Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
GNOME GUI Security Software

Intrusion Cleanup Forces Delay For GNOME 2.6 170

Posted by timothy
from the checked-for-stupidity-and-found-malice dept.
An anonymous reader writes "Looks like the GNOME site (both web and FTP) is back up and running again (from a replacement system). The restoration work is still going on, and dynamic content does not work yet. Bugzilla should be up by tomorrow (it is already in testing mode). More details are available in this announcement. Kudos to the GNOME sysadmin team for such a rapid recovery." However, blurzero writes "GNOME 2.6 was scheduled to be released sometime today, however after evidence of possible intrusion on the web server, the release has been delayed by one week, until March 31st." Update: 03/24 14:08 GMT by T : An anonymous reader points to this story on the delay at ZD Net Australia.
This discussion has been archived. No new comments can be posted.

Intrusion Cleanup Forces Delay For GNOME 2.6

Comments Filter:
  • by James A. M. Joyce (764379) on Wednesday March 24, 2004 @09:06AM (#8655412) Journal
    Intrustion cleanup is a real bastard to carry out with any degree of success. There's really no way to prove that there isn't just one more subtle little backdoor hiding in the system, in your repository or in your /home area. This is a case where an ounce of prevention is better than a pound of cure. It's too late, here, unfortunately, so they should probably have rolled back to a backup on another set of boxes. (Just my two cents.) How well would TripWire have worked in this kind of situation? Or is that ineffective against an all-out rooting?
    • I am personally disappointed in having to wait another week, however I completely respect the Gnome team on their tireless efforts. :)

      I definatly agree with the idea of rolling back to a backed up copy of their site, but perhaps they do not know how long someone was able to access their systems?

      Gnome team, take all the time you need. :)

    • by Anonymous Coward
      They have TireWire and it didn't work.
      TripeWire never works.
      I've seen TW failing and being exploited in several installations.
      Since the release of wirecutter TripWire has become fucking useless.

    • Intrustion cleanup is a real bastard to carry out with any degree of success.

      Reinstallation is the only tried and true method. Cleaning up to the point where you're satisfied will usually take a lot longer and will leave nagging doubt.
      • Of course even a reinstall still leaves the original hole open that the attacker used in the first place.
    • by Penguinisto (415985) on Wednesday March 24, 2004 @09:24AM (#8655589) Journal
      It takes some work, but there is one way to insure a completely clean system: Re-installation of the OS from media, or a backup from a time known before the break-in.

      Either way, you only have to check the backup server data itself against (externally backed-up) MD5 checksums, and ask developers to re-commit any changes made during the suspect time.

      Now try and do that to a mail server, and the fecal matter hits the air-handler. But, with data that is relatively static by comparison, it takes work, but isn't too much of a trial.

      $0.98 in change, please :)

      • by Anonymous Coward

        The caveat with that scenario is that you have to a) know exactly how the break-in occured in order to b) know that you can fix the system from the pre-break in state to remove the vulnrability before bringing the system back online.

        Just re-imaging the server and putting it back online will result in the server being comprimised again.
        • (re: knowing when the break-in occurred)This is true, but you can guess fairly well if going to backup (just look for the same things in the backup that alerted you to the compromise in the first place.)

          You are absolutely right that the admin has to apply any missing patches and modifications to the system that may not have been in place on the compromised server. My thanks for bringing that up

          (although, in some cases, no patch will save you... esp. if it was an inside job, or someone got hold of the pa

          • -----
            but that's the bitch about security - the paranoia never stops digging deeper :)
            -----
            I started out college in '93 as a comp. eng. major. I switched to chemistry because I wanted to keep computers as a hobby and not pollute them with the need to make money. While I sadly watched the Amiga die and the world move to Microsoft I accepted it as a result of giving up computers as an academic pursuit. I never learned C, I never built any *nix/*bsd OS for my home PC, I wistfully used NeXT in the school labs
      • Re-installation of the OS from media

        What if the OS has a vulnribility and the attacker can get back in without issues?

        a backup from a time known before the break-in

        What if the attacker had installed the back door months before hand? You may not have a valid backup.

