FSF FTP Site Cracked, Looking for MD5 Sums
landley writes "The Free Software Foundation's FTP site at ftp.gnu.org has been "compromised", and they don't seem to have full backups. They've yanked a bunch of recent packages (and their whole alpha.gnu.org ftp site), and when I asked about it they responded 'Our FTP server was compromised, yes. We are beginning to find good MD5sums for files which have not yet been restored, and they will be available again Real Soon Now. If you can provide MD5sums for any of the files listed in MISSING-FILES, it would be very much appreciated.' "
Update: the FSF has a statement on the FTP site explaining the matter.
Correct MD5s (Score:4, Funny)
Re:Correct MD5s (Score:4, Insightful)
Surely, there aren't that many dishonest people, and if there were, then it would be hard for them all to get together and come up with the same MD5.
Re:Correct MD5s (Score:5, Insightful)
Re:Correct MD5s (Score:4, Insightful)
Any use of the checksum to ensure that the file has not been altered before the transfer is useless, as a person who cracks a server will replace the file and its checksum.
File checksums should always be signed by someone who can be trusted. If that's not the case, they are worthless.
Re:Correct MD5s (Score:3, Funny)
# grep -i ircflood *.c
gcc.c:#include "ircflood.h"
What's going on here?@!?@!?
ouch, saw this yesterday (Score:4, Informative)
Comment removed (Score:5, Funny)
Pointless (Score:4, Insightful)
Unless of course, the mirror hasn't been updated since sometime in mid-March.
Re: (Score:3, Informative)
UK Mirror Service (Score:4, Informative)
In all seriousness, you have until some time tonight (on BST, which is UTC+1) before we should be fully synced, including any files that have been pulled, with the source site. There are some exceptions, but I don't think they will apply in this case. And if any files were compromised, they are compromised on our servers as well.
WARNING: SHAMELESS PLUG: If you are a fan of the Mirror Service, or even just a user, please note the message on our homepage [mirror.ac.uk], as we are about to be able to serve even more users, at higher speeds.
Mirrors? (Score:3, Interesting)
Comment removed (Score:5, Informative)
Re:Mirrors? (Score:3, Informative)
Looks like they don't know how long ago the break-in was, so they pulled the mirrors to be safe.
Finnishing move (Score:5, Funny)
I know, I clicked on the link :)
SCO (Score:4, Funny)
Obg. (Score:5, Funny)
Re:Obg. (Score:5, Funny)
I have the files (Score:5, Funny)
I will get around to fixing it sometime next week.
Put your glove on (Score:3, Funny)
BSD Ports trees should have them (Score:5, Informative)
Re:BSD Ports trees should have them (Score:5, Informative)
Re:BSD Ports trees should have them (Score:3, Insightful)
They may be verified, but I think in some cases the ports packages will be subtly different than the ones GNU is really looking for.
Re:BSD Ports trees should have them (Score:3, Interesting)
Re:BSD Ports trees should have them (Score:5, Informative)
BSD-specific patches are then applied to the downloaded source, but have no implications for the md5 signature that's on file.
The question isn't whether BSD is dying... (Score:3, Interesting)
Post a reply if you would like me to send you an RPM for a Red Hat compatible PORTS tree...
No really: I have lots of old FreeBSD CDROMs with a veritable history of (the best) GNU software and MD5 sums. I can go back to FreeBSD 2.2.2. Check your timeline. BSD subscribers save the day HA!
Oops! (Score:3, Funny)
Who wants to sell off some MD5 checksums off ebay? Let's make a few dollars!
This is a conspiracy (Score:5, Funny)
the list goes on and on and...
now, grep for 'vi' : nothing, nada, null.
Of course, what do you think? This is a conspiracy orchestrated by VI lovers, to wipe out EMACS from the face of earth!
Re:This is a conspiracy (Score:3, Funny)
EMACS probably has its own built-in function to wipe itself from the face of the earth. Don't worry though, there is probably another command to dump the source for itself directly from the binary.
Re:And in other news... (Score:5, Funny)
headline (Score:5, Funny)
FSF FTP Site Cracked, Looking for MD5 Sums
You just might be a geek.
Re:headline (Score:5, Funny)
FSF FTP Site Cracked, Looking for MD5 Sums
You just might be a geek.
The headline should have been simply
FSF ftp 0wn3d IM RMS teh md5sum's
Then the mainstream media would be all "OMFG WTF?! STFU
Re:headline (Score:3, Funny)
Rob
This pisses me off more than it should. (Score:5, Interesting)
They've done so much for humanity and some utter twit decides to compensate for his bad childhood by taking their server down.
*goes off to dock another point from his faith in humanity*
Re:This pisses me off more than it should. (Score:4, Funny)
Re:This pisses me off more than it should. (Score:3, Insightful)
this is way worse than when someone writes a worm that intentionally targets home windows+broadband users to destroy the functionality of the internet. see, when someone is doing that, they're making a political/religious/security statement that windows sux0rs.
on the other hand, when someone owns the primary distribution server for the world's most important, relevant free software and the maintainers really have no clue how badly they've been stung over a period of 6 months, well, nobody questions th
Re:This pisses me off more than it should. (Score:3, Insightful)
That's by no means a valid assumption. Consider a remote non-root exploit coupled with a local root exploit. Not that uncommon. Figure that at this point, most network services don't run as root, and you can fairly easily envision a situation in which such a series of compromises might have led to this situation.
noah
You're Kidding? (Score:5, Insightful)
Unbelievable. And I'm supposed to trust their methods and products with my enterprise?
