Slashdot Mirror
Linux.org's DNS Got Hijacked (linux.org)
Linux.org reports:
Wednesday afternoon around 5pm EST someone was able to get into the registrar account for our domain and point DNS to another server -- as well as lock us out from changing it. They pointed the domain name to a pretty rude page for most of the evening until Cloudflare stepped in and blocked the domain for us.
After a lot of back and forth with our registrar, we were able to get things back under our control. I'd like to point out that our server environment was not touched so there are no worries about your data. We've gone over security protocols and are tightening things up that may have slipped through in the past. Thanks for your support!
Linux.org apparently pointed to a page exclaiming "G3T 0WNED L1NUX N3RDZ", which also included a NSFW picture, some abusive language, a shout-out to recently-deceased programmer Terry Davis, and a link to an article about Linus Torvalds' controversial apology for "his hostile behavior towards others in the community."
Long-time Slashdot reader Grady Martin says he also saw the page pointing to "presumably doxed info" about the creator of Linux's code of conduct, a fact confirmed by a report in the Register. "As for how it was hacked, [Linux.org owner Mike] McLagan blames the public Whois displaying his partner's email address -- presumably the hacker worked their way into the Yahoo email account listed as the admin of the site and from there requested a password change in her Network Solutions account to gain access to the domain."
After a lot of back and forth with our registrar, we were able to get things back under our control. I'd like to point out that our server environment was not touched so there are no worries about your data. We've gone over security protocols and are tightening things up that may have slipped through in the past. Thanks for your support!
Linux.org apparently pointed to a page exclaiming "G3T 0WNED L1NUX N3RDZ", which also included a NSFW picture, some abusive language, a shout-out to recently-deceased programmer Terry Davis, and a link to an article about Linus Torvalds' controversial apology for "his hostile behavior towards others in the community."
Long-time Slashdot reader Grady Martin says he also saw the page pointing to "presumably doxed info" about the creator of Linux's code of conduct, a fact confirmed by a report in the Register. "As for how it was hacked, [Linux.org owner Mike] McLagan blames the public Whois displaying his partner's email address -- presumably the hacker worked their way into the Yahoo email account listed as the admin of the site and from there requested a password change in her Network Solutions account to gain access to the domain."
It took 4 days for the hacking of one of the biggest tech community sites on the internet to land on /.? Really? We gunna see a story about the Falcon 9 water landing next Friday?
[Sorry, this signature is unavailable in your country/region]
Looks like social engineering attacks still work in 2018, and Linux / community is not immune to it. There is no organization or company that can't be fooled if they believe the person/email/account is legit. The email address of high access users is capable of lots of damage even if temporary
I'm sorry, if you still have a Yahoo email that controls anything of value, you're an idiot and this is well deserved.
Wow, it's almost as bad as having a hotmail account. I mean seriously, it's 2018. A yahoo email address? Did he get it so he could do email push with the iPhone 1?
Yahoo
Hotmail
Gmail
Which one really is safer?
#DeleteFacebook
Might still be better than gmail. I'm so happy keeping mail servers working is no longer a part of my work duties -- "can't send mail to site X" had X = gmail in at least 80% cases, as they invent a standards-defying policy once than a couple of months. And tossing ham into a spam box without a reject to the sender makes gmail unfit for your kid's kindergarten invites, much less some important stuff.
The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
Slashdot, fix the reply notifications... You won't get away with it...
I just want to give a shout out for Terry Davis, and hope he is working on his TempleOS in the sky. Also, f*ck glow in the dark CIA n1ggers.
Yahoo Hotmail Gmail
Which one really is safer?
Running a number of Sigs, my experience is that if someone is hacked, the odds that they are using a Yahoo email account is pretty overwhelming.
It does say something that the creator of Linux's Code of Conduct is using a Yahoo email address. That is the realm of the computer inept, the land of passwords like password1, or 1234567.
The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
It wasn't author of the CoC's email address that was used for the DNS records, it was the site owner.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
DNS hijacking has been a problen in the past, resulting in DNS registrars swearing blind that they'll never again change ownership without verfying ownership over the phone.
NS obviously broke that rule.
Easy solution - pull their business license for a year.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
Gmail, because it supports really good 2 factor auth. There is even an extra secure mode that blocks some normal Google account use and requires two FIDO keys.
Hotmail also supports 2 factor via a Microsoft account. Yahoo, I don't know.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
It wasn't author of the CoC's email address that was used for the DNS records, it was the site owner.
You are correct. That summary is just plain wrong.
I am a victim of assuming that there would be some relation between the site referenced and the Slashdot summary. But I should know better.
Mike McLagan is the administrator of Linux.org. not the owner as described in the summary.
Michelle McLagan is the owner of Linux.org. Not mentioned anywhere in the summary.
She - although unnamed - is called "his partner" in the summary. Whether this means Significant Other type partner or business partner is not immediately clear. Doesn't matter much, but another example of garbled writing.
But yes, the creator of the CoC is one Coraline Ehmke. Who is trying to get rid of meritocracy which she considers misogynist, and replacing it with credentials based on "humanity."
I was definitely incorrect, except that I stand by my assertion that a Yahoo email address is in itself a security risk. Mea culpas all around.
The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
G3T 0WNED L1NUX N3RDZ
Why isn't this child being supervised while on the internet?
If you want to see what it looked like, here you go (NSFW)
Is it wrong that I just laughed for 10 mins?
The manhunt is on for the owner of that hairy asshole.
Famous computer guy Ken Thompson said in 1984:
"The moral is obvious. You can't trust code that you did not totally create yourself. (Especially code from companies that employ people like me.) No amount of source-level verification or scrutiny will protect you from using untrusted code. In demonstrating the possibility of this kind of attack, I picked on the C compiler. I could have picked on any program-handling program such as an assembler, a loader, or even hardware microcode. As the level of program gets lower, these bugs will be harder and harder to detect. A well installed microcode bug will be almost impossible to detect."
So there is the warning issued over 30 years ago, and published, so every computer scientist must know this. Still computers and software can't be trusted. And the trustworthiness is becoming worse, with CPUs willing to leak secrets, and operating systems and application software being designed to collect secrets and report them to others.
In the face of this situation, computers are becoming even more widespread. They have become critically important to critical infrastructure. Pretty much all computers are made in China. There could be a natural disaster or civil war in China, that shuts off the supply of computers to the whole world.
The only people who seem to be taking this seriously is the Russian govt. They stopped using computers for important jobs. They switched to using typewriters and filing cabinets and pieces of paper.
One day such hack will redirect archive.ubuntu.org (or other) to a repository of hacked updates and millions of linux users will get massively hacked with no hope of cleaning up.
As a linux user and admin I hope it won't happen, but I'm surprised it hasn't happened yet.
This is why the software packages are digitally signed by a key pair that the OS verifies against its keystore.
Even if archive.ubuntu.org was hijacked and pointed to a web server setup to serve the same package files, the signature wouldn't match if so much as a single bit was changed in the package, and your OS wouldn't install it.
Hijacking DNS would give the attacker no access what so ever to the real archive.ubuntu.org or whatever machine has their HSM hardware plugged into it, and so no ability to sign packages.