      • That only prevents problems on this machine. The real problem is going to be coders using other less secure machine or insecure protocols (such as telnet or ftp to access Windows boxes which are now loaded with key stroke loggers).
      • > Now try and do that to a mail server, and the fecal matter hits the air-handler.

        Surely, much easier with a mail server, as there would be no real data on there.. All the mail is transitional, and besides even if it wasn't, you can easily restore mail queues and users pop3 boxes from a compromised server - it's the system files that matter, and surely a running mailserver has hardly any of those recently updated
    • Intrustion cleanup is a real bastard to carry out with any degree of success. There's really no way to prove that there isn't just one more subtle little backdoor hiding in the system, in your repository or in your /home area.

      Basically, what you generally do is to rebuild from scratch, then carefully check and restore your repository.

      How well would TripWire have worked in this kind of situation? Or is that ineffective against an all-out rooting?

      This is why the authors of the host-based IDS recommend t

    • widget.gnome.org (the machine that was cracked) has been reinstalled. That's part of the reason why things aren't all up again yet.

    • Cleaning up after a root compromise is about the most time-consuming and psychologically demanding thing that one can do. Let's face it: the guy who's a wizard at writing GUI apis isn't necessarily going to be a security hacker. The biggest issue to deal with when rebuilding a system after a root compromise is the paranoia. 99% of even diligent *nix/*bsd users skip the paranoia step and reinstall using the closest available media. The paranoid among us, however, consider much more than "how do I get th
    • I don't want to complain, I am glad that the Savannah team (consisting mostly of volunteers) handled the breakin there with great care and responsibility. But still we have to give extra credits to the team handling the gnome servers for bringing up the services so quickly. (At savannah, it took more than a month until CVS write access was reenabled.)
  • Dammit... (Score:3, Funny)

    by thames (558443) on Wednesday March 24, 2004 @09:07AM (#8655428)
    now I have to go to two geek parties in one week
  • by El Cubano (631386) <robertoNO@SPAMconnexer.com> on Wednesday March 24, 2004 @09:09AM (#8655449) Homepage

    "GNOME 2.6 was scheduled to be released sometime today, however after evidence of possible intrusion on the web server, the release has been delayed by one week, until March 31st."

    That could have been disasterous had they been forced to delay until April 1. Imagine all the jokes that would have ensued.

  • Awwww man! (Score:4, Informative)

    by chendo (678767) on Wednesday March 24, 2004 @09:11AM (#8655463)
    Now we have to wait one WHOLE week?

    Maybe the KDE team did this to slow Gnome down... :)

    By the way, I've tried CVS metacity with FD.O's Xserver..... funky stuff. Translucency when you move windows! Although it chews a fair bit of CPU (when moving the window itself, that is, as just holding the window still doesn't chew CPU), it should be fixed when we finally get HW acceleration. I was able to get MPlayer to play a video in the background, hover a window over it and watch it through it. ub3r cool stuff.
    • Re:Awwww man! (Score:2, Interesting)

      by bbuchs (551229)
      Do you have any notes or tips you could post on the process? I'd like to give it a shot, but haven't had much luck as of yet.
      • First of all, you have to grab the latest version of metacity. Untar into a folder, and make sure you configure with composition support. If you specify it, and it still says 'no' at the end of the configuration, you will need to copy some header files to the proper directories from /opt/fdo, but I can't remember which. Then, build, install, run FD.O's Xserver, and login to Gnome. If it all worked out, when you click on the titlebar of a window, it should become translucent.
    • They put in translucent move, but have they added wireframe yet? Opaque movement looks horrid on my machine, and is currently stopping from using Gnome with metacity.
  • by Penguinisto (415985) on Wednesday March 24, 2004 @09:11AM (#8655466) Journal
    With GNOME and most other F/OSS projects, at least you get honest, up-front answers and timely announcements of intrusion attempts and such.

