FreeBSD Project Discloses Security Breach Via Stolen SSH Key
An anonymous reader writes "Following recent compromises of the Linux kernel.org and SourceForge, the FreeBSD Project is now reporting that several machines have been broken into. After a brief outage, ftp.FreeBSD.org and other services appear to be back. The project announcement states that some deprecated services (e.g., cvsup) may be removed rather than restored. Users are advised to check for packages downloaded between certain dates and replace them, although not because known trojans have been found, but rather because the project has not yet been able to confirm that they could not exist. Apparently initial access was via a stolen SSH key, but fortunately the project's clusters were partitioned so that the effects were limited. The announcement contains more detailed information — and we are left wondering, would proprietary companies that get broken into be so forthcoming? Should they be?"
Whenever the topic of password security comes up, there are always a few people who will go on and on about how SSH keys are so much more secure than passwords.
Yet these people rarely acknowledge that SSH keys are basically no different than the old password-on-a-sticky-note-behind-the-monitor technique. In fact, SSH keys may even be worse, as they are already in a digital form ripe for stealing. Some of them even portray SSH keys as the solution to almost every authentication and security woe that exists.
I sincerely hope that these SSH key advocates take this incident as a humbling experience. I hope they realize that the claims they're making just aren't valid. Perhaps the smart ones will apologize for their past transgressions, and will vow not to spread their nonsense in the future.
The FreeBSD developers are among the best there have ever been. They know software and computer security inside and out. But if something like this can happen to one of them, it can happen far more easily to any lesser computer user.
So, please, SSH key advocates, take this as a lesson. Let some good come out of it, and mend your ways. Please.