Kernel.org Compromised

First time accepted submitter JoeF writes "There is a note posted on the main kernel.org page indicating that kernel.org was compromised earlier this month: 'Earlier this month, a number of servers in the kernel.org infrastructure were compromised. We discovered this August 28th. While we currently believe that the source code repositories were unaffected, we are in the process of verifying this and taking steps to enhance security across the kernel.org infrastructure.' The note goes on to say that it is unlikely to have affected the source code repositories, due to the nature of git."

Wishful thinking

[Mensa+Babe]

"[I]t is unlikely to have affected the source code repositories, due to the nature of git" [emphasis added] Yeah, because no one has ever downloaded the kernel any other way than by making a local fork of the git repository. No one has ever used the http, ftp and rsync links on the kernel.org website, or clicked the "Latest Stable Kernel" icon on that very website, right? Also remember that the mirrors don't mirror the git repositories but the http/ftp archives from kernel.org servers, the very same servers that has been compromised. The kernel.org home page encourages visitors to use those mirrors so it is not unreasonable to assume that some people do in fact use them. How many of them could have downloaded a compromised kernel? How many of them could be using it as we speak? Seriously people, this is big. I really mean totally freaking big. Thanks to the open source nature of the kernel it is trivial to add a rootkit and make a new tarball. If the attackers were worth their salt then they should do exactly that.

Re:Wishful thinking

And seriously, why else would you hack kernel.org?

Re:Wishful thinking

[X0563511]

Are you stupid?

The files are in a git repository. That's what matters, not what you wrap around it to provide for requests. Anyone who happened to have a local git copy will notice VERY QUICKLY what changed when they try to commit... and I'd venture to say that nearly all of the kernel developers Who Matter use git for their development workflow.

Re:Wishful thinking

[Manfre]

If the attackers were worth their salt, after gaining access they would drop in their own custom replacements for patch, make and gcc. For such a large code base, it is not easy to tell if the code going in is yielding the expected instructions.

Re:Wishful thinking

[msauve]

"why else would you hack kernel.org?"

1337 points.

Oops

[drolli]

This is bad. Would the same thing happen to MS i dont think /.ers would skip the possibility to bash them.

Re:Oops

I clicked on this story with the sole intention of posting a smarmy, "HEY GAIZ I THOT LUNIX WAS SEKYOOR?" comment.

But more seriously, the fact of the matter is, most of the tripe spewed against Microsoft hasn't been true since the pre-XP era. This combines with idiots who don't comprehend what security actually is, and buy into the, "LINUX IS TOTALLY SECURE! LOLZ!" crap.

The truth is, if you want a truly secure system, in terms of h4x0rz, you want a system that's not connected to the Internet.

If you want a what-the-hell-are-you-doing-with-that-server-comrade secure system, you'll use OpenBSD.

Linux? Linux isn't as secure as people love to claim. That's not to say it can't be secure - at least in terms of secure for mostly anyone's needs - it simply takes knowledge and, yanno, actual maintenance - but this is no different than Windows, despite the FUD.

Re:Oops

[bmo]

>but this is no different than Windows, despite the FUD.

>no different than windows.

THIS IS WHAT WINDOWS FANBOIS REALLY BELIEVE.

Get back to me when Windows separates execute permission from the filename extension.

--
BMO

Re:Oops

[jrbrtsn]

If the same thing happened to Microsoft, Microsoft wouldn't let anybody know.

Re:Oops

[realityimpaired]

But more seriously, the fact of the matter is, most of the tripe spewed against Microsoft hasn't been true since the pre-XP era. This combines with idiots who don't comprehend what security actually is, and buy into the, "LINUX IS TOTALLY SECURE! LOLZ!" crap.

Ok... I'll bite.... I will concede that Windows is a lot more secure than some folks will have you believe, but there is still one glaringly huge security flaw in Windows that would be ridiculously easy for Microsoft to fix: the accounts created during install time are all administrative accounts.

To its credit, Windows will allow you to change those accounts to non-administrative, and it will give you the option of creating non-administrative accounts when you later go in to the user cp, but by default, it still makes everybody an administrator unless explicitly told not to.

Now... the fundamentals of securing a Windows system are exactly the same as the fundamentals of securing a Linux system: don't run any unnecessary daemons, particularly daemons that listen to outside connections, and be careful what you allow to run on your computer. When possible, run anything that executes arbitrary code (like, say, Flash or Silverlight) sandboxed, or not at all. And above all, apply all security updates as soon as they're available. (well, assuming your source of security patches didn't get compromised....)

It's not hard to lock down a Windows system, and all of the above has been doable since NT3.1 in 1993. But as long as its default setting is for users to have administrative access, and it doesn't require any kind of secondary authentication to run programs with elevated permissions (and don't get me started on the debacle that is UAC), then Windows is *not* as secure as most Linux distros. The average user is simply not going to go out of their way to lock down a system once they have gone through the initial setup, and with that in mind, Windows is defective by design. It's in the name of usability, which is certainly understandable, but don't paint it with rose coloured glasses: you can achieve the same level of security under Windows, but you have to do more to reach it.

he's talking about tarballs

[bill_mcgonigle]

The files are in a git repository. That's what matters, not what you wrap around it to provide for requests.

So http://www.kernel.org/pub/linux/kernel/v3.0/linux-3.0.4.tar.bz2 gets pulled dynamically from git?

the kernel developers Who Matter

Are you saying users don't?

Re:he's talking about tarballs

%Y-%m-%d please! Americans...

Re:he's talking about tarballs

Apart from the argument that YMD sorts it is also unambiguous. The first 12 days of each month can also be interpreted as month numbers. There are DMY countries and MDY countries. Can you always be sure which convention is being used? There are no YDM countries, so YMD is unambiguous.

Re:How did they hack it?

[recoiledsnake]

The post on kernel.org states that it was possibly due to a compromised user account. They stated that they discovered it through some errors related to Xnest /dev/mem and that they captured some of the exploit code. I believe they're still looking at everything to figure how how the intruders got in and what they touched.

Kudos to the kernel.org team for their prompt action and immediate disclosure.

How did the so called user account compromise result in root access? Care to explain?

YMD sorts

[perpenso]

Yeah, like I need to be reminded what year it is on a daily basis.

Actually YMD is useful because it sorts.

the nature of open source

[crutchy]

if the kernel source code has been compromised, then every linux computer updated since the attack could be infected (maybe even set top boxes, corporate database servers, etc).

BUT...

because linux is open source, the kernel developers should be able to just compare the suspected compromised source code with a backup from before the attack (or just go back a year and copy in known fixes) and then every computer with a compromised kernel could just run their update program (which is probably how the infected kernel was installed in the first place) and update the kernel with a fresh clean copy. many computers (especially headless web servers) probably autoupdate critical security updates from their distro repos anyway (mine does).

i've had a squiz at the kernel source code in the past and i would think that something injected to prevent the update programs of every major distro from replacing the infected kernel with a clean one wouldn't be very easy to hide. if it simply puts an extra line of text in the bootup sequence that says "linux now has super cow powers" then that will merely make for more interesting slashdot news.

As a user of linux I'm not worried. I have more faith in the linux kernel developers in getting to the bottom of malware issues than any proprietary software development company (you know who i mean).

i'm not familiar with it, but i'm sure git is a good system that gives linus and his minions the ability to efficiently and effectively track down whatever changes may have slipped into the kernel.org versions.

and since the world relies on linux for more than just surfing the net and playing freecell, if serious damage results then it might give governments/corporations some incentive to give a little more support to keeping linux secure in the future.

after all, what other operating system could act as a drop-in replacement for the linux kernel for what it does? really?