Slashdot Mirror


Kernel.org Compromised

First time accepted submitter JoeF writes "There is a note posted on the main kernel.org page indicating that kernel.org was compromised earlier this month: 'Earlier this month, a number of servers in the kernel.org infrastructure were compromised. We discovered this August 28th. While we currently believe that the source code repositories were unaffected, we are in the process of verifying this and taking steps to enhance security across the kernel.org infrastructure.' The note goes on to say that it is unlikely to have affected the source code repositories, due to the nature of git."

13 of 312 comments

  1. Oops by drolli · Score: 4, Insightful

    This is bad. Would the same thing happen to MS, I don't think /.ers would skip the possibility to bash them.

    1. Re:Oops by jrbrtsn · Score: 5, Insightful

      If the same thing happened to Microsoft, Microsoft wouldn't let anybody know.

    2. Re:Oops by MaxBooger · Score: 4, Funny

      This is bad. Would the same thing happen to MS, I don't think /.ers would skip the possibility to bash them.

      Nah. They wouldn't bash them. cmd them, maybe. But not bash them.

    3. Re:Oops by realityimpaired · Score: 5, Insightful

      But more seriously, the fact of the matter is, most of the tripe spewed against Microsoft hasn't been true since the pre-XP era. This combines with idiots who don't comprehend what security actually is, and buy into the, "LINUX IS TOTALLY SECURE! LOLZ!" crap.

      Ok... I'll bite.... I will concede that Windows is a lot more secure than some folks will have you believe, but there is still one glaringly huge security flaw in Windows that would be ridiculously easy for Microsoft to fix: the accounts created during install time are all administrative accounts.

      To its credit, Windows will allow you to change those accounts to non-administrative, and it will give you the option of creating non-administrative accounts when you later go in to the user cp, but by default, it still makes everybody an administrator unless explicitly told not to.

      Now... the fundamentals of securing a Windows system are exactly the same as the fundamentals of securing a Linux system: don't run any unnecessary daemons, particularly daemons that listen to outside connections, and be careful what you allow to run on your computer. When possible, run anything that executes arbitrary code (like, say, Flash or Silverlight) sandboxed, or not at all. And above all, apply all security updates as soon as they're available. (well, assuming your source of security patches didn't get compromised....)

      It's not hard to lock down a Windows system, and all of the above has been doable since NT3.1 in 1993. But as long as its default setting is for users to have administrative access, and it doesn't require any kind of secondary authentication to run programs with elevated permissions (and don't get me started on the debacle that is UAC), then Windows is *not* as secure as most Linux distros. The average user is simply not going to go out of their way to lock down a system once they have gone through the initial setup, and with that in mind, Windows is defective by design. It's in the name of usability, which is certainly understandable, but don't paint it with rose coloured glasses: you can achieve the same level of security under Windows, but you have to do more to reach it.

  2. Re:Wishful thinking by Anonymous Coward · Score: 5, Insightful

    And seriously, why else would you hack kernel.org?

  3. Re:How did they hack it? by gchaix · Score: 4, Informative

    The post on kernel.org states that it was possibly due to a compromised user account. They stated that they discovered it through some errors related to Xnest /dev/mem and that they captured some of the exploit code. I believe they're still looking at everything to figure out how the intruders got in and what they touched.

    Kudos to the kernel.org team for their prompt action and immediate disclosure.

  4. he's talking about tarballs by bill_mcgonigle · Score: 4, Insightful

    The files are in a git repository. That's what matters, not what you wrap around it to provide for requests.

    So http://www.kernel.org/pub/linux/kernel/v3.0/linux-3.0.4.tar.bz2 gets pulled dynamically from git?

    the kernel developers Who Matter

    Are you saying users don't?

    --
    My God, it's Full of Source!
    OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    1. Re:he's talking about tarballs by Anonymous Coward · Score: 4, Insightful

      %Y-%m-%d please! Americans...

  5. Re:Wishful thinking by bzipitidoo · Score: 4, Interesting

    You know what? Linux users will go right on using plain Linux. Not SE Linux, not OpenBSD, and certainly not Windows. We're not even going to change our root passwords. Why? Because this security breach is not that big a deal.

    Yes, it is embarrassing for kernel.org, but the damage is not that great. Sure, we'd all like to prevent security breaches from ever happening in the first place, but I have always thought detection and recovery is more important than prevention. Kernel.org has that covered in spades. Keep backups. Keep many backups. Keep them in many different locations. A distributed source code revision control system such as git does that automatically. Whoever did this wasn't too smart if they were seriously trying to inject a backdoor into the Linux kernel. Now they've blown their cover. They can't have seriously expected the code modifications they tried to go unnoticed for long, unless they have no idea how large projects handle source code. So either they were dumb, or all they were trying to do was embarrass Linux.

    --
    Intellectual Property is a monopolistic, selfish, and defective concept. It is "tyranny over the mind of man"
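
What "the nature of git" in the story summary and the comment above rest on, as an added example that is not part of the thread or of kernel.org's own code: git names every object by a SHA-1 over its content, and each commit names its tree and parent commits by ID, so changing one file in an old snapshot changes every later commit ID and stops matching developers' clones. The file names, contents and identity string below are constructed, and the tree is kept flat (no subdirectories).

```python
import hashlib

def git_object_id(obj_type: str, body: bytes) -> str:
    """Git names an object by SHA-1 over '<type> <size>' + NUL + body."""
    header = f"{obj_type} {len(body)}".encode() + b"\x00"
    return hashlib.sha1(header + body).hexdigest()

def tree_id(files: dict) -> str:
    """Flat tree: one '<mode> <name>' + NUL + raw 20-byte blob ID per file, sorted by name."""
    body = b""
    for name in sorted(files):
        blob = bytes.fromhex(git_object_id("blob", files[name]))
        body += b"100644 " + name.encode() + b"\x00" + blob
    return git_object_id("tree", body)

def commit_id(tree: str, parents: list, message: str) -> str:
    """A commit records its tree and its parent commits by ID."""
    ident = "Example Dev <dev@example.invalid> 1314576000 +0000"  # constructed
    lines = [f"tree {tree}"] + [f"parent {p}" for p in parents]
    lines += [f"author {ident}", f"committer {ident}", "", message, ""]
    return git_object_id("commit", "\n".join(lines).encode())

def history_tip(snapshots: list) -> str:
    """Commit each snapshot on top of the previous one; return the last commit ID."""
    tip = None
    for i, files in enumerate(snapshots):
        tip = commit_id(tree_id(files), [tip] if tip else [], f"commit {i}")
    return tip

# Constructed three-commit history; only the last two commits touch init.c.
GOOD = [
    {"Makefile": b"VERSION = 3\n", "init.c": b"int start(void) { return 0; }\n"},
    {"Makefile": b"VERSION = 3\n", "init.c": b"int start(void) { return 1; }\n"},
    {"Makefile": b"VERSION = 3\n", "init.c": b"int start(void) { return 2; }\n"},
]
# Same history with one extra line slipped into the FIRST snapshot's Makefile only.
TAMPERED = [dict(GOOD[0], Makefile=b"VERSION = 3\nEXTRA = 1\n")] + GOOD[1:]

if __name__ == "__main__":
    print("clone tip   :", history_tip(GOOD))
    print("tampered tip:", history_tip(TAMPERED))
```

Although the last two snapshots are byte-identical in both histories, the tip IDs differ, which is the mismatch a fetch or `git fsck` on any existing clone would surface.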
  6. Re:Wishful thinking by nabsltd · Score: 5, Informative

    If the attackers were worth their salt, after gaining access they would drop in their own custom replacements for patch, make and gcc.

    Since patch, make, and gcc are all GNU tools and not part of the Linux kernel, the only harm would be to the single copy on the kernel.org machine. If that machine isn't part of the build process (i.e., if it was merely a file repository), then nothing would be compromised.

    It would also be pretty easy to see because builds from other machines wouldn't match.

  7. Re:Wishful thinking by msauve · Score: 4, Insightful

    "why else would you hack kernel.org?"

    1337 points.

    --
    "National Security is the chief cause of national insecurity." - Celine's First Law
  8. Re:How did they hack it? by inode_buddha · Score: 5, Informative

    H.P.A. has commit privs and his work laptop was trojanned. That's how. Am I the only one who reads and understands the original e-mails from the admin?

    --
    C|N>K
  9. YMD sorts by perpenso · Score: 5, Insightful

    Yeah, like I need to be reminded what year it is on a daily basis.

    Actually YMD is useful because it sorts.