Linux B-day celebrations rattled by break-in


(PhysOrg.com) -- Just days after celebrations marking the 20th birthday of Linux, the operating system revered around the globe as a rock-solid open source triumph, news surfaced that key servers used to maintain and distribute the operating system were hacked. Malware had gained root access. System software had been modified. The attack was confirmed in a note on Wednesday, August 28, posted on the Linux Kernel Archives site, www.kernel.org, the main distribution site for the Linux kernel. Though discovered on the 28th, the security breach possibly took place some time before, possibly no later than August 12. By Sunday, the 28th, it was obvious to admins of the web site that things had gone wrong. Files belonging to ssh (openssh, openssh-server and openssh-clients) were modified. A trojan startup file had been added to startup scripts.

The intruders initially gained root access on a server called hera, and went on to compromise other servers. The administrators think they may have slipped in with a compromised user account. In an e-mail to kernel.org users, chief administrator John "Warthog" Hawley indicated he was definitely not in a party mood. The subject line: Master back-end break-in. "Afternoon everyone," he wrote, "as you can guess from the subject line, I've not had what many would consider a 'good' day." He said that a trojan had been discovered and he named "some boxes" on kernel.org that had been hit.

With the news of such a break-in, it might easily appear as if the event spells calamity, as this is all about a break-in of a hosting site of source code, and for an operating system that runs the engines of banks, businesses, and governments. What could be worse news than this? In fact, being Linux signifies that the August break-in, while unwelcome, rattling, and burdensome, appears to have also given Linux keepers the opportunity to remind the world that its construct has built-in safeguards.

The strength of Linux, admins quickly pointed out, lies in its change-tracking system, where a secure hash of each of 40,000 files hosted on the site makes signs of tampering transparent. The hashes are stored in multiple servers. On confirmation of the break-in on the 28th, each of the site's 448 users was told to change their passwords and Secure Shell keys. Boxes were promptly taken off-line and re-installs were set in motion. Authorities in the U.S. and Europe were notified and asked to help in the investigation.

Source code does not appear to have been altered, according to the kernel maintainers, but the posting stated the administrators were doing an analysis to confirm that nothing has been modified.
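
The safeguard described above, per-file hashes held on several servers, can be sketched as follows. This is an added example, not kernel.org's tooling: SHA-256, the server names, the sample files and the majority rule for choosing which copy of the hash list to trust are all assumptions made for illustration.

```python
import hashlib
import tempfile
from collections import Counter
from pathlib import Path


def build_manifest(root):
    """Map each file's relative path to the SHA-256 of its contents."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(Path(root).rglob("*")) if p.is_file()}


def trusted_manifest(replicas):
    """Return (manifest a strict majority of servers hold, dissenting servers)."""
    # A rooted server can rewrite its own copy, so no single replica is trusted.
    prints = {name: tuple(sorted(m.items())) for name, m in replicas.items()}
    winner, votes = Counter(prints.values()).most_common(1)[0]
    if votes * 2 <= len(replicas):
        raise ValueError("no majority among manifest replicas")
    return dict(winner), sorted(n for n, f in prints.items() if f != winner)


def diff_manifest(trusted, current):
    """Classify paths as modified, added or removed relative to `trusted`."""
    return {
        "modified": sorted(p for p in trusted if current.get(p, trusted[p]) != trusted[p]),
        "added": sorted(set(current) - set(trusted)),
        "removed": sorted(set(trusted) - set(current)),
    }


def demo():
    """Constructed scenario: files change on disk and one replica disagrees."""
    with tempfile.TemporaryDirectory() as tmp:
        tree = Path(tmp)
        (tree / "sbin").mkdir()
        (tree / "sbin" / "sshd").write_bytes(b"original build\n")
        (tree / "README").write_bytes(b"archive readme\n")
        good = build_manifest(tree)
        # Simulated tampering; server-c is the host that re-hashed its own tree.
        (tree / "sbin" / "sshd").write_bytes(b"modified build\n")
        (tree / "rc.local").write_bytes(b"added startup entry\n")
        current = build_manifest(tree)
        replicas = {"server-a": good, "server-b": good, "server-c": current}
        trusted, dissent = trusted_manifest(replicas)
        return diff_manifest(trusted, current), dissent


if __name__ == "__main__":
    print(demo())
```

The comparison only means something when the trusted hash list comes from hosts the intruder did not control, which is why the copies on other servers matter more than the one on the affected box.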



More information: www.kernel.org/

© 2011 PhysOrg.com

Citation: Linux B-day celebrations rattled by break-in (2011, September 4) retrieved 20 August 2019 from https://phys.org/news/2011-09-linux-b-day-celebrations-rattled-break-in.html

User comments

Sep 04, 2011
The LinTard OS continues its spectacular history of failure.

I find that statement incredibly juvenile.

Surely you aren't under the impression there is an unbreakable system or OS?

Fact is, Linux is one of the most stable and secure out there, bar none. Perfection does not exist however.

I remember using a chat room set up by a university that lasted many years without a single reboot. It was funny actually, the computer clock would drift off many hours before someone who knew the admin could get into contact to have it reset.

It is known and accepted that part of Linux security is the fact that it is a fraction over 1% of the OSes out there. Another aspect is it probably gets better tech support from the Linux community (because it is open source) than Windows, but ironically it also makes it more vulnerable.

Sep 04, 2011
"an operating system that runs the engines of banks, businesses, and governments"...you call THAT a failure?
"The strength of Linux, admins quickly pointed out, lies in its change-tracking system, where a secure hash of each of 40,000 files hosted on the site makes signs of tampering transparent" I'm sure that Sony Corp wishes they had been using a Linux OS on their servers!

Sep 04, 2011

It is known and accepted that part of Linux security is the fact that it is a fraction over 1% of the OSes out there.


Ironically, Linux's main mode of security is obscurity. Every instance of Linux running in banks and supermarkets and embedded devices is different, and so breaking in to them depends on you knowing what exactly was put in there and how.

In reality every installation of Linux is something of a custom botch-job and has security holes up the wazoo. The whole thing is so complicated and has so many moving parts, alternative parts that are so poorly documented that you can't really implement it perfectly. The number of possible problems that you can evoke by choosing this network manager over that network manager over this version of that network manager is astronomical. It's like having sex: sometimes the kid turns out to be a retard

The thing that keeps it safe is the fact that nobody else knows what choices you made. There's no patent solution for breaking in

Sep 04, 2011
Don't mind Vendicar, he is a well known internet troll/idiot.

He once claimed that PC's would need a maximum of 200mb of ram. He has called the programming language C an "abortion" and a "sick religion", and intimated it was a dying language.

Sep 04, 2011
"The administrators think they may have slipped in with a compromised user account."

It appears the attack did not exploit a vulnerability of the OS. This is a case of an administrative account being hacked and we all know that it can happen to any user based software system. The solution is obviously to implement tighter user security protocols around the repository.

Sep 04, 2011
I rarely criticise others' posts on this forum, however here I feel it would be negligent not to.
Ironically, Linux's main mode of security is obscurity.

The opposite is true. Linux is an example of a solid system that does not rely on security through obscurity.

In reality every installation of Linux is something of a custom botch-job and has security holes up the wazoo. The whole thing is so complicated and has so many moving parts, alternative parts that are so poorly documented that you can't really implement it perfectly.

Again, the opposite is true. Seldom have I read a statement so bizarrely untrue.

The number of possible problems that you can evoke by choosing this network manager over that network manager over this version of that network manager is astronomical.

Linux networking is one of the best documented and simple out there. It has to be to be as secure as it is. The best practices are well understood... TBH I think this poster must be trolling.

Sep 04, 2011
I'm no computer expert, I used Windows and Linux (Ubuntu), and let me tell you, I have no problems with Linux, no malware, no crashes, no defragmenting, no weird things, no problems. And it is free. I'm happy with Linux.

Sep 04, 2011
@LuckyBrandon - I too have worked with many systems over the last 30 years. My point is not to big-up linux, it is what it is.
I just had to refute those particular statements as being completely untrue. I mean gob-smackingly untrue.
Sure there are insecure implementations, but generally the more insecure they are the more they deviate from the known - very well known, secure implementations.
With security in OS's, transparency and clarity is very important. You just cannot afford to have unknowns and ambiguous standards/protocols - these are the main dangers. Linux does not suffer from these.
I cannot talk about the pros and cons of various distros, some are a mess, especially the popular ones, though they serve a purpose. I won't touch Ubuntu in any kind of critical situation for example.
But secure is secure. Bottom line. A truly secure system is compiled from audited source and well maintained.
Even some of the hardened Slackware systems I know are as secure as an OS gets.

Sep 04, 2011
wow, someone finally hacked Linux.

Sep 04, 2011

But secure is secure. Bottom line. A truly secure system is compiled from audited source and well maintained.
Even some of the hardened Slackware systems I know are as secure as an OS gets.


Very few actually bother, because it requires a level of experience and competence with the OS that is missing with the majority of people who do use it.

The result is, that wherever Linux gets used in schools or business, some self-titled "expert" pretends to know what they're doing and the end result is a mess. It's cheaper and faster that way.

And what else can you expect from an operating system where the main mode of business is to ship an incomplete, unassembled system in order to sell commercial support for it.

Sep 04, 2011
"The LinTard OS continues its spectacular history of failure."

Sounds like Bill Gates trolling as "Vendicar Decarian".

Sep 04, 2011
@Eikka - too often what you say is true, but don't confuse the operating system with the practice of some commercial distros. They are not the same thing at all. Linux does not have this 'mode of business' you mention. This article is about linux so that is what I am talking about.

Well - I am done ranting.
Until next time.

:)

http://xkcd.com/932/


Sep 04, 2011
Vendicar_Decarian,

Your posts are ridiculous. If you have something meaningful to contribute, then do so. Otherwise, save your trolling for a group of people who might fall for it.

Sep 05, 2011
@Eikka - too often what you say is true, but don't confuse the operating system with the practice of some commercial distros. They are not the same thing at all. Linux does not have this 'mode of business' you mention. This article is about linux so that is what I am talking about.


Most of the development going into Linux(es), as in the whole OS and not just the kernel, is actually business to business based work. There's only about 20% independent "free" development left in the whole structure.

The businesses either do the developing for their own purposes, in which case they have in-house knowledge of how it works and so they don't need to make it easy - in fact that's just a bonus; the stuff is too obscure for your competitors to easily adopt.

Or, they are developing the thing for a customer, in which case they have an incentive to make it difficult and incomplete so they could sell more support contracts.

That's the only way to make money off of Linux.

Sep 05, 2011
@Noumenon He has called the programming language C an "abortion" and a "sick religion", and intimated it was a dying language.
C IS a dying language among humans. It's the assembly language of the 21st century.
If anyone actually had to pay for the garbage OS, it would never have seen the light of day.
Linux isn't an OS, but just the kernel usually bundled with GNU code for the OS.

Sep 05, 2011
@LuckyBrandon free PKI, no additional license necessary...not to mention EFS, BitLocker (whole disk encryption), NTFS/Share security (although someone knowledgeable enough can bypass this), etc. etc. etc.
Free PKI is even freer on *NIX, because you get the source code alongside. How is windoze PKI "free" when you pay for it? NTFS insecurity model is re-implemented by *NIX ACLs, which come in both POSIX and NTFS-style flavors. Whole disk encryption is available with linux LUK and BSD geli layers, as well as the superior opensource truecrypt. http://ivoras.net...sd9.html

Sep 05, 2011
Ya, Linux has one of everything. But it's all just command line driven crap, or graphical front ends that hide the command line driven crap by typing it for you behind the scenes.
Um, AFAIK those are the only productivity interfaces ever commoditized, alongside a smattering of secondlife. Granted the written [typed] word leaves a lot to be desired, but it has the advantage of being hard-wired into both user and computer. Probably quantum computers will usher in a new interface, like a hall of mirrors audio-feedback fractal explorer or quantum consciousness entangler. But after humanity nukes itself the few plucky survivors will probably rely on some *NIX cds to hack their way back to civilization. After all windows is a monolithic heap of stolen CPM/*NIX code and the Mac is running BSD under the hood.