    If only MSFT (and more importantly, proprietary software companies that aren't so much in the spotlight) were as forthcoming about break-ins.

    • by Anonymous Coward
      If you look at the compromised source to GNOME, you may not be able to contribute to uh, well, hmm,

      nevermind.
  • I suppose (Score:3, Interesting)

    by AnonymousCowheart (646429) on Wednesday March 24, 2004 @09:12AM (#8655470) Homepage
    I suppose this will get modded as a flame bit, but a lot of people were cheering when Bill Gate's credit card number got stolen [slashdot.org] just wondering how those people felt now? I know there was no "real" damage in that case, and in this case the server was offline, but still something to consider. Maybe these people were also "trying to help" by showing a server insecurity.
    • Something bad happens to someone we like. Bummer.
      Something bad happens to someone we don't like. Haw Haw.

      Why do people make such a big fucking deal out of double standards? Should I feel equally angry toward someone who kills a stranger as I would if they'd killed a relative? No.
      • by dasmegabyte (267018)
        Well, it depends. Do you purport to be a moral and logical person? Do you believe in the protection of personal freedoms?

        If so, then even if you don't KNOW or LIKE the victim, you should still support punishment of the criminal. Otherwise, you're encouraging elitism. Or do you want to live in a world where crimes against the unpopular are cheered and go unpunished?

        I lived in a similar world called "Middle School," and I wouldn't want to go back.
        • -----
          Or do you want to live in a world where crimes against the unpopular are cheered and go unpunished?
          -----
          News Flash! Today's top headlines!

          American Society Verified to Function as a Communist Pyramid Scheme
          -----
          Using complex statistical models, mathematicians at MIT, RIT, RHIT, and Harvey Mudd have confirmed that the flow of money and power in the United States seems to follow the exact same patterns as a systems (commonly known as "pyramid schemes") in former communist USSR.

          "We're seeing a lot of fa
        • Or do you want to live in a world where crimes against the unpopular are cheered and go unpunished?

          hope you'll stand that position when it comes to "unpopular" guantamo bay prisoners.

      • Embrace hypocrisy if you want, but then don't whine when nobody takes you or your community seriously.
        • Nope. Hypocrisy is professing to believe in something in which you do not believe. Inconsistency is a necessary but not sufficient condition for hypocrisy.

          This isn't hypocrisy, it's just inconsistency.

      • Should I feel equally angry toward someone who kills a stranger as I would if they'd killed a relative? No.

        Doesn't make either one less wrong.

        • I wasn't under the impression that right and wrong was under discussion, his (weak) point was.."ah ha ha ha...you all liek seeing badd things happen to people you dislike, but when it happens to someone you like you are unhappy!!" Well no fucking shit sherlock.

          Agreed, both "perps" in these cases are deserving of fair punishment, but this has no bearing on how I feel...
    • Bill Gates' credit card number was just one out of thousands of numbers taken from several servers. There is nothing to compare here. You're just trying to stir up shit with Linux zealots by creating an apparent double standard where none exists (or at least if it does, you're giving a terrible example).

      Side note: the vast majority of people who claim to be "trying to help", regardless of what security measure they have circumvented, are actually just messing around for kicks and would rather be seen as a

    • ...not to cheer on another man's misfortune or anything, but having the CC# of a guy who has more disposable income than the GDP of most countries?

      "...yes, General? I'd like to buy that slightly used supersonic fighter you have idling in your hangar, please. Payment? No problem, dude; you take Amex, right?"

      OTOH, you're right to a point, though wouldn't "trying to help" involve some sort of notice to the victim?

