Gnome.org Compromised?
Garden GNOME writes "The GNOME sysadmin team has just announced that the main GNOME web server has probably been intruded into, leading to the shutdown of the GNOME website, (including bugzilla.gnome.org, art.gnome.org and developer.gnome.org). The GNOME mailing lists, and CVS servers seem to be up, though the FTP server was immediately taken down as a precautionary measure (released sources are believed to be intact). This is bad, because GNOME 2.6 was supposed to be released tomorrow. Let's hope it is a false alarm."
Does anyone know anything else about how this was done? What exactly was compromised? The word "compromised" has a broad meaning; more information would be interesting.
Sucks, I was just going to go to art.gnome.org
I wonder if they have CRC'd the source and bins yet? Christ, who attacks OPEN SOURCE? Oh....heh.
http://www.nbr.co.nz/home/column_article.asp?id=85 76&cid=3&cname=Technology
Enough said if you read that article.
Last year's distro of Linux from any major vendor required three times as many downloads and many more megabits than any previous Windows version ever, and that's not counting the time wasted keeping up with all this shit.
But this will get modded down to hell won't it.
From Netcraft:
Apache/1.3.12 (Unix) (Red Hat/Linux) mod_ssl/2.6.4 OpenSSL/0.9.5a PHP/3.0.7
Could it have anything to do with the old version of OpenSSL, and the numerous vulns found lately?
Major companies don't announce bad news, it's just not good for business. So any comparison is not valid.
With OSS, an intrusion, even a full bore compromise of the code base, is more likely to be caught. I would hope that there are diligent OSS people that cross-compare their copies of the source to the CVS copies and look for discrepancies. A distributed analysis of all changes (including the officially sanctioned ones) would help uncover malicious code.
In contrast, the users of proprietary code have only the manufacturer's word on what changes occurred, who made them, and what those changes do. We users have no easy way (short of reverse engineering the code deltas on the binaries) of determining what happened between version X and version X.1. The security of non-OSS code is in nontransparent hands and that makes it insecure.
Two wrongs don't make a right, but three lefts do.
Can you honestly rail on Microsoft?
Yes, I can. When Microsoft ships product with a virus pre-installed, yes, I can very much so.
I don't care if they are broken into. Same thing with Gnome. However, if in the end, Gnome turns around and releases code that is bugged, or otherwise harmful, I will be just as upset as I was with Microsoft.
Jason Lotito
Microsoft do all their development internally so the security situation is different. Internal control in MS does not appear to be reliable given the number of large easter eggs that appear in applications. If someone can sneak a mini-flight sim into an app then they can sneak other stuff in.
But let's be real, here. Last year in the span of six months, Debian, Gentoo, and GNU (twice!) were compromised. Now GNOME.
Compromise is bad for the most part, but I was particularly impressed with the professional conduct of the above parties after their systems had been compromised. It seems like they were very upfront with what had happened, and probably fixed whatever allowed the break-in fairly quickly. If I remember correctly, the Debian and Gentoo compromises were internal access kinds of break-ins; not an excuse, but definitely a lot better than the horrendous amounts of viruses being spread around through Outlook.
As for microsoft, it might be possible that they have been compromised before, but due to the financial stakes involved, they were afraid of letting that fact out into the open.
Don't worry though, I get your point about the bias of slashdot. It's kind of frustrating sometimes, but I'm kind of frustrated with the thought of my gnome2.6 being delayed. :)
It's starting to look like M$ is taking security more seriously than we are. Every time something happens w/ Linux: "oh, it's only debian.org", "oh, that's only local", "only 3 kernel advisories this month, that should be all for a while". We _can not_ keep brushing things off and pretending they are not significant. Pretend for just a second that this was MSFT that had been compromised: their stock would plummet, investors would duck for cover and tech writers would be spitting out bad press for months. We cannot keep sliding by; sooner or later, with the move to the enterprise, we WILL be held accountable.
Personally I'd like to see a "year of the OSS audit" where NOBODY adds new features and we just hammer away at code reviews and optimizations. Of course that will never happen; we are too busy trying to play beat the cock (M$) instead of playing beat the rock (BSD).
-- "of course thats just my opinion, I could be wrong." --Dennis Miller
They wouldn't probably know either...
Here is what the developers should do.
Each time they submit a file that they have made changes to in the CVS archive, they also HMAC it and sign it with their private key. Then later on, if the system was compromised, you could go back and compute the HMAC of the file to make sure it matches what the programmer submitted.
And then even if the system was compromised you wouldn't have to question which ones were changed or not, since it can be checked just by confirming the HMACs.
The best designs for security have perfect forward security. And a signed HMAC would prove the validity of the file unless the signing key was compromised.
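The scheme in the post above (authenticate every committed file with a key only the developer holds, then re-check after a break-in) and the earlier suggestion of cross-comparing copies of the source against the CVS copy both come down to the same audit loop. This is an added example, not GNOME's or any real CVS tooling. The post says "hmac it and sign it with their private key"; the Python standard library has no asymmetric signatures, so the example assumes a per-developer HMAC-SHA256 secret kept off the server in place of a private key (swapping in a real signature scheme changes only `make_tag` and the comparison in `audit`). All file contents, keys and paths below are constructed sample data.

```python
"""Commit-time file attestation and post-compromise audit (added example).

Every file a developer commits is hashed; the (path, digest) pair is
authenticated with that developer's key and the tag is stored in the commit
record. After a server compromise, the record is rechecked against the live
tree: anything whose tag or digest no longer verifies was altered after the
developer committed it, even if the attacker also edited the record.
"""
import hashlib
import hmac


def file_digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_tag(dev_key: bytes, path: str, digest: str) -> str:
    # Authenticate path AND digest together so an entry cannot be re-pointed
    # at another file; the length prefix keeps path/digest unambiguous.
    msg = f"{len(path)}:{path}:{digest}".encode()
    return hmac.new(dev_key, msg, hashlib.sha256).hexdigest()


def record_commit(dev_id: str, dev_key: bytes, files: dict) -> list:
    """files maps path -> bytes. Returns the manifest entries stored on the server."""
    entries = []
    for path, data in files.items():
        digest = file_digest(data)
        entries.append({"path": path, "dev": dev_id, "sha256": digest,
                        "tag": make_tag(dev_key, path, digest)})
    return entries


def audit(manifest: list, repo_files: dict, dev_keys: dict) -> dict:
    """Re-verify every manifest entry against the current repository contents.

    Verdicts per path:
      'ok'            content matches the developer-authenticated digest
      'modified'      content differs from the digest the developer committed
      'forged-record' the manifest entry fails the developer's tag (the digest
                      was rewritten on the server, but the tag cannot be forged
                      without the developer's key)
      'missing'       recorded file no longer present
      'untracked'     file present with no manifest entry (or its entry deleted)
    """
    verdicts = {}
    for e in manifest:
        expected = make_tag(dev_keys[e["dev"]], e["path"], e["sha256"])
        if not hmac.compare_digest(e["tag"], expected):
            verdicts[e["path"]] = "forged-record"
        elif e["path"] not in repo_files:
            verdicts[e["path"]] = "missing"
        elif file_digest(repo_files[e["path"]]) == e["sha256"]:
            verdicts[e["path"]] = "ok"
        else:
            verdicts[e["path"]] = "modified"
    for path in repo_files:
        verdicts.setdefault(path, "untracked")
    return verdicts


def demo() -> dict:
    """Constructed scenario: an honest commit, then a tampered server tree."""
    keys = {"alice": b"alice-secret-held-off-server"}  # assumption: never on the server
    committed = {
        "src/main.c": b"int main(void) { return 0; }\n",
        "configure.in": b"AC_INIT(sample, 2.6)\n",
        "ChangeLog": b"2.6 release\n",
    }
    manifest = record_commit("alice", keys["alice"], committed)

    # Tampering after the commit (all constructed):
    repo = dict(committed)
    repo["src/main.c"] = b"int main(void) { return 1; }\n"   # content changed only
    repo["configure.in"] = b"AC_INIT(sample, 2.6.1)\n"       # changed AND record rewritten
    del repo["ChangeLog"]                                     # file removed
    repo["src/extra.c"] = b"/* no commit record */\n"         # file added
    for e in manifest:
        if e["path"] == "configure.in":
            e["sha256"] = file_digest(repo["configure.in"])  # attacker lacks the key for the tag
    return audit(manifest, repo, keys)


if __name__ == "__main__":
    for path, verdict in sorted(demo().items()):
        print(f"{verdict:14} {path}")
```

The tag binds the path as well as the digest, so an attacker who controls the server can neither rewrite a digest to match altered content nor move a valid entry onto another file; deleting an entry outright just makes the file show up as untracked. Keys must never sit on the server being audited, and the manifest should also be mirrored off-server (mailed with the commit notification, say) so the audit has a copy the intruder could not touch.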
At least as far as I've been aware, it has never been an OS that was at fault.
Nitpicking? Well, yes. But just ask yourself this. GNOME runs Red Hat. If there was a hole in Red Hat, then why is only GNOME under attack and not every Red Hat box in the world? Are Linux hackers more easily satisfied and think 1 box is enough?
So what do you think has happened here? Someone found a fault with Red Hat, or did someone find a fault with the GNOME setup of their Red Hat server?
Only fools blame MS for users who download a "keygen" that turns out to be a virus. However, we do blame MS for making holes in their software that affect every damn installation of Windows out there.
That is the difference.
As for your howto suggestion. They exist. They just are a lot of work and most people don't bother. Hell if you follow such howto's then Windows can be made secure (rule 1 Windows is not an internet OS, run it behind a firewall that means not a firewall ON windows but windows BEHIND a firewall). I follow them. My windows/dos box has never been compromised. Neither has my linux box.
Then again, neither of my machines is supposed to do what GNOME's machines are supposed to do. It is easy to secure to the outside world when nobody is supposed to access it. Fort Knox is secure because nobody is allowed in there. The high street bank is a lot harder to secure.
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
While I've never managed to find a hard cite for this, it was widely reported that during the original Code Red outbreak, the windows update page was showing "hacked by Chinese Worm".
Let's ignore for a moment the obvious consequences if these reports were true-- that one, the Windows Update server was for some time susceptible to the .ida exploit before Code Red happened to find it by chance, and two, it's possible someone else could have discovered this before Code Red did, and three, if this happened we would never have known.
If one takes a bit of liberty in applying logic, this seems to imply some rather horrible things. Windows Update is, roughly speaking, the single network facility Microsoft has that it is most important is not compromised; the Code Red worm was roughly the easiest sort of compromise to protect oneself against. Yet it happened. Given Microsoft is under no obligation to disclose internally-discovered breakins, what does this imply about the frequency of more subtle, targeted attacks on lower-profile targets within Microsoft?
Remember to take into account that unlike, say, the GNOME developers-- a disparate, largely disconnected group spread across the world-- Microsoft is a singular network, and thus it is possible that compromising a very low-profile target within the Microsoft internal network is likely to make it vastly easier, both from a technical and a social-engineering standpoint, to have effect on more important targets within the network...
Just a thought.
Irritable, left-wing and possibly humorous bumper stickers and t-shirts
Not that I'm defending M$ security, but I wonder how many of their easter eggs are *really* slipped in by programmers without anyone else's knowledge...
:)
I know someone who worked for several weeks on an "easter egg" at Intuit that was scheduled from the start and went through the full QA cycle - though she actually got in a fair bit of trouble for trying to sneak an easter egg into the easter egg...
His paper is a good example of how hard it is to change an open source project of today - since the compiler nowadays is separate from the rest of the code.
It's much harder today since one needs to crack the security on so many websites because of the distributed development that is done in free and open software today on the Internet.
His example also shows that it only works if the same developer makes both the OS and the compiler.
Linux is not developed that way - however a large competitor to Linux is....
Just saying it like it are.
Fully agree, but...
Other than going for OpenBSD and lacking some functionality, what else do you propose?
I do happen to think we should use vastly simpler systems: functional programming, perhaps Lisp, certainly all data relationally organised down to kernel level, multiserver microkernel, RISC implementation... but how realistic is this when POSIX simply has so much critical mass? This is not a technically-driven world, not even in free software or academia.
Leandro Guimarães Faria Corcete DUTRA
DA, DBA, SysAdmin, Data Modeller
GNU Project, Debian GNU/Lin
Just check the ftp server and its mirrors. All of the 2.6 components are out (nautilus included) with the version bumped up to 2.6.
You can get it and run it now...
Other than going for OpenBSD and lacking some functionality, what else do you propose?
How about making SELinux with a good default security policy the standard setup for all distributions using the 2.6 kernel?
The quality and power of SELinux in terms of security is literally light years ahead of any other commonly available Operating system (except, perhaps an obscure BSD fork which I believe was implementing a similar security structure).
Honestly, SELinux really is that good, and has been fully folded into the 2.6 kernel. People just need to start using it.
Jedidiah
Craft Beer Programming T-shirts
I just think it's sad that one way or another, people still make the attempt to rationalize their choice of 'hacker', 'cracker' or somesuch in public. I'm tired of reading these silly little disclaimers, and as the reader my interpretation of the term is what gets used. Putting it at the end is no help at all, and putting it at the beginning is just an invitation for the reader to disagree with you.
The nebulousness of these terms should suggest to you that it would be a good idea to tailor your choice of words to aid ease of comprehension by the audience they are intended for. You may also want to add contextual clues to avoid ambiguity.
Part of the problem stems from the fact that even under the most semantic interpretation of 'hacking isn't cracking', cracking can be hacking. At least, the first time. Then it's just a documented crack, and left to the kidz and crookz.
The fact that this would be a good time to TRY to touch the code does not mean that they had any success.
Actually, when a story is new, the modding is in fact decidedly pro-MS. And it later tips the other way as the story gets older. Weird phenomenon. conspiracy> maybe someone is paying for people to do this /conspiracy
True genius is grasping a situation like a piece of fruit, and piercing it just right so that it drains dry.
But "hacker" is a word that doesn't even have a single meaning among geeks.
The original MIT meaning was someone who was driven to passionately pursue their area of interest as an intense hobby rather than being paid for it (in grades or money). That hobby wouldn't necessarily concern computers.
On Slashdot a hacker often means someone who reverse-engineers a computing device and then uses that knowledge to do something that the system wasn't originally intended to do, as in "They hacked the XBox and made it run Linux".
You'll notice that the Slashdot definition fits "cracker" behavior better than the original definition.
A metric assload of posts talking about how all (800,000ish and counting) Slashdot readers are one person (the infamous Slashbot).
:)
A bunch of "hey, Linux has problems, so stop saying anything negative about Microsoft" posts getting moderated to +5.
At least 100 people posting "Linux projects have been hacked many times in the past year, Microsoft none", while ignoring the complete and utter lack of Code Red, Slammer, Blaster, or any Warhol-type worm ever appearing for a *nix-based system, even though the majority of the internet is run off *nix. And no, the Morris worm doesn't count - Microsoft didn't even have a TCP/IP stack back in those days
A fair number of posts by > 500,000 UIDs, coincidentally almost always as a Microsoft apologist. Hmm, wonder who the new people are
Oh yeah, and (give or take) 20 different moderations to this post, varying between -1, Flamebait to +1, Insightful. I'd kill to see the UIDs of the moderators on something like this, because I'd bet a lot of money that I could guess the UID based on the moderation.
Endless arguments over trivial contradictions in books written by ignorant savages to explain thunder in the dark.
you have to take the space out of the link. slashcode adds it for some reason. without the space, it works fine.
The 'some reason' is the old page-widening trolls - they'd post a string of thousands of characters to screw up formatting.
It looks like there's a kind of backlash from pro-MS people who are sick and tired of hearing about how bad and evil Microsoft is. So they post comments about "why should Apple be allowed to bundle a browser, but MS not" (answer: Apple is not a convicted monopolist), and these get modded up.
Clever signature text goes here.