Linux B-day celebrations rattled by break-in

Sep 04, 2011 by Nancy Owano report

(PhysOrg.com) -- Just days after celebrations marking the 20th birthday of Linux, the operating system revered around the globe as a rock-solid open source triumph, news surfaced that key servers used to maintain and distribute the operating system were hacked. Malware had gained root access. System software had been modified. The attack was confirmed in a note on Wednesday, August 28, posted on the Linux Kernel Archives, www.kernel.org, the main distribution site for the Linux kernel. Though discovered on the 28th, the security breach may have taken place some time before, possibly no later than August 12. By Sunday, the 28th, it was obvious to admins of the web site that things had gone wrong. Files belonging to ssh (openssh, openssh-server and openssh-clients) were modified. A trojan startup file had been added to startup scripts.

The initially gained root access on a server called hera, and compromising other servers. The administrators think they may have slipped in with a compromised user account. In an e-mail to kernel.org users, chief administrator John "Warthog" Hawley indicated he was definitely not in a party mood. The subject line: Master back-end break-in. "Afternoon everyone," he wrote, "as you can guess from the subject line, I've not had what many would consider a 'good' day." He said that a had been discovered and he named "some boxes" on kernel.org that had been hit.

With the news of such a break-in, it might easily appear as if the event spells calamity, as this is all about a break-in at a hosting site for source code, and for an operating system that runs the engines of banks, businesses, and governments. What could be worse news than this? In fact, because this is Linux, the August break-in, while unwelcome, rattling, and burdensome, appears to have also given Linux keepers the opportunity to remind the world that its construct has built-in safeguards.

The strength of Linux, admins quickly pointed out, lies in its change-tracking system, where a secure hash of each of 40,000 files hosted on the site makes signs of tampering transparent. The hashes are stored on multiple servers. On confirmation of the break-in on the 28th, each of the site's 448 users was told to change their passwords and Secure Shell keys. Boxes were promptly taken off-line and re-installs were set in motion. Authorities in the U.S. and Europe were notified and asked to help in the investigation.

Source code does not appear to have been altered, according to the kernel maintainers, but the posting stated the administrators were doing an analysis to confirm that nothing has been modified.
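
The tamper check described above (a secure hash per file, with the hash lists held on more than one server), sketched as an added example that is not kernel.org's own tooling. SHA-256, the majority vote, and the server and file names are assumptions made for illustration.

```python
import hashlib
from collections import Counter


def digest(data: bytes) -> str:
    """Secure hash of one file's contents (SHA-256 is this example's choice)."""
    return hashlib.sha256(data).hexdigest()


def trusted_manifest(replicas: dict) -> tuple:
    """Merge the hash lists held on separate servers by strict majority vote.

    Returns (trusted, suspects, unverifiable). A server whose entry loses the
    vote is itself suspect: root on one box lets an intruder rewrite that
    box's hash list, but not the copies stored elsewhere.
    """
    trusted, suspects, unverifiable = {}, set(), set()
    paths = set().union(*(m.keys() for m in replicas.values()))
    for path in sorted(paths):
        votes = Counter(m.get(path) for m in replicas.values())
        value, count = votes.most_common(1)[0]
        if count * 2 <= len(replicas):
            unverifiable.add(path)  # no majority, so no copy can be trusted
            continue
        if value is not None:  # None means the majority does not list the path
            trusted[path] = value
        suspects |= {n for n, m in replicas.items() if m.get(path) != value}
    return trusted, suspects, unverifiable


def audit(served: dict, replicas: dict) -> dict:
    """Compare the files actually being served with the agreed hash list."""
    trusted, suspects, unverifiable = trusted_manifest(replicas)
    actual = {p: digest(d) for p, d in served.items()}
    return {
        "modified": sorted(p for p in trusted if p in actual and actual[p] != trusted[p]),
        "added": sorted(p for p in actual if p not in trusted and p not in unverifiable),
        "missing": sorted(p for p in trusted if p not in actual),
        "suspect_servers": sorted(suspects),
        "unverifiable": sorted(unverifiable),
    }


def demo() -> dict:
    """Constructed sample: three hypothetical servers, one of them compromised."""
    clean = {
        "linux/Makefile": b"VERSION = 3\n",
        "linux/init/main.c": b"/* original */\n",
    }
    good = {p: digest(d) for p, d in clean.items()}
    # What the compromised box now serves: one changed file, one extra file.
    served = dict(clean)
    served["linux/init/main.c"] = b"/* altered */\n"
    served["linux/scripts/startup.sh"] = b"# unexpected file\n"
    # The intruder also regenerated the hash list stored on that same box.
    rewritten = {p: digest(d) for p, d in served.items()}
    replicas = {"server-a": good, "server-b": good, "server-c": rewritten}
    return audit(served, replicas)


if __name__ == "__main__":
    for finding, items in demo().items():
        print(f"{finding}: {items}")
```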

More information: www.kernel.org/


User comments : 30


Vendicar_Decarian
1.4 / 5 (27) Sep 04, 2011
The LinTard OS continues its spectacular history of failure.
TheQuietMan
4.3 / 5 (10) Sep 04, 2011
The LinTard OS continues its spectacular history of failure.

I find that statement incredibly juvenile.

Surely you aren't under the impression there is an unbreakable system or OS?

Fact is, Linux is one of the most stable and secure out there, bar none. Perfection does not exist however.

I remember using a chat room set up by a university that lasted many years without a single reboot. It was funny actually, the computer clock would drift off many hours before someone who knew the admin could get into contact to have it reset.

It is known and accepted that part of Linux security is the fact that it is a fraction over 1% of the OSes out there. Another aspect is it probably gets better tech support from the Linux community (because it is open source) than Windows, but ironically it also makes it more vulnerable.
DGBEACH
4.7 / 5 (6) Sep 04, 2011
"an operating system that runs the engines of banks, businesses, and governments"...you call THAT a failure?
"The strength of Linux, admins quickly pointed out, lies in its change-tracking system, where a secure hash of each of 40,000 files hosted on the site makes signs of tampering transparent" I'm sure that Sony Corp wishes they had been using a Linux OS on their servers!
Eikka
1.5 / 5 (8) Sep 04, 2011

It is known and accepted that part of Linux security is the fact that it is a fraction over 1% of the OSes out there.


Ironically, Linux's main mode of security is obscurity. Every instance of Linux running in banks and supermarkets and embedded devices is different, and so breaking in to them depends on you knowing what exactly was put in there and how.

In reality every installation of Linux is something of a custom botch-job and has security holes up the wazoo. The whole thing is so complicated and has so many moving parts, alternative parts that are so poorly documented that you can't really implement it perfectly. The number of possible problems that you can evoke by choosing this network manager over that network manager over this version of that network manager is astronomical. It's like having sex: sometimes the kid turns out to be a retard

The thing that keeps it safe is the fact that nobody else knows what choices you made. There's no patent solution for breaking in
Noumenon
4.6 / 5 (52) Sep 04, 2011
Don't mind Vendicar, he is a well known internet troll/idiot.

He once claimed that PC's would need a maximum of 200mb of ram. He has called the programming language C an "abortion" and a "sick religion", and intimated it was a dying language.
Vendicar_Decarian
1.7 / 5 (12) Sep 04, 2011
"He once claimed that PC's would need a maximum of 200mb of ram." - NoumenTard

Actually, I said that PC's (IBM PC's) would never have a need for Gigabytes of RAM.

And they never did. The IBM PC era is over and even with Windows Vista the average desktop computer at that time had less than 1 gigabyte of RAM installed.

We are now in a multicore era with 64 bit CPU's that can support more than the 4 gigabyte limit of the earlier Pentium class and below CPU's, and even today most machines have less than 2 gigabytes of RAM installed.

That will continue to change slowly.
Vendicar_Decarian
1.6 / 5 (13) Sep 04, 2011
"He has called the programming language C an "abortion" and a "sick religion", and intimated it was a dying language." - NoumenTard

C remains an abortion and is pretty much dead as a language. C has some life left in it but its popularity is rapidly declining as well.

Both languages remain Abortions that are responsible for over 90 percent of the security exploits used to compromise computers.

Click on a GIF image and have a virus installed on your computer. You can thank C and C and the sick followers of those programming religions for that kind of nonsense.

Vendicar_Decarian
1.9 / 5 (12) Sep 04, 2011
"Fact is, Linux is one of the most stable and secure out there, bar none" - QuietMan

The LinTard OS certainly has improved over the years, and people have managed to hack it into all kinds of operating environments that used to run Unix.

But let's face it, Linux is Unix and the history of Unix is that it eats its own rather than gain market share.

Linux is like that. Growing only by eating Unix installs.

If you like command line driven junk, You will love Linux.
Vendicar_Decarian
1.8 / 5 (10) Sep 04, 2011
"I'm sure that Sony Corp wishes they had been using a Linux OS on their servers!" - DGE

Sony's servers were running Linux, Tard Boy.

SONY Play Station Network was running on unpatched Apache server with no firewall

http://www.linuxt...39NWHWSW

scramjetter
5 / 5 (3) Sep 04, 2011
"The administrators think they may have slipped in with a compromised user account."

It appears the attack did not exploit a vulnerability of the OS. This is a case of an administrative account being hacked and we all know that it can happen to any user based software system. The solution is obviously to implement tighter user security protocols around the repository.
Ensa
4.6 / 5 (8) Sep 04, 2011
I rarely criticise others' posts on this forum, however here I feel it would be negligent not to.
Ironically, Linux's main mode of security is obscurity.

The opposite is true. Linux is an example of a solid system that does not rely on security through obscurity.

In reality every installation of Linux is something of a custom botch-job and has security holes up the wazoo. The whole thing is so complicated and has so many moving parts, alternative parts that are so poorly documented that you can't really implement it perfectly.

Again, the opposite is true. Seldom have I read a statement so bizarrely untrue.

The number of possible problems that you can evoke by choosing this network manager over that network manager over this version of that network manager is astronomical.

Linux networking is one of the best documented and simple out there. It has to be to be as secure as it is. The best practices are well understood... TBH I think this poster must be trolling.
LuckyBrandon
1 / 5 (2) Sep 04, 2011
@thequietman - you are mistaken, linux is not the most secure out there...i do agree 100% with you though that no OS is truly secure (especially considering the hardware itself that the OS runs on could potentially be compromised).
unix flavors, much like apple flavors, simply aren't the majority and have enjoyed that status for 20 years, so aren't attacked as often.

@Ensa-oh man i don't know where to start with that..linux is entirely non-dynamic by comparison to other server systems on the market. it and all unix flavors at best follow RFC guidelines, which is good and all, but they don't go beyond that as some other vendors do (granted, being open source you yourself can take it beyond that). take kerberos for instance...is it capable, sure, but it's chock-full of manual interaction unless you code an app to streamline it (been there, done that).
Etreum
4.2 / 5 (5) Sep 04, 2011
I'm no computer expert, I used Windows and Linux (Ubuntu), and let me tell you, I have no problems with Linux, no malware, no crashes, no defragmenting, no weird things, no problems. And it is free. I'm happy with Linux.
Ensa
4 / 5 (3) Sep 04, 2011
@LuckyBrandon - I too have worked with many systems over the last 30 years. My point is not to big-up linux, it is what it is.
I just had to refute those particular statements as being completely untrue. I mean gob-smackingly untrue.
Sure there are insecure implementations, but generally the more insecure they are the more they deviate from the known - very well known, secure implementations.
With security in OS's, transparency and clarity is very important. You just cannot afford to have unknowns and ambiguous standards/protocols - these are the main dangers. Linux does not suffer from these.
I cannot talk about the pros and cons of various distros, some are a mess, especially the popular ones, though they serve a purpose. I won't touch Ubuntu in any kind of critical situation for example.
But secure is secure. Bottom line. A truly secure system is compiled from audited source and well maintained.
Even some of the hardened Slackware systems I know are as secure as an OS gets.
hard2grep
not rated yet Sep 04, 2011
wow, someone finally hacked Linux.
Eikka
2 / 5 (4) Sep 04, 2011

But secure is secure. Bottom line. A truly secure system is compiled from audited source and well maintained.
Even some of the hardened Slackware systems I know are as secure as an OS gets.


Very few actually bother, because it requires a level of experience and competence with the OS that is missing with the majority of people who do use it.

The result is, that wherever Linux gets used in schools or business, some self-titled "expert" pretends to know what they're doing and the end result is a mess. It's cheaper and faster that way.

And what else can you expect from an operating system where the main mode of business is to ship an incomplete, unassembled system in order to sell commercial support for it.
YawningDog
4.4 / 5 (7) Sep 04, 2011
"The LinTard OS continues its spectacular history of failure."

Sounds like Bill Gates trolling as "Vendicar Decarian".
Ensa
4 / 5 (3) Sep 04, 2011
@Eikka - too often what you say is true, but don't confuse the operating system with the practice of some commercial distros. They are not the same thing at all. Linux does not have this 'mode of business' you mention. This article is about linux so that is what I am talking about.

Well - I am done ranting.
Until next time.

:)

http://xkcd.com/932/

Aphexcoil
4 / 5 (6) Sep 04, 2011
Vendicar_Decarian,

Your posts are ridiculous. If you have something meaningful to contribute, then do so. Otherwise, save your trolling for a group of people who might fall for it.
Vendicar_Decarian
1.4 / 5 (7) Sep 04, 2011
I look forward to seeing the next 20 years of continued Linux failure.
Eikka
2.5 / 5 (2) Sep 05, 2011
@Eikka - too often what you say is true, but don't confuse the operating system with the practice of some commercial distros. They are not the same thing at all. Linux does not have this 'mode of business' you mention. This article is about linux so that is what I am talking about.


Most of the development going into Linux(es), as in the whole OS and not just the kernel, is actually business to business based work. There's only about 20% independent "free" development left in the whole structure.

The businesses either do the developing for their own purposes, in which case they have in-house knowledge of how it works and so they don't need to make it easy - in fact that's just a bonus; the stuff is too obscure for your competitors to easily adopt.

Or, they are developing the thing for a customer, in which case they have an incentive to make it difficult and incomplete so they could sell more support contracts.

That's the only way to make money off of Linux.
Vendicar_Decarian
2 / 5 (4) Sep 05, 2011
The advantage of Linux of course is that it is free. If anyone actually had to pay for the garbage OS, it would never have seen the light of day. As it stands, because it is free, people just hold their nose and use it.

It is a shame really that the LinTards chose to recreate every failure of the perpetual failure that was the Unix OS, which couldn't even compete against DOS.

kochevnik
5 / 5 (1) Sep 05, 2011
@Noumenon He has called the programming language C an "abortion" and a "sick religion", and intimated it was a dying language.
C IS a dying language among humans. It's the assembly language of the 21st century.
If anyone actually had to pay for the garbage OS, it would never have seen the light of day.
Linux isn't an OS, but just the kernel usually bundled with GNU code for the OS.
Vendicar_Decarian
2.3 / 5 (3) Sep 05, 2011
"C IS a dying language among humans. It's the assembly language of the 21st century." - Koch

Is that why Java is more popular than C?

http://www.tiobe....dex.html

"Linux isn't an OS" - Koch

You've got that right.
LuckyBrandon
1 / 5 (1) Sep 05, 2011
@Ensa - I got what you were saying :) All I was saying was given even a choice of Mac server version or Linux, I'd probably choose the Mac (Windows would win hands down EVERYTIME though), just because the operation of UNIX flavors is extensively limited (again, I refer to my Kerberos example, which is a big part of my day to day job).

I know a lot of you folks just love your UNIX flavors, but in all seriousness, if you sit down and look at them, although Windows has to be paid for, there is MUCH more bang for the buck in all scenarios. For security, hell, free PKI, no additional license necessary...not to mention EFS, BitLocker (whole disk encryption), NTFS/Share security (although someone knowledgeable enough can bypass this), etc. etc. etc.
What do UNIX flavors have...the PAM and other iterations of it (depending on the version)...a MANUALLY configured KRB5.conf file adding MUCH pain into any kind of kerberos realm/domain rollout....the lack of a dynamic nature alone is enough...
kochevnik
not rated yet Sep 05, 2011
@LuckyBrandon free PKI, no additional license necessary...not to mention EFS, BitLocker (whole disk encryption), NTFS/Share security (although someone knowledgeable enough can bypass this), etc. etc. etc.
Free PKI is even freer on *NIX, because you get the source code alongside. How is windoze PKI "free" when you pay for it? NTFS insecurity model is re-implemented by *NIX ACLs, which come in both POSIX and NTFS-style flavors. Whole disk encryption is available with linux LUK and BSD geli layers, as well as the superior opensource truecrypt. http://ivoras.net...sd9.html
Vendicar_Decarian
2.3 / 5 (3) Sep 05, 2011
Ya, Linux has one of everything. But it's all just command line driven crap, or graphical front ends that hide the command line driven crap by typing it for you behind the scenes.

Filth.

kochevnik
not rated yet Sep 05, 2011
Ya, Linux has one of everything. But it's all just command line driven crap, or graphical front ends that hide the command line driven crap by typing it for you behind the scenes.
Um, AFAIK those are the only productivity interfaces ever commoditized, alongside a smattering of secondlife. Granted the written [typed] word leaves a lot to be desired, but it has the advantage of being hard-wired into both user and computer. Probably quantum computers will usher in a new interface, like a hall of mirrors audio-feedback fractal explorer or quantum consciousness entangler. But after humanity nukes itself the few plucky survivors will probably rely on some *NIX cds to hack their way back to civilization. After all windows is a monolithic heap of stolen CPM/*NIX code and the Mac is running BSD under the hood.
Vendicar_Decarian
2.3 / 5 (3) Sep 06, 2011
Skynet doesn't use a text interface to communicate between applications, and Skynet isn't held together with a spaghetti of scripts.

Long live Skynet
LuckyBrandon
1 / 5 (1) Sep 24, 2011
Free PKI is even freer on *NIX, because you get the source code alongside. How is windoze PKI "free" when you pay for it? NTFS insecurity model is re-implemented by *NIX ACLs, which come in both POSIX and NTFS-style flavors. Whole disk encryption is available with linux LUK and BSD geli layers, as well as the superior opensource truecrypt. http://ivoras.net...sd9.html


You don't pay for PKI, it's a free service on top that can issue millions of certificates from a single server without tanking it with no CALs necessary. This DOES include issuance to non-microsoft operating systems.
