Slashdot Mirror


GNU Savannah Site Compromised

Trailrunner7 writes "A site belonging to the Savannah GNU free software archive was attacked recently, leading to a compromise of encrypted passwords and enabling the attackers to access restricted project material. The compromise was the result of a SQL injection attack against the savannah.gnu.org site within the last couple of days and the site is still offline now. A notice on the site says that the group has finished the process of restoring all of the data from a clean backup and bringing up access to some resources, but is still in the middle of adjusting its security settings."
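What the SQL injection named in the summary looks like at the query level, as an added example that is not code from Savannah or from the story: a throwaway in-memory SQLite database with a users table of crypt-style password hashes and a projects table of restricted material, a user lookup built by string formatting beside its parameterized counterpart, and two attacker payloads, one that dumps every password hash and one that uses UNION to read the other table. The table names, columns, hashes and project data are constructed for this example and say nothing about how Savannah's application was actually built.

```python
import sqlite3

# Constructed sample data for this example. The hash strings are placeholders
# in the crypt(3) "$6$salt$hash" shape, not real SHA-512 crypt output.
SAMPLE_USERS = [
    ("alice", "$6$Q3qZ1w9a$placeholderHashForAlice"),
    ("bob",   "$6$n8Lx7vYd$placeholderHashForBob"),
]
SAMPLE_PROJECTS = [
    ("gnu-tool-x", "private-svn-credentials"),
    ("gnu-tool-y", "unreleased-release-notes"),
]


def make_db():
    """In-memory SQLite database standing in for the site's database."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pwhash TEXT NOT NULL)")
    con.execute("CREATE TABLE projects (name TEXT PRIMARY KEY, secret TEXT NOT NULL)")
    con.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    con.executemany("INSERT INTO projects VALUES (?, ?)", SAMPLE_PROJECTS)
    return con


def find_user_vulnerable(con, username):
    """The classic bug: the attacker-controlled value is pasted into the SQL
    text, so quote characters in it change the structure of the query."""
    sql = "SELECT username, pwhash FROM users WHERE username = '%s'" % username
    return con.execute(sql).fetchall()


def find_user_safe(con, username):
    """Parameter binding: the value travels separately from the SQL text and
    is never parsed as SQL, whatever characters it contains."""
    sql = "SELECT username, pwhash FROM users WHERE username = ?"
    return con.execute(sql, (username,)).fetchall()


# Two payloads an attacker might type into the username field.
DUMP_ALL_USERS = "x' OR '1'='1"                                  # every row, every hash
DUMP_PROJECTS = "x' UNION SELECT name, secret FROM projects --"  # a table the page never queries

if __name__ == "__main__":
    con = make_db()
    print("vulnerable, OR payload   :", find_user_vulnerable(con, DUMP_ALL_USERS))
    print("vulnerable, UNION payload:", find_user_vulnerable(con, DUMP_PROJECTS))
    print("safe, OR payload         :", find_user_safe(con, DUMP_ALL_USERS))
    print("safe, real username      :", find_user_safe(con, "alice"))
```

Against the formatted query the OR payload returns both users' hashes and the UNION payload returns the contents of an unrelated table, which is the shape of "compromise of encrypted passwords" plus "access to restricted project material" in one request; against the bound query both payloads are just usernames that match nothing. Binding fixes the parsing problem; it does not shrink what a query is allowed to read, so the database account a web application uses should also be restricted to the tables and operations the application needs.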

3 of 99 comments

  1. Re:But Linux is TEH SAFEZORZ! by LWATCDR · Score: 3, Informative

    It was a GNU project; it was running on HURD, not Linux.

    Umm... this wasn't a LINUX issue; it was an SQL injection attack on a website. Are you just trying to troll, or do you really not know the difference?

    --
    See my blog http://ilovecookes.blogspot.com/ for light-hearted technical information.
  2. Re:Encrypted passwords? by Tacvek · Score: 4, Informative

    Add to that that gcc is hosted.

    GCC's code repositories are hosted on gcc.gnu.org, a machine also known as sourceware.org, which is owned and operated by Red Hat and provides hosting for basically the entire GNU toolchain (automake, autoconf, binutils, GCC, gdb, glibc, and libstdc++)[1].

    This attack therefore would not be able to modify the GCC sources.

    [1] Notably not present are GNU's bison, libtool, m4 and make.

    --
    Stylish sheet to fix many problems in Slashdot's D3: https://gist.github.com/801524
  3. Re:Encrypted passwords? by Anonymous Coward · Score: 3, Informative

    Various Unixes, including Linux distributions like RHEL/CentOS, include a modern algorithm inspired by PHK that uses the later SHA-family algorithms and has variable rounds.

    But keep in mind that despite all the tutting from know-nothings on Slashdot who react to keywords like 'MD5' even the original DES-based Crypt remains remarkably secure. While a Windows password or MD5 rainbow table is something you can get from any Torrent site, crypt tables still don't exist. While Windows brute forcers can chew through eight alphanumerics while you wait for your pizza to cook, crypt will take weeks.

    Basically, other systems spent the early 21st century catching up to where Unix was in the 1970s.

    And none of this helps you when a user picks something dumb like 'linux' or 'opensesame' as a password.
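The SHA-family, variable-rounds scheme the comment refers to is glibc's SHA-512 crypt, the "$6$" entries in /etc/shadow. As an added example (not code from the page, from any commenter, or from glibc), here is a from-scratch Python implementation of that algorithm as laid out in Drepper's SHA-crypt specification, a verifier for /etc/shadow-style strings, and a timing loop that shows what the round count does to an attacker's cost per guess. The function names, the sample password and salt, and the round counts in the timing loop are this example's own choices; nothing here claims which scheme Savannah actually used.

```python
import hashlib
import hmac
import re

# crypt(3) uses its own 64-character alphabet, not RFC 4648 base64.
_B64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
ROUNDS_DEFAULT, ROUNDS_MIN, ROUNDS_MAX = 5000, 1000, 999_999_999
SALT_MAX = 16  # longer salts are silently truncated, as in glibc


def _repeat_to(block, length):
    """Repeat a 64-byte digest and cut it to exactly `length` bytes."""
    return (block * (length // len(block) + 1))[:length]


def _b64_24bit(b2, b1, b0, n):
    """Emit n characters for one 24-bit group, low 6 bits first (crypt order)."""
    w = (b2 << 16) | (b1 << 8) | b0
    out = []
    for _ in range(n):
        out.append(_B64[w & 0x3F])
        w >>= 6
    return "".join(out)


def sha512_crypt(password, salt, rounds=None):
    """SHA-512 crypt ("$6$"), following the SHA-crypt specification step by step."""
    if isinstance(password, str):
        password = password.encode()
    if isinstance(salt, str):
        salt = salt.encode()
    salt = salt[:SALT_MAX]
    custom_rounds = rounds is not None
    rounds = ROUNDS_DEFAULT if rounds is None else max(ROUNDS_MIN, min(ROUNDS_MAX, rounds))

    def digest(*parts):
        return hashlib.sha512(b"".join(parts)).digest()

    # Digest B = H(password || salt || password)
    b = digest(password, salt, password)
    # Digest A = H(password || salt || B stretched to len(password) || per-bit mix of B and password)
    a_ctx = hashlib.sha512(password + salt)
    a_ctx.update(_repeat_to(b, len(password)))
    n = len(password)
    while n > 0:
        a_ctx.update(b if n & 1 else password)
        n >>= 1
    a = a_ctx.digest()
    # P: the password hashed len(password) times, stretched to the password length
    p = _repeat_to(digest(*([password] * len(password))), len(password))
    # S: the salt hashed (16 + A[0]) times, stretched to the salt length
    s = _repeat_to(digest(*([salt] * (16 + a[0]))), len(salt))
    # The expensive part: `rounds` chained SHA-512 computations, each mixing in P and S.
    for i in range(rounds):
        c = hashlib.sha512()
        c.update(p if i & 1 else a)
        if i % 3:
            c.update(s)
        if i % 7:
            c.update(p)
        c.update(a if i & 1 else p)
        a = c.digest()
    # Encode the 64 result bytes in crypt's interleaved order: 21 groups of
    # (k, k+21, k+42), rotated by k mod 3, then the final byte alone.
    chars = []
    for k in range(21):
        x, y, z = a[k], a[k + 21], a[k + 42]
        trip = ((x, y, z), (y, z, x), (z, x, y))[k % 3]
        chars.append(_b64_24bit(*trip, 4))
    chars.append(_b64_24bit(0, 0, a[63], 2))
    prefix = "$6$" + ("rounds=%d$" % rounds if custom_rounds else "")
    return prefix + salt.decode() + "$" + "".join(chars)


_SHADOW_RE = re.compile(r"^\$6\$(?:rounds=(\d+)\$)?([^$]{0,16})\$([./0-9A-Za-z]{86})$")


def verify(password, shadow_hash):
    """Check a password against an /etc/shadow-style "$6$..." string."""
    m = _SHADOW_RE.match(shadow_hash)
    if not m:
        raise ValueError("not a SHA-512 crypt hash")
    rounds = int(m.group(1)) if m.group(1) else None
    recomputed = sha512_crypt(password, m.group(2), rounds)
    return hmac.compare_digest(recomputed, shadow_hash)


if __name__ == "__main__":
    import time
    print(sha512_crypt("Hello world!", "saltstring"))
    for r in (5000, 50000):
        t0 = time.perf_counter()
        sha512_crypt("Hello world!", "saltstring", r)
        print("rounds=%d: %.3fs per guess" % (r, time.perf_counter() - t0))
```

Two things the code makes concrete. The salt is mixed into every one of the `rounds` iterations, so a precomputed table would have to be built per salt, which is why the comment's point about tables applies to crypt-style hashes generally; and the round count is stored in the hash string itself, so a site can raise it over time and old entries keep verifying at the cost they were created with. The loop is pure Python and far slower than glibc, so the printed timings are only useful relative to each other.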