Intrusion Cleanup Forces Delay For GNOME 2.6
An anonymous reader writes "Looks like the GNOME site (both web and FTP) is back up and running again (from a replacement system). The restoration work is still going on, and dynamic content does not work yet. Bugzilla should be up by tomorrow (it is already in testing mode). More details are available in this announcement. Kudos to the GNOME sysadmin team for such a rapid recovery." However, blurzero writes "GNOME 2.6 was scheduled to be released sometime today, however after evidence of possible intrusion on the web server, the release has been delayed by one week, until March 31st." Update: 03/24 14:08 GMT by T : An anonymous reader points to this story on the delay at ZD Net Australia.
Intrusion cleanup is a real bastard to carry out with any degree of success. There's really no way to prove that there isn't just one more subtle little backdoor hiding in the system, in your repository or in your /home area. This is a case where an ounce of prevention is better than a pound of cure. It's too late here, unfortunately, so they should probably have rolled back to a backup on another set of boxes. (Just my two cents.) How well would Tripwire have worked in this kind of situation? Or is that ineffective against an all-out rooting?
now I have to go to two geek parties in one week
Actually, if you check the GNOME-Announces list, you will see that every package was already updated to work with GNOME 2.6. They just want to double check everything.
"GNOME 2.6 was scheduled to be released sometime today, however after evidence of possible intrusion on the web server, the release has been delayed by one week, until March 31st."
That could have been disastrous had they been forced to delay until April 1. Imagine all the jokes that would have ensued.
Now we have to wait one WHOLE week?
:)
Maybe the KDE team did this to slow Gnome down...
By the way, I've tried CVS metacity with FD.O's Xserver..... funky stuff. Translucency when you move windows! Although it chews a fair bit of CPU (when moving the window itself, that is, as just holding the window still doesn't chew CPU), it should be fixed when we finally get HW acceleration. I was able to get MPlayer to play a video in the background, hover a window over it and watch it through it. ub3r cool stuff.
Founder of Mirror Moon - Tsukihime Game Trans
If only MSFT (and more importantly, proprietary software companies that aren't so much in the spotlight) were as forthcoming about break-ins.
How long, Nimbus, will you abuse our patience?
I suppose this will get modded as flamebait, but a lot of people were cheering when Bill Gates's credit card number got stolen; I'm just wondering how those people feel now. I know there was no "real" damage in that case, and in this case the server was offline, but still, something to consider. Maybe these people were also "trying to help" by showing a server insecurity.
It makes you nervous about the big megacorps -- when their website is compromised -- do they even know... or care? I've never seen M$ shut down for a day because of a website compromise, although it must have happened several times.
Jay | http://oldos.org
Your hypothesis would be conceivable for a closed-source project where bosses get pissed off when the product is not delivered on schedule; I don't think that Gnome developers have this kind of pressure.
Also, this attack reminds me of the one on the Debian servers, because it occurred just before a Woody release. Let's wait and see what the Gnome team has to say about it.
---- MISSING MISCELLANEOUS DATA SEGMENT --- [sigdash] trolololol
A rumor is circulating that Gnome was using an unpatched IIS... I wish they would run Linux, it is much more secure, believe me.
According to Waugh, the GNOME Web servers that are hosted by Red Hat were compromised by "a dumb cracker who probably didn't realise what they got into".
Seems like he was smart enough to hack their system.
Scott Plumlee
Something bad happens to someone we like. Bummer.
Something bad happens to someone we don't like. Haw Haw.
Why do people make such a big fucking deal out of double standards? Should I feel equally angry toward someone who kills a stranger as I would if they'd killed a relative? No.
From what I have read, intrusion details have not been released yet but I wonder if the Gnome server was compromised the same way the gnu.org server was last year. If so, that would be disappointing.
Still, I am happy to see that this will not push the next version of Gnome back very much. It is really starting to look nice to me and I am a Mac OS X user.
As much as not being able to run Gnome 2.6 today makes me want to sit on my bed and weep, I am really grateful that the Gnome team is more concerned with releasing a secure product than with releasing when they said they would. This is one of those advantages of non-commercial software that we always cheer about, in action. Rock on.
This event immediately brought thoughts of Half-Life 2 to mind.
I bet in a week the source code for GNOME 2.6 will be all over the Internet, free for anyone to take, read, and use!
No post with "M$" in the body contains anything of value.
Could it be that having competent, diligent system administrators is more important than using the "right" server platform?
"Ask not what your country can do for you." --John F. Kennedy
How do you know the MD5 wasn't made after the intruder got in? It wouldn't be very valuable then, would it?
The point is, after a break-in you must determine when the break-in occurred, because everything after that is suspect. The problem is it can sometimes be very difficult -- or impossible -- to determine when the break-in happened. Then you're really, really screwed.
In the end they will lay their freedom at our feet and say to us, Make us your slaves, but feed us. - Fyodor Dostoyevsky
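As an added illustration, not code from this thread or from the GNOME project, of the Tripwire question asked earlier and of the objection just above about a checksum taken after the intruder got in: a minimal file-integrity checker in Python run over a constructed directory tree. The file names, contents, and the intruder's actions are made up for the demonstration; the point it shows is that the same scan finds everything when the baseline predates the break-in and nothing when the baseline was taken afterwards.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def snapshot(root):
    """Walk root and record (sha256, permission bits) for every regular file.

    This is the Tripwire-style baseline. It is only worth anything if it was
    taken before the compromise and stored where the intruder cannot alter it.
    """
    root = Path(root)
    baseline = {}
    for path in root.rglob("*"):
        if path.is_file() and not path.is_symlink():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            mode = path.lstat().st_mode & 0o7777
            baseline[path.relative_to(root).as_posix()] = (digest, mode)
    return baseline


def compare(root, baseline):
    """Report files that changed content or mode, appeared, or vanished."""
    current = snapshot(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def simulate():
    """Constructed scenario: the same rooting checked against two baselines."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        # Hypothetical clean system: a wrapper "ls" and a one-line passwd file.
        (root / "bin" / "ls").write_bytes(b"#!/bin/sh\nexec /usr/bin/ls \"$@\"\n")
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")

        # Baseline taken before the intrusion and kept off-host (simulated by
        # keeping it in memory, where the intruder's edits below cannot reach it).
        good_baseline = snapshot(root)

        # Intruder arrives: trojans ls, drops a setuid backdoor, adds a uid-0 user.
        (root / "bin" / "ls").write_bytes(b"#!/bin/sh\n/bin/.bd &\nexec /usr/bin/ls \"$@\"\n")
        (root / "bin" / ".bd").write_bytes(b"\x7fELF placeholder for a backdoor binary")
        os.chmod(root / "bin" / ".bd", 0o4755)
        with open(root / "etc" / "passwd", "a") as fh:
            fh.write("toor:x:0:0::/:/bin/sh\n")

        # Baseline taken only now, after the intruder already got in.
        late_baseline = snapshot(root)

        return compare(root, good_baseline), compare(root, late_baseline)


if __name__ == "__main__":
    early, late = simulate()
    print("baseline from before the break-in finds:", early)
    print("baseline from after the break-in finds:", late)
```

The first report lists the trojaned ls, the appended passwd and the new setuid file; the second report is empty, because the late baseline simply enshrines the rooted state. That is why the timeline question in the post above matters: a baseline, or a checksum on the download page, is evidence only if you can show it was produced before the intruder could have touched it.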
No, dumbass, the difference is that closed-source companies keep it a secret (or don't know in the first place) when their servers are compromised, while Gnome and Debian are very up-front about it.
If you think this kind of thing hasn't happened to Microsoft, Oracle, etc., you're wrong. They just like to keep it quiet.
All's true that is mistrusted
Which one of you dirty bastards couldn't wait 1 day for the source? Whoever is running GNOME 2.6 right now, stand up and speak! Impatient Bastard!
This sort of thing is exactly what I'd expect from freedom-hating closed-source advocates. No doubt, some SCO fan went and did this in retaliation for the Linux developers' attempts to preserve their intellectual property rights.
There is a dark side of the commercial software community and now we are beginning to see it emerge.
(Warning: this article contains sarcasm.)