
Linux Foundation, Linux.com Sites Down To Fix Security Breach

timothy posted more than 2 years ago | from the bringing-back-spanking-might-help dept.

Open Source 101

An anonymous reader writes "All Linux Foundation sites seem to be down due to a security breach, which occurred on 8 Sep. (according to a notice displayed on the site)." From the email I received this morning, sent to all Linux.com and LinuxFoundation.org users: "On September 8, 2011, we discovered a security breach that may have compromised your username, password, email address and other information you have given to us. We believe this breach was connected to the intrusion on kernel.org. As with any intrusion and as a matter of caution, you should consider the passwords and SSH keys that you have used on these sites compromised. ... We have taken all Linux Foundation servers offline to do complete re-installs. Linux Foundation services will be put back up as they become available. We are working around the clock to expedite this process and are working with authorities in the United States and in Europe to assist with the investigation."


101 comments

SSH keys? (2)

betterunixthanunix (980855) | more than 2 years ago | (#37368026)

Uh...isn't the point of using public keys that you do not have to keep them secret to remain secure? If people uploaded their public keys to the compromised systems...how is that a problem?

Re:SSH keys? (1)

smash (1351) | more than 2 years ago | (#37368116)

Ahh, but if you were a dumb ass and placed your private key for linux.org on say, kernel.org (to log into one from the other), then if kernel.org got hacked, your key is gone.

Re:SSH keys? (1)

kestasjk (933987) | more than 2 years ago | (#37368276)

Why would you do that?.. Usually people sacrifice security for convenience, but that is less convenient..

Re:SSH keys? (1)

ArsenneLupin (766289) | more than 2 years ago | (#37369436)

Why would you do that?

Maybe in case you'd need to scp large files from linux.org to kernel.org and vice-versa, without having to first download them to your home machine, and then upload them to the target (slow, if you've got asymmetric DSL)

Of course, dumb users not aware of security implications is also a possible explanation (less likely though, as dumb users would probably not be aware of ssh authorized_keys in the first place...).

In both cases, it is smart of the Linux Foundation to warn their users of this potential issue...

Re:SSH keys? (1)

ArsenneLupin (766289) | more than 2 years ago | (#37369484)

That being said, it's important to use a different private key on each machine where you might ssh from...

However, in case of a compromise, you'd still need to remove trust in the private key of the impacted machine (so if kernel.org got hacked, you need to remove your old kernel.org's public key from your ~/.ssh/authorized_keys on linux.org)

Also, if the hacker got kernel.org's /etc/ssh/ssh_host_rsa_key, then he could theoretically later on mount an MITM attack against kernel.org... so the kernel.org admins better change that one as well (while publishing the new key's fingerprint on an SSL server).

Re:SSH keys? (1)

WindShadow (977308) | more than 2 years ago | (#37377988)

That being said, it's important to use a different private key on each machine where you might ssh from...

Hell yes, and for key management sanity it is good to use a clear comment on keys so you know what they are for.

However, in case of a compromise, you'd still need to remove trust in the private key of the impacted machine (so if kernel.org got hacked, you need to remove your old kernel.org's public key from your ~/.ssh/authorized_keys on linux.org)

You also have to rebuild authorized_keys to check that no new or modified keys have been added. That would allow the hackers right back in at some future time. I keep a copy and cksum of authorized keys for every machine where I use keys, just so I can check. Yes, I'm paranoid.

Also, if the hacker got kernel.org's /etc/ssh/ssh_host_rsa_key, then he could theoretically later on mount an MITM attack against kernel.org... so the kernel.org admins better change that one as well (while publishing the new key's fingerprint on an SSL server).

I don't know if that's the case, but they could certainly set up a fake server if they have your public key and the server host keys. So generating a new host key pair is really required, forcing every user to change the key.

What a mess!
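An added worked example, not from this thread, the Linux Foundation or the kernel.org post-mortem, for the two points made above: checking authorized_keys against a trusted baseline so that added, removed or re-optioned entries are caught, and removing trust in the compromised host's key by fingerprint rather than by the comment string, which an intruder can copy. The same OpenSSH SHA256 fingerprint routine is then used to check a known_hosts entry against a host key fingerprint published out of band after a host key rotation. Every key, host name and file below is constructed inside the script for demonstration; none of them are real keys or real Linux Foundation data.

```python
"""Audit authorized_keys against a trusted baseline, revoke by fingerprint and
check a known_hosts entry against a published host key fingerprint (added example)."""
import base64
import hashlib
import struct
from typing import Dict, List, NamedTuple

KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ssh-dss", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")

class Entry(NamedTuple):
    options: str   # from="...", no-pty etc.; "" if none (host field for known_hosts)
    keytype: str
    blob: str      # base64 of the wire-format public key
    comment: str   # free text chosen by whoever wrote the line

def make_ed25519_blob(raw32: bytes) -> str:
    """Base64 ssh-ed25519 blob from 32 bytes (wire strings are length-prefixed).
    Only used to construct sample data here; real keys come from ssh-keygen."""
    s = lambda b: struct.pack(">I", len(b)) + b
    return base64.b64encode(s(b"ssh-ed25519") + s(raw32)).decode()

def fingerprint(blob: str) -> str:
    """OpenSSH SHA256 fingerprint as printed by `ssh-keygen -lf`:
    base64(sha256(decoded blob)) with '=' padding stripped."""
    digest = hashlib.sha256(base64.b64decode(blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_keys(text: str) -> List[Entry]:
    """Parse authorized_keys/known_hosts lines: the key type is the first token
    that is a known type; everything before it is the options (or host) field."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        idx = next((i for i, t in enumerate(tokens) if t in KEY_TYPES), None)
        if idx is None or idx + 1 >= len(tokens):
            raise ValueError(f"unparseable line: {line!r}")
        entries.append(Entry(" ".join(tokens[:idx]), tokens[idx],
                             tokens[idx + 1], " ".join(tokens[idx + 2:])))
    return entries

def audit(baseline: str, current: str) -> Dict[str, List[str]]:
    """Diff current against the trusted baseline, keyed by fingerprint. 'changed'
    means the key is still there but its options differ, e.g. from="..." dropped."""
    base = {fingerprint(e.blob): e for e in parse_keys(baseline)}
    cur = {fingerprint(e.blob): e for e in parse_keys(current)}
    return {"added": sorted(set(cur) - set(base)),
            "removed": sorted(set(base) - set(cur)),
            "changed": sorted(fp for fp in set(base) & set(cur)
                              if base[fp].options != cur[fp].options)}

def revoke(current: str, fingerprints: List[str]) -> str:
    """Drop the listed fingerprints, keeping comments and layout. Matching is by
    fingerprint, never by the comment text, which an intruder can copy."""
    drop, kept = set(fingerprints), []
    for line in current.splitlines():
        if line.split() and not line.lstrip().startswith("#"):
            if fingerprint(parse_keys(line)[0].blob) in drop:
                continue
        kept.append(line)
    return "\n".join(kept) + "\n"

def host_key_matches(known_hosts_line: str, published_fp: str) -> bool:
    """Compare a known_hosts entry with a fingerprint obtained out of band."""
    return fingerprint(parse_keys(known_hosts_line)[0].blob) == published_fp

# Constructed sample data: the laptop key, the key kept on kernel.org for hopping,
# an intruder's key with a lookalike comment, and a rotated host key.
BLOB_LAPTOP = make_ed25519_blob(b"\x01" * 32)
BLOB_KERNELORG = make_ed25519_blob(b"\x02" * 32)
BLOB_INTRUDER = make_ed25519_blob(b"\x03" * 32)
HOST_KEY_NEW = make_ed25519_blob(b"\x04" * 32)
BASELINE = f"""# trusted copy taken before the incident
ssh-ed25519 {BLOB_LAPTOP} me@laptop
from="kernel.org",no-pty ssh-ed25519 {BLOB_KERNELORG} me@kernel.org-hop
"""
CURRENT = f"""# trusted copy taken before the incident
ssh-ed25519 {BLOB_LAPTOP} me@laptop
ssh-ed25519 {BLOB_KERNELORG} me@kernel.org-hop
ssh-ed25519 {BLOB_INTRUDER} me@laptop
"""
KNOWN_HOSTS_LINE = f"kernel.org ssh-ed25519 {HOST_KEY_NEW}"

if __name__ == "__main__":
    report = audit(BASELINE, CURRENT)
    for kind, fps in report.items():
        print(kind, fps)
    # kernel.org was compromised: drop its key along with anything unexpected.
    print(revoke(CURRENT, report["added"] + [fingerprint(BLOB_KERNELORG)]))
    print("host key ok:", host_key_matches(KNOWN_HOSTS_LINE, fingerprint(HOST_KEY_NEW)))
```

Run it directly for a printed report. Because the fingerprint is the SHA256 of the decoded wire-format blob, it is the same string `ssh-keygen -lf` prints, so the values can be compared with what ssh itself shows. The caveat a practitioner will want: a script like this only audits the file it is handed. It says nothing about a trojaned sshd, an AuthorizedKeysFile directive pointing somewhere else, or keys planted for another account, which is why the Linux Foundation's answer to this breach was a complete reinstall rather than a cleanup.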

Re:SSH keys? (1)

rastos1 (601318) | more than 2 years ago | (#37369996)

Maybe in case you'd need to scp large files from linux.org to kernel.org and vice-versa, without having to first download them to your home machine, and then upload them to the target (slow, if you've got asymetric DSL)

That's why there is -A option for ssh.

Re:SSH keys? (0)

Anonymous Coward | more than 2 years ago | (#37381938)

From man ssh:

"Agent forwarding should be enabled with caution. Users with the ability to bypass file permissions on the remote host (for the agent's UNIX-domain socket) can access the local agent through the forwarded connection. An attacker cannot obtain key material from the agent, however they can perform operations on the keys that enable them to authenticate using the identities loaded into the agent."

Re:SSH keys? (1)

Anonymous Coward | more than 2 years ago | (#37368278)

Dumbass is right. That's why OpenSSH has agents (and the ssh agent does NOT expose your key, it does all crypto and returns just the result). SSH private keys should NEVER leave your own box. You don't reuse openssh keys, either. It is one private key pair per host.

That would not have saved HPA's keys since his laptop was the entrypoint of the kernel.org breach, but if some people were not lazy assholes, there wouldn't be any private keys on kernel.org, except for some automated tasks (which have to be immediately revoked).

Also, you NEVER "hop-jump" SSH, even when using an agent: you do port forwarding through that host instead. If you do "ssh hop-jumping", a compromised system can record anything you type inside that ssh session, such as root passwords. This is exactly why the openssh server and clients were trojaned in kernel.org (and probably linux*.com).

Re:SSH keys? (1)

doublebackslash (702979) | more than 2 years ago | (#37369534)

Why shouldn't I re-use my ssh keys? I'm pretty clear on all your other points so I assume that you've got a good reason for this. What is it?

I feel that I may have mis-understood the proper use of SSH keys and would really like to know the attack vector here.

Re:SSH keys? (1)

ttong (2459466) | more than 2 years ago | (#37374628)

I once had a co-worker who was as stupid to do that, so I immediately blacklisted his key on every machine on the corporate network and told him to generate a new one and keep the private part to himself. I sincerely hope any sane IT dept. will do the same in that event.

It's almost as stupid as emailing the root password in the clear for the new dedicated server you've ordered. Mail me the host key fingerprint, I'll mail you my public key. How hard can it be?

Re:SSH keys? (1)

doublebackslash (702979) | more than 2 years ago | (#37377654)

The statement that I was in disagreement with was "You don't reuse openssh keys, either. It is one private key pair per host."

Bullshit unless there is something that I'm missing. Keep one private key / public key pair and use the public key on all things you want to access. Keep the private key private (read: in a private place, encrypted. As is traditional.)

Is there some problem with re-using your public key on several servers? I think not.

Re:SSH keys? (1)

ttong (2459466) | more than 2 years ago | (#37378296)

Yes, you are correct. Nothing wrong with the same public key on 100+ servers.

Though I can also relate to having a separate key pair for internal servers and another for customer servers. That way, when you use an agent and unlock a key you don't unlock every server you ever have to manage anywhere. Especially when you have a multitude (say, 5 at max) of key pairs for that purpose.

Re:SSH keys? (0)

Anonymous Coward | more than 2 years ago | (#37369778)

It would help to show most people how to do this:

MACHINES:
laptop, serverA, serverB - serverB is only accessible from serverA (for fun)

laptop# ssh -L 7878:serverB:22 mydumbself@serverA

then from another shell:
# connecting to serverB
laptop# ssh -p 7878 mydumbself@localhost

This quickly becomes annoying because of localhost's key constantly changing. Automate it like this in ~/.ssh/config
host serverA
    hostname serverA
    localforward 7878 serverB:22
host serverB
    hostname localhost
    hostkeyalias serverB
    port 7878

Now:
laptop# ssh serverA

and then:
laptop# ssh serverB

Re:SSH keys? (1)

maswan (106561) | more than 2 years ago | (#37368126)

It is an unfortunately common case that people copy/create private ssh keys on servers to login (or scp) from those to another remote host. These keys are of course compromised.

Re:SSH keys? (0)

Anonymous Coward | more than 2 years ago | (#37368398)

It is an unfortunately common case that people copy/create private ssh keys on servers to login (or scp) from those to another remote host. These keys are of course compromised.

What is wrong with using private keys from a server? It is not uncommon that servers need to talk to each other or even are only reachable from each other; in which case private SSH key on the first server makes perfect sense, right?

(obviously, policy should be to never copy your private keys, but run keygen on each client (including the server-turned-ssh-client) and mark them on all other servers with an intelligible mark so they can be removed from authorized_keys as needed.)

I don't see why having private keys on a server would be less secure than having these on your laptop/phone, which is much easier to steal or borrow...

Re:SSH keys? (2)

dbrian1 (522049) | more than 2 years ago | (#37368702)

I don't see why having private keys on a server would be less secure than having these on your laptop/phone, which is much easier to steal or borrow...

My laptop is only vulnerable to theft by people I am in physical contact with and is generally my responsibility to secure while connected to the Internet. Placing SSH keys on a server means I'm giving these keys and any access they grant to the admins of said server and am placing my trust in them to keep them secure. This is fine for automated trust relationships between hosts but not generally a good idea for personal keys.

Re:SSH keys? (1)

maswan (106561) | more than 2 years ago | (#37368942)

Well, you'd still need keys on your laptop to get to the server. So now you have two places where your keys can be stolen and used to login everywhere you trust your keys.

For the case where you actually do need direct communication between two servers you probably want to do agent forwarding instead of having more keys in your authorized_keys. Remember that every single entry there is a point of failure, and any one of them getting compromised means that your account is likely to get owned.

Now there are special cases where having more keys is useful, but most of the time they just open up more vectors for someone to steal them and break into other computers.

Of course, even then, they are better than passwords, at least if they have proper passphrases. Not too uncommon to see lots of passphrase-less keys in home directories on multi-user servers though.

Re:SSH keys? (1)

buchner.johannes (1139593) | more than 2 years ago | (#37369322)

It is an unfortunately common case that people copy/create private ssh keys on servers to login (or scp) from those to another remote host. These keys are of course compromised.

There is no requirement to do that. You can just create a tunnel through the first server to the second (ssh -L). Then you connect to the tunnel port on localhost, and you never had to give away your private key. You're even safe if the server in the middle gets compromised.

Re:SSH keys? (0)

Anonymous Coward | more than 2 years ago | (#37373876)

There is also no *requirement* to passphrase-protect your SSH keys, nor any requirement *not* to be lazy and store your keys on your server instead of on a more secure local environment. So people will do so out of sheer laziness, and ignorance, and the belief that they can "trust the machine they're working on".

The last time I raised that as a fundamental problem with SSH and suggested that ssh-keygen at least not allow passphrase free keys by default, Theo de Raadt called me names on the mailing list for questioning the underlying decisions of OpenBSD and OpenSSH maintainers. They are stuck in a dangerous mindset, one where they run OpenBSD, the "most secure operating system in the world", therefore the human stupidities of passphrase free keys and hitting "yes" when presented with an unknown hostkey are ignored, and the simple vulnerability of a backup tape or an admin who steals user's keys is simply ignored. They should *stop* playing games with making special, unique, and non-portable hooks to segment off tiny chunks of the operation environment to more secure structures, as they did with OpenSSH 5.9 and with previous "privsep" changes, and *pay attention to basics* such as private key management. Having the best lock in the world is useless when you put a hook on the lock marked "hang the key here!!!!" the way they do with passphrase free key handling.

Re:SSH keys? (0)

Anonymous Coward | more than 2 years ago | (#37369096)

Well, since the server was compromised, that means someone would have the private key(s) of the server. They could then set up their own ssh server using those keys, which combined with your public key would allow them to impersonate the real server.

They could then gather your activity or whatever if you logged into it. Not as bad as compromising your private key but still something to think about.

Re:SSH keys? (0)

Anonymous Coward | more than 2 years ago | (#37370254)

The server's host keys may be compromised.

Re:SSH keys? (1)

smash (1351) | more than 2 years ago | (#37376364)

Also - don't forget, if someone has your public key (and has compromised the server's key), they can impersonate the remote end and go for a man in the middle attack.

Inb4 OS Slapfight (0, Troll)

idbeholda (2405958) | more than 2 years ago | (#37368040)

Gentlemen, start your engines.

Re:Inb4 OS Slapfight (0)

Anonymous Coward | more than 2 years ago | (#37368666)

OP is not a troll. This and other 'hacks' are obvious attempts to destroy the infrastructure behind Linux. Since 'hackers' can't attack the installations out in the field themselves, their security is too good, they are searching for ways to poison the code that is being pushed as updates. Breaking into the centralized distribution is the first step in this process.

Normally I would suspect M$ as bankrolling this, but these days I tend to think Apple. With all their cash I'm sure they can hire the best.

Re:Inb4 OS Slapfight (1)

HiThere (15173) | more than 2 years ago | (#37368772)

I don't see any reason to exonerate either of those, but you need to widen your focus. You should include numerous governments (or their agents, perhaps acting without authorization). You should also include groups of criminals, like the Russian Mafia. Then there's folks just out for lulz. etc.

Some of these may be more likely than others, but don't narrow your focus too much. Not without reasonable evidence.

Re:Inb4 OS Slapfight (1)

smash (1351) | more than 2 years ago | (#37369250)

OP is not a troll. This and other 'hacks' are obvious attempts to destroy the infrastructure behind Linux.

I wouldn't go that far. Sounds more like a few attacks on high profile public systems that just happen to host linux projects.

What a CROCK OF CRAP (you're off)... (-1)

Anonymous Coward | more than 2 years ago | (#37369298)

way, Way, WAY OFF, as far as this from you:

"Since 'hackers' can't attack the installations out in the field themselves, their security is too good, they are searching for ways to poison the code that is being pushed as updates." - by Anonymous Coward on Sunday September 11, @11:58AM (#37368666)

Ahem: I strongly suggest you refer to the security vulnerabilities data below in my 'p.s.' then...

I.E.-> 4x the amount of unpatched security vulnerabilities exist in LINUX'S KERNEL ALONE (kernel ONLY mind you, & not including the rest of the bugs introduced in what goes into the rest of a Linux distro), than does in nearly the ENTIRE GAMUT/ARRAY/BODY OF WHAT MICROSOFT GIVES USERS & BUSINESSES FOR USE + DEVELOPMENT!

( LAMP? Gets shredded in attacks, & FAR MORE than Windows, IIS7, SQLServer, VB/C# etc. in dev. tools BY FAR!)

---

"Breaking into the centralized distribution is the first step in this process." - by Anonymous Coward on Sunday September 11, @11:58AM (#37368666)

In case you hadn't noticed above per this article's topic? It's BEEN broken & for a LONG TIME NOW!

APK

P.S.=> This data from respected & reputable sources ought to interest you as well, vs. your statements:

Linux, in its KERNEL ONLY mind you? Has 3.5x the unpatched security vulnerabilities Windows 7 has & 4x that of Windows Server 2008 (which IS a complete "distro" with all of its parts, not just a kernel only as is in the case of LINUX's stats below...)!

4th - Despite all those "Open 'SORES'" eyes (most of whom couldn't code to SAVE THEIR LIVES mind you) allegedly poring over Linux code, how come it has that many more unpatched bugs than Windows 7 has, hmmm??

Closed source is HARDER for hacker/crackers to attack as well, because you're stuck either disassembling it (especially tough with kernel level debuggers) OR fuzzing it, either is tougher than searching out problems in Linux, which you just load into a compiler & step trace its "Open 'SORES'" code with to find screwups in security... hence it still has more security bugs, AND, they are unpatched (despite all the "Open 'SORES'" eyes poring over it, lol!)

Fact, period!

5th - In fact, AGAIN: Linux's kernel ALONE has 3.5x-4x the # of unpatched bugs the ENTIRE SUITE/ARRAY OF WHAT MICROSOFT GIVES YOU TO DO BUSINESS & DEVELOPMENT WITH!

Proof? Ok:

This data's ALL from a respected source (secunia.com) for known security vulnerabilities unpatched:

---

Vulnerability Report: Microsoft SQL Server 2008: (08/22/2011)

http://secunia.com/advisories/product/21744/ [secunia.com]

Unpatched 0% (0 of 1 Secunia advisories)

Vulnerability Report: Microsoft Internet Information Services (IIS) 7.x: (08/22/2011)

http://secunia.com/advisories/product/17543/ [secunia.com]

Unpatched 0% (0 of 6 Secunia advisories)

Vulnerability Report: Microsoft Exchange Server 2010: (08/22/2011)

http://secunia.com/advisories/product/28234/ [secunia.com]

Unpatched 0% (0 of 0 Secunia advisories)

Vulnerability Report: Microsoft SharePoint Server 2010: (08/22/2011)

http://secunia.com/advisories/product/29809/ [secunia.com]

Unpatched 0% (0 of 0 Secunia advisories)

Vulnerability Report: Microsoft Forefront Endpoint Protection 2010: (08/22/2011)

http://secunia.com/advisories/product/34343/ [secunia.com]

Unpatched 0% (0 of 1 Secunia advisories)

Vulnerability Report: Microsoft Baseline Security Analyzer 2.x: (08/22/2011):

http://secunia.com/advisories/product/6436/ [secunia.com]

Unpatched 0% (0 of 0 Secunia advisories)

Vulnerability Report: Microsoft Office 2010: (08/22/2011)

http://secunia.com/advisories/product/30529/?task=advisories [secunia.com]

Unpatched 0% (0 of 7 Secunia advisories)

Vulnerability Report: Microsoft Project 2010: (08/22/2011)

http://secunia.com/advisories/product/31177/ [secunia.com]

Unpatched 0% (0 of 0 Secunia advisories)

Vulnerability Report: Microsoft Windows Services for UNIX 3.x: (08/22/2011)

http://secunia.com/advisories/product/5244/ [secunia.com]

Unpatched 0% (0 of 3 Secunia advisories)

Vulnerability Report: Microsoft Internet Explorer 9.x: (08/22/2011)

http://secunia.com/advisories/product/34591/ [secunia.com]

Unpatched 0% (0 of 3 Secunia advisories)

Vulnerability Report: Microsoft Virtual PC 2007: (08/22/2011)

http://secunia.com/advisories/product/14315/ [secunia.com]

Unpatched 0% (0 of 1 Secunia advisories)

Vulnerability Report: Microsoft Visual Studio 2010: (08/22/2011)

http://secunia.com/advisories/product/30853/?task=advisories [secunia.com]

Unpatched 0% (0 of 2 Secunia advisories)

Vulnerability Report: Microsoft DirectX 10.x:
(08/02/2011)

http://secunia.com/advisories/product/16896/ [secunia.com]

Unpatched 0% (0 of 3 Secunia advisories)

Vulnerability Report: Microsoft .NET Framework 4.x
(08/02/2011)

http://secunia.com/advisories/product/29592/ [secunia.com]

Unpatched 0% (0 of 7 Secunia advisories)

Vulnerability Report: Microsoft Silverlight 4.x: (08/22/2011)

http://secunia.com/advisories/product/28947/ [secunia.com]

Unpatched 0% (0 of 1 Secunia advisories)

Vulnerability Report: Microsoft XML Core Services (MSXML) 6.x: (08/22/2011)

http://secunia.com/advisories/product/6473/ [secunia.com]

Unpatched 0% (0 of 4 Secunia advisories)

Vulnerability Report: Microsoft Windows 7: (08/22/2011)

http://secunia.com/advisories/product/27467/?task=advisories [secunia.com]

Unpatched 7% (5 of 80 Secunia advisories)

OR

Vulnerability Report: Microsoft Windows Server 2008: (08/22/2011)

http://secunia.com/advisories/product/18255/?task=advisories [secunia.com]

Unpatched 3% (4 of 148 Secunia advisories)

* Nicest part here is, that the few unpatched vulns ALL have valid easy work arounds, or don't apply to workstations, or can be secured for (by turning off services you don't need, especially on desktops/workstations or by securing them down rights-wise)... can Linux say the same?

---

FACT - THAT'S 3.5x LESS UNPATCHED SECURITY VULNERABILITIES ON MS NEAR ENTIRE ARRAY OF WHAT THEY GIVE YOU FOR BUSINESS & DEVELOPMENT (& I know that LAMP can't say the same & tosses on even MORE errors into the mix for Linux) , THAN IS PRESENT ON THE LINUX 2.6x KERNEL ALONE!

NOW- Toss on the rest of what goes into a Linux distro OR the "LAMP" stack, also (Linux, Apache, MySQL, PHP)?

?

That # goes "up, Up, UP & AWAY...", big time & even more so, "increasing that lead, that Linux has", lol, in more unpatched known security bugs present that is (a dubious honor/win, lol, to say the least).

So, that "all said & aside"?

Compare a "*NIX/Open SORES" OS in Linux's "latest/greatest"?:

---

Vulnerability Report: Linux Kernel 2.6.x (08/22/2011)

http://secunia.com/advisories/product/2719/?task=advisories [secunia.com]

Unpatched 6% (16 of 275 Secunia advisories)

---

AND YES, there is a remotely vulnerable unpatched security problem outstanding in Linux there too, unpatched (despite all the "Open 'SORES' eyes" out there to fix it (yea, "right", not!))

* Additionally/again - so it "sinks in":

That's also more than the ENTIRE GAMUT of what MS gives folks to do business & build tools for it as well has & LAMP certainly cannot show less errors in unpatched security vulnerabilities than 5 total from MS...

In fact? LAMP is the favored attack for phishers & spammers:

http://www.theregister.co.uk/2011/06/10/domains_lamped/ [theregister.co.uk]

---

PERTINENT QUOTE:

"Phishers compromise LAMP-based websites for days at a time and hit the same victims over and over again, according to an Anti-Phishing Working Group survey.

Sites built on Linux, Apache, MySQL and PHP are the favoured targets of phishing attackers,"

---

COMPARE & CONTRAST WINDOWS RUNNING IN A HIGH-TPM ENVIRONS SERVER-WISE NOW:

Windows also has been running 24x7 since 2005 for NASDAQ, acting as its "OFFICIAL TRADE DATA DISSEMINATION SYSTEM, non-stop, via Windows Server 2003 + SQLServer 2005 in fail-over clustering on the server-front too!

NASDAQ Migrates to SQL Server 2005:

http://www.windowsfs.com/enews/nasdaq-migrates-to-sql-server-2005 [windowsfs.com]

and here:

NASDAQ Uses SQL Server 2005 - Reducing Costs through Better Data Management:

http://blog.sqlauthority.com/2007/09/17/sqlauthority-news-nasdaq-uses-sql-server-2005-reducing-costs-through-better-data-management/ [sqlauthority.com]

(For proof thereof... for coming up on a DECADE OF SOLID UPTIME uninterrupted & "bulletproof + bugfree", @ NASDAQ too, a high-tpm environs, not just a mail or webserver!)

---

You like Apples? HOW DO YOU LIKE THOSE APPLES (compared, apples to apples no less), & the stats above for Linux, kernel only? Well, again - it's also NOT the entire 'gamut/array' of what actually comes in a Linux distro as well!

(E.G.-> Such as the attendant GUI, Windows managers, browsers, etc. that ship in distros too that have bugs, and yes, THEY DO)

THAT ADDS EVEN MORE BUGS that COMPOUNDS THAT # EVEN MORE, and worse, for LINUX!!!

So, so much for "Windows is less secure than Linux" stuff you see around here on /., eh?

(It gets even WORSE for 'Linuxdom' when you toss on ANDROID (yes, it's a LINUX variant too), because it's being shredded on the security-front lately, unfortunately)

BOTTOM-LINE:

What this all comes down to, is all the "Pro-*NIX propaganda straight outta pravda" practically doesn't stand up very well against concrete, verifiable & visible facts now, does it? Nope!

... apk

Re:What a CROCK OF CRAP (you're off)... (1)

br4nd0nh3at (1082179) | more than 2 years ago | (#37372002)

I'm new to Linux, and have become quite worried with Linux security.

Looking at your post, I went to the links you provided.
http://secunia.com/advisories/product/6436/?task=statistics_2011 [secunia.com]

Scrolling down reveals this:
"PLEASE NOTE: The statistics provided should NOT be used to compare the overall security of products against one another. It is IMPORTANT to understand what the below comments mean when using the statistics, especially when using the statistics to compare the vulnerability aspects of different products."

If you continue reading it goes into further detail.

Then I look at these pages
http://secunia.com/advisories/product/27467/ [secunia.com]
http://secunia.com/advisories/product/2719/?task=advisories [secunia.com]

This supports your comment.

Can you explain this?

Answer 2 questions first (0)

Anonymous Coward | more than 2 years ago | (#37374392)

1.) Can you explain why Linux has more unpatched security vulnerabilities in its KERNEL ALONE (minus all the rest of what goes into a Linux distro mind you) than does nearly ALL of what Microsoft gives folks to do business & development with (by 4x as many unpatched security vulnerabilities, which would be MORE if all of a Linux distro was shown, not just the kernel's problems there alone)?

2.) Why does the LAMP stack show that it's being abused in said security vulnerabilities from a valid report, than does Windows Server 2008, IIS7, SQLServer 2008, & Visual Studio 2010??

* "Argue with the numbers..."

APK

P.S.=> Why is that (on both accounts above)??? Even despite all those "Open SORES eyes" allegedly poring over LAMP's code no less (Most of whom couldn't code to SAVE THEIR OWN LIVES)???? apk

ANDROID shows the "security-WEAK" of Linux (0)

Anonymous Coward | more than 2 years ago | (#37451972)

Android (a Linux variant) shows Linux's "True Colors": It's less secure than Windows is. The "security-by-obscurity" (lack of users vs. those using Windows) advantage that Linux has enjoyed faded as an excuse to say "Linux is more secure than Windows is" with the advent of Android's malware explosion as well. No, the lines of pure bullshit you see from the "FUD" spreaders in the "Pro-Penguin camp" have been shown to all what they are: Bullshit artists. Wait until (IF ever) Linux gets more market-share - watch it become "Shredded Wheat" even more than Android's showing it to be, because then? Then, it will become attractive to malware-makers & such (but then again, I've been hearing "this is the year of Linux" for what? Nearly 20 yrs. now?? Funny, that year never comes eh??? Might as well say "The 12th of never when the clock strikes 13").

Re:Inb4 OS Slapfight (0)

Slashdot Assistant (2336034) | more than 2 years ago | (#37369332)

I'm glad we have this opportunity to compare Lunix against what else is out there. I don't doubt that more professional commercial systems can be hacked. What I think though is that seeing Linus erasing and reinstalling his servers is an example of how flawed Lunix is. There's just no way a Windows server with Norton could be compromised in this manner. Even if somehow a trojan virus did get through then I'd run Norton and a registry cleaner and everything would be back to normal. I haven't reinstalled Windows now for months, and apart from running a bit slow it's fine. My ISP claimed that there's unusual traffic coming from my servers - which I explained is probably virii bouncing off of Norton and my Fire Wall.

Lunix users, you should think long and hard about your chosen operating system. If he's this disorganized then what are you going to do when you get sued for using a system proven to be built on copyright and patent infringement? Sure you could try MAC (Lunix put in a shiny case). Neither Apple nor Linus will come to your rescue when you're sued for running patent and copyright infringing software. This will be unpopular with the mods but there is only one secure and legal option - Microsoft Windows with Norton.

Re:Inb4 OS Slapfight (0)

Anonymous Coward | more than 2 years ago | (#37369966)

There's just no way a Windows server with Norton could be compromised in this manner.

A Windows server with Norton runs so slowly that you will probably upgrade to the next version of Windows before the malware completely installs, hence a clean system.

More Info, and Announcement Content (4, Informative)

LinuxScribe (158687) | more than 2 years ago | (#37368060)

A few more details of the breach, including the content of the message from the Linux Foundation, can be found on ITWorld [itworld.com] .

LinuxScribe

Re:More Info, and Announcement Content (1)

WindShadow (977308) | more than 2 years ago | (#37378108)

The information I really want to see is a statement clarifying this as either technical as in a failure of the security software somewhere, or administrative, as in someone left something open through error or poor security design choices.

It's important to know if this is a bug which is on all Linux systems, or someone made a human error.

Connection? (1)

CheShACat (999169) | more than 2 years ago | (#37368080)

First Kernel.org and now this? Has someone got it in for FLOSS at the moment?

Re:Connection? (1)

Nerdfest (867930) | more than 2 years ago | (#37368308)

No, someone would like unrestricted, undetected access to make 'modifications' to the most popular server OS.

Re:Connection? (1)

doublebackslash (702979) | more than 2 years ago | (#37369506)

Those are just public-facing servers, not the dev team's workflow boxes. However, even if they were, their source code management tool, git, exposes every change made by anyone for all time. It is simply the nature of git. Check it out if you want details. Even if they didn't use git, the maintainers and anyone with clean copies (pre-breach) can simply run a diff on the source code vs any new "untrusted" copy they may see.

Since they've made the breach public and the aforementioned steps to detect any modifications are trivial for anyone to perform (Linux is not mirrored on github, a public git repository and absolutely wonderful site) there is a very low risk to anyone and zero risk now.

I'm not going to stand on a soap-box here but I'll just say this: any decent company or organization that is the victim of an attack such as this should have procedures and systems in place that render it as harmless as this one. Think of the impact of this hack compared to others in the recent past and near future. It might provide a wonderful 'dos and don'ts' guide.
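The check described in the post above (diff a clean pre-breach copy against any untrusted copy) written out in code, as an added example that is not part of the post and not the kernel project's own tooling. Git names every blob by the SHA-1 of "blob <size>\0<content>", so a manifest of path to blob id recorded from a trusted checkout is enough to flag modified, added or removed files in any later copy without shipping the clean tree around. The two trees below are constructed in memory to stand in for checkouts; they are not kernel sources.

```python
"""Compare an untrusted source tree against a trusted manifest of git blob ids.

Added example; not code from the Linux Foundation or the kernel project.
"""
import hashlib
from typing import Dict, List


def git_blob_id(content: bytes) -> str:
    """Return the object id git assigns to a blob with this exact content."""
    header = b"blob %d\0" % len(content)
    return hashlib.sha1(header + content).hexdigest()


def tree_manifest(tree: Dict[str, bytes]) -> Dict[str, str]:
    """Map each path to its blob id; record this from a trusted (pre-breach) checkout."""
    return {path: git_blob_id(data) for path, data in tree.items()}


def compare_trees(trusted: Dict[str, str], untrusted: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Report paths in the untrusted tree whose content differs from the trusted manifest."""
    actual = tree_manifest(untrusted)
    return {
        "modified": sorted(p for p in trusted if p in actual and actual[p] != trusted[p]),
        "added": sorted(p for p in actual if p not in trusted),
        "removed": sorted(p for p in trusted if p not in actual),
    }


# Constructed sample trees (hypothetical paths and contents, not real kernel files).
TRUSTED_TREE = {
    "Makefile": b"VERSION = 3\nPATCHLEVEL = 1\n",
    "kernel/sys.c": b"long sys_getuid(void) { return current_uid(); }\n",
}
UNTRUSTED_TREE = {
    "Makefile": b"VERSION = 3\nPATCHLEVEL = 1\n",
    # One changed line is enough to change the blob id.
    "kernel/sys.c": b"long sys_getuid(void) { return 0; }\n",
    # A file the trusted manifest never listed shows up as added.
    "kernel/.hidden.o": b"\x7fELF",
}


if __name__ == "__main__":
    manifest = tree_manifest(TRUSTED_TREE)
    for kind, paths in compare_trees(manifest, UNTRUSTED_TREE).items():
        print(kind, paths)
```

The manifest is only as good as its source: record it from a checkout you trust, or from signed tags, and keep it off the host being checked. Because each git commit id also covers its tree and parent ids, a change anywhere in history changes every descendant commit id, which is why comparing HEAD ids between a clean mirror and a suspect one is a quick first test before diffing file by file.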

Mitigation plan? (0)

Anonymous Coward | more than 2 years ago | (#37372780)

The question is did they have one?

Now Linux system administrators are being asked to put their money where their mouth is, so to speak.
Personally, I wouldn't trust GIT or the developers. For example:

1. How many times have developers overwritten their work because of a severe mistake?

2. Can GIT seriously backtrack to a date prior to the supposed date the hack took place?

3. Are the developers and system administrators going to invest the time to check all the changes for all the kernels for at least 90 days?

Maybe you all trust Linux kernel source now. But I sure as hell don't.

I'm going back to an unpatched Slackware and old ass Ubuntu.

These losers need to upgrade to Windows! (0)

Anonymous Coward | more than 2 years ago | (#37368122)

FOSS FTL!

Pro-hacker when I want (-1)

Anonymous Coward | more than 2 years ago | (#37368164)

Why are they working with authorities in the United States and in Europe to assist with the investigation? I thought that Linux community was pro-hacker. Or they are pro-hacker only when hackers attack others? If hackers only had luck, as said previously, and did not harm, just leave them.

Re:Pro-hacker when I want (-1)

Anonymous Coward | more than 2 years ago | (#37368302)

They are not pro-hacker. They are leftard, also known as caviar leftists. All for liberties such as wrecking someone else's property, constantly moaning about the big bad corporations or the police state. As soon as they are mugged they scream for police and more security, and turn all conservative. Nothing to see here, folks.

Total Irony (1, Offtopic)

adosch (1397357) | more than 2 years ago | (#37368168)

I am not sure what is gained by breaking into, compromising and exploiting a foundation like The Linux Foundation when the perps were more than likely using a Linux driven OS and tools to do what they did. Seems like some need a re-education in not harming the hand that builds your house...

Re:Total Irony (0)

Anonymous Coward | more than 2 years ago | (#37368742)

Seems like someone needs a re-education about criminals, thieves, and bad guys in general. Giving someone a free OS does not turn that person into a free software advocate. It just means they have an OS now.

Re:Total Irony (1)

phoric (833867) | more than 2 years ago | (#37369146)

Follow the money. Who stands to gain from creating fear, uncertainty, and doubt surrounding Linux and its related organizations?

Re:Total Irony (1)

Anonymous Coward | more than 2 years ago | (#37369582)

Follow the money. Who stands to gain from creating fear, uncertainty, and doubt surrounding Linux and its related organizations?

Exactly! The folks at BeOS!!!!

Re:Total Irony (1)

PNutts (199112) | more than 2 years ago | (#37370018)

Follow the money. Who stands to gain from creating fear, uncertainty, and doubt surrounding Linux and its related organizations?

Exactly! The folks at BeOS!!!!

BeOtcheS. BeOtcheS love FUD.

linux security is a joke (-1)

Anonymous Coward | more than 2 years ago | (#37368172)

Ill be recommending all my clients dump Linux ASAP and migrate to a more secure Windows based system.

Re:linux security is a joke (1)

hcs_$reboot (1536101) | more than 2 years ago | (#37368728)

Breaches: Linux 1, Windows 2317
Still some margin...

Re:linux security is a joke (0)

Anonymous Coward | more than 2 years ago | (#37368972)

Linux 1? Have you heard about bug reports, patches, updates and that stuff on Linux?

Re:linux security is a joke (1)

PNutts (199112) | more than 2 years ago | (#37370068)

Breaches: Linux 1, Windows 2317

That's the problem. Complacency? Ignorance? Denial? Or just another bash on Windows?

Re:linux security is a joke (1)

hcs_$reboot (1536101) | more than 2 years ago | (#37370924)

That's the problem. Complacency? Ignorance? Denial? Or just another bash on Windows?

Bash on Linux, actually.

Re:linux security is a joke (1)

smash (1351) | more than 2 years ago | (#37369264)

No OS is secure. Take precautions. Having random members of the public from around the world with abilities to get shell access on your systems makes it hard.

Re:linux security is a joke (0)

Anonymous Coward | more than 2 years ago | (#37369748)

Same here! It's not worth the risk of using software that has opened its source so that every hacker out there can find its vulnerabilities. How do we know that Linux can be trusted? It's developed by a foreigner who could be a socialist like Wiki Leaks. We don't trust Catholics and their foreign masters so why do we trust Linux?

UNPOSSILE !! OPEN SORES RESULT IN ALL SECURE !! (-1)

Anonymous Coward | more than 2 years ago | (#37368306)

This is unpossible in the least, to say !! I dowt this people knows any thing on about this topic material at hand !! I holehardly belief this trick play on by Micro$haft !!

This wouldn't have happened with OpenBSD! (1)

Anonymous Coward | more than 2 years ago | (#37368372)

Having said that, reasonable people may conclude that the occasional security breach is an acceptable price to pay to avoid dealing with Theo. :-)

Re:This wouldn't have happened with OpenBSD! (0)

Anonymous Coward | more than 2 years ago | (#37370022)

... but dealing with Linus in order to avoid Theo? *rolls eyes*

This is the right way to do it (2)

Pop69 (700500) | more than 2 years ago | (#37368380)

Not like when a CA gets its webserver compromised, has a quick self audit and then declares everything is OK, really, honest....

Assume everything is compromised unless you can prove otherwise and get the staff in on overtime to reinstall from scratch.

Re:This is the right way to do it (0)

Anonymous Coward | more than 2 years ago | (#37370092)

I totally agree. They should get credit for being responsible.

Re:This is the right way to do it (0)

Anonymous Coward | more than 2 years ago | (#37372176)

Exactly what I came here to say.

Nothing is perfect. There is no shame in something going wrong from time to time. The shame is in denying it and not learning from it.
With the former, the server was untrustworthy for a time. With the latter, it will stay untrustworthy forever.

About the overtime: No. I want them to have slept well, eaten well, and generally be mentally and emotionally at their best level, when working on doing it better this time!
As a boss, I'd sell it positively: As a unique opportunity to learn and improve. And I'd offer rewards for improvements.
Kicking your employees' asses and punishing them only works for dumb and spineless people. I don't know about you, but I don't hire such people in the first place. ^^

hahahahah (0, Interesting)

Anonymous Coward | more than 2 years ago | (#37368394)

ahahahaha. And dozens more where that came from.

http://www.exploit-db.com/platform/?p=linux

I wonder what would happen if slashdot ran a front page story for every single linux security bug like they do for windows.

Re:hahahahah (0)

Anonymous Coward | more than 2 years ago | (#37370184)

Unfortunately, Linux security is pretty pathetic these days, especially when you compare it to some of the more secure closed source operating systems (not OS X or Windows). Remote vulnerabilities are far too common, and the number of privilege escalation exploits is downright shameful.

Re:hahahahah (1)

aztracker1 (702135) | more than 2 years ago | (#37370856)

They don't post every Windows security bug. There tend to be posts on automated exploits/worms/virii in the wild and major encroachments such as this. MS has a tendency, for better or worse, to patch security exploits in their regular release cycles, unless compromised by an automated exploit. MS has made some very poor security choices over the years in favor of their development cycles, and release schedules. Don't get me wrong, I happen to like a lot of things that have come out of MS, but that doesn't absolve them of anything.

Today, just about the most unforgivable sin is not using parameterized queries with database access. It still happens though, and there's lots of cruft code out here written by those who didn't know any better. I would suspect there's more than a handful of areas in systems that weren't truly given a thorough code security audit. It happens, the best you can do is fix what you find, and handle known exploits in the most transparent, and expedient way possible.

Something's not right.... (0)

Anonymous Coward | more than 2 years ago | (#37368456)

For years I've been told by /. trolls that Linux can't be hacked, only Windoze.

Re:Something's not right.... (0)

Anonymous Coward | more than 2 years ago | (#37369122)

For years you've misunderstood security. The most secure vault in all the world won't protect much if you leave the vault door wide open. If you're stupid enough to leave the door wide open and your valuables are compromised it says nothing about the relative security of the vault.

Re:Something's not right.... (0)

Anonymous Coward | more than 2 years ago | (#37370476)

For years you've misunderstood the trolls. Windows is bashed in every story regardless of the topic (Insecure by design). A Windows compromise is a Windows flaw. A Linux compromise is a "dumb user" to quote someone above. Linux is touted to the unwashed as bulletproof. Well, guess what? You're right for the wrong reason. All you can do is be fully patched, take precautions, and make good decisions. The exploits are everywhere.

Fedora just pushed a kernel update.. (0)

Anonymous Coward | more than 2 years ago | (#37368686)

Should I be concerned?

I hate how the software log viewer doesn't show any information other than the package names. A history with the release notes for each update would be MUCH more useful.

Breach on Linux=GASP! Breach on Win=meh (0)

Anonymous Coward | more than 2 years ago | (#37368690)

Really people? No one criticizes the Linux Foundation for leaking who knows what to hackers, but if it happened on a Windows site or machine, suddenly, that's just laughable. As if they 'deserved' it for running a Windows server.

Hypocrisy at its finest.

You don't get it. (1)

Anonymous Coward | more than 2 years ago | (#37369090)

You don't get it. The difference is Microsoft is a giant multi-billion dollar corporate machine with an insane marketing and advertising arm that helps them get into places that Linux simply can't because of lack of finances. If a well-funded corporation slips up it's schadenfreude because 'even with all that' they still couldn't get it right. While Linux enjoys SOME corporate backing, it's still largely a labour of love by independent developers. Most people side with the little guy. ;-)


Re:You don't get it. (1)

cavreader (1903280) | more than 2 years ago | (#37370274)

Linux enjoys more than SOME corporate backing. Look at the sheer number of web servers and all of the Linux derived operating systems currently being used in the mobile device market and you will see quite a few big corporations supporting the platform even if they don't distribute their applications or make their changes available to the OS community. Your little guy labor of love argument disappeared about 10 years ago.

Re:You don't get it. (0)

Anonymous Coward | more than 2 years ago | (#37370944)

Yeah people use linux, but how many pay for its development (other than a few main projects like the kernel)? I was talking about the development part. The development of the vast majority of tools that come with a typical desktop linux distro is done by developers for free.

Re:You don't get it. (0)

Anonymous Coward | more than 2 years ago | (#37371356)

Nope. Basically everything that's not complete garbage is developed and maintained by Redhat, SUSE, IBM, Google etc.

Re:You don't get it. (1)

kiwimate (458274) | more than 2 years ago | (#37372238)

I think you're the one who doesn't get it. Linux is ubiquitous, and has been for several years, in the enterprise server world. Granted, the post you responded to was a bit of a troll, but you've missed an important point.

You can bark all you like about the marketing strength of Microsoft, but the CSO doesn't much care about marketing if the FBI comes visiting because you just self reported a hack and your company is an enormous financial institution, has millions of health records on file, or is part of the critical infrastructure.

Whatever the reality of who is behind Linux, the end user isn't going to be swayed by an argument that boils down to "people shouldn't hack us because, wow, golly gee, Linux is the show we can put on in our own back yard, mister". And all the arguments about costs aren't that strong; the licensing costs are obviously in favor of Linux, but the support costs are usually about the same between deploying Microsoft and deploying Red Hat.

I know it's conventional on Slashdot to run down the stereotypical technically illiterate bean counter with an MBA, but my experience has been that most companies have fairly hard nosed and at least somewhat technically astute people in positions of responsibility. They may not understand the ins and outs of SQL injection, but they are going to be less than receptive to the argument that "people won't hack us on Linux; it'd be rude".

SSH Keys Compromised? (1)

swillden (191260) | more than 2 years ago | (#37368790)

How could an attacker getting hold of the public key "compromise" anything? It doesn't contain any personal information, and -- barring an earth-shattering breakthrough in cryptanalysis of RSA (or DSA, if you chose a DSA key pair) -- it can't be used to gain access to anything, not even the system it was stolen from.

That's the whole point of using asymmetric cryptography for authentication!

Re:SSH Keys Compromised? (1)

smash (1351) | more than 2 years ago | (#37369272)

You're assuming only public keys were compromised. If they had private keys enabling login to other hosts stored on said systems (yes, retarded, but...) then those keys are compromised.

Re:SSH Keys Compromised? (1)

swillden (191260) | more than 2 years ago | (#37372126)

You're assuming only public keys were compromised. If they had private keys enabling login to other hosts stored on said systems (yes, retarded, but...) then those keys are compromised.

A little more than retarded... in order for someone to do that they'd have to have never heard of ssh-agent.

Re:SSH Keys Compromised? (1)

Antique Geekmeister (740220) | more than 2 years ago | (#37373912)

ssh-agent leaves an active and unlocked ssh-key available on the relevant server. Many of my colleagues refuse to run their ssh-agent as part of their own personal host's working environment, and prefer to host them on their most used server, despite my warnings. Others find ssh-agent burdensome and simply use passphrase-free keys, and there is not yet any graceful way to prevent that except to audit for them on the client hosts, which is awkward and intrusive.
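The client-side audit the post above calls awkward, together with the earlier point in this subthread that a public key held on the breached server is not a secret, as an added example that is neither OpenSSH's code nor the Linux Foundation's. It classifies key text in the two private-key formats OpenSSH writes: the openssh-key-v1 container (whose header records the cipher used to wrap the key, with "none" meaning no passphrase) and legacy PEM (where a Proc-Type: 4,ENCRYPTED header marks an encrypted key). Public keys and authorized_keys entries come back as "public". The sample files are constructed: the openssh-key-v1 blobs carry only the header fields this check reads and contain no real key material, and the base64 bodies elsewhere are placeholders.

```python
"""Flag passphrase-free SSH private keys; treat public keys as harmless.

Added example; not a tool from OpenSSH or the Linux Foundation.
"""
import base64
import struct
from typing import Dict, List, Tuple

OPENSSH_MAGIC = b"openssh-key-v1\0"
PUBLIC_KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
                    "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")


def _ssh_string(data: bytes) -> bytes:
    """Encode an SSH wire-format string: uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def _read_ssh_string(buf: bytes, offset: int) -> Tuple[bytes, int]:
    """Decode one SSH wire-format string at offset; return (value, next offset)."""
    (length,) = struct.unpack(">I", buf[offset:offset + 4])
    start = offset + 4
    return buf[start:start + length], start + length


def openssh_v1_cipher(body_b64: str) -> str:
    """Return the ciphername field of an openssh-key-v1 blob ("none" = no passphrase)."""
    blob = base64.b64decode(body_b64)
    if not blob.startswith(OPENSSH_MAGIC):
        raise ValueError("not an openssh-key-v1 blob")
    cipher, _ = _read_ssh_string(blob, len(OPENSSH_MAGIC))
    return cipher.decode("ascii")


def classify_key_text(text: str) -> str:
    """One of: 'public', 'private-encrypted', 'private-plaintext', 'unknown'."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines:
        return "unknown"
    first = lines[0]
    if first == "-----BEGIN OPENSSH PRIVATE KEY-----":
        body = "".join(ln for ln in lines[1:] if not ln.startswith("-----"))
        return "private-plaintext" if openssh_v1_cipher(body) == "none" else "private-encrypted"
    if first.startswith("-----BEGIN ") and "PRIVATE KEY-----" in first:
        if "ENCRYPTED PRIVATE KEY" in first:  # PKCS#8 encrypted container
            return "private-encrypted"
        if any(ln.startswith("Proc-Type:") and "ENCRYPTED" in ln for ln in lines[1:]):
            return "private-encrypted"       # legacy PEM wrapped with DEK-Info
        return "private-plaintext"
    if any(tok in PUBLIC_KEY_TYPES for tok in first.split()):
        return "public"                      # .pub file or authorized_keys entry
    return "unknown"


def audit_keys(files: Dict[str, str]) -> Dict[str, str]:
    return {path: classify_key_text(text) for path, text in files.items()}


def passphrase_free_keys(files: Dict[str, str]) -> List[str]:
    return sorted(p for p, kind in audit_keys(files).items() if kind == "private-plaintext")


def _constructed_openssh_v1(cipher: str, kdf: str) -> str:
    """Build a header-only openssh-key-v1 blob for the sample; no real key inside."""
    blob = (OPENSSH_MAGIC + _ssh_string(cipher.encode()) + _ssh_string(kdf.encode())
            + _ssh_string(b"") + struct.pack(">I", 1)
            + _ssh_string(b"constructed-pub") + _ssh_string(b"constructed-priv"))
    body = base64.b64encode(blob).decode()
    return "-----BEGIN OPENSSH PRIVATE KEY-----\n%s\n-----END OPENSSH PRIVATE KEY-----\n" % body


PLACEHOLDER = "Q09OU1RSVUNURUQ="  # base64 of "CONSTRUCTED"; stands in for key bodies
SAMPLE_FILES = {
    "id_ed25519": _constructed_openssh_v1("none", "none"),
    "id_ed25519_work": _constructed_openssh_v1("aes256-ctr", "bcrypt"),
    "id_rsa_legacy": "-----BEGIN RSA PRIVATE KEY-----\n%s\n-----END RSA PRIVATE KEY-----\n" % PLACEHOLDER,
    "id_rsa_legacy_enc": ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                          "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\n"
                          "%s\n-----END RSA PRIVATE KEY-----\n" % PLACEHOLDER),
    "id_ed25519.pub": "ssh-ed25519 %s dev@example" % PLACEHOLDER,
    "authorized_keys": 'from="10.0.0.0/8" ssh-rsa %s dev@example' % PLACEHOLDER,
}

if __name__ == "__main__":
    for path, kind in sorted(audit_keys(SAMPLE_FILES).items()):
        print("%-20s %s" % (path, kind))
    print("passphrase-free:", passphrase_free_keys(SAMPLE_FILES))
```

Run over a real ~/.ssh the check reads files rather than this dict; only the first few hundred bytes of each private key are needed, since the cipher name sits right after the magic. A key reported as "public" is what a site like the one breached here would have held in authorized_keys: it identifies you but cannot authenticate as you. What the advisory is right to worry about is the other direction: a private key that was on the server, or agent forwarding into a compromised host.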

Hardware??? (0)

Anonymous Coward | more than 2 years ago | (#37368808)

I hope they are using all new hardware too! Hardware rootkits, though unlikely, are too great a risk for something so critical.

corporate espionage? (0)

Anonymous Coward | more than 2 years ago | (#37369104)

Just some speculation, but I haven't seen anyone talking about the elephant in the room: Just who would stand to profit from manufacturing FUD surrounding Linux as a result of security breaches? A large software company comes to mind, one that happens to have a very outspoken hatred of free software.

Re:corporate espionage? (1)

smash (1351) | more than 2 years ago | (#37369286)

...And, here's your hat.

Microsoft doesn't need to resort to this sort of thing to demonstrably kick linux's arse in the market place (i've been waiting for year of the linux / unix desktop since 1995).

More likely, it's some random spammer / organised crime group looking for either a well connected site to launch DDOS from, or to insert malware into the linux kernel for spambot purposes.

Or a script kiddie doing it for bragging rights.

The Joker In The Deck (1)

westlake (615356) | more than 2 years ago | (#37369328)

I haven't seen anyone talking about the elephant in the room: Just who would stand to profit from manufacturing FUD surrounding Linux as a result of security breaches?

Alfred Pennyworth: A long time ago, I was in Burma...working for the local government. ... One day I saw a child playing with a ruby the size of a tangerine. The bandit had been throwing them away.

Bruce Wayne: Then why steal them?

Alfred Pennyworth: Because he thought it was good sport. Because some men aren't looking for anything logical, like money. They can't be bought, bullied, reasoned or negotiated with. Some men just want to watch the world burn.

Security? (0)

Anonymous Coward | more than 2 years ago | (#37369482)

Some of these open source people should really put some work in to the security side of this linux thing.

ssh keys compromised? (1)

madbavarian (1316065) | more than 2 years ago | (#37369832)

"you should consider the passwords and SSH keys that you have used on these sites compromised."

How the heck can ssh keys be compromised by this breakin? Doesn't the site just have access to the developer's public key? With a sufficiently large ssh key (say 1k or 2k) how is anyone going to derive the ssh private key from the public key? The fact that it is effectively impossible is supposed to be the whole point of public key encryption.

OMG OMG (0)

Anonymous Coward | more than 2 years ago | (#37374632)

OMG OMG so Linux is not secure? Oooppps!

Thus hacks Zarathustra (0)

Anonymous Coward | more than 2 years ago | (#37374728)

In London horse bureaus betting already started that the Linux.com perpetrator is the Iranian IchSunX2 aka. the "1000 talent" hacker of Comodo fame, it now stands at 1:2.5. It is of regret to note that bets quickly fell to 1:7 regarding his longevity beyond the end of 2011, after he openly threatened Israel in the latest Pastebin rant on Friday.

(You can bet money on everything in London, not just horse races, but the number of Raspberries which Emmerich will win next time or the number of days the newly appointed Japanese PM spends in office before stepping down, etc.)

a sure sign (0)

Anonymous Coward | more than 2 years ago | (#37386748)

linux is mainstream
