Slashdot Mirror


Gnome.org Compromised?

Garden GNOME writes "The GNOME sysadmin team has just announced that the main GNOME web server has probably been intruded into, leading to the shutdown of the GNOME website, (including bugzilla.gnome.org, art.gnome.org and developer.gnome.org). The GNOME mailing lists, and CVS servers seem to be up, though the FTP server was immediately taken down as a precautionary measure (released sources are believed to be intact). This is bad, because GNOME 2.6 was supposed to be released tomorrow. Let's hope it is a false alarm."

111 of 512 comments

  1. Blame windows by superpulpsicle · · Score: 5, Funny

    I guess the next version of longhorn will now look like GNOME.

    1. Re:Blame windows by 11223 · · Score: 4, Funny

      Imagine how damaging this could be if the intruders got the source code! Now Microsoft can view our source!

    2. Re:Blame windows by OurColon · · Score: 2

      Even Microsoft believes OSS increases security. W2K source code leaked my ass.

  2. Ahh! by Anonymous Coward · · Score: 5, Funny

    Damn you KDE zealots!! Let us have our release!

    1. Re:Ahh! by useosx · · Score: 4, Funny

      It's KDE terrorists, thank you.

    2. Re:Ahh! by iminplaya · · Score: 2, Funny

      Sorry. It's KDE freedom fighters

      --
      What?
  3. More info by after · · Score: 2, Interesting

    Does anyone know anything else about how this was done? What exactly was compromised? The word "compromised" has a broad meaning, more information would be interesting.

    Sucks, I was just going to go to art.gnome.org

    1. Re:More info by Alan+Cox · · Score: 5, Informative

      More info will appear as the forensics are done.

      But to emphasize: cvs.gnome.org is a separate system

    2. Re:More info by Alan+Cox · · Score: 3, Informative

      It's also on a separate switched port 8)

    3. Re:More info by ae · · Score: 2, Interesting

      As you surely know, switched ethernet does not provide any real additional security, since you can do the same sniffing as on a hub using ARP spoofing. (Unless you have taken special precautions to detect ARP spoofing, that is.)

      --
      Blog Ho
    4. Re:More info by Alan+Cox · · Score: 3, Informative

      I do know. I think I may even have been the first person to post a good explanation of how to sniff switched networks to bugtraq in fact 8)

      There was arp monitoring stuff running too
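
Alan Cox mentions that ARP monitoring was running; as an added illustration (not the GNOME team's tooling), here is a small arpwatch-style monitor run over constructed ARP frames. The addresses and the scenario are invented, and the gateway binding is assumed to be configured statically.

```python
"""arpwatch-style ARP monitor (added example, not the GNOME team's tooling).
Decodes the 28-byte ARP payload, Ethernet header already stripped, and alerts
when an IP starts answering from a different MAC: that is what a spoofing
station on a switched segment looks like to a passive observer."""
import struct
from dataclasses import dataclass
from typing import Optional

ARP_REQUEST, ARP_REPLY = 1, 2
# htype, ptype, hlen, plen, opcode, sender MAC, sender IP, target MAC, target IP
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")


@dataclass(frozen=True)
class ArpEntry:
    op: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def _ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def parse_arp(payload: bytes) -> ArpEntry:
    """Decode an Ethernet/IPv4 ARP payload; anything else is rejected."""
    if len(payload) < ARP_HDR.size:
        raise ValueError("short ARP payload")
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP_HDR.unpack_from(payload)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return ArpEntry(op, _mac(sha), _ip(spa), _mac(tha), _ip(tpa))


def build_arp(op: int, sha: str, spa: str, tha: str, tpa: str) -> bytes:
    """Encode an ARP payload; used here only to construct sample traffic."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    ip = lambda a: bytes(int(x) for x in a.split("."))
    return ARP_HDR.pack(1, 0x0800, 6, 4, op, mac(sha), ip(spa), mac(tha), ip(tpa))


class ArpMonitor:
    """Tracks IP -> MAC bindings. Bindings passed as `static` (e.g. the gateway)
    are pinned and never overwritten; everything else is learned from traffic."""

    def __init__(self, static: Optional[dict] = None):
        self.table = dict(static or {})
        self.pinned = set(self.table)
        self.history = {ip: {mac} for ip, mac in self.table.items()}
        self.alerts = []

    def observe(self, e: ArpEntry) -> Optional[str]:
        # Requests and replies both carry a sender binding, and unsolicited
        # replies are the spoofing vector, so every packet is checked alike.
        ip, mac = e.sender_ip, e.sender_mac
        if ip == "0.0.0.0":  # ARP probe: no binding is being claimed
            return None
        known = self.table.get(ip)
        seen = self.history.setdefault(ip, set())
        if known is None:
            self.table[ip] = mac
            seen.add(mac)
            return None
        if known == mac:
            return None
        if ip in self.pinned:
            kind = "spoofed pinned address"
        elif mac in seen:
            kind = "flip flop"  # two stations alternately claiming one IP
        else:
            kind = "changed ethernet address"
        alert = f"{kind}: {ip} was {known}, now {mac} (op={e.op})"
        self.alerts.append(alert)
        seen.add(mac)
        if ip not in self.pinned:
            self.table[ip] = mac
        return alert


# Constructed sample segment: a pinned gateway, one host and a rogue station.
GATEWAY_IP, GATEWAY_MAC = "192.168.1.1", "aa:aa:aa:aa:aa:01"
HOST_IP, HOST_MAC = "192.168.1.20", "bb:bb:bb:bb:bb:20"
ROGUE_MAC, ZERO_MAC = "cc:cc:cc:cc:cc:99", "00:00:00:00:00:00"


def sample_frames():
    return [
        build_arp(ARP_REQUEST, HOST_MAC, HOST_IP, ZERO_MAC, GATEWAY_IP),   # host asks for gateway
        build_arp(ARP_REPLY, GATEWAY_MAC, GATEWAY_IP, HOST_MAC, HOST_IP),  # genuine answer
        build_arp(ARP_REPLY, ROGUE_MAC, GATEWAY_IP, HOST_MAC, HOST_IP),    # rogue claims the gateway
        build_arp(ARP_REPLY, ROGUE_MAC, HOST_IP, GATEWAY_MAC, GATEWAY_IP), # rogue claims the host
        build_arp(ARP_REPLY, HOST_MAC, HOST_IP, GATEWAY_MAC, GATEWAY_IP),  # real host answers again
    ]


def run_sample() -> list:
    mon = ArpMonitor(static={GATEWAY_IP: GATEWAY_MAC})
    for frame in sample_frames():
        mon.observe(parse_arp(frame))
    return mon.alerts
```

Feeding it live traffic means reading ARP frames off a raw socket or pcap and passing the payload after the 14-byte Ethernet header to `parse_arp`.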

  4. Shouldn't that read... by Anonymous Coward · · Score: 5, Funny

    Shouldn't that read Gnome.org Kompromised? No, no, that's KDE. It should read Gnome.org Gnompromised.

    1. Re:Shouldn't that read... by FooAtWFU · · Score: 4, Funny

      No, if the KDE folks are behind it, as some have jokingly speculated, Kompromised would work. :)

      --
      The World Wide Web is dying. Soon, we shall have only the Internet.
  5. Hrmm by 222 · · Score: 2, Funny

    This has got to be the work of those KDE bastards!

  6. I predict: by Neil+Blender · · Score: 4, Insightful

    The Slashbots will point blame at the admins. However, if it were Microsoft...

  7. Sometimes acronyms are too much... by _Sharp'r_ · · Score: 5, Funny

    Am I the only one who started picturing little lawn ornament men being caught in embarrassing positions?

    Shades of Toy story....

    --
    The party of stupid and the party of evil get together and do something both stupid and evil, then call it bipartisan.
    1. Re:Sometimes acronyms are too much... by budgenator · · Score: 2, Funny

      The biggest problem with these terrorists is that the "liberated" Gnome are thoroughly domesticated and unable to survive in the wild on their own. The police agencies frequently are reduced to holding the gnomes until their owners claim them in facilities unsuitable for the well-being of gnomes such as boxes kept in dark dusty evidence rooms. Many owners never claim them, dooming the gnomes to live out their lives in pathetic gnome refugee camps.

      The Gnomes would be better served if the gnome liberation front merely protested against the few owners who abuse their gnomes rather than trying to liberate gnomes from their loving families.

      --
      Apocalypse Cancelled, Sorry, No Ticket Refunds
  8. CRC by oO+Peeping+Tom+Oo · · Score: 3, Interesting

    I wonder if they have CRC'd the source and bins yet? Christ, who attacks OPEN SOURCE? Oh....heh.

    1. Re:CRC by JamesHenstridge · · Score: 4, Informative

      The script used to upload files to the master FTP site also mailed MD5 sums to a mailing list hosted on another machine. That script doesn't appear to have been altered (to insert a backdoor, the script would need to repack the tarballs with an exploit on the fly), so the MD5 sums from that mailing list should be reliable.
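
An added example (not the GNOME upload script) of the check described above: reconcile the files on a mirror with the digests that were mailed to the separate list at upload time. The message, file names and file contents are constructed (the tarball bodies are RFC 1321 MD5 test strings), and `hashlib.new(algo, ...)` lets the same routine run with SHA-256 where MD5 is no longer acceptable.

```python
"""Verify release artifacts against checksums recorded out-of-band (added
example, not the GNOME upload script). The mailing-list message, file names
and contents below are constructed; the only trust anchor is that the list
archive lives on a machine other than the one that was compromised."""
import hashlib
import hmac
import re

# md5sum/sha256sum output: hex digest, whitespace, optional '*' (binary mode), name
SUM_LINE = re.compile(r"^([0-9a-fA-F]{32,128})\s+\*?(\S+)$")


def parse_mailed_sums(text: str) -> dict:
    """Pull 'digest  filename' lines out of a list message, ignoring mail
    headers, '>' quoting, signatures and any other chatter around them."""
    sums = {}
    for raw in text.splitlines():
        m = SUM_LINE.match(raw.strip().lstrip("> ").strip())
        if m:
            sums[m.group(2)] = m.group(1).lower()
    return sums


def verify_release(mailed: dict, artifacts: dict, algo: str = "md5") -> dict:
    """Compare each artifact (name -> bytes) with its out-of-band digest.
    Per-name result: 'ok', 'MISMATCH', 'missing' (announced but absent) or
    'unlisted' (present on the mirror but never announced)."""
    report = {}
    for name, expected in mailed.items():
        data = artifacts.get(name)
        if data is None:
            report[name] = "missing"
            continue
        actual = hashlib.new(algo, data).hexdigest()
        report[name] = "ok" if hmac.compare_digest(actual, expected) else "MISMATCH"
    for name in artifacts:
        report.setdefault(name, "unlisted")
    return report


def release_is_clean(report: dict) -> bool:
    """Only 'ok' is acceptable: an unannounced file is as suspect as a bad sum."""
    return all(status == "ok" for status in report.values())


# Constructed message as it might sit in the list archive on the other machine.
MAILED_MESSAGE = """\
From: upload-script@example.invalid
Subject: new upload: example-2.6.0

900150983cd24fb0d6963f7d28e17f72  example-2.6.0.tar.gz
f96b697d7cb7938d525a2f31aaf161d0  example-2.6.0.tar.bz2
d41d8cd98f00b204e9800998ecf8427e  example-2.6.0.news
-- 
sent automatically by the upload script
"""

# Constructed mirror contents: one artifact altered, one never announced,
# and the announced .news file absent altogether.
MIRROR_FILES = {
    "example-2.6.0.tar.gz": b"abc",                 # md5 9001509... matches the mail
    "example-2.6.0.tar.bz2": b"message digest!",    # altered: no longer matches
    "example-2.6.0.extra.tar.gz": b"surprise",      # never announced on the list
}


def run_sample() -> dict:
    return verify_release(parse_mailed_sums(MAILED_MESSAGE), MIRROR_FILES)
```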

  9. Re:Boo, Hiss. by 0x0d0a · · Score: 4, Insightful

    Well...I suppose that if this is a new vulnerability, it's better that they go after a high-profile webserver with a good admin team that can catch the attack than that they attack many poorly-adminned ones.

  10. text copy by Anonymous Coward · · Score: 5, Informative

    We've discovered evidence of an intrusion on the server
    hosting www.gnome.org and other gnome.org websites.
    At the present time, we think that the released gnome
    sources and the gnome source code repository are unaffected.

    We are investigating further and will provide updates
    as we know more. We hope to have the essential services
    hosted on the affected machine up and running again as soon
    as possible.

    The GNOME sysadmin team
    23 March 2003

  11. Re:Boo, Hiss. by Anonymous Coward · · Score: 3, Insightful

    If Linux boxes were not attacked security would not be as good. Look at this in a positive manner. At least on Linux the problem will be remedied within hours and life goes on.

  12. At least now by Ethernet_Jedi · · Score: 5, Insightful

    At least they caught it now, instead of after the release. Now the code can be checked before it goes out, instead of everyone worrying about whether they downloaded compromised code

  13. Just Wrong by SlydogSZ · · Score: 5, Funny

    A Compromised Gnome. The image is just wrong.

  14. Gnome 2.6 by potpie · · Score: 3, Funny

    ...Gnot today.

    It's a bit disappointing that somebody was able to compromise their gnetwork, but i guess gno system can be completely secure. I only hope people would stop putting G's in front of all the N words they use when they're talking about Gnome. It's getting on my gnerves.

    --
    Esoteric reference.
  15. bad for gnome by zoloto · · Score: 2, Funny

    It may have been the GLF. They've been causing problems in Europe..

    Now the internet? Guess I'm not the only one waiting for the new release!

    FREE THE GNOME!!!

  16. Bad news... by Erwos · · Score: 5, Insightful

    But, just like in previous break-ins to other systems (Gentoo, Debian, Savannah), they're taking the correct actions by shutting everything down and BEING CAREFUL. I often wonder if commercial companies are always this fastidious.

    You can't beat all the crackers, but handling a bad situation correctly should be commended. Good job, GNOME team!

    I'm eagerly awaiting 2.6, too, I may add! :)

    -Erwos

    --
    Plausible conjecture should not be misrepresented as proof positive.
  17. Oh no!! by cluke · · Score: 5, Funny

    Oh my God! I hope they didn't steal any source code!!

  18. I can imagine. by LordK3nn3th · · Score: 3, Funny

    MOHAWK DAN: LOL D00DS IM IN
    sLiPkNoT696969: omg d00d hax0rs them
    p1kap1ka: hahaha pwnage u go d00d what proxy r u using
    MOHAWK DAN: WHATS A PROXY LOL
    p1kap1ka: uh... it hikes ur ip
    MOHAWK DAN: LOL WHATS AN IP TELL ME NOW THAT IM A HAX0R

    --
    Never criticize religion on Slashdot. You will be modded down for "Troll" no matter how factual it is.
  19. Gnome logo? by xot · · Score: 2, Insightful

    Maybe someone desperately wanted a copy of the original Open Source Gnome LOGO!
    Besides what would one get out of breaking into an open source server. Source code that's already available? Try to corrupt that? Not a good plan.

    --
    Lord of the Binges.
  20. Oh Heavens ...! by psycho_tinman · · Score: 2, Funny

    I hear these hackers are going to release the source

  21. sorry wrong article by didjit · · Score: 3, Funny

    Imagine a beowulf cluster of compromised gnome servers.

  22. use the brain, luke! by Mr2cents · · Score: 2, Funny

    Obviously, since gnome is a GNU/linux cornerstone, it must be coming from sco. Go get'em, feds!

    (logic used: same as in "sco.com was attacked by a worm -> it must have been a linux fan")

    --
    "It's too bad that stupidity isn't painful." - Anton LaVey
  23. Re:Boo, Hiss. by rgmoore · · Score: 4, Insightful

    That's the wrong attitude to take. If a Linux-based server is compromised because of software flaws, that's a perfectly legitimate point in an argument about security, just as the compromise of a Windows-based server because of a software flaw would be. If there's a real vulnerability that let somebody crack the system (as opposed to a misconfiguration or incorrect belief that the system was broken into) it needs to be fixed pronto, rather than written off as a PR event.

    --
    There's no point in questioning authority if you aren't going to listen to the answers.

  24. Linux security by 0x0d0a · · Score: 5, Insightful

    You know...honestly...

    There have been several major, high profile compromises of numerous FOSS servers in the past twelve months. Including a compromise of the GNU source repository.

    Microsoft has not made a big deal out of these (at least as far as I've seen). Whereas every security flaw at Microsoft is treated by Slashdot as if someone got access to the crown jewels (well, admittedly the Windows source is running around all over the place...)

    Microsoft has really been acting a lot nicer towards FOSS folks about security lapses.

    That being said, I'm just *waiting* for a sourceforge compromise. That would be a *huge* hit, and it just plain has to happen sooner or later.

    It would be nice if a couple of distributions put out basic *up-to-date* HOWTOs of best practices on how to set up minimal, secure servers using their distribution.

    1. Re:Linux security by ameoba · · Score: 4, Insightful

      There's a big difference. Every time a F/OSS project's box gets hacked, it's a single machine getting broken into. When there's a windows flaw, the next day there's a worm that compromises MILLIONS of computers.

      The two events are incomparable, since there are numerous ways a single box can be compromised that are not directly related to an OS flaw.

      --
      my sig's at the bottom of the page.
    2. Re:Linux security by Dalcius · · Score: 2, Informative

      It would be nice if a couple of distributions put out basic *up-to-date* HOWTOs of best practices on how to set up minimal, secure servers using their distribution.

      If you ask me, anyone running a service important enough for security to be more than a casual concern should be using a distro which is secure out of the box. Minimalist distros (Gentoo comes to mind) seem a good solution here.

      When it comes to deploying a service, it should be you who makes the box insecure by adding the service, and then you open up a whole big can of worms with this argument. If the distro is secure and adding a service makes it insecure, unless the addition is distro-specific, it falls on the service maintainer to write good guides.

      That doesn't mean it shouldn't happen, I like all the guides I can get -- but I think looking primarily to the distros is perhaps a bit mis-aimed. A little idle interest in security and 20-30 minutes of research when putting up a new service is all it really takes to cover most of your ass(ets), at least that's my perception.

      Disclaimer: I am obviously not a security expert, I only have a standing interest in keeping the two services (apache & ssh) running on my home network secure.

      Cheers :)

      --
      ~Dalcius
      Rome wasn't burnt in a day.
    3. Re:Linux security by The+Bungi · · Score: 2, Insightful

      In June 2001 some "Fluffy Bunny" dude rooted SF.NET, Akamai and (I think) a bunch of SETI servers, all through Apache and SSH. Shocking, I know.

      As I recall the intrusion went unnoticed for a long time (at least for SourceForge) and when it was discovered SF threw out a long-winded press release that detailed how the break-in had been "detected immediately" and had not "compromised" anything of value.

      So it wouldn't be the first time.

      Yep, GNU/Savannah (the "really free" alternative to SF) was rooted along with the rest of the GNU/Infrastructure a few months ago. It was GNU/Terrible.

      I'd just as soon not see SF.net hacked. They provide a valuable service and they manage to actually make a living at it. Actually I'd rather not see anything related to FOSS cracked and rooted.

      But I do find it hilarious that whenever something like this happens the Slashbots come out of the woodwork to post things like "Oh M$ is teh worse!!1" and promptly get modded up to +5, Insightful. Of course, Linux is perfect and absolutely secure, and the crap posted on linuxsecurity.com is all lies. Blatant lies.

      Ah well. The higher you think you are the more it will hurt when you hit the ground.

    4. Re:Linux security by The+Bungi · · Score: 2, Insightful

      There's a big difference. Every time a F/OSS project's box gets hacked, it's a single machine getting broken into. When there's a windows flaw, the next day there's a worm that compromises MILLIONS of computers.

      Yes, you're right. You're absolutely right. 100%, certified right.

      So let us extrapolate this. Hmmm. Let's say that Linux was the leading consumer desktop OS. And someone found a vulnerability in the kernel, SSH, Apache, whatever. And a distro (like RedHat) that allows me to set IPTables to allow SSH requests. Because, you know, Linux rules now so people write stuff for it and there's this cool app that everyone uses that requires SSH. Or whatever.

      Would you say that MILLIONS of computers would be compromised? How would you get your MILLIONS of users to patch their machines quickly so as to avoid Armageddon?

      Fascinating!

    5. Re:Linux security by LinuxHam · · Score: 2, Insightful

      Every time a F/OSS project's box gets hacked, it's a single machine getting broken into

      Not necessarily true. Remember the Debian compromise? The hackers used a weak password to run a privilege escalation exploit that had been in the kernel running in MILLIONS of computers. Turned into a major kernel patch.

      --
      Intelligent Life on Earth
  25. Re:Blame windows it already looks like Gnome by Anonymous Coward · · Score: 5, Insightful

    You can't compare a Linux distribution with hundreds of packages to Windows, which is basically a kernel/GUI/browser combo.

    Try using (for Linux) the number of kernel/X11/Mozilla vulnerabilities instead and at least you'll start making sense.

  26. Re:Another Debian Hole? by eloki · · Score: 5, Informative

    must.. resist.. temptation to moderate...

    I wonder if they are running a Debian based or Debian itself, and Debian has another hole in it.

    Funny. Too bad that was just a regular kernel hole, not one special to Debian's kernel. Any other distros can simply count themselves lucky the attackers didn't choose them.

  27. Microsoft vs gnome.org by 0x0d0a · · Score: 5, Funny

    When Microsoft undergoes a security breach, their source code spills out and leaks across the entire Internet.

    When gnome.org undergoes a security breach, their source code is more *difficult* to get.

    Fun, eh?

    1. Re:Microsoft vs gnome.org by Anonymous Coward · · Score: 2, Insightful

      Actually, that was a Linux security breach at Mainsoft. But, hey, all the same thing when you are a Linux zealot.

  28. Windows joke by bonch · · Score: 5, Insightful

    I fully expect a bunch of lame Microsoft jokes.

    But let's be real, here. Last year in the span of six months, Debian, Gentoo, and GNU (twice!) were compromised. Now GNOME.

    Can you honestly rail on Microsoft? When was the last time their servers were compromised? I only vaguely recall something in 2000 about alleged stolen source code, and a real good that has turned out all these years later. As for this year's stolen source code, Slashdot never reported this but it was taken from a Linux computer at MainSoft.

    Just funny how things are viewed around here, with a certain bias some people don't even realize they have.

    1. Re:Windows joke by krlynch · · Score: 5, Insightful

      I understand your point, but to be fair you should have noted that Microsoft is under no obligation, as far as I am aware, to tell anyone when they have been compromised. Microsoft's servers could have been cracked once a day, once a week, or once a month, and you would never know.

    2. Re:Windows joke by brokenwndw · · Score: 5, Insightful

      Let me offer some pseudo-arithmetic here:

      (number of server compromises you hear about) = (number of servers in existence) * (relative vulnerability of servers) * (willingness of those running servers to reveal compromises)

      I realize there are some people who have biases they don't appreciate. But data, taken at face value, is famous for having those same biases. No?

    3. Re:Windows joke by eakerin · · Score: 3, Interesting

      Can you honestly rail on Microsoft? When was the last time their servers were compromised?
      More like, "When was the last time Microsoft publicly announced a compromised system?". For all you know, the last break in could have been yesterday, or 2 days ago. That's not the kind of thing they put out a press release about.

      Major companies don't announce bad news, it's just not good for business. So any comparison is not valid.

    4. Re:Windows joke by Fourier · · Score: 2, Insightful

      When was the last time their servers were compromised?

      When's the last time MS hosted their source code on a publicly-viewable CVS tree, or offered anonymous FTP access? This is not a fair comparison.

    5. Re:Windows joke by thenextpresident · · Score: 2, Interesting

      Can you honestly rail on Microsoft?

      Yes, I can. When Microsoft ships product with a virus pre-installed, yes, I can very much so.

      I don't care if they are broken into. Same thing with Gnome. However, if in the end, Gnome turns around and releases code that is bugged, or otherwise harmful, I will be just as upset as I was with Microsoft.

      --
      Jason Lotito
    6. Re:Windows joke by Alan+Cox · · Score: 3, Interesting

      Microsoft do all their development internally so the security situation is different. Internal control in MS does not appear to be reliable given the number of large easter eggs that appear in applications. If someone can sneak a mini-flight sim into an app then they can sneak other stuff in.

    7. Re:Windows joke by DenOfEarth · · Score: 4, Interesting

      But let's be real, here. Last year in the span of six months, Debian, Gentoo, and GNU (twice!) were compromised. Now GNOME.

      Compromise is bad for the most part, but I was particularly impressed with the professional conduct of the above parties after their systems had been compromised. It seems like they were very upfront with what had happened, and probably fixed whatever allowed the break-in fairly quickly. If I remember correctly, the debian and gentoo compromises were internal access kinds of breakins, not an excuse, but definitely a lot better than the horrendous amounts of viruses being spread around through outlook.

      As for microsoft, it might be possible that they have been compromised before, but due to the financial stakes involved, they were afraid of letting that fact out into the open.

      Don't worry though, I get your point about the bias of slashdot. It's kind of frustrating sometimes, but I'm kind of frustrated with the thought of my gnome2.6 being delayed. :)

    8. Re:Windows joke by merdark · · Score: 5, Insightful

      Well, for one, their servers always seem to be up. www.microsoft.com going down would normally make news. Also, it's more than likely that someone cracking the MS site would do SOMETHING to let it be known that they did it. Few hackers are purely malicious, most want some sort of fame.

      (Yes, I used hackers instead of crackers, get over it, the word hacker is used by popular culture that way)

    9. Re:Windows joke by Eberlin · · Score: 3, Informative

      As far as I know, that only applies to security breaches that lead to a leak of personal information. Even then, if disclosure would impede any form of investigation, people did not have to say anything at all.

      So technically, even if it DID happen, people can dance around it all they want.

    10. Re:Windows joke by ferratus · · Score: 5, Insightful

      I am in a position where I currently get to use all three major platforms every day (Linux, OSX, Windows) and while I will admit to have a bias against Microsoft, I think there's a few key differences between OSS and Microsoft-like companies.

      First, I don't pay to get linux on my servers. Nobody said open source software was flawless, the key is that many here (including me) believe that you can get a more secure server if the source is open.

      Second, the Gnome project is not "linux inc." whereas Microsoft *is* Microsoft inc. That is to say, Microsoft controls all the aspects of their security, Gnome doesn't. Did the sysadmin patch everything? Did they perhaps forget to update apache or some other software? In Microsoft's case, they provide all the security updates, so when they are hacked, they are directly responsible.

      Thirdly, remember that this is a third party site. If we would get reports of all the windows servers that are getting hacked every day, we'd hear much more news like this. We are hearing about this because GNU, Gnome, Debian, etc. are public projects... otherwise, this would be just another hacked site.

      Considering the amount of software present on a current-day OS, expecting any of them to be flawless and completely secure in a real-world scenario is a bit ridiculous. The point is, I believe you get more for your money with an Open Source OS (of which linux is one alternative) than with a Microsoft OS.

      --
      IP Therefore I am.
    11. Re:Windows joke by Pros_n_Cons · · Score: 2, Interesting

      It's starting to look like M$ is taking security more seriously than we are. Every time something happens w/ linux "oh it's only debian.org", "oh that's only local", "only 3 kernel advisories this month, that should be all for a while". We _can not_ keep brushing things off and pretending they are not significant. Pretend for just a second if this was MSFT that had been compromised, their stock would plummet, investors would duck for cover and Tech writers would be spitting out bad press for months. We cannot keep sliding by, sooner or later with the move to the enterprise we WILL be held accountable.

      Personally I'd like to see "year of the OSS audit" where NOBODY adds new features we just hammer away at code reviews and optimizations. Course that will never happen, we are too busy trying to play beat the cock (M$) instead of playing beat the rock (BSD).

      --
      "of course that's just my opinion, I could be wrong." --Dennis Miller
    12. Re:Windows joke by red+tiger · · Score: 3, Insightful

      And not only the companies. The Soviet Russians were exactly like that, and they haven't changed much.

      For example, Chernobyl:

      • The first day they didn't tell anyone.
      • The second day they said: "Yes, something little has really happened..."
      • .......
    13. Re:Windows joke by mcc · · Score: 2, Interesting

      While I've never managed to find a hard cite for this, it was widely reported that during the original Code Red outbreak, the windows update page was showing "hacked by Chinese Worm".

      Let's ignore for a moment the obvious consequences if these reports were true-- that one, the windows update server was for some time susceptible to the idx exploit before Code Red happened to find it by chance, and two, it's possible someone else could have discovered this before code red did, and three, if this happened we would never have known.

      If one takes a bit of liberty in applying logic, this seems to imply some rather horrible things. Windows Update is, roughly speaking, the single network facility Microsoft has that it is most important is not compromised; the Code Red worm was roughly the easiest sort of compromise to protect oneself against. Yet it happened. Given Microsoft is under no obligation to disclose internally-discovered breakins, what does this imply about the frequency of more subtle, targeted attacks on lower-profile targets within Microsoft?

      Remember to take into account that unlike, say, the GNOME developers-- a disparate, largely disconnected group spread across the world-- Microsoft is a singular network, and thus it is possible that compromising a very low-profile target within the Microsoft internal network is likely to make it vastly easier, both from a technical and a social-engineering standpoint, to have effect on more important targets within the network...

      Just a thought.

    14. Re:Windows joke by Thagg · · Score: 4, Insightful

      Merdark says Also, it's more than likely that someone cracking the MS site would do SOMETHING to let it be known that they did it. Few hackers are purely malicious, most want some sort of fame.

      Note that the compromisers of the debian, GNU, and now Gnome sites did not let it be known. They are either not driven by publicity or have longer term goals. Believing that systems are secure because crackers don't announce themselves is foolish at best, mendacious at worst.

      thad

      --
      I love Mondays. On a Monday, anything is possible.
    15. Re:Windows joke by Dahamma · · Score: 4, Interesting

      Not that I'm defending M$ security, but I wonder how many of their easter eggs are *really* slipped in by programmers without anyone else's knowledge...

      I know someone who worked for several weeks on an "easter egg" at Intuit that was scheduled from the start and went through the full QA cycle - though she actually got in a fair bit of trouble for trying to sneak an easter egg in the easter egg... :)

    16. Re:Windows joke by leandrod · · Score: 4, Insightful

      > their servers always seem to be up

      Do you realize how many servers MS has? Free software projects are lucky if they have two.

      > it's more than likely that someone cracking the MS site would do SOMETHING to let it be known that they did it

      And get black helicopters hovering over your backyard?

      > I used hackers instead of crackers

      You insensitive.

      --
      Leandro Guimarães Faria Corcete DUTRA
      DA, DBA, SysAdmin, Data Modeller
      GNU Project, Debian GNU/Lin
    17. Re:Windows joke by Ender+Ryan · · Score: 3, Insightful

      But let's be real, here. Last year in the span of six months, Debian, Gentoo, and GNU (twice!) were compromised. Now GNOME.

      I take your point, however... Wasn't at least one of those not a software exploit, ie. someone "inside" messed up and a password got into the wrong hands? And wasn't the Gentoo exploit just one of the mirrors, said mirror not even running Gentoo?

      Can you honestly rail on Microsoft?

      Sure! Their business practices are detestable, their software is geared towards vendor lock-in instead of providing customers with what they need, and their complicity in the SCO fiasco is deplorable and deserving of harsh punishment, possibly jail time. They have engaged in fraud, conspiracy, perjury, and corruption, if not more. Not to mention being a convicted predatory monopoly, and now they are a predatory monopoly that uses political influence to gain near impunity.

      When was the last time their servers were compromised?

      Really, how the fuck is anyone supposed to know that?

      Hotmail just had a huge downtime, we don't know why it was taken offline. Perhaps it got "hacked." There's no reason to take anything they say at face value, they are known liars.

      Just funny how things are viewed around here, with a certain bias some people don't even realize they have.

      It seems to run both ways these days. Any pro-MS response seems to get modded up without consideration of merit - personally, I think it may be because a lot of the newcomers here are intimidated by the prospect of something different than what they're used to, ie. MS, Windows, Apple, proprietary development, etc.

      --
      Sticking feathers up your butt does not make you a chicken - Tyler Durden
    18. Re:Windows joke by leandrod · · Score: 3, Interesting

      > We _can not_ keep brushing things off and pretending they are not significant

      Fully agree, but...

      Other than going for OpenBSD and lacking some functionality, what else do you propose?

      I do happen to think we should use vastly simpler systems: functional programming, perhaps Lisp, certainly all data relationally organised down to kernel level, multiserver microkernel, RISC implementation... but how realistic is this when POSIX simply has so much critical mass? This is not a technically-driven world, not even in free software or academia.

      --
      Leandro Guimarães Faria Corcete DUTRA
      DA, DBA, SysAdmin, Data Modeller
      GNU Project, Debian GNU/Lin
    19. Re:Windows joke by simonfairfax · · Score: 3, Informative

      I was just reading Unix Unleashed and they claimed that when a vulnerability in some sort of TCP/IP stack code that everyone used was discovered a while ago, the Linux community took less than 3 hrs. to release a working patch.

    20. Re:Windows joke by aardvarkjoe · · Score: 4, Funny

      Any pro-MS response seems to get modded up without consideration of merit

      You have got to be kidding me. I'm in full agreement that unworthy posts are modded up all the time, but if you think that there is an overall pro-Microsoft bias, you must either be blind or you bought your impressive UID and posting history off of somebody else.
      --
      How can we continue to believe in a just universe and freedom to eat crackers if we have no ale?
    21. Re:Windows joke by Coryoth · · Score: 2, Interesting

      Other than going for OpenBSD and lacking some functionality, what else do you propose?

      How about making SELinux with a good default security policy the standard setup for all distributions using the 2.6 kernel?

      The quality and power of SELinux in terms of security is literally light years ahead of any other commonly available Operating system (except, perhaps an obscure BSD fork which I believe was implementing a similar security structure).

      Honestly, SELinux really is that good, and has been fully folded into the 2.6 kernel. People just need to start using it.

      Jedidiah

    22. Re:Windows joke by ArekRashan · · Score: 2, Interesting

      I just think it's sad that one way or another, people still make the attempt to rationalize their choice of 'hacker', 'cracker' or somesuch in public. I'm tired of reading these silly little disclaimers, and as the reader my interpretation of the term is what gets used. Putting it at the end is no help at all, and putting it at the beginning is just an invitation for the reader to disagree with you.

      The nebulousness of these terms should suggest to you that it would be a good idea to tailor your choice of words to aid ease of comprehension by the audience they are intended for. You may also want to add contextual clues to avoid ambiguity.

      Part of the problem stems from the fact that even under the most semantic interpretation of 'hacking isn't cracking', cracking can be hacking. At least, the first time. Then it's just a documented crack, and left to the kidz and crookz.

    23. Re:Windows joke by Tony · · Score: 4, Insightful

      (Yes, I used hackers instead of crackers, get over it, the work hacker is used by popular culture that way)

      By that logic, scientists should start using "theory" instead of "hypothesis," simply because popular culture uses it that way. Or "velocity" when they mean "speed." Or "light years" when they mean "months" (as in time). Or maybe they should start using "pounds" as a unit of mass.

      Or in the computer industry, maybe we should start using the word "CPU" when we mean "computer case." Or "RAM" when we mean "hard drive." Or "cup holder" when we mean CD/DVD drive. Or.... getting the idea?

      Just because the public uses a word incorrectly does not mean folks in the industry need to follow suit.

      --
      Microsoft is to software what Budweiser is to beer.
    24. Re:Windows joke by nathanh · · Score: 4, Insightful
      Every time something happens w/ linux "oh it's only debian.org", "oh that's only local", "only 3 kernel advisories this month, that should be all for a while". We _can not_ keep brushing things off and pretending they are not significant.

      We are not brushing things off and pretending they are insignificant.

      Some people brush it off. Some people do not. This is not a collective. We do not all share the same opinion.

      I was never of the opinion that the debian.org incident was something to casually dismiss. Luckily, the Debian sysadmins agreed. They treated it very seriously and took several Debian servers offline to fix it. The gnome.org sysadmins are being equally professional.

      Just because you can read /. user-id 702942 saying something stupid like "M$ is dumheds and Lunix Rulze" does not mean that WE are all of the same opinion.

      So shut the fuck up.

    25. Re:Windows joke by incom · · Score: 2, Interesting

      Actually, when a story is new, the modding is in fact decidedly pro-MS. And it later tips the other way as the story gets older. Weird phenomenon. <conspiracy> maybe someone is paying for people to do this </conspiracy>

      --
      True genius is grasping a situation like a piece of fruit, and piercing it just right so that it drains dry.
    26. Re:Windows joke by ClosedSource · · Score: 2, Interesting

      But "hacker" is a word that doesn't even have a single meaning among geeks.

      The original MIT meaning was someone who was driven to passionately pursue their area of interest as an intense hobby rather than being paid for it (in grades or money). That hobby wouldn't necessarily concern computers.

      On Slashdot a hacker often means someone who reverse-engineers a computing device and then uses that knowledge to do something that the system wasn't originally intended to do, as in "They hacked the XBox and made it run Linux".

      You'll notice that the Slashdot definition fits "cracker" behavior better than the original definition.

    27. Re:Windows joke by Anonymous Coward · · Score: 2, Insightful

      "Also, it's more than likely that someone cracking the MS site would do SOMETHING to let it be known that they did it. Few hackers are purely malicious, most want some sort of fame."

      The difference is that there really isn't that much of value on the Microsoft websites. They're a corporation and deliver most of their product via sales channels. They are smart enough to keep only information on their websites.

      For FOSS, it's different. Everything is available to everybody else because their distribution system is the web.

      This is a good reason why distributions should be made available via BitTorrent, which is encrypted to ensure that what the tracker says you're getting, you get. Then users only need to validate the tracker instead of downloading some ISOs and checking the md5sums (and how many of us always do that?). Of course the intelligent/paranoid would still check their md5sums, but this way you won't waste time downloading corrupted files. You check beforehand through a secure channel (signed by a private key or the equivalent) so even if the web server or ftp server is compromised, you can still count on the digital signature.

    28. Re:Windows joke by LittleBigLui · · Score: 2, Funny
      Idiots using the word forced it to become a word in the dictionary.

      How do you think new words get introduced into a language? Does God hand them down from heaven? Are they discovered by wordologists in the sands of the Sahara desert? Are they invented by licensed WordInventors in top-secret high-tech laboratories?

      Or are they created by people just starting to use them?
      --
      Free as in mason.
    29. Re:Windows joke by hkmwbz · · Score: 2, Interesting
      I, too, have noticed a trend lately (well, it's been going on for a while), and that is that obvious flamebaits from pro-MS posters are modded up. Ignorant comments praising MS and bashing Linux will frequently get modded up, whether there is merit to it or not.

      It looks like there's a kind of backlash from pro-MS people who are sick and tired of hearing about how bad and evil Microsoft is. So they post comments about "why should Apple be allowed to bundle a browser, but MS not" (answer: Apple is not a convicted monopolist), and these get modded up.

      --
      Clever signature text goes here.
  29. Sorry guys by agent+dero · · Score: 5, Funny

    My bad, won't happen again.

    -KDE

    --
    Error 407 - No creative sig found
  30. OpenSSL Vulnerabilities by Anonymous Coward · · Score: 4, Interesting

    From Netcraft:

    Apache/1.3.12 (Unix) (Red Hat/Linux) mod_ssl/2.6.4 OpenSSL/0.9.5a PHP/3.0.7

    Could it have anything to do with the old version of OpenSSL, and the numerous vulns found lately?

    1. Re:OpenSSL Vulnerabilities by Rich · · Score: 2, Interesting

      Two things:

      1. Most distros patch holes in existing versions but do not change the version numbers.

      2. The OpenSSL holes recently were a null pointer dereference and a DoS - neither would lead to a compromise.

    2. Re:OpenSSL Vulnerabilities by Pros_n_Cons · · Score: 2, Informative

      The OpenSSL holes were DoS issues, so it's doubtful.
      http://www.openssl.org/news/secadv_20040317.txt

      --
      "of course that's just my opinion, I could be wrong." --Dennis Miller
    3. Re:OpenSSL Vulnerabilities by CTho9305 · · Score: 2, Informative

      2. The OpenSSL holes recently were a null pointer dereference and a DoS - neither would lead to a compromise.

      Remember the openssl worm? Anything less than 0.9.6e is vulnerable. And they're using 0.9.5a????

      Their versions of php and apache are both incredibly old (1.3.27 or 1.3.28 is current for apache, and PHP just released 5 RC1 with 4.3.x being current) - I hope they set up apache to lie about its versions.

    4. Re:OpenSSL Vulnerabilities by Mike+Hawk · · Score: 2, Insightful

      Wow, I heard a story once where someone said something about attacks only resulting from announced and patched vulnerabilities. Of course, that claim was quickly "debunked" by the slashbots. Weird.

  31. Re:Blame windows it already looks like Gnome by fforw · · Score: 3, Funny
    so I followed your link..
    ADODB.Parameter error '800a0d5d'

    Application uses a value of the wrong type for the current operation.

    E:\DATA\INETPUB\WWWROOT\NBR\HOME\../ inc/select_article.asp, line 9

    guess next you'll tell us that ASP.NET is the better platform for web services =)

    ..
    --
    while (!asleep()) sheep++
  32. This is getting annoying by nurb432 · · Score: 3, Insightful

    Why can't these idiots find something else to do with their time than screw up systems. ( be it some OSS project or a commercial behemoth )

    Perhaps we just need to forget the courts, and find people that do this and take care of the problem.

    All it does is make everyone's life harder, it doesn't get 'them' anywhere...

    Disclaimer: I'm not even a Gnome fan.. it's the principle.

    --
    ---- Booth was a patriot ----
  33. Re:Blame windows it already looks like Gnome by Mark+Pitman · · Score: 2, Informative

    Not to pick nits, but that error didn't come from ASP.Net, it is from classic ASP and is actually an ADO (data access) error.

  34. Re:Should have been running a windows box by DaHat · · Score: 2, Informative

    Heaven forbid that someone make a disparaging comment about Linux and make a joke about its stability/reliability/security with regards to Windows where Linux loses.

  35. gnowned! by straponego · · Score: 4, Funny

    ...sorry.

  36. Silliness aside cvs and www are separate by Alan+Cox · · Score: 3, Informative

    The Gnome team didn't mix all the web sites (where user custom shell scripts are always a risk) with the cvs box.

  37. OSS - Security through lack of motivation by The-Dalai-LLama · · Score: 2, Insightful

    Just a thought, and I haven't been around very long, but if a major software company had reason to suspect their security had been compromised the day before a major release, which is to say sometime after major effort and bucks went into promoting the release, would they publicize it?

    It seems to me that since Gnome is open-source, they don't have a lot to lose by delaying the release until they know their product has not been compromised.

    The Dalai Llama
    Just thinking out loud, try not to get any on your shoes

    1. Re:OSS - Security through lack of motivation by The-Dalai-LLama · · Score: 2, Insightful

      Sorry, should have been more explicit.

      This story highlights the fact that the Gnome folks went out of their way to actively inform the community that their product may have been compromised.

      My point is this: proprietary vendors have an incentive to hide from their customers security compromises; OSS software makers have an incentive to alert their customers to potential security compromises.

      The idea is related to the "more eyes examining it" argument, but also subtly different.

      The Dalai Llama
      willing to create a cute metaphor or analogy, if that will help

  38. Re:Bad news(not)... distributed code comparison by G4from128k · · Score: 4, Interesting

    With OSS, an intrusion, even a full bore compromise of the code base, is more likely to be caught. I would hope that there are diligent OSS people that cross-compare their copies of the source to the CVS copies and look for discrepancies. A distributed analysis of all changes (including the officially sanctioned ones) would help uncover malicious code.

    In contrast, the users of proprietary code have only the manufacturer's word on what changes occurred, who made them, and what those changes do. We users have no easy way (short of reverse engineering the code deltas on the binaries) of determining what happened between version X and version X.1. The security of non-OSS code is in nontransparent hands and that makes it insecure.

    --
    Two wrongs don't make a right, but three lefts do.
  39. Re:Blame windows it already looks like Gnome by Bull999999 · · Score: 3

    If Windows came with SQL and Exchange server, Office suite and various other add-ons and software, it'll be easily as big. But that doesn't matter since you cannot download a non-trial version of Windows from MS in the first place.

    --
    1f u c4n r34d th1s u r34lly n33d t0 g37 l41d
  40. Lucky Anyhow... by oacis · · Score: 2, Funny

    Lucky anyhow that the server is unavailable 'before' it got slashdotted.

    --
    This is NOT the best sig in the world, but this IS a tribute to the best sig in the world.
  41. Re:Should have been running a windows box by Anonymous Coward · · Score: 2, Insightful
    "I've got nothing against Linux... it's just its fan club I can't stand."


    You've never "discussed" Windows on Usenet, have you? Windows supporters outside of Slashdot are just as obnoxious and idiotic as the worst anonymous cowards here.

  42. safe system for submitting code by Graphyx · · Score: 5, Interesting

    Here is what the developers should do.
    Each time they submit a file that they have made changes to in the cvs archive, then also HMAC it and sign it with their private key. Then later on if the system was compromised you could go back and compute the HMAC of the file to make sure it matches that which the programmer submitted it to be.

    And then even if the system was compromised you wouldn't have to question which ones were changed or not since it can be checked just by confirming the HMACs.

    The best designs for security have perfect forward security. And a signed HMAC would prove the validity of the file unless the signing key was compromised.
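The per-file signing scheme in this post, worked through as an added example that is not code from the poster or from the GNOME project; the same block also covers the "check the signature beforehand through a secure channel" point in the Anonymous Coward's Re:Windows joke (comment 27) and the cross-comparison of source copies in G4from128k's comment 38. It assumes SHA-256 as the file digest and an Ed25519 signature over path plus digest in place of the poster's HMAC-plus-signature (an HMAC needs a shared secret, while a signature over the digest lets anyone holding the developer's public key verify); the file names, contents and keys are constructed on the spot.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
)

// Record is what a developer publishes alongside each committed file: the
// path, the SHA-256 digest of the committed contents, and an Ed25519 signature
// over path and digest. (Assumed scheme for this example; the poster describes
// an HMAC plus a signature instead.)
type Record struct {
	Path   string
	Digest string // hex SHA-256 of the committed contents
	Sig    []byte // Ed25519 signature over message(Path, digest bytes)
}

// message binds the path to the digest so a valid record for one file cannot
// be replayed as the record for another path.
func message(path string, digest []byte) []byte {
	return append([]byte(path+"\x00"), digest...)
}

// Sign is the developer-side step: hash the file as committed and sign it.
func Sign(priv ed25519.PrivateKey, path string, content []byte) Record {
	sum := sha256.Sum256(content)
	return Record{
		Path:   path,
		Digest: hex.EncodeToString(sum[:]),
		Sig:    ed25519.Sign(priv, message(path, sum[:])),
	}
}

// Verify is the audit-side step: recompute the digest of the file as found in
// the tree and check that it is exactly what the key holder signed for rec.Path.
func Verify(pub ed25519.PublicKey, rec Record, content []byte) bool {
	sum := sha256.Sum256(content)
	if hex.EncodeToString(sum[:]) != rec.Digest {
		return false // contents differ from what the record claims
	}
	return ed25519.Verify(pub, message(rec.Path, sum[:]), rec.Sig)
}

// Audit compares a checked-out tree against the signed records and returns the
// sorted paths that fail: missing files, altered files, and files present in
// the tree that no developer ever signed.
func Audit(pub ed25519.PublicKey, recs []Record, tree map[string][]byte) []string {
	var bad []string
	signed := map[string]bool{}
	for _, r := range recs {
		signed[r.Path] = true
		content, ok := tree[r.Path]
		if !ok || !Verify(pub, r, content) {
			bad = append(bad, r.Path)
		}
	}
	for p := range tree {
		if !signed[p] {
			bad = append(bad, p)
		}
	}
	sort.Strings(bad)
	return bad
}

// Demo runs the scheme on a constructed two-file tree: the developer signs both
// files, then the tree is audited again after one file has been altered and an
// unsigned file added. It returns the paths the audit flags.
func Demo() []string {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	committed := map[string][]byte{ // constructed sample contents
		"src/main.c": []byte("int main(void) { return 0; }\n"),
		"src/util.c": []byte("int add(int a, int b) { return a + b; }\n"),
	}
	var recs []Record
	for path, content := range committed {
		recs = append(recs, Sign(priv, path, content))
	}
	checkedOut := map[string][]byte{ // constructed post-intrusion state
		"src/main.c":  []byte("int main(void) { return 1; }\n"), // altered
		"src/util.c":  committed["src/util.c"],                  // untouched
		"src/extra.c": []byte("/* no signed record covers this file */\n"),
	}
	return Audit(pub, recs, checkedOut)
}

func main() {
	fmt.Println("files failing audit:", Demo())
}
```

The records only help if they are kept somewhere the intruder cannot rewrite (the developer's own machine, or a signed message to a list), and, as the poster notes, they prove nothing once the signing key itself has been on the compromised box.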

  43. Most of the security breaches are the fault of.... by SmallFurryCreature · · Score: 3, Interesting
    Most of the security breaches are the fault of bad installs. Basically the admins left a hole and someone made use of it. At worst it is an application like the ftp server that should have been patched or wasn't.

    At least as far as I've been aware it has never been an OS that was at fault.

    nitpicking? Well yes. But just ask yourself this. Gnome runs Red Hat. If there was a hole in Red Hat then why is only gnome under attack and not every Red Hat box in the world? Are linux hackers more easily satisfied and think 1 box is enough?

    So what do you think has happened here. Someone found a fault with Red Hat or did someone find a fault with the Gnome setup of their Red Hat server?

    Only fools blame MS for users who download a "keygen" that turns out to be a virus. However we do blame MS for making holes in their software that affect every damn installation of windows out there.

    That is the difference.

    As for your howto suggestion. They exist. They just are a lot of work and most people don't bother. Hell, if you follow such howtos then Windows can be made secure (rule 1: Windows is not an internet OS, run it behind a firewall; that means not a firewall ON windows but windows BEHIND a firewall). I follow them. My windows/dos box has never been compromised. Neither has my linux box.

    Then again neither of my machines is supposed to do what gnome's machines are supposed to do. It is easy to secure to the outside world when nobody is supposed to access it. Fort Knox is secure because nobody is allowed in there. The highstreet bank is a lot harder to secure.

    --
    MMO Quests are like orgasms:
    You may solo them, I prefer them in a group.

  44. GNOME code by endrek · · Score: 3, Insightful

    I'd actually think the code might have been touched. The timing of the hack is interesting because it is so close to a release. If I was going to try and plant something I'd wait until just before it goes out the door in a massive release. Less chance of getting caught and biggest dispersal opportunity. Sigh

  45. Re:Bad news(not)... distributed code comparison by a_n_d_e_r_s · · Score: 2, Interesting

    His paper is a good example of how hard it is to change an open source project of today - since the compiler nowadays is separate from the rest of the code.

    It's much harder today since one needs to crack the security on so many websites because of the distributed development that is done in free and open software today on the Internet.

    His example also shows that it only works if the same developer makes both the OS and the compiler.

    Linux is not developed that way - however a large competitor to Linux is....

    --
    Just saying it like it are.
  46. FBI Task Force by theCoder · · Score: 5, Insightful

    So, when is the FBI going to announce their special task force to track down these dangerous hackers? After all, isn't that what they did when the Microsoft code was leaked? Something tells me this won't even make the FBI's radar, though...

    --
    "Save the whales, feed the hungry, free the mallocs" -- author unknown
  47. Kudos to the Gnome team for their timely reaction by RichiP · · Score: 4, Insightful

    We have to remember that most of the people working on Gnome and/or maintaining the servers are volunteers. That said, I have to tip my hat to these people for the very professional action they provided post the compromise. Taking down the compromised server, informing the community, and, most importantly, not releasing premature statements of blame or excuses (which is more than what I can say for a lot of professional companies).

  48. GNOME 2.6 is out... by Anonymous Coward · · Score: 2, Interesting

    Just check the ftp server and its mirrors. All of the 2.6 components are out (nautilus included) with the version bumped up to 2.6.

    You can get it and run it now...

  49. Re:Should have been running a windows box by Tandoori+Haggis · · Score: 2, Insightful

    AFAIK both Windows and Linux have their vulnerabilities, strengths and weaknesses. I've made my choice and you've made yours. That's cool.

    I've got nothing against windows fans it's just their operating system I can't stand

    --
    My hyperlinks aren't worth the paper they're printed on.
  50. Re:Blame windows it already looks like Gnome by Foolhardy · · Score: 2, Insightful

    First it's "Microsoft bundles too many things with Windows" and now it's "You can't compare Windows to a Linux distro because it only has 3 packages: kernel/GUI/browser"

    Pick one.

  51. Re:Yet more proof in the security fallacy of OSS by ArekRashan · · Score: 2, Insightful

    Even if I accept that as true, Windows still isn't nearly as good in this area as just about anything that tries a little harder for POSIX compliance.

    If you are comparing OSS code to Solaris or AIX or something, you might have a point. But not much of one.

  52. Re:Should have been running a windows box by wampus · · Score: 2, Insightful

    Dunno when the last time it was hacked. They didn't tell anyone.

  53. + * Copyright 2002,2003,2004 SCO by openmtl · · Score: 2, Funny
    Ah, so that's what all those

    + /* Copyright 2002,2003,2004 (C) SCO */

    were when I did a cvs diff last !

    --

  54. It's Back by benguru · · Score: 2, Insightful

    Hi, I just noticed it is back online. I guess it wasn't anything too serious, hope it doesn't delay Gnome 2.6

  55. Attempt != success by cookie_cutter · · Score: 2, Interesting
    I'd actually think the code might have been touched. The timing of the hack is interesting because it is so close to a release

    The fact that this would be a good time to TRY to touch the code does not mean that they had any success.

  56. Re:Blame windows it already looks like Gnome by Anonymous Coward · · Score: 2, Insightful

    There's a lot of that around here. Every time a program in a Linux distro has a problem we're reminded that it isn't really part of Linux. Every time someone says Linux doesn't have as many features, suddenly those flawed programs are reclassified as part of Linux again.

  57. And I predict: by freeweed · · Score: 2, Interesting

    A metric assload of posts talking about how all (800,000ish and counting) Slashdot readers are one person (the infamous Slashbot).

    A bunch of "hey, Linux has problems, so stop saying anything negative about Microsoft" posts getting moderated to +5.

    At least 100 people posting "Linux projects have been hacked many times in the past year, Microsoft none", while ignoring the complete and utter lack of Code Red, Slammer, Blaster, or any Warhol-type worm ever appearing for a *nix-based system, even though the majority of the internet is run off *nix. And no, the Morris worm doesn't count - Microsoft didn't even have a TCP/IP stack back in those days :)

    A fair number of posts by > 500,000 UIDs, coincidentally almost always as a Microsoft apologist. Hmm, wonder who the new people are :)

    Oh yeah, and (give or take) 20 different moderations to this post, varying between -1, Flamebait to +1, Insightful. I'd kill to see the UIDs of the moderators on something like this, because I'd bet a lot of money that I could guess the UID based on the moderation.

    --
    Endless arguments over trivial contradictions in books written by ignorant savages to explain thunder in the dark.
  58. Obvious by pxnoll · · Score: 2, Funny

    Isn't it pretty obvious that they're pulling a Valve(tm) ? ;/

  59. GNOME 2.6 Rescheduled for March 31st by twener · · Score: 2, Informative
  60. Re:Should have been running a windows box by wtrmute · · Score: 2, Insightful

    Now, now... There's no such thing as an uncrackable machine. Linux boxes can be compromised just as Windows boxes can. I think it's actually a good sign when the GNOME security team voluntarily takes steps to minimize damage even if it causes bad press. After all, they're trying to build good software, and shutting up about problems is not the way things get fixed.