And get black helicopters hovering over your backyard?

> I used hackers instead of crackers

You insensitive.

Re:Windows joke

[Tony]

(Yes, I used hackers instead of crackers, get over it, the work hacker is used by popular culture that way)

By that logic, scientists should start using "theory" instead of "hypothesis," simply because popular culture uses it that way. Or "velocity" when they mean "speed." Or "light years" when they mean "months" (as in time). Or maybe they should start using "pounds" as a unit of mass.

Or in the computer industry, maybe we should start using the word "CPU" when we mean "computer case." Or "RAM" when we mean "hard drive." Or "cup holder" when we mean CD/DVD drive. Or.... getting the idea?

Just because the public uses a word incorrectly does not mean folks in the industry need to follow suit.

Re:Windows joke

[nathanh]

Everytime something happens w/ linux "oh its only debian.org", "oh thats only local", "only 3 kernel advisories this month, that should be all for a while". We _can not_ keep brushing things off and pretending they are not significant.

We are not brushing things off and pretending they are insignificant.

Some people brush it off. Some people do not. This is not a collective. We do not all share the same opinion.

I was never of the opinion that the debian.org incident was something to casually dismiss. Luckily, the Debian sysadmins agreed. They treated it very seriously and took several Debian servers offline to fix it. The gnome.org sysadmins are being equally professional.

Just because you can read /. user-id 702942 saying something stupid like "M$ is dumheds and Lunix Rulze" does not mean that WE are all of the same opinion.

So shut the fuck up.

FBI Task Force

[theCoder]

So, when is the FBI going to accounce their special task force to track down these dangerous hackers? After all, isn't that what they did when the Microsoft code was leaked? Something tells me this won't even make the FBI's radar, though...

Kudos to the Gnome team for their timely reaction

[RichiP]

We have to remember that most of the people working on Gnome and/or maintaining the servers are volunteers. That said, I have to tip my hat to these people for the very professional action they provided post the compromise. Taking down the compromised server, informing the community, and, most importantly, not releasing premature statements of blame or excuses (which is more than what I can say for a lot of professional companies).