Slashdot Mirror

← Back to Stories (view on slashdot.org)

Gnome.org Compromised?

Posted by michael on from the somebody-needs-to-get-stomped dept.

Garden GNOME writes "The GNOME sysadmin team has just announced that the main GNOME web server has probably been intruded into, leading to the shutdown of the GNOME website, (including bugzilla.gnome.org, art.gnome.org and developer.gnome.org). The GNOME mailing lists, and CVS servers seem to be up, though the FTP server was immediately taken down as a precautionary measure (released sources are believed to be intact). This is bad, because GNOME 2.6 was supposed to be released tomorrow. Let's hope it is a false alarm."

22 of 512 comments (clear)

  1. Blame windows by superpulpsicle · · Score: 5, Funny

    I guess the next version of longhorn will now look like GNOME.

  2. Ahh! by Anonymous Coward · · Score: 5, Funny

    Damn you KDE zealots!! Let us have our release!

  3. Shouldn't that read... by Anonymous Coward · · Score: 5, Funny

    Shouldn't that read Gnome.org Kompromised? No, no, that's KDE. It should read Gnome.org Gnompromised.

  4. Sometimes acronyms are too much... by _Sharp'r_ · · Score: 5, Funny


    Am I the only one who started picturing little lawn ornament men being caught in embarrassing positions?

    Shades of Toy story....

    --
    The party of stupid and the party of evil get together and do something both stupid and evil, then call it bipartisan.
  5. text copy by Anonymous Coward · · Score: 5, Informative

    We've discovered evidence of an intrusion on the server
    hosting www.gnome.org and other gnome.org websites.
    At the present time, we think that the released gnome
    sources and the gnome source code repository are unaffected.

    We are investigating further and will provide updates
    as we know more. We hope to have the essential services
    hosted on the affected machine up and running again as soon
    as possible.

    The GNOME sysadmin team
    23 March 2003

  6. At least now by Ethernet_Jedi · · Score: 5, Insightful

    At least they caught it now, instead of after the release. Now the code can be checked before it goes out, instead of everyone worrying about whether they downloaded compromised code

  7. Just Wrong by SlydogSZ · · Score: 5, Funny

    A Compromised Gnome. The image is just wrong.

  8. Bad news... by Erwos · · Score: 5, Insightful

    But, just like in previous break-ins to other systems (Gentoo, Debian, Savannah), they're taking the correct actions by shutting everything down and BEING CAREFUL. I often wonder if commercial companies are always this fastidious.

    You can't beat all the crackers, but handling a bad situation correctly should be commended. Good job, GNOME team!

    I'm eagerly awaiting 2.6, too, I may add! :)

    -Erwos

    --
    Plausible conjecture should not be misrepresented as proof positive.
  9. Oh no!! by cluke · · Score: 5, Funny

    Oh my God! I hope they didn't steal any source code!!

  10. Linux security by 0x0d0a · · Score: 5, Insightful

    You know...honestly...

    There have been serveral major, high profile compromises of numerous FOSS servers in the past twelve months. Including a compromise of the GNU source repository.

    Microsoft has not made a big deal out of these (at least as far as I've seen). Whereas every security flaw at Microsoft is treated by Slashdot as if someone got access to the crown jewels (well, admittedly the Windows source is running around all over the place...)

    Microsoft has really been acting a lot nicer towards FOSS folks about security lapses.

    That being said, I'm just *waiting* for a sourceforge compromise. That would be a *huge* hit, and it just plain has to happen sooner or later.

    It would be nice if a couple of distributions put out basic *up-to-date* HOWTOs of best practices on how to set up minimal, secure servers using their distribution.

    --
    May we never see th
  11. Re:Blame windows it already looks like Gnome by Anonymous Coward · · Score: 5, Insightful

    You can't compare a Linux distribution with hundreds of packages to Windows, which is basically a kernel/GUI/browser combo.

    Try using (for Linux) the number of kernel/X11/Mozilla vulnerabilities instead and at least you'll start making sense.

  12. Re:Another Debian Hole? by eloki · · Score: 5, Informative

    must.. resist.. temptation to moderate...

    I wonder if they are running a Debian based or Debian itself, and Debian has another hole in it.

    Funny. Too bad that was just a regular kernel hole, not one special to Debian's kernel. Any other distros can simply count themselves lucky the attackers didn't choose them.

