Slashdot Mirror


Gentoo Linux Github Organization Repo Hack Was Down To a Series of Security Mistakes (betanews.com)

The team behind Gentoo Linux has revealed the reasons for the recent hack of its GitHub organization account. The short version: shoddy security. From a report: It seems that the hackers were able to gain access to the GitHub organization account by using the password of one of the organization administrators. By the team's own admission, poor security meant that the password was easy to guess. As the Register points out, "only luck limited the damage," but the Gentoo Linux team is keen to let it be known that it has learned a lot from the incident. In an entry on the Gentoo Linux wiki, there is a fairly detailed breakdown of what happened, how it happened, and what is being done to prevent it from happening again. The wiki entry summarizes the hack attack as follows: "An unknown entity gained control of an admin account for the Gentoo GitHub Organization and removed all access to the organization (and its repositories) from Gentoo developers. They then proceeded to make various changes to content. Gentoo Developers & Infrastructure escalated to GitHub support and the Gentoo Organization was frozen by GitHub staff. Gentoo has regained control of the Gentoo GitHub Organization and has reverted the bad commits and defaced content."

20 of 42 comments

  1. 2FA? by Bengie · · Score: 4, Insightful

    Not using Two factor? Even with a weak password, 2FA helps immensely.

  2. The hackers made themselves known by 140Mandak262Jamuna · · Score: 4, Interesting

    After guessing the password, the hacker blocked access to all other admins. Thus the hack was immediately realized.

    A more savvy hacker would have just used the password to merge unauthorized fraudulent commits. Thus the hack would have remained undetected.

    Must assume: There are more savvy hackers.

    Must assume: There are other repos with weak, guessable passwords.

    Must conclude: There are well hidden bombs ticking away in many more repositories.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
  3. Re:Git saves the day by Anonymous Coward · · Score: 1

    Github got bought out, not Git, the software it uses. MS is free to alter Git on the new Github now, but probably won't.

  4. Re:Git saves the day by Bengie · · Score: 1

    A few issues here:
    1) Huge repos are many times a symptom. The Linux source code is only a few tens of MiB and it's a kernel with a ton of drivers.
    2) Git is getting constant performance optimizations as people bump into these performance issues.
    3) It's more difficult for a large repo to get dropped into git because git is getting incremental performance improvements and it's impractical to make all of the necessary changes in short order.

    Git has had some major improvements over the past 3-5 years for a select few common operations that perform poorly with lots of objects. You may want to revisit, and if you have performance issues, document and submit them. I wouldn't doubt that the rollout of further performance improvements has been slowed down by the mountain of work to support SHA3.

  5. Re:Git saves the day by Desler · · Score: 1

    Git got bought out by Microsoft.

    I'm pretty sure the Software Freedom Conservancy would be pretty surprised by this.

    This may very well be an attack and not a hack of any kind.

    And what does Microsoft get out of committing this federal crime? This was just a mirror. If Microsoft was gonna commit a federal crime wouldn't they have been smart enough to actually attack the main repositories hosted by Gentoo themselves? What would attack a mirror buy them?

  6. Gentoo Linux: NOW you can trust us by xxxJonBoyxxx · · Score: 2

    >> shitty admin password in 2018

    So...Gentoo has assured us this is the only half-assed shortcut they've taken, right? OK, seems legit.

    1. Re:Gentoo Linux: NOW you can trust us by xxxJonBoyxxx · · Score: 1

      You're missing the point: the same kind of person that thinks it's OK to shlep in the area of security quality may also be shlepping in the area of code quality, or architecture, or ???.

    2. Re:Gentoo Linux: NOW you can trust us by Bengie · · Score: 1

      Actually following the rules? I don't see how anyone bypassed 2FA or guessed the right code. Either there's a design flaw that no one is talking about or 2FA was not used in this case.

  7. Re:4 minutes by 93 Escort Wagon · · Score: 1

    I’m not sure those two examples are even remotely comparable. And while I’m a fan of open source, let’s not pretend there haven’t been vulnerabilities like heartbleed which manage to linger, undiscovered, for months - or even years.

    --
    #DeleteChrome
  8. Re:Git slaves are the day by Desler · · Score: 1

    Gentoo is perpetuating a false flag to cover for Microsoft attacking them? How much glue have you been sniffing lately?

  9. Missing Link from TFS by Anonymous Coward · · Score: 5, Informative

    In an entry on the Gentoo Linux wiki, there is a fairly detailed breakdown of what happened, how it happened, and what is being done to prevent it from happening again.

    You suck M'Smash. Leave.

    1. Re:Missing Link from TFS by WinstonWolfIT · · Score: 1

      Security as an afterthought today is just inconceivable.

    2. Re:Missing Link from TFS by Digital Avatar · · Score: 1

      inconceivable

      You have used that word again. I do not think it means what you think it means.

    3. Re:Missing Link from TFS by Desler · · Score: 1

      How so? Security costs money and/or time. Hence why people even today neglect good opsec.

    4. Re:Missing Link from TFS by WinstonWolfIT · · Score: 1

  10. Re:Git saves the day by Desler · · Score: 1

    1) Huge repos are many times a symptom. The Linux source code is only a few tens of MiB and it's a kernel with a ton of drivers.

    This is total bullshit. The latest Linux source code snapshot tarball from kernel.org of 4.18-rc3 is 159 MB. Decompressed, it clocks in at nearly 800 MB.

  11. Re:Git saves the day by Desler · · Score: 1

    You must work at Google or MS.

    How so? Microsoft uses Git extensively. A while back they even migrated the entire Windows source repository to Git.

  12. Re:Git slaves are the day by F.Ultra · · Score: 1

    It was probably a false CFLAG

  13. Re:4 minutes by F.Ultra · · Score: 1

    The Equifax hack would be far more comparable.

  14. Re:Git saves the day by Bengie · · Score: 1

    Correct. Only a magnitude off. Relative to 100GiB repos, it's meh.