Slashdot Mirror


Gentoo Linux Github Organization Repo Hack Was Down To a Series of Security Mistakes (betanews.com)

The team behind Gentoo Linux has revealed the reasons for the recent hack of its GitHub organization account. The short version: shoddy security. From a report: It seems that the hackers were able to gain access to the GitHub organization account by using the password of one of the organization administrators. By the team's own admission, poor security meant that the password was easy to guess. As the Register points out, "only luck limited the damage," but the Gentoo Linux team is keen to let it be known that it has learned a lot from the incident. In an entry on the Gentoo Linux wiki, there is a fairly detailed breakdown of what happened, how it happened, and what is being done to prevent it from happening again. The wiki entry summarizes the hack attack as follows: "An unknown entity gained control of an admin account for the Gentoo GitHub Organization and removed all access to the organization (and its repositories) from Gentoo developers. They then proceeded to make various changes to content. Gentoo Developers & Infrastructure escalated to GitHub support and the Gentoo Organization was frozen by GitHub staff. Gentoo has regained control of the Gentoo GitHub Organization and has reverted the bad commits and defaced content."

42 comments

  1. The password? by Anonymous Coward · · Score: 0

    Love, sex, secret, god... Or emerge?

  2. Learned a lot! by Anonymous Coward · · Score: 0

    New password: 1234567!

  3. 2FA? by Bengie · · Score: 4, Insightful

    Not using two-factor? Even with a weak password, 2FA helps immensely.

  4. Git saves the day by davide+marney · · Score: 0

    ... again. Call me crazy, but git is right up there with Linux itself in terms of advancing the art.

    --
    "We receive as friendly that which agrees with, we resist with dislike that which opposes us" - Faraday

    1. Re:Git saves the day by Anonymous Coward · · Score: 0

      Git is a pile of shit.
      Someday it will graduate from toy status to industrial scale, but I doubt it.

      Let me know when it can handle 100GB+ repositories with 1000+ commits a day and we'll talk.

      It's a fantastic distributed merge tool, but for source control it's crap.
      While I fully expect to get flamed, distributed merge is exactly the case Linus originally designed it for.

    2. Re:Git saves the day by Anonymous Coward · · Score: 1

      Github got bought out, not Git, the software it uses. MS is free to alter Git on the new Github now, but probably won't.

    3. Re:Git saves the day by Bengie · · Score: 1

      A few issues here:
      1) Huge repos are many times a symptom. The Linux source code is only a few tens of MiB and it's a kernel with a ton of drivers.
      2) Git is getting constant performance optimizations as people bump into these performance issues.
      3) It's more difficult for a large repo to get dropped into git because git is getting incremental performance improvements and it's impractical to make all of the necessary changes in short order.

      Git has had some major improvements over the past 3-5 years for a select few common operations that perform poorly with lots of objects. You may want to revisit, and if you have performance issues, document and submit them. I wouldn't doubt that the rollout of further performance improvements has been slowed down by the mountain of work to support SHA3.

    4. Re:Git saves the day by Desler · · Score: 1

      Git got bought out by Microsoft.

      I'm pretty sure the Software Freedom Conservancy would be pretty surprised by this.

      This may very well be an attack and not a hack of any kind.

      And what does Microsoft get out of committing this federal crime? This was just a mirror. If Microsoft was gonna commit a federal crime wouldn't they have been smart enough to actually attack the main repositories hosted by Gentoo themselves? What would attacking a mirror buy them?

    5. Re:Git saves the day by Anonymous Coward · · Score: 0

      So Gentoo is lying to cover for Microsoft attacking them? Dude, never go full retard...

    6. Re:Git saves the day by Anonymous Coward · · Score: 0

      And for source control you're using...?

      CAP === 'diabetes'

    7. Re:Git saves the day by Anonymous Coward · · Score: 0

      Git is a pile of shit.
      Someday it will graduate from toy status to industrial scale, but I doubt it.

      Let me know when it can handle 100GB+ repositories with 1000+ commits a day and we'll talk.

      It's a fantastic distributed merge tool, but for source control it's crap.
      While I fully expect to get flamed, distributed merge is exactly the case Linus originally designed it for.

      You must work at Google or MS. The only reason you will get flamed is that you didn't really provide any details. You are obviously comparing it to some project you are close to, to which git failed, and some other source control that succeeded (Not seeing the alternative, so they are all shit)

      Linux kernel source is a pretty active and large source code repo I would think, the only one I can think of without spending all day looking. Compressed at head today it's 189 MB, 3.7 GB cloned, and has averaged 125 commits / day this year.
      https://www.schoenitzer.de/lks/lks_en.html (no idea if this is current or trustworthy)

      It's not even close to your requirements; so to say it is shit when it works perfectly for what I would assume, a great % of all repos out there is pretty arrogant and close-minded. Maybe you are a troll.

    8. Re: Git saves the day by Anonymous Coward · · Score: 0

      MS put the Windows source into a git repo. Something that more than crushes your requirements.

    9. Re:Git saves the day by Desler · · Score: 1

      1) Huge repos are many times a symptom. The Linux source code is only a few tens of MiB and it's a kernel with a ton of drivers.

      This is total bullshit. The latest Linux source code snapshot tarball from kernel.org of 4.18-rc3 is 159 MB. Decompressed it clocks in at nearly 800 MB.

    10. Re:Git saves the day by Desler · · Score: 1

      You must work at Google or MS.

      How so? Microsoft uses Git extensively. A while back they even migrated the entire Windows source repository to Git.

    11. Re:Git saves the day by Bengie · · Score: 1

      Correct. Only a magnitude off. Relative to 100GiB repos, it's meh.

  5. Hh huh... by Anonymous Coward · · Score: 0

    So how many backdoors have been implanted in their self-hosted infrastructure that they have yet to find?

  6. The hackers made themselves known by 140Mandak262Jamuna · · Score: 4, Interesting

    After guessing the password, the hacker blocked access to all other admins. Thus the hack was immediately realized.

    A more savvy hacker would have just used the password to merge unauthorized fraudulent commits. Thus the hack would have remained undetected.

    Must assume: There are more savvy hackers.

    Must assume: There are other repos with weak, guessable password.

    Must conclude: There are well hidden bombs ticking away in many more repositories.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact

  7. 4 minutes by gillbates · · Score: 0

    It took just 4 minutes for someone to notice something was wrong, and less than an hour to begin remediation.

    In a closed-source organization, it sometimes takes months for them to figure out they've been compromised, and even longer to fix it; I once bought a Toshiba laptop that shipped with a virus, and didn't get the real fix for a few months afterward.

    --
    The society for a thought-free internet welcomes you.

    1. Re:4 minutes by 93+Escort+Wagon · · Score: 1

      I’m not sure those two examples are even remotely comparable. And while I’m a fan of open source, let’s not pretend there haven’t been vulnerabilities like heartbleed which manage to linger, undiscovered, for months - or even years.

      --
      #DeleteChrome

    2. Re:4 minutes by F.Ultra · · Score: 1

      The Equifax hack would be far more comparable.

  8. Re:Git slaves are the day by Anonymous Coward · · Score: 0

    You obviously do not know that the "attack" was a false flag...

    CAP === 'affable'

  9. Gentoo Linux: NOW you can trust us by xxxJonBoyxxx · · Score: 2

    >> shitty admin password in 2018

    So...Gentoo has assured us this is the only half-assed shortcut they've taken, right? OK, seems legit.

    1. Re:Gentoo Linux: NOW you can trust us by Anonymous Coward · · Score: 0

      It is hard to ensure that every developer is doing what he is supposed to do, but here is what is being done right now:

      1. The github organization requires 2FA.
      2. The main repository is on Gentoo's own infrastructure and it requires two factors for commits. The first is a developer's SSH key. The second is that the commits are PGP signed by a known developer key. The complete key fingerprints are checked on each commit.
      3. Instructions have been added to the wiki telling users how to verify their trees have not been subject to tampering when doing updates.

      What more could possibly be done?
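One way to automate the fingerprint check from point 2 above, added here as an example and not Gentoo's own tooling: it reads the tab-separated output of git log's `%H`, `%G?`, `%GF` and `%GP` placeholders and accepts a commit only when its signature verifies and the full primary-key fingerprint is on an allow-list. The allow-list, the key fingerprints and the sample log are constructed for this example.

```python
"""Check that every commit in a range is signed by a known developer key.

Input is what this git command prints (tab-separated, one commit per line):
    git log --format='%H%x09%G?%x09%GF%x09%GP' BASE..HEAD
%H commit hash; %G? signature status (G good, U good but not in local web of
trust, B bad, E cannot be checked, N unsigned); %GF signing-key fingerprint;
%GP primary-key fingerprint. The allow-list and log below are constructed.
"""
from __future__ import annotations
from dataclasses import dataclass

K1 = "AAAA1111BBBB2222CCCC3333DDDD4444EEEE5555"  # hypothetical developer key
KNOWN_DEVELOPER_KEYS = {K1, "0123456789ABCDEF0123456789ABCDEF01234567"}  # allow-list

@dataclass(frozen=True)
class CommitCheck:
    commit: str
    ok: bool
    reason: str

def check_log_line(line: str, allowed: set[str]) -> CommitCheck:
    """Accept a commit only if its signature verifies and the full primary-key
    fingerprint is allow-listed; the allow-list, not gpg's trustdb, decides trust."""
    commit, status, subkey_fpr, primary_fpr = line.rstrip("\n").split("\t")
    if status == "N":
        return CommitCheck(commit, False, "unsigned commit")
    if status not in ("G", "U"):
        return CommitCheck(commit, False, f"signature did not verify (status {status})")
    # Compare the full 40-hex fingerprint: short key IDs are cheap to collide.
    fpr = (primary_fpr or subkey_fpr).upper()
    if len(fpr) != 40 or fpr not in allowed:
        return CommitCheck(commit, False, f"key {fpr} is not a known developer key")
    return CommitCheck(commit, True, "signed by known developer key")

def verify_log(text: str, allowed: set[str] = KNOWN_DEVELOPER_KEYS) -> list[CommitCheck]:
    """Check every non-empty line; a single failure should reject the whole update."""
    return [check_log_line(l, allowed) for l in text.splitlines() if l.strip()]

# Constructed sample: allowed key, unknown key, unsigned commit, bad signature.
K_UNKNOWN = "FFFF0000FFFF0000FFFF0000FFFF0000FFFF0000"
SAMPLE_LOG = "\n".join([
    f"1111111111111111111111111111111111111111\tG\t{K1}\t{K1}",
    f"2222222222222222222222222222222222222222\tG\t{K_UNKNOWN}\t{K_UNKNOWN}",
    "3333333333333333333333333333333333333333\tN\t\t",
    f"4444444444444444444444444444444444444444\tB\t{K1}\t{K1}",
])

if __name__ == "__main__":
    for r in verify_log(SAMPLE_LOG):
        print("OK  " if r.ok else "FAIL", r.commit[:12], r.reason)
```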

    2. Re:Gentoo Linux: NOW you can trust us by xxxJonBoyxxx · · Score: 1

      You're missing the point: the same kind of person that thinks it's OK to shlep in the area of security quality may also be shlepping in the area of code quality, or architecture, or ???.

    3. Re:Gentoo Linux: NOW you can trust us by Bengie · · Score: 1

      Actually following the rules? I don't see how anyone bypassed 2FA or guessed the right code. Either there's a design flaw that no one is talking about or 2FA was not used in this case.

    4. Re:Gentoo Linux: NOW you can trust us by Anonymous Coward · · Score: 0

      What more could possibly be done?

      Pee in my butt?

  10. Re:Git slaves are the day by Desler · · Score: 1

    Gentoo is perpetuating a false flag to cover for Microsoft attacking them? How much glue have you been sniffing lately?

  11. Re:Git slaves are the day by Anonymous Coward · · Score: 0

    6/28 was an inside job!

  12. Missing Link from TFS by Anonymous Coward · · Score: 5, Informative

    In an entry on the Gentoo Linux wiki, there is a fairly detailed breakdown of what happened, how it happened, and what is being done to prevent it from happening again.

    You suck M'Smash. Leave.

    1. Re:Missing Link from TFS by WinstonWolfIT · · Score: 1

      Security as an afterthought today is just inconceivable.

    2. Re:Missing Link from TFS by Anonymous Coward · · Score: 0

      Security has and always will be an afterthought. Just look at Windows past and present.

    3. Re:Missing Link from TFS by Digital+Avatar · · Score: 1

      inconceivable

      You have used that word again. I do not think it means what you think it means.

    4. Re:Missing Link from TFS by Desler · · Score: 1

      How so? Security costs money and/or time. Hence why people even today neglect good opsec.

    5. Re:Missing Link from TFS by WinstonWolfIT · · Score: 1

  13. Run Around Scream And Shout by Anonymous Coward · · Score: 0

    What you're doing is using lots of scare words to make the case there are bogeymen in them thar cyberwebz.

    Just like anyone still using "hack" and "hackers" in security context.

    Here's some news: This approach is entirely useless.

    1. Re: Run Around Scream And Shout by Anonymous Coward · · Score: 0

      What? He is stating a hypothetical scenario that SHOULD have happened.

      A real hacker would have covered his tracks and not alerted any authorities.

  14. Assume this was a diversionary tactic. by Anonymous Coward · · Score: 0

    And that the main gentoo repos have been compromised in a more subtle manner with this public fuckup meant to cover it up by making it look like they were too incompetent to make changes to the primary repos.

    If anyone has a git repo of portage or any other gentoo related projects that was synced prior to the hack, back it up, then have it step through the history looking for changes. I would wager at least $10 USD there are a few if anyone bothered to look. Git has a number of history rewriting features, and despite claims it would throw off commit history, I have seen more than a few pulls delete history without notifying me unless I looked for the specific commit hashes.

    1. Re:Assume this was a diversionary tactic. by Anonymous Coward · · Score: 0

      Yes, pull possibly could potentially delete history. Do people actually use git pull though?
      I stopped using it about a week after first using git for exactly this reason.
      Now I always do fetch followed by merge.
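The history-rewriting worry in the parent comment and the fetch-then-merge habit above come down to one check: the tip you last fetched must still be an ancestor of the new tip, otherwise the remote history was rewritten. Added example, not from either poster: it reimplements that ancestor walk (what `git merge-base --is-ancestor OLD NEW` answers) over a constructed commit graph with hypothetical commit ids, so it runs without a repository.

```python
"""Detect a rewritten (non-fast-forward) branch update before merging it.

A fetch that silently replaces history leaves the previously known tip
unreachable from the new tip. The ancestor walk below is what
`git merge-base --is-ancestor OLD NEW` answers; it runs here on a
constructed commit graph (hypothetical ids) instead of a real repository.
"""
from __future__ import annotations
from collections import deque

# Constructed commit graph: commit -> parents.
# A <- B <- C     history as last fetched, main at C
# C <- D          honest update: main moves to D (fast-forward)
# B <- C2         rewritten history: C replaced by C2 (forced update)
# C, X <- M       merge commit M with parents C and X
GRAPH: dict[str, list[str]] = {
    "A": [], "B": ["A"], "C": ["B"], "D": ["C"],
    "C2": ["B"], "X": ["A"], "M": ["C", "X"],
}

def is_ancestor(graph: dict[str, list[str]], old: str, new: str) -> bool:
    """True if `old` is reachable from `new` by following parent links."""
    seen, todo = set(), deque([new])
    while todo:
        c = todo.popleft()
        if c == old:
            return True
        if c in seen:
            continue
        seen.add(c)
        todo.extend(graph.get(c, []))
    return False

def classify_update(graph: dict[str, list[str]], old: str, new: str) -> str:
    """Label a ref move the way a reviewer would read it before merging."""
    if old == new:
        return "unchanged"
    return "fast-forward" if is_ancestor(graph, old, new) else "forced update"

def check_fetch(graph, known: dict[str, str], fetched: dict[str, str]) -> dict[str, str]:
    """Compare tips recorded before and after a fetch; anything not fast-forward needs a look."""
    return {ref: classify_update(graph, known[ref], fetched[ref]) for ref in known if ref in fetched}

if __name__ == "__main__":
    known = {"main": "C", "stable": "B"}      # tips recorded before the fetch
    fetched = {"main": "C2", "stable": "M"}   # constructed post-fetch tips
    for ref, verdict in check_fetch(GRAPH, known, fetched).items():
        print(f"{ref}: {verdict}")
```

On a real checkout the same check is `git merge-base --is-ancestor <old> <new>` per ref after `git fetch`, which itself marks such refs with "(forced update)".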

  15. Re:Git slaves are the day by F.Ultra · · Score: 1

    It was probably a false CFLAG

  16. I wonder what's next for the attacker... overlays? by Anonymous Coward · · Score: 0

    This attack was aimed at fairly mainstream repositories (albeit not the master portage tree), hence why it was quickly thwarted, but let's address the elephant in the room: Gentoo users frequently install programs using third-party ebuilds provided by portage overlays. If the attacker were to attack certain stale overlays, they might affect users with less scrutiny from the trees' maintainers. After this news, I'll be taking another look at the overlays I allow to potentially taint my system. Perhaps more stringent security measures should be required for an overlay to belong on the layman index as well.

    According to Gentoo's wiki page on the subject, the attacker has not been identified, and made at least one more (failed) attempt to access the repos after they were repaired. I'm anxious to hear how much we know about the attacker and efforts to find/prosecute them.