Slashdot Mirror


Welcome Back Kernel.org

Hummdis writes "After more than a month of being offline due to a security breach at Kernel.org, they're back! While they were down, they took the time to 're-architect' the site for developers and users. A statement reads: 'As noted previously, kernel.org suffered a security breach. Because of this, we have taken the time to re-architect the site in order to improve our systems for developers and users of kernel.org. To this end, we would like all developers who previously had access to kernel.org who wish to continue to use it to host their git and static content, to follow the instructions here. Right now, www.kernel.org and git.kernel.org have been brought back online. All developer git trees have been removed from git.kernel.org and will be added back as the relevant developers regain access to the system. Thanks to all for your patience and understanding during our outage and please bear with us as we bring up the different kernel.org systems over the next few weeks. We will be writing up a report on the incident in the future.'"

55 of 94 comments

  1. Lessons for others? by G3ckoG33k · · Score: 1

    Welcome back.

    Which are the lessons for others to learn?

    1. Re:Lessons for others? by Anonymous Coward · · Score: 1

      From TFA: "We will be writing up a report on the incident in the future."

    2. Re:Lessons for others? by Hummdis · · Score: 1

      An article on Ars Technica stated that:

      "The intrusion was reported to kernel.org users earlier this week by site administrator John Hawley. The attack is believed to have occurred on August 12 but wasn't detected until August 28. The attack vector isn't known for certain, but it is thought that the attacker somehow obtained a legitimate user's login credentials and then exploited an unknown privilege escalation vulnerability. The attack was discovered when an Xnest error message was found in the system logs on a server that did not have Xnest installed."
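The clue in the quote above (a log message from Xnest on a server that had no Xnest installed) generalises to a simple check: flag syslog lines whose program tag matches nothing installed on the host. The following Python is an added example, not part of the original thread or of any kernel.org tooling; the log lines, host name and program inventory are constructed, and the function names are hypothetical.

```python
import os
import re
from collections import defaultdict

# Classic BSD-syslog line: "Mon DD HH:MM:SS host tag[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^\s\[\]:]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)


def installed_programs(path=None):
    """Names of executables found on PATH (one possible inventory source;
    a package-manager listing would be another)."""
    names = set()
    for d in (path or os.environ.get("PATH", "")).split(os.pathsep):
        try:
            entries = os.listdir(d) if d else []
        except OSError:
            continue  # missing or unreadable directory
        for entry in entries:
            full = os.path.join(d, entry)
            if os.path.isfile(full) and os.access(full, os.X_OK):
                names.add(entry)
    return names


def unexpected_log_sources(lines, installed, ignore=("kernel",)):
    """Return {tag: [lines]} for syslog tags that match no installed program.

    Matching is case-insensitive because daemons often log under an
    upper-cased tag (for example CRON for cron).
    """
    known = {n.lower() for n in installed} | {n.lower() for n in ignore}
    hits = defaultdict(list)
    for raw in lines:
        line = raw.rstrip("\n")
        m = SYSLOG_RE.match(line)
        if not m:
            continue  # not a classic syslog line; skipped, not flagged
        tag = os.path.basename(m.group("tag"))  # tag may be a full path
        if tag.lower() not in known:
            hits[tag].append(line)
    return dict(hits)


# Constructed sample data (not real kernel.org logs).
SAMPLE_LOG = [
    "Aug 12 03:10:01 hostA CRON[2211]: (root) CMD (run-parts /etc/cron.hourly)",
    "Aug 12 03:14:07 hostA sshd[2290]: Accepted publickey for dev1 from 192.0.2.10 port 50514 ssh2",
    "Aug 12 03:14:52 hostA Xnest[2301]: constructed sample error text",
    "Aug 12 03:15:00 hostA kernel: constructed sample kernel message",
    "this line is not in syslog format",
]
SAMPLE_INSTALLED = {"cron", "sshd", "bash"}  # constructed inventory

if __name__ == "__main__":
    for tag, found in unexpected_log_sources(SAMPLE_LOG, SAMPLE_INSTALLED).items():
        print(f"{tag}: {len(found)} line(s) from a program that is not installed")
        for entry in found:
            print("   ", entry)
    # On a live host the inventory could come from installed_programs().
```

A tag with no matching binary is a lead to investigate rather than proof of compromise, since the tag is chosen by whatever process wrote the line. The check also says nothing about activity logged under the name of a program that is installed.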

    3. Re:Lessons for others? by diegocg · · Score: 4, Informative

      "The compromise of kernel.org and related machines has made it clear that some developers, at least, have had their systems penetrated. As we seek to secure our infrastructure, it is imperative that nobody falls victim to the belief that it cannot happen to them. We all need to check our systems for intrusions. Here are some helpful hints as proposed by a number of developers on how to check to see if your Linux machine might be infected with something"

    4. Re:Lessons for others? by kthreadd · · Score: 1

      Linux is defective by design, duh!

      No, not really. Linux itself was not responsible for the incident so that would be an inaccurate lesson to learn. The lesson would rather be that it doesn't matter how strong a door is if you leave the key on a bar.

    5. Re:Lessons for others? by Runaway1956 · · Score: 1

      I don't think that there is a *nix user anywhere, outside of Apple Phanbois, who thinks their system is "impenetrable". The common wisdom is, our security is superior to Windows' security, but that doesn't translate to "impenetrable".

      --
      "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br

    6. Re:Lessons for others? by Lunix+Nutcase · · Score: 1

      All it takes is a simple google search to find numerous claims of Linux being impenetrable. It doesn't matter the claims are wrong, but the claims have been made by quite a few people.

    7. Re:Lessons for others? by Jonner · · Score: 1

      It means there are probably quite a few rooted Linux boxes out there and the users don't realize it because they bought into hype that their computer had impenetrable security.

      So how does that explain the far greater number of compromised Windows boxes? It's unlikely their owners thought they had impenetrable security. Compromised machines exist because people take foolish risks and aren't vigilant for malware either out of ignorance or apathy regardless of OS. The average user is still much safer running any non-Windows OS, though they shouldn't be complacent.

    8. Re:Lessons for others? by bonch · · Score: 1

      Such claims have been made about Linux since the creation of this website. The "Apple Phanbois" you refer to are actually a rarity in practice.

    9. Re:Lessons for others? by somersault · · Score: 1

      [citation needed]

      --
      which is totally what she said

    10. Re:Lessons for others? by Microlith · · Score: 1

      The people here who make that claim about Linux are occasional, but by no means representative of the site. Many major Apple focused forums do believe in the impenetrability of OS X as gospel, they are simply rare here.

    11. Re:Lessons for others? by F.Ultra · · Score: 1

      Yeah, nobody stole the Windows 2000 source code now did they?

    12. Re:Lessons for others? by LordLimecat · · Score: 1, Troll

      The common wisdom is, our security is superior to Windows' security,

      And on what do you base that assumption? Because scores of users get pwned by Acrobat and Java exploits, but it just happens to be hitting windows machines?

      I have never seen any credible proof that your common Linux server distros (RedHat, CentOS, Debian) are more secure out of the box than Windows Server 2003 or 2008-- and I have seen a LOT to suggest that 2008 (and Win7) are more secure than their *nix counterparts.

      I really don't want to start a flamewar on this (though I probably just did), but it's ridiculous to continue acting like this is 1995 and Windows is the piece of garbage it once was. Since NT, the filesystem security is better than your most common *nix variants (more granularity, more specificity). Since XP, the system has mechanisms to detect filesystem tampering and to repair it (SFC). Since XP SP3, it comes with a deny-all firewall built in and supports DEP. Since Vista, everyone runs as least-privileged, the browser is sandboxed, the RAM is ASLR'd, the kernel refuses unsigned patches / hooking, and the firewall has been upgraded to something that is on par with iptables. And since 7 x64, all drivers require a digital signature.

      A great many of those features came much later in Linux and OSX, and some are STILL lacking (due to fears about centralization, potential for abuse, etc-- valid reasons, but still resulting in lesser security). As it is now, for the most part, there is no appreciable difference between the security of Linux and that of Windows, and I defy anyone to provide a compelling argument to the contrary.

    13. Re:Lessons for others? by LordLimecat · · Score: 1

      Microsoft.com WAS hacked once, I think it just resulted in a jpg upload though.

      However, that's not a fair comparison, given that Microsoft has a huge budget for a dedicated IT team, which makes far more difference in security than the OS you happen to use.

    14. Re:Lessons for others? by 0123456 · · Score: 1

      It's true. Windows is more secure than Linux so long as you never turn the machine on.

    15. Re:Lessons for others? by Runaway1956 · · Score: 2

      Least privileged users? On Win7? *chuckles*

      On all Linux distros, you actually have to type a password to get root status. On Windows, you still only have to click a box to make it go away.

      You make a good point with Adobe and Java. But, more of us on Linux are using more alternatives to the most common Adobe and Java products. Some have similar vulnerabilities, while others have different vulnerabilities, while others simply lack the vulnerable features.

      But, it all comes down to computer savvy, in the end. And, Windows has courted the ignorant since day one. Make it simple, make it convenient, make it foolproof, but let the fools play with it. Linux? It attracts the geeks, the nerds, the paranoid. We don't need or want convenient. We need, and want, a system that we can control, not a system that Bill Gates and company thinks we should like.

      As for Linux being "less secure", well, I insist that we measure the incidence of penetrations. And, when we start measuring, you have to include all those home users who just click through all their antivirus and system warnings. "Warning: The application you are installing is a disguise for the worst worm that has ever been encountered! Do you wish to continue?" The user just clicks, "Yes". Yep, you gotta count him, 'cause he's a Windows user!

      --
      "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br

    16. Re:Lessons for others? by mug+funky · · Score: 1

      spend more time listening than talking.

      please.

    17. Re:Lessons for others? by mug+funky · · Score: 1

      wtf are you talking about? you think the kernel.org admins write all the documentation for all of linux?

    18. Re:Lessons for others? by mug+funky · · Score: 1

      searchreplace "linux" for "OSX" and watch the google hits increase.

    19. Re:Lessons for others? by next_ghost · · Score: 1

      Since Vista, everyone runs as least-privileged,

      Sorry but I don't believe that for a second. Because I've actually been down that road with XP. I can lock NT-based Windows down almost as much as any UNIX system is locked down by default. But the problem is that when you really do that, you throw a HUGE pile of software out of the window. Software that wants to write to its Program Files directory, software that wants to write to HKEY_LOCAL_MACHINE branch of registry or even worse, software that wants to write to Windows directory itself. Sure, all of that software was written by idiots but home users will rather give up security than that software. And Microsoft knows that. That's why UAC and other fancy "security" features of Vista/7 don't go anywhere near where they actually have to in order to improve security.

    20. Re:Lessons for others? by LordLimecat · · Score: 1

      Sorry but I don't believe that for a second. Because I've actually been down that road with XP. I can lock NT-based Windows down almost as much as any UNIX system is locked down by default. But the problem is that when you really do that, you throw a HUGE pile of software out of the window.

      Sorry, but you clearly haven't actually used Vista or 7. They don't ask you "would you like to run as least privilege?" in vista / 7; they force you into that. You have to do some tweaks to remove that policy (by turning off UAC).

      Why do you think Vista was hated so much? Some of it was performance, but the big user gripe was the "allow or deny" prompts, which were due to dropped privileges.

      And you clearly are unaware of all the junction points, registry virtualization, etc that was put into place to make such programs "just work" even without proper privileges-- for example, programs that try to store settings in %programfiles% will usually be redirected to a folder under %appdata%, transparently. Security is kept intact, the program keeps on working.

      Obviously you haven't been paying attention to the slow shift towards not requiring admin privileges, which has been going on for about 4 years now.

    21. Re:Lessons for others? by LordLimecat · · Score: 1

      On all Linux distros, you actually have to type a password to get root status. On Windows, you still only have to click a box to make it go away.

      Were that universally true, it would be irrelevant. You nevertheless run as an unprivileged user in Windows 7, and your snarky comment doesn't change that. Until you click allow, a program may not execute anything with full admin privileges.

      As for Linux being "less secure", well, I insist that we measure the incidence of penetrations.

      I was hoping to compare privilege escalation bugs or a similar category, Server2008 vs a recent kernel, but it's quite tricky A) finding usable lists, and B) comparing a full suite (server2008 standard) to a stripped down linux server install (why not compare to 2008 core?).
      But I did find this...I see a few Windows hacks on there, and an astonishing number of hacks on things like OpenSSL, SSH, RedHat, etc. Saying hands-down WinServer gets hacked more is ignorant; I would hazard that there is a greater incidence of intrusions on Linux servers than on comparable (year-wise) Windows installs (that is, not comparing kernel 2.6.39 to Windows NT4).

      If you are referring to windows malware, that is utterly irrelevant. There is an article on slashdot earlier discussing where malware installs come from, and the upshot is that at LEAST 87% of those installs are technically doable on OSX and Linux-- they exploit cross-platform plugins. And when you look at Pwn2Own, where year after year OSX (a *nix derivative) is the first to fall, it kind of puts a damper on the whole "lol windows security sucks" mentality.

      If there's anything to take from all of this, it's that relying on your platform in this day and age for security is brain-dead. All of the major platforms have comparable security features, and all sport built-in firewalls. Vulnerabilities these days overwhelmingly come from 3rd party services (Browser plugins, SSH, OpenSSL, LDAP), not the core OS, and from misconfiguration (including bad passwords). Basically, if anyone starts spouting off about how X infections are because Y operating system sucks, you know that person has absolutely no idea what they're talking about, and should not be trusted to secure any system.

    22. Re:Lessons for others? by galanom · · Score: 1

      You've never been to YouTube, right?

    23. Re:Lessons for others? by galanom · · Score: 1

      I used DOS for nearly 10 years and I've never been hacked!
      Not even when I put a null-modem cable on the serial port!

    24. Re:Lessons for others? by Eil · · Score: 1

      Which are the lessons for others to learn?

      Purchase and install a good antivirus solution.

    25. Re:Lessons for others? by LordLimecat · · Score: 1

      Or am-I just being paranoid ?

      You're being ridiculous. You cannot address memory in windows as you can through the /dev interface on Linux-- the filesystem paradigm is utterly different. And the two kernel designs are utterly incompatible-- Linux sports a monolithic kernel, while Windows has a microkernel. The binary formats of executable data on each is totally different. Etc etc etc.

      Or am I just being trolled?

    26. Re:Lessons for others? by knuthin · · Score: 1

      There is one, but it is locked. You can reset it however. Using "sudo passwd" or "sudo -i". Since you have rights to execute sudo, you can easily set the root password ;)

      --
      Some apps are WYSIWYG. Some others are WYSIWTF.

    27. Re:Lessons for others? by somersault · · Score: 1

      I don't think the two are necessarily mutually exclusive, but it was mostly just a joke. The kernel's APIs change quite regularly, and things like the Linux Kernel Module Programming Guide haven't been updated to reflect 3.0.0 yet. Programmers are notorious for enjoying coding, but forgetting to do documentation (myself included).

      --
      which is totally what she said

    28. Re:Lessons for others? by ancienthart · · Score: 1

      couldn't get past the second sentence... ALL linux distros?

      The #1 Linux distro, Ubuntu, does not have a root password set at all. Just use sudo

      Do you even use Linux?

      sudo requires you to enter a password from an account that has been given admin privileges.
      So instead of giving every admin access to the same root password, each admin gets their own password.

    29. Re:Lessons for others? by drinkypoo · · Score: 1

      On all Linux distros, you actually have to type a password to get root status.

      Only once. Then you can mess with the pam configs and just have it grant you access. I don't do this, mind you. About the only time I've messed with my pam configs was to enable local login for an account for which I wanted remote passworded login.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"

    30. Re:Lessons for others? by DaVince21 · · Score: 1

      Not really. I've seen both kinds of people IRL. Both are wrong, of course.

      --
      I am not devoid of humor.

    31. Re:Lessons for others? by Rysc · · Score: 1

      Microsoft is also not likely to disclose every security breach; they gain nothing by doing so and it harms their image.

      --
      I want my Cowboyneal

    32. Re:Lessons for others? by DaVince21 · · Score: 1

      You *really* should not use any of them if you actually value security. There are actual OSes (and I guess distros, to an extent) that put security before anything else. Windows, most Linux distros and OSX certainly aren't.

      --
      I am not devoid of humor.

    33. Re:Lessons for others? by DaVince21 · · Score: 1

      Have you ever heard of Git, and why it pretty much prevented the actual kernel from being compromised?

      --
      I am not devoid of humor.

    34. Re:Lessons for others? by Short+Circuit · · Score: 1

      You don't know what you're talking about. Seriously.

      Starting with Vista, users, even "Power Users" and "Administrators", run least-privileged to start. For compatibility's sake, writes to %PROGRAMFILES% and friends are virtualized and shunted aside to a per-user store. To get code to run as an Administrator, you need to "Run As Administrator" the program itself, another process (such as cmd or Windows Explorer) that then launches the program, or you have to code the application to request privilege elevation, which then triggers the UAC dialog.

    35. Re:Lessons for others? by LordLimecat · · Score: 1

      Yes, because windows doesn't have that. Oh wait, it does, it's called UAC (GUI) and runas (CLI-- and I'll note that this has been around for absolutely ages).

      There IS no "root password" on windows-- as in linux, there are passwords for various accounts with varying privileges. Obviously there is a "default" admin, which is called root on linux / unix, and administrator on windows, but on each system is changeable.

      It's like 90% of the people comparing windows to linux have either not used windows, or not used linux. Come on guys, this is basic stuff.

    36. Re:Lessons for others? by LordLimecat · · Score: 1

      Open a zip file in Internet Explorer. Just did that today, and it executed the code.

      I open zip-files from browsers of all shades all the time, and it never automatically executes any content. Possibly you have a crappy, bug-ridden archive handler?

      Norton didn't complain. I did reveal that it had been rooted, but no prevention.

      Add that to the list of problems you need to address-- norton is a pile of garbage, and doesn't reflect well on the state of your computer if you have that installed. It is known to do all sorts of bizarre things. Honestly, it's possible that the exploit you experienced-- if legitimate-- was targeted at norton and exploited the way norton performs its scanning.

      If you must use an antivirus, use Microsoft Security Essentials-- there are other good free AVs, but MS's is the only one which has been basically trouble-free over the last 2 years (Avast now causes bluescreens, grrrr).

      "Since XP SP3, it comes with a deny-all firewall built in"
      The fire wall fell and the virus walked right around it.

      I'm going to say this as kindly as I can-- the above comment indicates you don't understand what each of those defenses are for. Viruses often enough do not need to contend with ASLR, DEP, or a firewall, because technically their execution was requested by the user (or at least, content was requested, and said content exploited a plugin flaw).

      Each and every year, Mac OSX is exploited before the windows computer in Pwn2Own; it's not because Windows is superior, it's because most of the OSes share the same types of defense, which still cannot protect against buggy, unsupported 3rd party crapware.

    37. Re:Lessons for others? by LordLimecat · · Score: 1

      Now you might say that the Windows machine gets pwned almost immediately because there's more malware out there targeting it,

      Actually, the Windows server will never get owned, because out of the box (at least on SBS installs) the firewall rejects all traffic.

      So really, your entire statement falls to pieces.

    38. Re:Lessons for others? by LordLimecat · · Score: 1

      By the way, if anyone doubts this, I would happily take them up on some challenge with VMs, or physical machines. There could even be some stakes, if you desired, though it wouldn't matter-- neither the CentOS box nor the Windows Server box will EVER be hacked except A) by a bruteforcing of the password (assuming you haven't set lockout policies up), or B) by enabling services and allowing traffic through the firewall.

      Otherwise, iptables / windows firewall would make any such attempts futile.

    39. Re:Lessons for others? by ancienthart · · Score: 1

      If the default option for a security system is to not enable it (accounts are created with broad, rather than limited permissions) - guess what 90% of users will do. (And yes, I'm aware this has changed in later versions of Microsoft, but that's like a child-care worker expecting praise for saying "Oh, we don't let the kids play out on the highway ... now.")

      Much like the security questions horror in Vista, Microsoft mixes middling to brilliant software engineering, with bloody awful social engineering. And keep in mind this comes from a Linux user. :D

    40. Re:Lessons for others? by crutchy · · Score: 1

      by default in a debian installation i don't even have access to sudo. i can use "su" and type the root password. there used to be an option during the installation to select either use of sudo or su, but the squeeze installer doesn't include the option and automatically sets the use of su. then after i install i configure the wheel group [http://www.linuxsecurity.com/resource_files/host_security/securing-debian-howto/ap-checklist.en.html] so that only my own local login can access su.

      i use win7 at work and we've had three office-wide viruses this year alone. there is no security by default.

  2. Re:clicked on download 3.0.4 by davek · · Score: 1

    Not Found
    The requested URL /pub/linux/kernel/v3.0/linux-3.0.4.tar.bz2 was not found on this server.

    In the process of getting up?

    For some reason the links on the homepage appear to be broken.

    You can still browse to the repos by going to http://git.kernel.org/

    --
    6th Street Radio @ddombrowsky

  3. Bugzilla by diego.viola · · Score: 3

    when is bugzilla.kernel.org coming back as well?

    1. Re:Bugzilla by Eunuchswear · · Score: 1

      MOD THIS UP11!!!!

      --
      Watch this Heartland Institute video

  4. Git documentation lives! by RobNich · · Score: 1

    Yay! I spent the last two weeks learning git, and Google kept pointing me to kernel.org for the documentation. Having the site actually up will be nice, although I've already learned everything possible about Git!

    --
    Hello little man. I will destroy you!

    1. Re:Git documentation lives! by Jonner · · Score: 1

      Yay! I spent the last two weeks learning git, and Google kept pointing me to kernel.org for the documentation. Having the site actually up will be nice, although I've already learned everything possible about Git!

      Perhaps you should have used the git project's actual site.

    2. Re:Git documentation lives! by folderol · · Score: 2

      If your name is not Linus Torvalds you haven't learned everything possible about Git!

    3. Re:Git documentation lives! by Jappus · · Score: 2

      And if your name is Linus Torvalds, you don't have to learn everything possible about Git, as you can just decree whatever you think is right as being right.

    4. Re:Git documentation lives! by RobNich · · Score: 1

      I would have if it had matching documentation, but according to Google, it doesn't.

      --
      Hello little man. I will destroy you!

  5. Re:Maybe they should switch to OpenBSD... by kthreadd · · Score: 1, Troll

    Last time I checked Apple runs their stuff on Windows Azure so maybe Kernel.org should do the same. I mean, Kernel.org has been hacked what now, two or three times? How many times has Windows Azure been hacked? Zero. So, just by looking at statistics moving to that platform could be a good move.

    I mean, since we just went odd-version and have the Visual Basic rewrite imminent, being open towards new hosting platforms should be an option.

  6. Re:Maybe they should switch to OpenBSD... by Eunuchswear · · Score: 1

    woosh...

    --
    Watch this Heartland Institute video

  7. Re:Maybe they should switch to OpenBSD... by bonch · · Score: 1

    "Lot of publicity" = snarky comments on Slashdot

  8. 404 Not found for most of the links on kernel.org by sick_soul · · Score: 1

    sh-3.1$ wget http://www.kernel.org/pub/linux/kernel/v3.0/ChangeLog-3.0.4
    --2011-10-06 12:41:23-- http://www.kernel.org/pub/linux/kernel/v3.0/ChangeLog-3.0.4
    Resolving www.kernel.org... 149.20.4.69
    Connecting to www.kernel.org|149.20.4.69|:80... connected.
    HTTP request sent, awaiting response... 404 Not Found
    2011-10-06 12:41:23 ERROR 404: Not Found.

  9. Re:It corrects 4 Runaway1956 by Runaway1956 · · Score: 1

    Holy smokes, AC - you're just a little bit above my head with some of that. I'll have to actually do it all, and see.

    And, I have to admit that when and where strict discipline is required, Windows can indeed be pretty danged secure. The military uses Windows all over the place, and it's pretty secure. But - then again - I'm reminded of Great Britain's "Windows for Subs" fiasco, in which the machines were overwhelmed by viruses and malware. I never did stumble across the details of that mess, but I would have assumed that THEY were subject to strict discipline!

    --
    "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br

  10. Still looking for 3.0.4 kernel tarballs, etcetera by quarkscat · · Score: 1

    I'm still looking for the 3.0.4 linux kernel tarballs, etcetera. The kernel.org front page lists it, but it isn't available through the usual directory tree via HTTP -- 3.0 yes, 3.0.4 no. And I am one gearhead who actually looks through all the Changelogs. That said, I'm glad you're (kernel.org) back up on-line, well mostly ... ;)