FreeBSD Project Discloses Security Breach Via Stolen SSH Key

Posted by timothy on Saturday November 17, 2012 @02:22AM from the happy-transparency dept.

An anonymous reader writes "Following recent compromises of the Linux kernel.org and Sourceforge, the FreeBSD Project is now reporting that several machines have been broken into. After a brief outage, ftp.FreeBSD.org and other services appear to be back. The project announcement states that some deprecated services (e.g., cvsup) may be removed rather than restored. Users are advised to check for packages downloaded between certain dates and replace them, although not because known trojans have been found, but rather because the project has not yet been able to confirm that they could not exist. Apparently initial access was via a stolen SSH key, but fortunately the project's clusters were partitioned so that the effects were limited. The announcement contains more detailed information — and we are left wondering, would proprietary companies that get broken into so forthcoming? Should they be?"

2 of 86 comments (clear)

Min score:

Reason:

Sort:

Short answer by wbr1 · 2012-11-17 02:32 · Score: 5, Insightful

"...and we are left wondering, would proprietary companies that get broken into so forthcoming? Should they be?"
Short answer:
No, they do not want to scare the stockholders.
and... Yes, they should be because openness allows people to recover or protect themselves faster.

--
Silence is a state of mime.
You cannot secure carelessness by overmoderated · 2012-11-17 02:58 · Score: 5, Insightful

No matter how secure your system is (and SSH is very secure), if the individual using it is careless, the system will end up getting compromized.