  13. Microsoft vs gnome.org by 0x0d0a · · Score: 5, Funny

    When Microsoft undergoes a security breech, their source code spills out and leaks across the entire Internet.

    When gnome.org undergoes a security breech, their source code is more *difficult* to get.

    Fun, eh?

    --
    May we never see th
  14. Windows joke by bonch · · Score: 5, Insightful

    I fully expect a bunch of lame Microsoft jokes.

    But let's be real, here. Last year in the span of six months, Debian, Gentoo, and GNU (twice!) were compromised. Now GNOME.

    Can you honestly rail on Microsoft? When was the last time their servers were compromised? I only vaguely recall something in 2000 about alleged stolen source code, and a real good that has turned out all these years later. As for this year's stolen source code, Slashdot never reported this but it was taken from a Linux computer at MainSoft.

    Just funny how things are viewed around here, with a certain bias some people don't even realize they have.

    1. Re:Windows joke by krlynch · · Score: 5, Insightful

      I understand your point, but to be fair you should have noted that Microsoft is under no obligation, as far as I am aware, to tell anyone when they have been compromised. Microsoft's servers could have been cracked once a day, once a week, or once a month, and you would never know.

    2. Re:Windows joke by brokenwndw · · Score: 5, Insightful

      Let me offer some pseudo-arithmetic here:

      (number of server compromises you hear about) = (number of servers in existence) * (relative vulnerability of servers) * (willingness of those running servers to reveal compromises)

      I realize there are some people who have biases they don't appreciate. But data, taken at face value, is famous for having those same biases. No?

    3. Re:Windows joke by merdark · · Score: 5, Insightful

      Well, for one, their servers always seem to be up. www.microsoft.com going down would normally make news. Also, it's more than likely that someone cracking the MS site would do SOMETHING to let it be known that they did it. Few hackers are purely malicious, most want some sort of fame.

      (Yes, I used hackers instead of crackers, get over it, the work hacker is used by popular culture that way)

    4. Re:Windows joke by ferratus · · Score: 5, Insightful

      I am in a position where I currently get to use all three major platforms everyday (Linux, OSX, Windows) ans while I will admit to have a bias against Microsoft, I think there's a few key differences between OSS and Microsoft-like cies.

      First, I don't pay to get linux on my servers. Nobody said open source software were flawless, the key is that many here (including me) believe that you can get a more secure server if the source is open.

      Second, the Gnome project is not "linux inc." whereas Microsoft *is* Microsoft inc. That is to say, Microsoft controls all the aspect of their security, Gnome doesn't. Did the sysadmin patch everything ? Did they perhaps forget to update apache or some other software ? In microsoft's case, they provice all the security update, so when they are hacked, they are directly responsible.

      Thirdly, remember that this is a third party site. If we would get report of all the windows servers that are getting hacked everyday, we'd here much more news like this. We are hearing about this because GNU, Gnome, Debian, etc. are public projects... othewise, this would be just another hacked site.

      Considering the amount of software present on a current-day OS, expecting any of them to be flawless and completly secure in a real-world scenario is a bit ridiculous. They point is, I believe you get more for your money with an Open Source OS (of which linux is one alternative) than with a Microsoft OS.

      --
      IP Therefore I am.
  15. Sorry guys by agent+dero · · Score: 5, Funny

    My bad, won't happen again.

    -KDE

    --
    Error 407 - No creative sig found
  16. Re:More info by Alan+Cox · · Score: 5, Informative

    More info will appear as the forensics are done.

    But to emphasize: cvs.gnome.org is a seperate system

  17. safe system for submitting code by Graphyx · · Score: 5, Interesting

    Here is what the devolopers should do.
    Each time they submit a file that they have made changes to in the cvs archive, then also hmac it and sign it with their private key. Then later on if the system was compromized you could go back and computer the hmac of the file to make sure it matches that which the programmer submitted it to be.

    And then even if the system was compromised you wouldn't have to question which ones were changed or not since it can be checked just by confirming the hmacs.

    The best design for security have perfect forward security. And a signed hmac would prove the validity of the file unless the signing key was compromised.

  18. FBI Task Force by theCoder · · Score: 5, Insightful

    So, when is the FBI going to accounce their special task force to track down these dangerous hackers? After all, isn't that what they did when the Microsoft code was leaked? Something tells me this won't even make the FBI's radar, though...

    --
    "Save the whales, feed the hungry, free the mallocs" -- author unknown