Intrusion Cleanup Forces Delay For GNOME 2.6
An anonymous reader writes "Looks like the GNOME site (both web and FTP) is back up and running again (from a replacement system). The restoration work is still going on, and dynamic content does not work yet. Bugzilla should be up by tomorrow (it is already in testing mode). More details are available in this announcement. Kudos to the GNOME sysadmin team for such a rapid recovery." However, blurzero writes "GNOME 2.6 was scheduled to be released sometime today, however after evidence of possible intrusion on the web server, the release has been delayed by one week, until March 31st." Update: 03/24 14:08 GMT by T : An anonymous reader points to this story on the delay at ZD Net Australia.
Perhaps I am the only person getting an odd sense of deja vu...
Intrusion cleanup is a real bastard to carry out with any degree of success. There's really no way to prove that there isn't just one more subtle little backdoor hiding in the system, in your repository or in your /home area. This is a case where an ounce of prevention is better than a pound of cure. It's too late, here, unfortunately, so they should probably have rolled back to a backup on another set of boxes. (Just my two cents.) How well would TripWire have worked in this kind of situation? Or is that ineffective against an all-out rooting?
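As an added illustration of the Tripwire question raised above (this is example code, not anything from the GNOME project or the Tripwire tool), here is a minimal file-integrity baseline and verifier over a constructed sample tree; the `demo()` function, paths and file contents are made up. The caveat in `verify()` is the answer to the "all-out rooting" question: the check is only as trustworthy as the storage the baseline and checker were loaded from.

```python
import hashlib
import os
import stat
import tempfile
from typing import Dict, Tuple

def file_fingerprint(path: str) -> Tuple[str, int, int]:
    """Hash content and record mode/size, the attributes a Tripwire-style tool stores."""
    st = os.lstat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest(), stat.S_IMODE(st.st_mode), st.st_size

def build_baseline(root: str) -> Dict[str, Tuple[str, int, int]]:
    """Fingerprint every regular file under root, keyed by relative path (symlinks skipped)."""
    baseline: Dict[str, Tuple[str, int, int]] = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if not os.path.islink(full):
                baseline[os.path.relpath(full, root)] = file_fingerprint(full)
    return baseline

def verify(root: str, baseline: Dict[str, Tuple[str, int, int]]) -> Dict[str, str]:
    """Report paths added, removed or modified since the baseline. Caveat: baseline and
    checker must come from read-only or off-host media; on a rooted box a local database
    can simply be regenerated to match the replaced files, and the checker itself swapped."""
    current = build_baseline(root)
    findings = {rel: "removed" for rel in baseline if rel not in current}
    findings.update({rel: "modified" for rel, fp in baseline.items()
                     if rel in current and current[rel] != fp})
    findings.update({rel: "added" for rel in current if rel not in baseline})
    return findings

def demo() -> Dict[str, str]:
    """Constructed sample tree: take a baseline, then simulate post-intrusion changes."""
    def put(root: str, rel: str, data: bytes) -> None:
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "wb") as f:
            f.write(data)
    with tempfile.TemporaryDirectory() as root:
        for rel, data in {"bin/login": b"ELF...", "etc/motd": b"hi", "lib/libc.so": b"ELF"}.items():
            put(root, rel, data)
        baseline = build_baseline(root)  # assumed to be copied off-host right after this
        put(root, "bin/login", b"ELF,,,")          # replaced binary: same size, new content
        os.remove(os.path.join(root, "etc/motd"))  # file removed
        put(root, "lib/.hidden.so", b"x")          # unexpected new file
        return verify(root, baseline)
```

Because size and mode match on the replaced binary, only the content hash catches it; a tool that compared timestamps or sizes alone would miss that case.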
now I have to go to two geek parties in one week
Why is the MD5SUM for gtk-devel-2.0.1a.tar.gz broken ?
Actually, if you check the GNOME-Announces list, you will see that every package was already updated to work with GNOME 2.6. They just want to double check everything.
"GNOME 2.6 was scheduled to be released sometime today, however after evidence of possible intrusion on the web server, the release has been delayed by one week, until March 31st."
That could have been disastrous had they been forced to delay until April 1. Imagine all the jokes that would have ensued.
Yeah, sure, they're gonna make up an elaborate story to delay their release one week. Like it'd not be much easier to just tell the world that they'll be a little late with this release.
I mean, let's face it. That would just completely destroy their reputation, contrary to word that their servers have been hacked.
Now we have to wait one WHOLE week?
:)
Maybe the KDE team did this to slow Gnome down...
By the way, I've tried CVS metacity with FD.O's Xserver..... funky stuff. Translucency when you move windows! Although it chews a fair bit of CPU (when moving the window itself, that is, as just holding the window still doesn't chew CPU), it should be fixed when we finally get HW acceleration. I was able to get MPlayer to play a video in the background, hover a window over it and watch it through it. ub3r cool stuff.
Founder of Mirror Moon - Tsukihime Game Trans
If only MSFT (and more importantly, proprietary software companies that aren't so much in the spotlight) were as forthcoming about break-ins.
Quo usque tandem abutere, Nimbus, patientia nostra?
I suppose this will get modded as flamebait, but a lot of people were cheering when Bill Gates' credit card number got stolen; I'm just wondering how those people feel now. I know there was no "real" damage in that case, and in this case the server was offline, but still something to consider. Maybe these people were also "trying to help" by showing a server insecurity.
It makes you nervous about the big megacorps -- when their website is compromised -- do they even know... or care? I've never seen M$ shut down for a day because of a website compromise, although it must have happened several times.
Jay | http://oldos.org
Your hypothesis would be conceivable for a closed source project where bosses get pissed off when the product is not delivered on schedule; I don't think that Gnome developers have this kind of pressure.
Also, this attack reminds me of the one to the Debian servers, because it occurred just before a Woody release. Let's wait and see what the Gnome team has to say about it.
If we ever find the jerks who keep breaking into free software servers, I hope they get full legislative punishment. Namely pound-in-the-ass prison. Stupid kiddiez.
Hmm, slightly convenient, just like the Valve - HL2 delays.
You mean, they'll delay GNOME 2.6 before March 31st to Summer, and before Summer they delay it again and so on?
No please! I want my GNOME!
The IT section color scheme sucks.
A rumor is circulating that Gnome was using an unpatched IIS... I wish they would run Linux, it is much more secure, believe me.
...they're running the new system on OpenBSD
According to Waugh, the GNOME Web servers that are hosted by Red Hat were compromised by "a dumb cracker who probably didn't realise what they got into".
Seems like he was smart enough to hack their system.
Scott Plumlee
hehe, before someone mods you +1 Informative: gnome.org runs Linux/Apache.
:)
Nice one though
Kudos to the GNOME sysadmin team for getting owned
Something bad happens to someone we like. Bummer.
Something bad happens to someone we don't like. Haw Haw.
Why do people make such a big fucking deal out of double standards? Should I feel equally angry toward someone who kills a stranger as I would if they'd killed a relative? No.
From what I have read, intrusion details have not been released yet but I wonder if the Gnome server was compromised the same way the gnu.org server was last year. If so, that would be disappointing.
Still, I am happy to see that this will not push the next version of Gnome back very much. It is really starting to look nice to me and I am a Mac OS X user.
Bill Gates' credit card number was just one out of thousands of numbers taken from several servers. There is nothing to compare here. You're just trying to stir up shit with Linux zealots by creating an apparent double standard where none exists (or at least if it does, you're giving a terrible example).
Side note: the vast majority of people who claim to be "trying to help", regardless of what security measure they have circumvented, are actually just messing around for kicks and would rather be seen as a friend than an enemy when the shit hits the fan. This "white hat" and "black hat" nonsense was concocted by corporate computer security consultants, who of course know nothing about computer security and need to do something to justify their salaries. Most of the general public and especially corporate executives are paranoid and have a hard time believing that hackers aren't after their precious profits.
If you're not part of the solution, you're part of the precipitate.
Maybe they did the same thing that Valve did and released a press release about the "intrusion" in order to push back release dates since they were falling back?
As much as not being able to run Gnome 2.6 today makes me want to sit on my bed and weep, I am really grateful that the Gnome team is more concerned with releasing a secure product than with releasing when they said they would. This is one of those advantages of non-commercial software that we always cheer about, in action. Rock on.
This event immediately brought thoughts of Half-Life 2 to mind.
I bet in a week the source code for GNOME 2.6 will be all over the Internet, free for anyone to take, read, and use!
"...yes, General? I'd like to buy that slightly used supersonic fighter you have idling in your hangar, please. Payment? No problem, dude; you take Amex, right?"
OTOH, you're right to a point, though wouldn't "trying to help" involve some sort of notice to the victim?
With all these break-ins on open source servers, it should finally let people see that just having open source software on a server does not make it more secure. The apache.org site was hacked because of an insecure default install of a web application and MySQL. Even the docs said not to leave it that way. If 1 in 100,000 people make such mistakes, popularity created more places to get in.
I don't believe it true in this particular case, but we really require a term for the general case of attempting to use strange/illegal incidents for advertising.
I submit "Paris Hilton Device" as a candidate.
Get thee glass eyes, and, like a scurvy politician, seem to see things thou dost not.--King Lear
If you look at the compromised source to GNOME, you may not be able to contribute to uh, well, hmm,
nevermind.
No post with "M$" in the body contains anything of value.
Something's not right here. Does this mean that the Gnome website is hosted on an IIS webserver? I mean, we all know that only IIS servers are insecure.
Or could it be that system security depends more on diligent admins than software?
"Ask not what your country can do for you." --John F. Kennedy
Could it be that having competent, diligent system administrators is more important than using the "right" server platform?
You are absolutely right that the admin has to apply any missing patches and modifications to the system that may not have been in place on the compromised server. My thanks for bringing that up
(although, in some cases, no patch will save you... esp. if it was an inside job, or someone got hold of the passwords. but that's the bitch about security - the paranoia never stops digging deeper :) )
You know, you are absolutely right! After all, they gotta make them deadlines or make up stupid excuses so that they can keep people interested and make them buy their product... oh, err, never mind!
Seriously: this is part of what I like about OSS - no forced deadlines that are driven by profit concerns. If it takes an extra week to make sure it's right, so what?
That MCSE line was a joke, right? Please! PLEASE tell me you were joking. I have 8 years of experience, and have seen MCSE certs that couldn't install a floppy, install Windows, and had no idea what TCP/IP was used for.
As in someone is trying, at the very last moment before release, to sneak some backdoor or trojan into the code? It would be a bit strange to find a part of GNOME listening on a high port for traffic. Most of that code does not need to work as a server...
comment first, facts later. http://chem.tufts.edu/AnswersInScience/RelativityofWrong.htm
This will all come out as
Gnome webserver security breach + gnome open source => open source insecure...
Another FUD is born
My Karma is so low that even my own postings are beyond my current threshold
They've hacked in and gotten the source code! For free!
careful now, you'll have to make another "LOL I AM TEH FUNNY BUT I NEVER GOT LAID" karmawhore post if you keep using up your wanky little "mod points"
In the case of proprietary software development, the driving force is generally that promises have been made to (current and future) customers. Breaking those promises can hurt the customer's perception of the reliability of the development organization. Perhaps more importantly, it can hurt the managers' and developers' self-image.
It seems to me that these motives would also apply to an Open Source project. After all, no one wants to be thought of as unreliable.
That said, I also suspect that none of the above applies in the present case. A one-week delay, in a multi-month project, when there is an obvious reason for concern over trojans, seems completely reasonable to me.
I'm surprised that conspiracy theorists on Slashdot didn't blame the Gnome team for faking the intrusion because they could not meet the deadline for the release.
1f u c4n r34d th1s u r34lly n33d t0 g37 l41d
There is a difference between more secure and absolutely secure.
Embrace hypocrisy if you want, but then don't whine when nobody takes you or your community seriously.
No, dumbass, the difference is that closed-source companies keep it a secret (or don't know in the first place) when their servers are compromised, while Gnome and Debian are very up-front about it.
If you think this kind of thing hasn't happened to Microsoft, Oracle, etc., you're wrong. They just like to keep it quiet.
All's true that is mistrusted
Choice quote from the ZDNet article - "a dumb cracker who probably didn't realise what they got into". (It's nice to know Red Hat Linux can be hacked by a dumb cracker.)
Kind of offtopic to the security breach (but not to the release of 2.6 itself), but.. is there a list of changes/updates anywhere?
I'm curious as to what improvements have been made.
We have secretly replaced these Slashdot mods' sense of humor with a rusty nail. Let's see if they notice!!
I believe that if anyone has a right to display the monetary greed of Microsoft (M$), it's me.
I run a website (oldos.org) dedicated to old computers. We used to offer downloads of DOS, Windows, etc. Old operating systems no longer available for sale anywhere. Did Microsoft care? No. We received a cease-and-desist order -- hence why you see no illegal downloads on the site today.
I don't want to complain; I am glad that the Savannah team (consisting mostly of volunteers) handled the break-in there with great care and responsibility. But still we have to give extra credit to the team handling the gnome servers for bringing up the services so quickly. (At Savannah, it took more than a month until CVS write access was re-enabled.)
Which one of you dirty bastards couldn't wait 1 day for the source? Whoever is running GNOME 2.6 right now, stand up and speak! Impatient Bastard!
This just fits in with previous /. articles which mentioned that Linux distributions were just as insecure as Windows.
This wouldn't happen if Linux were more than just a kernel. The majority of these repetitive distributions just need to die..die..die.. There is a need for a real Linux operating system which isn't just a hodge-podge of snips, snails and puppy-dog tails.
Maybe once the linux community gets past their egos some real development in this arena can commence.
Agreed. Microsoft (and any other proprietary company) has nothing to do with this topic. Too bad you're flamebait now...
If this was an IIS server that got hacked, everyone here would be ranting and raving about how insecure MS products are. Instead, they praise the admins for their fast recovery of the server.
It seems that it's not just Microsoft that is getting hacked these days.
I bet this does not show up on slashdot!
This sort of thing is exactly what I'd expect from freedom-hating closed-source advocates. No doubt, some SCO fan went and did this in retaliation for the Linux developers' attempts to preserve their intellectual property rights.
There is a dark side of the commercial software community and now we are beginning to see it emerge.
(Warning: this article contains sarcasm.)
Does anyone have a copy of the code that was taken from the site? Any chance of the KDE developers being able to reverse engineer some of the Gnome features from it?
;-)
Oh right, *open* source software....
So you say that because FOSS projects let us know of security breaches, that means that somehow they are more secure? If their security is breached, it does not matter whether they tell someone or not, the fact remains that their security has been breached. Of course being a FOSS project you will try to spin it that this actually means that they are somehow more secure. But if the MS servers had been compromised, you would be ranting about how that proves commercial software is less secure.
Go back to your temple, zealot. It's people like you with totally implausible arguments that make all users of FOSS look bad.
You should learn to read, or at least practice your comprehension skills; the GP said nothing like what you said.. you could be a Troll I suppose.
Get modded down for posting a troll, then get modded up for posting a whore 2 posts later.
I salute you sir
My my, we are touchy today! Cannot understand perhaps why people do not switch to Linux while you belt them with your Linux manual? I did not and still do not care what the GP said, otherwise THAT is the post I would have replied to. In this instance, I replied to YOUR post, which was about SERVERS (perhaps you are a troll, the GP was about Linux on the desktop - you were totally off-topic).
If you want people to use Linux, take some advice. Firstly, stop frothing at the mouth; it scares people away. Telling someone they are stupid for not doing something is not a good way to convert them. An unsecured, unpatched *nix box will be just as vulnerable as an unsecured Win box, so get off your high horse. And a big one: never assume someone is less intelligent than you just because they don't agree with everything you think. I can guarantee you there are plenty of people with far higher intelligence who will see the world totally differently.
Oh, and accusing people of trolling just because they don't try to convert the world to FOSS is rather immature.
Ahh, you are a Troll. Have a nice day Troll.