  • Ya know... (Score:2, Insightful)

    by oldosadmin (759103)
    It makes you nervous about the big megacorps -- when their website is compromised -- do they even know... or care? I've never seen M$ shut down for a day because of a website compromise, although it must have happened several times.
    • a) Quit it with the "M$" stuff. It is simply infantile.

      b) Most professional commercial operations have redundant systems and don't go down when their single Althon gets hacked.
    • A megacorp that will be losing enormous amounts of money for every minute of web site downtime will not be running their site on a single server. They most likely have a physically distributed cluster which can't all be compromised in the same attack, and hot swaps ready to go in case they all somehow get compromised as well. They don't have to take their site down because of an attack, whereas a comparatively small nonprofit effort has no choice.
    • MOD PARENT DOWN (Score:2, Insightful)

      by Anonymous Coward
      No post with "M$" in the body contains anything of value.
    • I don't think M$'s website goes down much cause their administrators are probably MSCE certified, and those guys know *everything*.

      I bet they have tripwire rigged up to a cluster server so when an intrusion is detected, it downs the affected server and brings another, fresh one online. They probably even auto-ghost the affected machine and bring it back online when reset. It's the Gatling Gun method of system security.
    • You do know it's possible to move a web server instantaneously, don't you? You can even switch locations instantly (across town/country/continent/world). Server break-ins and uptime are only a problem if you don't have the resources and equipment in place to facilitate a speedy transition to a redundant system.
      • -----
        Server break-ins and uptime are only a problem if you don't have the resources and equipment in place to facilitate a speedy transition to a redundant system
        -----
        A speedy and redundant transition of your web-server only proves one thing: it's just as speedy and redundant for the intruder to be on nearly every box on the network.

        Maybe you have three rack systems for webspace and the intruder is only caught on that one PC that belongs to the secretary down the hall. What assurance do you have that tha
    • I've never seen M$ shut down for a day because of a website compromise, although it must have happened several times.

      Perhaps it's because MS is able to afford redunancy and the hardware and personnel to do frequent backups. They don't rely on a machine someone donated, funds given through a PayPal tip jar, and whatever free time contributors have to give.

      You assume that because sites dedicated to open source, free software, whatever, disappear from time to time they are more secure. Taking a site offl
  • by Peter_Pork (627313)
    A rumor is circulating that Gnome was using an unpatched IIS... I wish they would run Linux, it is much more secure, believe me.
  • Dumb Cracker? (Score:4, Insightful)

    by gscott (187733) on Wednesday March 24, 2004 @09:25AM (#8655600)

    According to Waugh, the GNOME Web servers that are hosted by Red Hat were compromised by "a dumb cracker who probably didn't realise what they got into".

    Seems like he was smart enough to hack their system.

    • Re:Dumb Cracker? (Score:3, Interesting)

      by stevey (64018)

      It would be interesting to learn how the compromise had occurred.

      I'm guessing that all the important services would have been up to date (ssh/rsync/apache/etc) - so that leaves a password/ssh keycompromise, or some scripting flaw..

      I hope we find out once the cleanup has been completed.

    • "a dumb cracker who probably didn't realise what they got into"


      They meant a white guy from Alabama - he was looking for 'gnome-porn'. ?!

    • Re:Dumb Cracker? (Score:3, Informative)

      What Jeff meant is that the cracker didn't seem to be targetting Gnome specifically. They'd have just as likely broken into any other vulnerable box.
    • According to Waugh, the GNOME Web servers that are hosted by Red Hat were compromised by "a dumb cracker who probably didn't realise what they got into".

      Seems like he was smart enough to hack their system.

      So the dumb cracker was really a smart cookie?
    • Re:Dumb Cracker? (Score:1, Interesting)

      by Anonymous Coward
      I'm a long-time GNOME fan and it strikes me that the infrastructure is often left behind, such as the bugzilla version (definitely not up-to-date), and I imagine now that the same applies to the apache and so on.

