Summary: Fedora infrastructure intrusion but no impact on product integrity
On January 22, 2011 a Fedora contributor received an email from the Fedora
Accounts System indicating that his account details had been changed. He
contacted the Fedora Infrastructure Team indicating that he had received
the email, but had not made changes to his FAS account. The Infrastructure
Team immediately began investigating, and confirmed that the account had
indeed been compromised.
At this time, the Infrastructure Team has evidence that indicates the account
credentials were compromised externally, and that the Fedora Infrastructure was
not subject to any code vulnerability or exploit.
The account in question was not a member of any sysadmin or Release Engineering
groups. The following is a complete list of privileges on the account:
- SSH to fedorapeople.org (user permissions are very limited on this machine).
- Push access to packages in the Fedora SCM.
- Ability to perform builds and make updates to Fedora packages.
The Infrastructure Team took the following actions after being
notified of the issue:
1. Lock down access to the compromised account
2. Take filesystem snapshots of all systems the account had access to (pkgs.fedoraproject.org, fedorapeople.org)
3. Audit SSH, FAS, Git, and Koji logs from the time of compromise to the present. Here, we found that the attacker did:
- Change the account's SSH key in FAS
- Login to fedorapeople.org
The attacker did not:
- Push any changes to the Fedora SCM or access pkgs.fedoraproject.org in any way
- Generate a koji cert or perform any builds
- Push any package updates
Based on the results of our investigation so far, we do not believe that any
Fedora packages or other Fedora contributor accounts were affected by this
compromise.
While the user in question had the ability to commit to Fedora SCM, the
Infrastructure Team does not believe that the compromised account was used to
do this, or cause any builds or updates in the Fedora build system. The
Infrastructure Team believes that Fedora users are in no way threatened by this
security breach and we have found no evidence that the compromise extended
beyond this single account.
As always, Fedora packagers are recommended to regularly review commits to
their packages and report any suspicious activity that they notice.
Fedora contributors are strongly encouraged to choose a strong FAS password.
Contributors should *NOT* use their FAS password on any other websites or
user accounts. If you receive an email from FAS notifying you of changes to
your account that you did not make, please contact the Fedora Infrastructure
team immediately via admin@fedoraproject.org.
We are still performing a more in-depth investigation and security audit and we
will post again if there are any material changes to our understanding.
The bug was noticed about 2 weeks ago: http://www.80vul.com/mhtml/Hacking%20with%20mhtml%20protocol%20handler.txt
You are licensing the eBook. Not buying it.
Amazon recalls (and embodies) Orwell's '1984'
I think they've "pulled a Digg"
http://lists.fedoraproject.org/pipermail/devel-announce/2011-January/000746.html
--
Jared Smith
Fedora Project Leader
Israel has a huge defense industry, they even make their own tanks (the Merkava, it's huge and carries infantry). The Palestinians are generally doing what they can as well (making their own rockets to fire into Israel, called the Qassam).
Cutting off military imports to these guys won't work, I suspect even if you removed all the weapons they'd still throw rocks at each other... oh wait... they're already doing that.
Stupid question but what amazing breakthroughs has all that Microsoft R&D resulted in?
Which will result in something like the "X-Pire-copy-to-imgur browser add-on" which automatically decrypts the image and then posts a decrypted copy to imgur or whatever sharing site you want to use.
Not to mention all the large companies trolling facebook for photos and storing them for later use to provide background check style services/etc.
Once you post it, a copy has been made, once someone views it, a copy has been made. Those copies are outside your control. Even if you encrypt it, once someone views it, an unencrypted copy has been made, and it's once more out of your control.
Which is what Americans used to say about Japan after WWII (they just imitate stuff, they can't innovate!). The Chinese are moving up the food chain of manufacturing/R+D/etc. as we speak, pretending otherwise may make you feel better, but it won't alter reality.
The difference is that companies like Shaw/Bell are sometimes directly publicly supported (tariffs/taxes/etc.), and always indirectly supported, i.e. right of ways, gifted infrastructure, etc.
Now that I think about this it was 15 years ago, not 10 years ago. Man time flies.
Well technically it wasn't Shaw, this was back when Edmonton was served on one half by Shaw and the other by Videotron, luckily I lived in a Videotron test area so had it several years before it became widespread (and shortly after that got a P100 which freaking rocked).
I doubt that. I have been a Shaw customer for over a decade (they are slightly less evil than Telus). In the time from when I first got Shaw high speed cable Internet my desktop went from a 486DX2/66 with 8 megs of ram and a 100 meg HD to a quad core AMD with 8 gigs of ram with a 120 gig SSD and a terabyte HD. In other words almost exactly 1000 times faster/more ram/storage/etc.
On the other hand my high speed cable Internet connection (roughly the same cost plan) has gone from 10 megabits download and 1 megabit upload with no caps to... wait for it... 15 megabits download and 1 megabit upload with a cap of 100 Gigabytes/month.
In other words I can use my Internet connection at full speed for about 15.2 hours a month before I hit my cap.
I'm sure in ten years it'll be MUCH better.
How exactly do you propose that the government tax overseas retailers?
I suppose you could simply tax the packages when they enter the country using something like I dunno... a declared value on the side of the package. Sort of like countries do it now.
Those two submissions are poorly written and have no real detail compared to this one (which is no gem, but is better).
Why not just put the laptop users in the back so no one (but other laptop users) has to see their screens? Seems like a simple solution for the distraction issue. I wonder if posting works (second try).
Why not just put the laptop users in the back so they don't distract anyone with their screens? Seems like a simple solution.
I find for coding or for my monthly columns/etc. I can't think faster than 60 WPM, so I've learned to type at about 65 WPM and that's good enough. Show me anyone that can code or write finished product at faster than 60 WPM... and I'd HAPPILY hire them. Seriously: if you can create written product at 60 WPM (or faster), contact me at kurt@seifried.org.
Telus up here went to an all IP backbone for everything some years ago (voice, fax, internet, etc.). So up here any call is a VOIP call.
How can you pass something into law if it has been redacted and is thus not fully disclosed? You could have something in there like "we'll also need everyone to wear pink on Fridays or face the death penalty". How can we follow a law, let alone pass it, if it has been redacted?
For example comparing a server's /etc tree with another one, and applying changes.
Ever consider "diff" and "patch"? Seriously....
Web browser security
The article linked actually says they already found them. What is with these craptastic and sensationalist titles today?
Linux can only go to 256 cores.
Uhmm no.
./arch/ia64/Kconfig: int "Maximum number of CPUs (2-4096)"
/arch/powerpc/platforms/Kconfig.cputype: int "Maximum number of CPUs (2-8192)"
In x86 we have:
config MAXSMP
bool "Enable Maximum number of SMP Processors and NUMA Nodes"
depends on X86_64 && SMP && DEBUG_KERNEL && EXPERIMENTAL
And I believe you can crank that dial all the way up
Also consider this: the number of cores in my desktop is doubling every year or two (and this is with a single core chip), 6 and 8 cores are cheap now, so we'll be at 1024 in roughly 7-14 years which makes sense because the GHz war is done and simply making more cores is relatively cheap (once you have the interconnect making a bigger CPU isn't all that hard).
Tell that to a phone book or other assemblage of facts.
Or you can just install CentOS which is Red Hat minus the artwork and the word "Red Hat" like most of us. I find Linux generally stable/reliable enough that I don't need support (I can't even remember my last Linux server crash, it's been years and stuff "just works").