Gnome.org Compromised?
Garden GNOME writes "The GNOME sysadmin team has just announced that the main GNOME web server has probably been intruded into, leading to the shutdown of the GNOME website, (including bugzilla.gnome.org, art.gnome.org and developer.gnome.org). The GNOME mailing lists, and CVS servers seem to be up, though the FTP server was immediately taken down as a precautionary measure (released sources are believed to be intact). This is bad, because GNOME 2.6 was supposed to be released tomorrow. Let's hope it is a false alarm."
From Netcraft:
Apache/1.3.12 (Unix) (Red Hat/Linux) mod_ssl/2.6.4 OpenSSL/0.9.5a PHP/3.0.7
Could it have anything to do with the old version of OpenSSL, and the numerous vulns found lately?
With OSS, an intrusion, even a full bore compromise of the code base is more likely to be caught. I would hope that there are diligent OSS people that cross-compare their copies of the source to the CVS copies and look for disrepancies. A distributed analysis of all changes (including the officially sanctioned ones) would help uncover malicious code.
In contrast, the users of proprietary code have only the manufacturer's word on what changes occured, who made them, and what those changes do. We users have no easy way (short of reverse engineering the code deltas on the binaries) of determining what happened between version X and version X.1. The security of non-OSS code is in nontransparent hands and that makes it insecure.
Two wrongs don't make a right, but three lefts do.
But let's be real, here. Last year in the span of six months, Debian, Gentoo, and GNU (twice!) were compromised. Now GNOME.
Compromise is bad for the most part, but I was particularly impressed with the professional conduct of the above parties after their systems had been compromised. It seems like they were very upfront with what had happened, and probably fixed whatever allowed the break-in fairly quickly. If I remember correctly, the debian and gentoo compromises were internal access kinds of breakins, not an excuse, but definitely a lot better then the horrendous amounts of viruses being spread around through outlook.
As for microsoft, it might be possible that they have been compromised before, but due to the financial stakes involved, they were afraid of letting that fact out into the open.
Don't worry though, I get your point about the bias of slashdot. It's kind of frustrating sometimes, but I'm kind of frustrated with the thought of my gnome2.6 being delayed. :)
Here is what the devolopers should do.
Each time they submit a file that they have made changes to in the cvs archive, then also hmac it and sign it with their private key. Then later on if the system was compromized you could go back and computer the hmac of the file to make sure it matches that which the programmer submitted it to be.
And then even if the system was compromised you wouldn't have to question which ones were changed or not since it can be checked just by confirming the hmacs.
The best design for security have perfect forward security. And a signed hmac would prove the validity of the file unless the signing key was compromised.
Not that I'm defending M$ security, but I wonder how many of their easter eggs are *really* slipped in by programmers without anyone else's knowledge...
:)
I know someone who worked for several weeks on an "easter egg" at Intuit that was scheduled form the start and went through the full QA cycle - though she actually got in a fair bit of trouble for trying to sneak an easter egg in the easter egg...