      When you are so exposed on the Internet as gnome.org, you also need good sysadmins, not only good programmers. GNU/Linux alone doesn't do the trick. I don't see why people are saying how wise of them to move everything off-line and delay the release. They were idiots in the first place because they
  • by Goo.cc (687626) * on Wednesday March 24, 2004 @09:31AM (#8655644)
    From what I have read, intrusion details have not been released yet but I wonder if the Gnome server was compromised the same way the gnu.org server was last year. If so, that would be disappointing.

    Still, I am happy to see that this will not push the next version of Gnome back very much. It is really starting to look nice to me and I am a Mac OS X user.
    • I wonder if the Gnome server was compromised the same way the gnu.org server was last year. If so, that would be disappointing.

      GNU website attack used a kernel local security flaw in do_brk() which allowed a normal user to get root privileges. This flaw was quickly fixed, and I think it is more than unlikely that the Gnome project website is still running an unpatched kernel.

      Gnome being closely related to the GNU project, I wonder if there could be a relation between the two attacks ?

  • As much as not being able to run Gnome 2.6 today makes me want to sit on my bed and weep, I am really grateful that the Gnome team is more concerned with releasing a secure product than with releasing when they said they would. This is one of those advantages of non-commerical software that we always cheer about in action. Rock on.
    • Do you remember the Half Life 2 source code leak? They pushed back their release for exactly the same reasons, and they're closed source.

      Just because an open source company does something "nice" doesn't mean to say they did it because they're open source. It means absolutely nothing.

  • Deja Vu (Score:5, Funny)

    by Anonymous Coward on Wednesday March 24, 2004 @09:39AM (#8655740)
    This event immediately brought thoughts of Half-Life 2 to mind.

    I bet in a week the source code for GNOME 2.6 will be all over the Internet, free for anyone to take, read, and use!
  • by Anonymous Coward
    With all these break-ins on open source servers, it should finally let people see that just having open source software on a server does not make it more secure. The apache.org site was hacked because of an insecure default install of a web application and MySQL. Even the docs said not to leave it that way. If 1 in 100,000 people make such mistakes, popularity created more places to get in.
  • "GNOME 2.6 was scheduled to be released sometime today, however after evidence of possible intrusion on the web server, the release has been delayed by one week, until March 31st."

    Something's not right here. Does this mean that the Gnome website is hosted on an IIS webserver? I mean, we all know that only IIS servers are insecure.

    Or could it be that system security depends more on diligent admins than software?

    • Or could it be that system security depends more on diligent admins than software?

      Can't be. We all know that anyone who runs Linux has perfect security!

      What's funny is the lame self delusion - if there were 5 Linux compromises a week to one IIS they woudl simply claim that the IIS ones are unreported :)
  • Oh no! (Score:1, Redundant)

    by Throtex (708974)
    They've hacked in and gotten the source code! For free!
  • I'm surprised that conspiracy theorists on Slashdot didn't blame gnome team of faking the intrusion because they could not meet the deadline for the release.
  • Kind of offtopic to the security breach (but not to the release of 2.6 itself), but.. is there a list of changes/updates anywhere?

    I'm curious as to what improvements have been made.
  • by Anonymous Coward
    Which one of you dirty bastards couldn't wait 1 day for the source? Whoever is running GNOME 2.6 right now, stand up and speak! Impatient Bastard!
  • by cgreuter (82182) on Wednesday March 24, 2004 @03:15PM (#8659926)

    This sort of thing is exactly what I'd expect from freedom-hating closed-source advocates. No doubt, some SCO fan went and did this in retaliation for the Linux developers' attempts to preserve their intellectual property rights.

    There is a dark side of the commercial software community and now we are beginning to see it emerge.

    (Warning: this article contains sarcasm.)

  • by ajs (35943)
    Does anyone have a copy of the code that was taken from the site? Any chance of the KDE developers being able to reverse engineer some of the Gnome features from it?

    Oh right, *open* source software.... ;-)

We will have solar energy as soon as the utility companies solve one technical problem -- how to run a sunbeam through a meter.

Working...