
FSF FTP Site Cracked, Looking for MD5 Sums

Posted by CmdrTaco
from the two-scoops-of-paranoia dept.
landley writes "The Free Software Foundation's FTP site at ftp.gnu.org has been "compromised", and they don't seem to have full backups. They've yanked a bunch of recent packages (and their whole alpha.gnu.org ftp site), and when I asked about it they responded 'Our FTP server was compromised, yes. We are beginning to find good MD5sums for files which have not yet been restored, and they will be available again Real Soon Now. If you can provide MD5sums for any of the files listed in MISSING-FILES, it would be very much appreciated.' " Update: the FSF has a statement on the FTP site explaining the matter.
  • by Henry V .009 (518000) on Wednesday August 13, 2003 @12:30PM (#6686911) Journal
    Sure, I've got the "correct" MD5s right here. You trust me, don't you?
    • Re:Correct MD5s (Score:4, Insightful)

      by brechmos (679454) on Wednesday August 13, 2003 @12:34PM (#6686960)
      Yeah, but if enough people send in the same MD5 sums for each file, then it "should be" easy to confirm it is correct or not.

      Surely, there aren't that many dishonest people, and if there were, then it would be hard for them all to get together and come up with the same MD5.

    • Re:Correct MD5s (Score:4, Insightful)

      by javatips (66293) on Wednesday August 13, 2003 @12:53PM (#6687218) Homepage
      Anyway, the only purpose of the MD5 checksum should be to make sure that the file was transferred properly. And with TCP/IP it would be quite uncommon to get a bit flipped while traveling from the server to you (unless there is a "man" in the middle).

      Any use of the checksum to ensure that the file has not been altered before the transfer is useless, as a person who cracks a server will replace the file and its checksum.

      File checksum should always be signed by someone who can be trusted. If that's not the case, they are worthless.

    • by schulte (642891)
      Hmmm....

      # grep -i ircflood *.c
      gcc.c:#include "ircflood.h"

      What's going on here?@!?@!?
  • by Barbarian (9467) on Wednesday August 13, 2003 @12:31PM (#6686917)
    Did you know that some files are just about impossible to get anywhere else?

    • by gearheadsmp (569823) on Wednesday August 13, 2003 @12:44PM (#6687111)
      Look no further than across the pond [mirror.ac.uk], my friend! Faster downloads than iBiblio, and it's run by this guy [gentoo.org]. So dig [mirror.ac.uk] in [mirror.ac.uk]!
      • Pointless (Score:4, Insightful)

        by isn't my name (514234) on Wednesday August 13, 2003 @02:36PM (#6688316)
        The whole idea of a mirror is that it actually mirrors what is on another site. If they've been rooted since March 2003, then it is somewhat unlikely that the www.mirror.ac.uk is actually going to have files any different than FSF.

        Unless of course, the mirror hasn't been updated since sometime in mid-March.
        • Re:Pointless (Score:3, Informative)

          by gearheadsmp (569823)
          True. But they certainly have more bandwidth for "hungry" Slashdotters. From what I understand, many of the missing non-Alpha-stage packages are available at most distro-specific mirrors, such as Debian, Gentoo, and in RPMS form.
      • UK Mirror Service (Score:4, Informative)

        by SamBC (600988) <s.barnett-cormack@lancaster.ac.uk> on Wednesday August 13, 2003 @07:06PM (#6690411)
        Well, I must say that I've never met Mustafa at work... the people who run the UK Mirror Service are, however, there for all to see on the UKMS Crew Page [mirror.ac.uk]

        In all seriousness, you have until some time tonight (on BST, which is UTC+1) before we should be fully synced, including any files that have been pulled, with the source site. There are some exceptions, but I don't think they will apply in this case. And if any files were compromised, they are compromised on our servers as well.

        WARNING: SHAMELESS PLUG: If you are a fan of the Mirror Service, or even just a user, please note the message on our homepage [mirror.ac.uk], as we are about to be able to serve even more users, at higher speeds.
  • Mirrors? (Score:3, Interesting)

    by ryan76 (666210) on Wednesday August 13, 2003 @12:31PM (#6686930)
    Are there no mirrors of this site?
  • by palad1 (571416) on Wednesday August 13, 2003 @12:33PM (#6686948)
    After getting their FTP server rammed in the sockets, I bet the maintainers of ftp.gnu.org will be just more than happy to go through a good ol' slashdotting because someone _has_ to convert urls into hyperlinks for his /. submission.

    I know, I clicked on the link :)

  • SCO (Score:4, Funny)

    by Amon Re (102766) on Wednesday August 13, 2003 @12:33PM (#6686952)
    Hmm odd...one day they speak of taking SCO support out of gcc, the next their ftp server gets compromised, interesting.
  • Obg. (Score:5, Funny)

    by Rosonowski (250492) on Wednesday August 13, 2003 @12:34PM (#6686964)
    "Real men don't use backups, they post their stuff on a public ftp server and let the rest of the world make copies." - Linus Torvalds
  • by Zabu (589690) on Wednesday August 13, 2003 @12:34PM (#6686973)
    But due to some sort of weird computer problem my machine keeps on restarting...


    I will get around to fixing it sometime next week.
  • by lactose99 (71132) on Wednesday August 13, 2003 @12:35PM (#6686986)
    Taking a brief glance over my FreeBSD server, all of the entries in the Ports tree have the MD5SUMs in the "files" file. The Ports tree includes many many FSF software package installs.
    • by lactose99 (71132) on Wednesday August 13, 2003 @12:38PM (#6687010)
      Oops... it's the "distinfo" file that contains the MD5SUMs, not "files".
    • Those archives might be decent as an absolute last resort, but I think GNU is looking for the pure source from the maintainer. Similar to Debian packages [debian.org], don't the ports package contain distro-specific modifications and patches?

      They may be verified, but I think in some cases the ports packages will be subtly different than the ones GNU is really looking for.

      I'm not a port maintainer (just an active user), so I cannot authoritatively answer this question, but based on my experience with the ports I have installed, the MD5SUMs are for the actual packages downloaded from ftp.gnu.org. BSD- or package-specific patches are applied to the software compilation after the MD5SUMs are checked, as the patches themselves generally have a separate MD5SUM that they are checked against.
        • by mph (7675) <mph@freebsd.org> on Wednesday August 13, 2003 @01:48PM (#6687891)
          As a port maintainer and committer, I can confirm what you say. The recorded md5 signatures are for the distributed source archive (e.g. from ftp.gnu.org, or Sourceforge, or whatever). They are there to ensure that the source has not been tampered with.

          BSD-specific patches are then applied to the downloaded source, but have no implications for the md5 signature that's on file.

      The question isn't whether BSD is dying but whether people keep going back and realizing/appreciating all the elegance and cleverness in BSD's evolution. Sure, it's dying, but it's constantly reincarnating too, isn't it!

      Post a reply if you would like me to send you an RPM for a Red Hat compatible PORTS tree...

      No really: I have lots of old FreeBSD CDROMs with a veritable history of (the best) GNU software and MD5 sums. I can go back to FreeBSD 2.2.2. Check your timeline. BSD subscribers save the day HA!
  • Oops! (Score:3, Funny)

    by TypoNAM (695420) on Wednesday August 13, 2003 @12:37PM (#6686996)
    Hate it when that happens...

    Who wants to sell off some MD5 checksums off ebay? Let's make a few dollars! :D
  • by palad1 (571416) on Wednesday August 13, 2003 @12:37PM (#6687004)
    When looking at the missing files:
    gnu/windows/emacs/21.2/leim-21.2-src.tar.gz
    gnu/windows/emacs/21.2/emacs-21.2-barebin-i386.tar.gz
    gnu/windows/emacs/21.2/emacs-21.2-bin-i386.tar.gz
    gnu/windows/emacs/21.2/emacs-21.2-fullbin-i386.tar.gz
    gnu/windows/emacs/21.2/emacs-21.2-leim.tar.gz
    gnu/windows/emacs/21.2/emacs-21.2-lisp.tar.gz
    gnu/windows/emacs/21.2/emacs-21.2-src.tar.gz
    gnu/windows/emacs/21.2/emacs-21.2-undumped-i386.tar.gz

    the list goes on and on and...
    now, grep for 'vi' : nothing, nada, null.

    Of course, what do you think? This is a conspiracy orchestrated by VI lovers, to wipe out EMACS from the face of earth!

  • headline (Score:5, Funny)

    by Lxy (80823) on Wednesday August 13, 2003 @12:39PM (#6687022) Journal
    if you understand the headline

    FSF FTP Site Cracked, Looking for MD5 Sums

    You just might be a geek.
    • Re:headline (Score:5, Funny)

      by wfberg (24378) on Wednesday August 13, 2003 @01:14PM (#6687487)
      if you understand the headline

      FSF FTP Site Cracked, Looking for MD5 Sums

      You just might be a geek.


      The headline should have been simply

      FSF ftp 0wn3d IM RMS teh md5sum's

      Then the mainstream media would be all "OMFG WTF?! STFU /. I'm writing another MS Blaster story, bi0tch!"
    • Re:headline (Score:3, Funny)

      by landley (9786)
      What does it mean if you wrote it, then?

      Rob
  • by Deadbolt (102078) * on Wednesday August 13, 2003 @12:39PM (#6687029)
    Okay, this kind of shit makes me want to start throwing bricks. Cracking the GNU FTP server? Is nothing sacred anymore? I feel like someone burned down a church.

    They've done so much for humanity and some utter twit decides to compensate for his bad childhood by taking their server down.

    *goes off to dock another point from his faith in humanity*
    • by DaveAtFraud (460127) on Wednesday August 13, 2003 @02:29PM (#6688249) Homepage Journal
      If they catch the perp, the punishment should be something really heinous like locking them up with a computer that has Microsoft "Bob" installed and have continuous "Barney" tunes piped into their cell. That'll teach 'em.
    • yeah

      this is way worse than when someone writes a worm that intentionally targets home windows+broadband users to destroy the functionality of the internet. see, when someone is doing that, they're making a political/religious/security statement that windows sux0rs.

      on the other hand, when someone owns the primary distribution server for the worlds most important, relevant free software and the maintainers really have no clue how badly they've been stung over a period of 6 months, well, nobody questions th
  • You're Kidding? (Score:5, Insightful)

    by System Control (690846) on Wednesday August 13, 2003 @12:39PM (#6687036)
    The Free Software Foundation's FTP site at ftp.gnu.org has been "compromised", and they don't seem to have full backups.

    Unbelievable. And I'm supposed to trust their methods and products with my enterprise?

    • Re:You're Kidding? (Score:5, Insightful)

      by Lxy (80823) on Wednesday August 13, 2003 @12:48PM (#6687154) Journal
      While your post is somewhat trollish, I have to agree that this is an interesting predicament for the FSF. To save face, I hope they post a detailed account of how they were cracked, and own up to their mistakes so they can all teach us what not to do. That's the power of openness :-)
      • Re:You're Kidding? (Score:5, Informative)

        by pongo000 (97357) on Wednesday August 13, 2003 @02:00PM (#6687992)
        You mean, an accounting like this [gnu.org]? Seems pretty detailed to me...
      • Re:You're Kidding? (Score:5, Informative)

        by NoOneInParticular (221808) on Wednesday August 13, 2003 @03:10PM (#6688553)
        As some other posters in other threads noticed, the FSF does not have full backups because all backups made after early 2003 can be compromised. The crack happened in March, and what they miss is all the stuff that was uploaded after the crack. Backups from before March are available. In this situation no backup strategy at all would leave you with total security after March. The fact that the site was cracked five months ago is a bit scary though.
      • Re:You're Kidding? (Score:3, Insightful)

        by Pharmboy (216950)
        Actually, it's the fact that the server was owned back in March and they just now figured it out that bothers ME. One good thing about FSF is they don't dick around once they do find out; it becomes public fast, which is pretty honest.

        What I do on my server, and what you do on your server is our own problem, but you would think the primary FTP site for all FSF would have a little better security. Yeah, it's like how mechanics don't take great care of their own cars, but this really is a black eye, and poten
    • No you're not (Score:3, Interesting)

      by FooBarWidget (556006)
      No you're not. You're not supposed to trust the FSF, you're supposed to trust commercial distributors like RedHat.
      The FSF is the Free Software Foundation. They don't exist to help your business, they exist to provide... well... Free Software.

      Whatever happens to FSF's own servers is completely irrelevant. Your distributor is the only thing that matters.
  • That is awful... (Score:3, Insightful)

    by Badanov (518690) on Wednesday August 13, 2003 @12:41PM (#6687050) Homepage Journal
    I run a coupla Linux boxes at work and a couple at home, and I swear I don't even take a dump unless I am certain I have backups.

    Having just read the above, let me add: Let a thousand jokes be posted!

  • by Stalemate (105992) on Wednesday August 13, 2003 @12:48PM (#6687161)
    We would already be flooded with posts about how if this were a Microsoft server we would already be flooded with posts bashing Microsoft and talking about....oh, right, my bad.
  • by molo (94384) on Wednesday August 13, 2003 @12:50PM (#6687183) Journal
    Why does the FSF not use an OpenPGP signature on the files and md5sum lists in their archives? Unless the key is kept on the same (compromised) host, it then becomes easy to figure out what files are valid, and what isn't.

    BTW, here is my contribution:

    > md5sum sed-4.0.7.tar.gz
    005738e7f97bd77d95b6907156c8202a sed-4.0.7.tar.gz

    -molo
  • by Penguin (4919) on Wednesday August 13, 2003 @12:52PM (#6687209) Homepage
    $ md5sum complete-gnu.tgz
    deadbeefdeadbeefdeadbeefdeadbeef complete-gnu.tgz
  • One would think... (Score:4, Insightful)

    by Qbertino (265505) on Wednesday August 13, 2003 @12:54PM (#6687241)
    ...that the cream of IT people would do regular revolving backups, securing sessions and have a standalone staging environment for all their stuff should the connected setup get compromised. Especially files which are distributed into the entire world to run on bazillions of computers once released. That's all a big fat hairy bad-ass no-brainer.
    Sorry, gnu.org team, no icecream tonight.
  • LOL!!! (Score:3, Interesting)

    by Dysan2k (126022) on Wednesday August 13, 2003 @12:56PM (#6687261) Homepage
    I have to admit, it's kinda funny. Firstly, NO one has posted what the heck FTP server they were using (which might be helpful to determine if it was a security hole.) Secondly, 'bout time this happened to one of the distributor sites. Though, a Linux bigot I may be, no OS (that I've seen) is 100% secure.

    Now, MAYBE gnu will decide to write a GOOD automated backup system for no other reason than keeping their junk together. (and don't give me that tar crap. I know perfectly well what it's capable of. I want an OSS equiv to NetBackup) No backups! That's hilarious!! I wanna know what kinda beating the current admin is getting!

    Well, hopefully they'll be able to get it pieced back together now. I'm sure it won't take more than a day to do so. Heck, I'll email my LUG and let the Deb folks spin MD5sums for a while to send over to 'em.

    Enjoy the chaos! (Least only 1 person has managed to link this to SCO so far)
  • backups (Score:3, Insightful)

    by chef_raekwon (411401) on Wednesday August 13, 2003 @12:57PM (#6687279) Homepage
    maybe I'm missing something here...but don't most people back up their stuff?

    I mean, all the posts here are about how insecure FSF is, or Open Source sucks...or windows sucks more...

    what about the bloody principle of backing up your own software? let me guess, stallman and his crew have ONE FTP server, and they never back the bloody thing up? they should all be punished for such foolishness. nobody in a corporation would allow this...what would have happened if the harddrive crashed, or the raid crashed hard on that FTP server? the same thing!!!
    asking the world for MD5 sums...

    tsk tsk.

    oh, and I use Open Source just about everywhere, except my workstation (mandatory windows). I run a chrooted Wu-FTPD, never had too much trouble either...but, we have a tape backup, just in case...
  • How Long (Score:5, Insightful)

    by jpmorgan (517966) on Wednesday August 13, 2003 @01:19PM (#6687540) Homepage
    How long was the server compromised and serving out possibly trojan-horse software before it was detected?

    Also nicely demonstrates the pointlessness (and stupidity) of serving out your MD5sums from the same machine.

    • Re:How Long (Score:4, Interesting)

      by volkerdi (9854) on Wednesday August 13, 2003 @06:01PM (#6689989)
      Also nicely demonstrates the pointlessness (and stupidity) of serving out your MD5sums from the same machine.

      MD5 sums are only secure if they are provided through a secure channel (like within a GPG-signed message). Using a second machine to serve out the MD5 sums is only twice as safe (two machines to crack), and that's still not too safe.

      What I wonder is why they didn't sign accepted packages with GPG. I've been doing that for a while (well, since breaking-and-trojaning became fashionable).

      I hope when ftp.gnu.org comes back that it's with *.asc files next to all the archives...
  • by pair-a-noyd (594371) on Wednesday August 13, 2003 @01:20PM (#6687555)
    Turn that pee-cee thing off and go to bed RIGHT NOW!

    Yes mom.... /pull covers over head and laptop/
  • by bkuhn (41121) on Wednesday August 13, 2003 @01:32PM (#6687695) Homepage
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    To the Free Software Community:

    Summary

    * gnuftp, the FTP server for the GNU project was root compromised.

    * After substantial investigation, we don't believe that any GNU
    source has been compromised.

    * To be extra-careful, we are verifying known, trusted secure
    checksums of all files before putting them back on the FTP site.

    Events Concerning Cracking of Gnuftp

    A root compromise and a Trojan horse were discovered on gnuftp.gnu.org,
    the FTP server of the GNU project. The machine appears to have been
    cracked in March 2003, but we only very recently discovered the crack.
    The modus operandi of the cracker shows that (s)he was interested
    primarily in using gnuftp to collect passwords and as a launching point to
    attack other machines. It appears that the machine was cracked using a
    ptrace exploit immediately after the exploit was posted on bugtraq.

    (For the ptrace bug, a root-shell exploit was available on 17 March 2003, and
    a working fix was not available on linux-kernel until the following week.
    Evidence found on the machine indicates that we were cracked during that
    week.)

    Given the nature of the compromise and the length of time the machine was
    compromised, we have spent the last few weeks verifying the integrity of
    the GNU source code stored on gnuftp. Most of this work is done, and the
    remaining work is primarily for files that were uploaded since early 2003,
    as our backups from that period could also theoretically be compromised.

    Historical Integrity Checks

    We have compared the md5sum of each source code file (such as .tar.gz, .tar.bz2, diff's, etc.) on ftp.gnu.org with known good data. The file,
    ftp://ftp.gnu.org/before-2003-08-01.md5sums.asc, contains a list of files
    in the format:

    MD5SUM FILE [REASON, ... REASON]

    The REASONs are a list of reasons why we believe that md5sum is good for
    that file. The file as a whole is GPG-signed.

    Remaining Files

    The files that have not been checked are listed in the root directory as
    "MISSING-FILES". We are in the process of asking GNU maintainers for
    trusted secure checksums of those files before we put them in place.

    We have lots of evidence now to believe that no source has been
    compromised -- including the MO of the cracker, the fact that every file
    we've checked so far isn't compromised, and that searches for standard
    source trojans turned up nothing.

    However, we don't want to put files up until we've had a known good source
    confirm that the checksums are correct.

    Alpha FTP Site

    The Alpha FTP site at ftp://alpha.gnu.org/ has been a lower priority for
    us, but we plan to follow the same procedure there.

    --
    Bradley M. Kuhn, Executive Director
    Free Software Foundation | Phone: +1-617-542-5942
    59 Temple Place, Suite 330 | Fax: +1-617-542-2652
    Boston, MA 02111-1307 USA | Web: http://www.gnu.org

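The statement above describes a GPG-signed list of `MD5SUM FILE [REASON, ... REASON]` lines. The following is an added example (not FSF code) of a checker that parses that format, including the PGP clearsign armor, and compares the listed sums against local archives. It assumes fields are whitespace-separated, that the REASON list may be empty, and that the list's signature was already verified with gpg; the sample archives and sums are constructed.

```python
# Checks local archives against an md5sum list in the FSF statement's
# "MD5SUM FILE [REASON, ... REASON]" format, optionally wrapped as a PGP
# clearsigned message. Added example, not FSF code: it assumes the list's
# signature was already verified out of band with gpg, and only compares sums.
import hashlib, os, re, tempfile

MD5_RE = re.compile(r"^[0-9a-f]{32}$")

def clearsigned_body(text):
    """Body lines of a PGP clearsigned text with '- ' dash-escaping undone;
    text without the clearsign armor is returned unchanged."""
    lines = text.splitlines()
    if not lines or lines[0].strip() != "-----BEGIN PGP SIGNED MESSAGE-----":
        return lines
    body, in_body = [], False
    for line in lines[1:]:
        if line.startswith("-----BEGIN PGP SIGNATURE-----"):
            break
        if not in_body:  # 'Hash: SHA1' headers end at the first blank line
            in_body = line.strip() == ""
            continue
        body.append(line[2:] if line.startswith("- ") else line)
    return body

def parse_md5_list(text):
    """Map FILE -> (md5, [reasons]). Assumption: fields are whitespace
    separated and the REASON list may be empty."""
    entries = {}
    for raw in clearsigned_body(text):
        fields = raw.split()
        if not fields or fields[0].startswith("#"):
            continue
        if len(fields) < 2 or not MD5_RE.match(fields[0]):
            raise ValueError("malformed entry: %r" % raw)
        entries[fields[1]] = (fields[0], fields[2:])
    return entries

def md5_of_file(path):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def check_archives(entries, root):
    """Classify every listed file under root as ok / MISMATCH / missing."""
    report = {}
    for relpath, (expected, _reasons) in entries.items():
        path = os.path.join(root, relpath)
        if not os.path.isfile(path):
            report[relpath] = "missing"
        else:
            report[relpath] = "ok" if md5_of_file(path) == expected else "MISMATCH"
    return report

def demo():
    """Constructed data: a temp tree with one intact archive, one whose bytes
    differ from the listed sum, and one listed entry with no file at all."""
    root = tempfile.mkdtemp()
    files = {"gnu/sed/sed-4.0.7.tar.gz": b"constructed sed release\n",
             "gnu/windows/emacs/21.2/emacs-21.2-src.tar.gz": b"tampered bytes\n"}
    for rel, data in files.items():
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "wb") as f:
            f.write(data)
    md5 = lambda b: hashlib.md5(b).hexdigest()
    listing = "\n".join([
        "-----BEGIN PGP SIGNED MESSAGE-----", "Hash: SHA1", "",
        md5(files["gnu/sed/sed-4.0.7.tar.gz"]) + " gnu/sed/sed-4.0.7.tar.gz maintainer debian",
        md5(b"what the maintainer released\n") + " gnu/windows/emacs/21.2/emacs-21.2-src.tar.gz maintainer",
        md5(b"placeholder\n") + " gnu/example/not-restored-0.1.tar.gz",
        "-----BEGIN PGP SIGNATURE-----", "(signature omitted)", "-----END PGP SIGNATURE-----"])
    return check_archives(parse_md5_list(listing), root)
```

A file whose listed sum has no REASON is still compared, but a practitioner would treat it like the MISSING-FILES case: not restorable until a maintainer vouches for it.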
  • by aggieben (620937) on Wednesday August 13, 2003 @02:04PM (#6688043) Homepage Journal
    I'll sick my cat on them....
  • WTF? (Score:4, Informative)

    by MasTRE (588396) on Wednesday August 13, 2003 @02:39PM (#6688341)
    Neither the OP _nor_ the moderator think it important to note in front-page post that the box was compromised in _March_ 2003? Jeez, is this /. or -.?
  • Go easy on 'em... (Score:5, Insightful)

    by chuckw (15728) <chuckw@quantumlinux.com> on Wednesday August 13, 2003 @03:34PM (#6688755) Homepage Journal
    Yeesh guys, go easy on these people. They bust their asses every day for us. Their GPL enforcement queue is usually about 50 cases deep. They're on the phones and on Capitol Hill every day educating and lobbying industry groups and politicians. Say what you will about the GPL, you don't even have to like it or agree with it and perhaps you even think RMS is a narrow-minded prick (for the most part RMS isn't even involved in the day to day operations at the fsf). They are making life easier for all of us.

    Rather than boast about all of the work they do, they quietly work behind the scenes just so you can play Monday morning quarterback. They have one fulltime systems administrator who is *INCREDIBLY* overworked. They are doing everything they can to keep the boat together. Last year they were over $315,000 in the red. Thanks to the FSF associate program and some skillful fundraising they're back in the black.

    Want to help? Go get your FSF associate membership [fsf.org]. It's not that expensive and it goes a long way towards helping to protect your freedoms.

    Incidentally, this is also old news. They had MD5 sums verified, and the servers were patched up and back online almost two full weeks ago. None of the software was trojaned.

    Who am I? Just another hacker who bothered to pay for an associate membership (#1142)...
  • by Simon Brooke (45012) * <stillyet@googlemail.com> on Wednesday August 13, 2003 @04:08PM (#6689050) Homepage Journal
    Is that it was an inside job. Someone trusted with a shell account on the server. Someone who was seen as part of the team, but betrayed it. A pretty shitty thing to do, in my opinion.

    The FSF don't say (and probably shouldn't say) whether they know who did it. I hope they do, because if they don't the mistrust which will be engendered will cause a lot of unhappiness, and will distract maintainers from looking after the packages we all use.

    If the FSF don't know, I hope the culprit has the guts to own up, and own up quickly.
