Slashdot Mirror


Intrusion Cleanup Forces Delay For GNOME 2.6

An anonymous reader writes "Looks like the GNOME site (both web and FTP) is back up and running again (from a replacement system). The restoration work is still going on, and dynamic content does not work yet. Bugzilla should be up by tomorrow (it is already in testing mode). More details are available in this announcement. Kudos to the GNOME sysadmin team for such a rapid recovery." However, blurzero writes "GNOME 2.6 was scheduled to be released sometime today, however after evidence of possible intrusion on the web server, the release has been delayed by one week, until March 31st." Update: 03/24 14:08 GMT by T : An anonymous reader points to this story on the delay at ZD Net Australia.

11 of 170 comments

  1. Must've been a real bugger by James+A.+M.+Joyce · · Score: 4, Interesting

    Intrusion cleanup is a real bastard to carry out with any degree of success. There's really no way to prove that there isn't just one more subtle little backdoor hiding in the system, in your repository or in your /home area. This is a case where an ounce of prevention is better than a pound of cure. It's too late, here, unfortunately, so they should probably have rolled back to a backup on another set of boxes. (Just my two cents.) How well would TripWire have worked in this kind of situation? Or is that ineffective against an all-out rooting?

    1. Re:Must've been a real bugger by Anonymous Coward · · Score: 3, Interesting

      They have TireWire and it didn't work.
      TripeWire never works.
      I've seen TW failing and being exploited in several installations.
      Since the release of wirecutter TripWire has become fucking useless.

  2. I suppose by AnonymousCowheart · · Score: 3, Interesting

    I suppose this will get modded as flame bait, but a lot of people were cheering when Bill Gates' credit card number got stolen. Just wondering how those people felt now? I know there was no "real" damage in that case, and in this case the server was offline, but still something to consider. Maybe these people were also "trying to help" by showing a server insecurity.

  3. Re:It's just a hoax by marcello_dl · · Score: 2, Interesting

    Your hypothesis would be conceivable for a closed source project where bosses get pissed off when the product is not delivered on schedule, I don't think that Gnome developers have this kind of pressure.

    Also, this attack reminds me of the one on the Debian servers, because it occurred just before a Woody release. Let's wait and see what the Gnome team has to say about it.

  4. Who's responsible by Anonymous Coward · · Score: 0, Interesting

    If we ever find the jerks who keep breaking into free software servers, I hope they get full legislative punishment. Namely pound-in-the-ass prison. Stupid kiddiez.

  5. Re:Awwww man! by bbuchs · · Score: 2, Interesting

    Do you have any notes or tips you could post on the process? I'd like to give it a shot, but haven't had much luck as of yet.

  6. Intrusion Method Same Of Gnu.org Intrusion? by Goo.cc · · Score: 3, Interesting

    From what I have read, intrusion details have not been released yet but I wonder if the Gnome server was compromised the same way the gnu.org server was last year. If so, that would be disappointing.

    Still, I am happy to see that this will not push the next version of Gnome back very much. It is really starting to look nice to me and I am a Mac OS X user.

  7. Re:Dumb Cracker? by stevey · · Score: 3, Interesting

    It would be interesting to learn how the compromise had occurred.

    I'm guessing that all the important services would have been up to date (ssh/rsync/apache/etc) - so that leaves a password/ssh key compromise, or some scripting flaw.

    I hope we find out once the cleanup has been completed.

  8. Re:Well, there is one difference I appreciate... by Penguinisto · · Score: 4, Interesting

    "What does Microsoft have to do with this? You fucking dumb jackass."

    Well kiddo, it's not just MSFT truth be known (hence my mention of "more importantly, other proprietary companies..." )

    Most proprietary companies are too worried about "customer confidence" to actually be honest with their customers. Back when a group of Russians had 3 months' unlimited access to Windows' source code, it took outright proof in public before MSFT would admit to such a thing. ...and that's just MSFT; I wonder how many times Adobe's servers have been compromised? It would be nice to know that P-shop and Acrobat (or worse, the free reader?) wasn't quietly trojaned-up and sleeping on my 'dows boxen.

    Now, what about the break-ins we don't know about? How were they handled? How can a proprietary software company, let alone its customers, be sure that there aren't any nasty surprises hidden in their products?

    ...and therein lies the crux of my argument - open-source companies are specific, honest, and, well, open about what goes on security-wise.

    It's damned refreshing to be a customer who is treated like an adult, and not lied to, or kept in the dark about the products I use.

    Does this answer your question?

    --
    Quo usque tandem abutere, Nimbus, patientia nostra?

  9. Re:Dumb Cracker? by Too+Much+Noise · · Score: 3, Interesting

    Not really. Here's a scenario for you (the debian-style):
    • cracker compromises a 3rd-party machine and gets the ssh tokens for a legitimate user.
    • cracker logs into the server - no particular preference, that server just happened to be one of those he gained access to by sniffing on ssh logins from his initial machine
    • cracker logs in as a legitimate user on the server (impossible to detect at this stage) and acquires, in some way or another, root access (like a nice, untraceable pam exploit)
    • cracker tries to secure root access and triggers an alert in the logs (this being the 'dumb' step)

    The problem is, you can't trace the initial attack vector. It can be done by any script kiddie who compromises a machine that some developer uses. However, if it's not a mere script kiddie (and covers his tracks successfully), chances are that even a competent sysadmin can fail to discover it. Yeah, I know about read-only/remote IDS databases, remote logs, backups and so on. It's a nice overhead when you're handling a large farm and you still have to make sure the data is on a secure machine. Do you do it for all your servers? (besides, at this level of complexity you need a full-time job - at least experienced hackers will see it coming and maybe leave you alone).

    That said, whoever was the sysadmin for that box picked it up - kudos for that! And if the 'dumb cracker' line means what it says (from the logs, etc) then here's hoping that it was indeed just a lone incident.

  10. Re:Dumb Cracker? by Anonymous Coward · · Score: 1, Interesting

    I'm a long-time GNOME fan and it strikes me that the infrastructure is often left behind, such as the bugzilla version (definitely not up-to-date), and I imagine now that the same applies to the apache and so on.

    When you are so exposed on the Internet as gnome.org, you also need good sysadmins, not only good programmers. GNU/Linux alone doesn't do the trick. I don't see why people are saying how wise of them to move everything off-line and delay the release. They were idiots in the first place because they obviously left severe vulnerabilities unpatched. I hope that lessons are learned.