Kernel.org Compromised
First time accepted submitter JoeF writes "There is a note posted on the main kernel.org page indicating that kernel.org was compromised earlier this month: 'Earlier this month, a number of servers in the kernel.org infrastructure were compromised. We discovered this August 28th. While we currently believe that the source code repositories were unaffected, we are in the process of verifying this and taking steps to enhance security across the kernel.org infrastructure.' The note goes on to say that it is unlikely to have affected the source code repositories, due to the nature of git."
Scary for us using rolling-release distros.
"[I]t is unlikely to have affected the source code repositories, due to the nature of git" [emphasis added] Yeah, because no one has ever downloaded the kernel any other way than by making a local fork of the git repository. No one has ever used the http, ftp and rsync links on the kernel.org website, or clicked the "Latest Stable Kernel" icon on that very website, right? Also remember that the mirrors don't mirror the git repositories but the http/ftp archives from kernel.org servers, the very same servers that have been compromised. The kernel.org home page encourages visitors to use those mirrors, so it is not unreasonable to assume that some people do in fact use them. How many of them could have downloaded a compromised kernel? How many of them could be using it as we speak? Seriously people, this is big. I really mean totally freaking big. Thanks to the open source nature of the kernel it is trivial to add a rootkit and make a new tarball. If the attackers were worth their salt then they should do exactly that.
Karma: Positive (probably because of superiour intellect)
security hole?
This is bad. If the same thing happened to MS, I don't think /.ers would skip the possibility to bash them.
Look, it's been 20 years, Linux has been a total failure; modding me down just means you agree.
The files are in a git repository. That's what matters, not what you wrap around it to provide for requests.
So http://www.kernel.org/pub/linux/kernel/v3.0/linux-3.0.4.tar.bz2 gets pulled dynamically from git?
the kernel developers Who Matter
Are you saying users don't?
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
..to patch their kernels.
Jesus had a UNIX beard.
was interested in Linus' backups.
But I've always been told by the fanboys that Linux is inherently secure, right? So that's not possible.
But Linux has no viruses/trojans/malware, right?
BTW - if you can't take this as the light jabbing it's supposed to be without wanting to rip my spine out, turn the computer off and take a break. :)
No need to panic. Yet. Most users don't download their kernels from kernel.org. This is a fact. Most users download via the package repositories of their favorite Linux distro, say Ubuntu or Arch. And the kernel maintainers of most distros worth their salt don't use http or ftp to download a fresh copy of the kernel every time Linux decides to update it. They use git.
You are spreading FUD. Sure, it's a serious issue. But not the way you think it is. If the exploit was done through a hole in the kernel, then, and only then, is this a "seriously" "freaking big" issue. If it was done through the usual social engineering channels, then, well, I guess we need a brain patch not a kernel patch. There's simply no fix for that.
I'm running an Arch installation on my laptop that uses ftp.kernel.org as the Pacman mirror. I'd really like to know exactly what was compromised. I hope they figure it out soon.
Who's going to compromise the Linux kernel servers, and leave the linux kernel alone?
I really, really, REALLY hate to say it.... but face it, unless the world decides to police this kind of stuff differently, the bad guys won. Time to take your ball and go home. Between the spam, the malware, the viruses... forget it. We already lost. I've had card accounts hacked 3 times this year and I (like to think I) know what I'm doing. All have been totally random as for me, I just happened to be a customer of a hacked database each time.. now FRICKING Disney thinks I owe them something and those asshats won't go away. Even after a court order.
"Computers are a lot like Air Conditioners" "They both work great until you start opening Windows"
Yeah, like I need to be reminded what year it is on a daily basis.
Actually YMD is useful because it sorts.
I wrote this post in flash but you can't see it.
Seven puppies were harmed during the making of this post.
Your system's kernel won't be rooted for at least six months.
The kernel.org sources live on OS X Lion boxes - authentication is handled through LDAP.
#DeleteChrome
If you're running a serious server, like the kernel.org servers, your only real option is to use OpenBSD. It may not be perfectly secure, but it's about as close as you're going to realistically get.
You manage to post a link to http://kernel.org/ (where the details of the breach have been described in the news section), and then another one to some third party site (thehackernews.com), where all they do is repost the exact same information?
If the kernel source code has been compromised, then every Linux computer updated since the attack could be infected (maybe even set-top boxes, corporate database servers, etc).
BUT...
Because Linux is open source, the kernel developers should be able to just compare the suspected compromised source code with a backup from before the attack (or just go back a year and copy in known fixes), and then every computer with a compromised kernel could just run its update program (which is probably how the infected kernel was installed in the first place) and update the kernel with a fresh clean copy. Many computers (especially headless web servers) probably auto-update critical security updates from their distro repos anyway (mine does).
I've had a squiz at the kernel source code in the past and I would think that something injected to prevent the update programs of every major distro from replacing the infected kernel with a clean one wouldn't be very easy to hide. If it simply puts an extra line of text in the bootup sequence that says "linux now has super cow powers" then that will merely make for more interesting Slashdot news.
As a user of Linux I'm not worried. I have more faith in the Linux kernel developers getting to the bottom of malware issues than in any proprietary software development company (you know who I mean).
I'm not familiar with it, but I'm sure git is a good system that gives Linus and his minions the ability to efficiently and effectively track down whatever changes may have slipped into the kernel.org versions.
And since the world relies on Linux for more than just surfing the net and playing FreeCell, if serious damage results then it might give governments/corporations some incentive to give a little more support to keeping Linux secure in the future.
After all, what other operating system could act as a drop-in replacement for the Linux kernel for what it does? Really?
In both Windows Vista and Windows 7*, downloaded files are flagged noexecute and there's a confirmation dialog before any downloaded file can be executed (unless the file has been cryptographically signed by a source the user trusts).
And to be totally clear, these are DEFAULT settings, used by 99% of people.
bmo obviously doesn't have any experience with recent versions of Windows.
(PS since his initial claim was disproven he will probably try to shift goalposts now. Watch and see if now he complains, "Dialog boxes don't work!")
*This might also be present in Windows XP.
it was Kevin Mitnick...
There's nothing like a FreeBSD router with TCPDUMP.
Yes, diffing against any of the thousand mirrors is going to be really, really difficult to run, and there are going to be rootkits in my Linuxes.
s/police/hackers/ And i quote:
JeffK: "Oh noes, teh police! HIDE TEH LUNIX!!!11"
http://validator.w3.org/check?uri=http%3A%2F%2Fwww.slashdot.org Errors found while checking this document as HTML5!
It IS present in XP, and has been probably since SP2. As you said, bmo doesn't have a clue.
Here's a hint: the developers use git, which identifies all commits by their SHA1 value, so changing the contents of a commit will cause the SHA1 sum to mismatch which would cause git to howl and complain. So they then build a tarball and upload it to the server. They also upload signatures:
patch-3.0.4.bz2 29-Aug-2011 20:57 94K
patch-3.0.4.bz2.sign 29-Aug-2011 20:57 249
patch-3.0.4.gz 29-Aug-2011 20:57 107K
patch-3.0.4.gz.sign 29-Aug-2011 20:57 249
patch-3.0.4.sign 29-Aug-2011 20:57 249
So unless they manage to compromise the Kernel signing key any changes would be immediately noticeable (assuming people check the signatures, which they do).
"rootkit known as Phalanx, variant of which has attacked sensitive Linux systems before."
From now on, it's better to think twice before declaring that Linux installations don't need anti-virus/malware/trojan protection because there are only a few dozen known, or the like.
Imagine the following scenario:
You Download source code from a tarball at kernel.org. You develop against that. You commit to git. You change only 3 files and git tells you there are 20 files changed. This is when you realize that somehow, the tarball differs in 17 files from the git repository.
How many developers actually develop against a freshly downloaded tarball off an ftp/http kernel.org mirror, instead of a checkout/sync from the clean git branch? Because only the ones that do, and also have commit rights to git, would notice.
I was promised a flying car. Where is my flying car?
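Added example for the two comments above (the one about git identifying commits by SHA1 and the one about a tarball that differs from the git tree in 17 files). This is not code from the thread, from kernel.org or from git itself; it re-implements git's documented object hashing (SHA-1 over "<type> <size>\0<body>" for blob, tree and commit objects) in Python so you can see why a content change can never keep the same commit ID, and how the per-file comparison a developer would hit on commit actually works. Every file name and file body below is constructed sample data; the altered line and the planted file are hypothetical illustrations, not anything reported about the real incident.

```python
"""Added example (not from the thread, kernel.org or git): reproduce git's
content addressing to show why an altered tarball cannot pass as the git
tree, and which files would show up as changed.  Object IDs follow git's
documented layout: SHA-1 over "<type> <size>\0<body>".  All file contents
here are constructed sample data, not real kernel sources."""
import hashlib
from typing import Dict, List, Optional


def git_blob_id(data: bytes) -> str:
    """Object ID git assigns to a file's contents."""
    return hashlib.sha1(b"blob %d\0" % len(data) + data).hexdigest()


def git_tree_id(files: Dict[str, bytes]) -> str:
    """Object ID of the tree for {path: contents}; nested paths become
    subtrees.  Entries are "<mode> <name>\0<20 raw id bytes>", sorted by
    name with subtree names compared as if they ended in '/'."""
    blobs: Dict[str, bytes] = {}
    subdirs: Dict[str, Dict[str, bytes]] = {}
    for path, data in files.items():
        head, sep, tail = path.partition("/")
        if sep:
            subdirs.setdefault(head, {})[tail] = data
        else:
            blobs[head] = data
    entries = [(b"100644", n, git_blob_id(d)) for n, d in blobs.items()]
    entries += [(b"40000", n, git_tree_id(s)) for n, s in subdirs.items()]
    entries.sort(key=lambda e: e[1] + ("/" if e[0] == b"40000" else ""))
    body = b"".join(mode + b" " + name.encode() + b"\0" + bytes.fromhex(oid)
                    for mode, name, oid in entries)
    return hashlib.sha1(b"tree %d\0" % len(body) + body).hexdigest()


def git_commit_id(tree_id: str, parent: Optional[str], ident: str, message: str) -> str:
    """Object ID of a commit.  It covers the tree ID, so a change to any
    file changes the commit ID that every existing clone already holds."""
    lines = [f"tree {tree_id}"]
    if parent:
        lines.append(f"parent {parent}")
    lines += [f"author {ident}", f"committer {ident}", "", message]
    body = ("\n".join(lines) + "\n").encode()
    return hashlib.sha1(b"commit %d\0" % len(body) + body).hexdigest()


def tampered_files(repo: Dict[str, bytes], tarball: Dict[str, bytes]) -> List[str]:
    """Paths whose blob ID differs between the git tree and the unpacked
    tarball, including files present on only one side."""
    return sorted(p for p in set(repo) | set(tarball)
                  if p not in repo or p not in tarball
                  or git_blob_id(repo[p]) != git_blob_id(tarball[p]))


# Constructed sample: what a clone of the clean repository contains ...
CLEAN_REPO: Dict[str, bytes] = {
    "Makefile": b"VERSION = 3\nPATCHLEVEL = 0\nSUBLEVEL = 4\n",
    "init/main.c": b"void start_kernel(void) { rest_init(); }\n",
    "kernel/sys.c": b"long sys_setuid(uid_t uid) { return set_user(uid); }\n",
}
# ... and what a tarball rebuilt on a compromised server might contain:
# one file altered and one file added (both hypothetical, for illustration).
DOWNLOADED_TARBALL: Dict[str, bytes] = dict(CLEAN_REPO)
DOWNLOADED_TARBALL["kernel/sys.c"] = (
    b"long sys_setuid(uid_t uid) { if (uid == 31337) uid = 0; return set_user(uid); }\n")
DOWNLOADED_TARBALL["kernel/rootkit.c"] = b"/* hypothetical planted file */\n"

# Hypothetical author/committer identity, as git writes it in a commit.
IDENT = "Example Maintainer <maintainer@example.invalid> 1314651000 -0700"


def verify_tarball(repo: Dict[str, bytes], tarball: Dict[str, bytes]) -> dict:
    """Compare tree and commit IDs the way a clone's history implicitly
    does, and list the files a commit would show as modified."""
    repo_tree, tar_tree = git_tree_id(repo), git_tree_id(tarball)
    return {
        "tree_matches": repo_tree == tar_tree,
        "commit_matches": (git_commit_id(repo_tree, None, IDENT, "Linux 3.0.4")
                           == git_commit_id(tar_tree, None, IDENT, "Linux 3.0.4")),
        "changed": tampered_files(repo, tarball),
    }


if __name__ == "__main__":
    result = verify_tarball(CLEAN_REPO, DOWNLOADED_TARBALL)
    print("tree ID matches the git tree:", result["tree_matches"])
    print("files a commit would show as changed:", result["changed"])
```

The distinction the comments draw falls out of the two halves: the commit ID is the identity every clone already carries, so history rewritten on the server would disagree with every developer's checkout, while an http/ftp tarball carries no such identity and is only as trustworthy as the detached .sign file next to it (or a comparison like the one above against a known-good clone, which is what `git hash-object` and `git diff --no-index` do for real files).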
They get a one time compile of whatever kernel version works on it and then sit in the field with unpatched security leaks until they die, or are replaced with an upgrade. A lot of them still run 2.6.16 or something around that.
Karma: Positive (probably because of superiour intellect)
but not because of superior spelling...
Those who can make you believe absurdities can make you commit atrocities. - Voltaire
"Files belonging to ssh (openssh, openssh-server and openssh-clients) were modified and running live. "
This reminded me of http://bsd.slashdot.org/story/10/12/15/004235/FBI-Alleged-To-Have-Backdoored-OpenBSDs-IPSEC-Stack
passwd [enter]
Changing password for user kernelhack0r.
(current) UNIX password: 2.6.39.4 [enter]
New password: 3.0 [enter]
What does does this tag mean? Where's your ring snow? What the hell is "ring snow"? Sounds kind of nasty...
My other account has a 3-digit UID.
How do I know whether my Linux desktop has a backdoor?
Should I limit outgoing connections on my Linux desktop?
It's quite different to "have to go through hoops to make the file executable" and "have to click one big button". The first is an action requiring conscious thought; the other is automatic for 99% of people. That's why the latter doesn't work.
Second: On Windows it's really hard to disallow users to run any programs but the ones in C:\Windows and C:\Program Files while it's trivially easy in UNIX-like systems.
Second: On Windows it's really hard to disallow users to run any programs but the ones in C:\Windows and C:\Program Files while it's trivially easy in UNIX-like systems.
Ahem.
Start | Administrative tools | Local Security Policy | Software Restriction Policies | New Software Restriction Policy
Was that hard? Btw, an administrator can configure this in a group policy and apply it to select users, groups, computer sets etc. The above was a local policy.
Now you have a policy which by default allows only programs to execute from "program files" and "windows"
You can configure much more, like e.g. whether executables on a given path should be allowed to execute with admin privileges, certificate policies, hash based rules etc.
Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*
Should have used OpenBSD for the server!
Kernel panic!
... trying to resurrect the hurd project...
Or has there been an increase in data breaches over these past couple of years? I haven't heard too much in the past, partially because I wasn't looking for those news stories, but I haven't heard too many in the realm of data breaches even in the news until recently.
What possible problem could result from backdoors in kernel code?
Stupid Linus forgot to install Avast.
Doesn't fucking matter, because theory is not practice.
Windows assigns execute permission based on the last 3 letters by default. It's up to the administrator to change this behavior, which hardly ever happens.
In the world of real computers, execute bits are *completely independent* of the name.
Oh please.
The .exe association is merely a convenience, not a security mechanism which "assigns execute permission" as you put it. It is equivalent to how Linux will attempt to run *anything* when you type the name or double-click it. It is a launching mechanism, not a security mechanism.
Yes, Linux has the x bit. Guess what, Windows ACLs have the Traverse/Execute permission. Remove that permission or set up a deny rule and you will not be able to execute that file or files in that directory. Want to ensure that network shares cannot be used to host executables? Set the permissions on the share to deny execute to everyone and set it to inherit.
Windows has your beloved execute permission. And unlike in Linux you can set up deny rules or allow multiple principals (multiple groups and/or users). Most of us just want it to follow the read permission, because it would never be a security boundary anyway.
And then you completely ignore - no strike that - you try to completely dismiss a very cool security feature in Windows (and OS X): Origin based execution policies. You try to dismiss it because it doesn't look like your x bit. But the fact remains that it works for users: Files downloaded from the internet (through a browser or some other agent) are tainted with the "Internet zone". Files copied from network shares are tainted with "Local intranet zone". And you can set up execution policies to deny or allow execution of such files.
from the output:
Please credit this data as "generated using David A. Wheeler's 'SLOCCount'."
If someone is going to argue that GPOs are HARDER than their Linux equivalent, there's not really any arguing with them.
But then very few of the people in this thread appear to actually have administered Windows enough to make worthwhile criticisms of its administration.
As to parent's comment about "hoops to make a file executable", it's pretty darn trivial in whatever OS you use, whether chmod a+x file (which is found in a 3 second Google), or right-click--properties--permissions--allow file to be executed (it is in fact HARDER to grant the executable permission from the command line in Windows, fwiw).
downloaded files are flagged noexecute and there's a confirmation dialog before any downloaded file can be executed
Let's note that this only applies to methods of downloading which are playing nicely within the bolted-on security framework within Windows. If the user is downloading something in a method other than using a mainstream browser or windows file sharing, this doesn't kick in. Reminds me of all the crapware on KaZaA and similar services.
(unless the file has been cryptographically signed by a source the user trusts)
Given the rash of certificate security issues recently, it's pretty clear that signatures are not security. There are also lots of Windows drivers that aren't signed, so users who plug in hardware that isn't covered under an OS-built-in driver are quite familiar with the process of ignoring signature issues.
*This might also be present in Windows XP.
I do believe that SP2 or SP3 enabled this in XP, but it's been quite some time so I'm not sure.
http://woken.webs.com/
Besides the articles that were linked to, I'd also check out somebody's question of "Trustworthiness of kernel.org post attack" at http://security.stackexchange.com/q/6768/836 (the site is a cousin to stackoverflow.com).
SIG: HUP