Re:You're Kidding? (Score:5, Insightful)
Re:You're Kidding? (Score:5, Informative)
Re:You're Kidding? (Score:5, Informative)
Re:You're Kidding? (Score:3, Insightful)
Re:You're Kidding? (Score:3, Insightful)
What I do on my server, and what you do on your server is our own problem, but you would think the primary FTP site for all FSF would have a little better security. Yea, its like how mechanics don't take great care of their own cars, but this really is a black eye, and poten
No you're not (Score:3, Interesting)
The FSF is the Free Software Foundation. They don't exist to help your business, they exist to provide... well... Free Software.
Whatever happens to FSF's own servers is completely irrelevant. Your distributor is the only thing that matters.
Re:You're Kidding? (Score:3, Funny)
That's why I liked Picard.
That is awful... (Score:3, Insightful)
Having just read the above, let me add: Let a thousand jokes be posted!
Re:That is awful... (Score:3, Funny)
man dump
If this had been an open source ftp server (Score:5, Funny)
Why no PGP signature? (Score:4, Insightful)
BTW, here is my contribution:
> md5sum sed-4.0.7.tar.gz
005738e7f97bd77d95b6907156c8202
-molo
Complete md5sum (Score:5, Funny)
deadbeefdeadbeefdeadbeefdeadbee
One would think... (Score:4, Insightful)
Sorry, gnu.org team, no ice cream tonight.
LOL!!! (Score:3, Interesting)
Now, MAYBE gnu will decide to write a GOOD automated backup system for no other reason than keeping their junk together. (and don't give me that tar crap. I know perfectly well what it's capable of. I want an OSS equiv to NetBackup) No backups! That's hilarious!! I wanna know what kinda beating the current admin is getting!
Well, hopefully they'll be able to get it pieced back together now. I'm sure it won't take more than a day to do so. Heck, I'll email my LUG and let the Deb folks spin MD5sums for a while to send over to 'em.
Enjoy the chaos! (Least only 1 person has managed to link this to SCO so far)
backups (Score:3, Insightful)
i mean, all the posts here are about how insecure FSF is, or open source sucks...or windows sucks more...
what about the bloody principle of backing up your own software? let me guess, stallman and his crew has ONE FTP server, and they never back the bloody thing up? they should all be punished for such foolishness. nobody in a corporation would allow this...what would have happened if the hard drive crashed, or the raid crashed hard on that FTP server? the same thing!!!
asking the world for MD5 sums...
tsk tsk.
oh, and I use Open Source just about everywhere, except my workstation (mandatory windows). I run a chrooted Wu-FTPD, never had too much trouble either...but, we have a tape backup, just in case...
Re:Corrupted Backups (a.k.a. Why request MD5s?) (Score:3, Insightful)
How Long (Score:5, Insightful)
Also nicely demonstrates the pointlessness (and stupidity) of serving out your MD5sums from the same machine.
Re:How Long (Score:4, Interesting)
MD5 sums are only secure if they are provided through a secure channel (like within a GPG-signed message). Using a second machine to serve out the MD5 sums is only twice as safe (two machines to crack), and that's still not too safe.
What I wonder is why they didn't sign accepted packages with GPG. I've been doing that for a while (well, since breaking-and-trojaning became fashionable).
I hope when ftp.gnu.org comes back that it's with *.asc files next to all the archives...
DARL! DARL!! (Score:4, Funny)
Yes mom....
Status update from FSF on GNU FTP site crack (Score:4, Informative)
Hash: SHA1
To the Free Software Community:
Summary
* gnuftp, the FTP server for the GNU project was root compromised.
* After substantial investigation, we don't believe that any GNU
source has been compromised.
* To be extra-careful, we are verifying known, trusted secure
checksums of all files before putting them back on the FTP site.
Events Concerning Cracking of Gnuftp
A root compromise and a Trojan horse were discovered on gnuftp.gnu.org,
the FTP server of the GNU project. The machine appears to have been
cracked in March 2003, but we only very recently discovered the crack.
The modus operandi of the cracker shows that (s)he was interested
primarily in using gnuftp to collect passwords and as a launching point to
attack other machines. It appears that the machine was cracked using a
ptrace exploit immediately after the exploit was posted on bugtraq.
(For the ptrace bug, a root-shell exploit was available on 17 March 2003, and
a working fix was not available on linux-kernel until the following week.
Evidence found on the machine indicates that we were cracked during that
week.)
Given the nature of the compromise and the length of time the machine was
compromised, we have spent the last few weeks verifying the integrity of
the GNU source code stored on gnuftp. Most of this work is done, and the
remaining work is primarily for files that were uploaded since early 2003,
as our backups from that period could also theoretically be compromised.
Historical Integrity Checks
We have compared the md5sum of each source code file (such as
ftp://ftp.gnu.org/before-2003-08-01.md5sums
in the format:
MD5SUM FILE [REASON,
The REASONs are a list of reasons why we believe that md5sum is good for
that file. The file as a whole is GPG-signed.
Remaining Files
The files that have not been checked are listed in the root directory as
"MISSING-FILES". We are in the process of asking GNU maintainers for
trusted secure checksums of those files before we put them in place.
We have lots of evidence now to believe that no source has been
compromised -- including the MO of the cracker, the fact that every file
we've checked so far isn't compromised, and that searches for standard
source trojans turned up nothing.
However, we don't want to put files up until we've had a known good source
confirm that the checksums are correct.
Alpha FTP Site
The Alpha FTP site at ftp://alpha.gnu.org/ has been a lower priority for
us, but we plan to follow the same procedure there.
- --
Bradley M. Kuhn, Executive Director
Free Software Foundation | Phone: +1-617-542-5942
59 Temple Place, Suite 330 | Fax: +1-617-542-2652
Boston, MA 02111-1307 USA | Web: http://www.gnu.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iD8DBQE/OnYb53XjJNtBs4cRAqplAJ95PHJhIwRiwjKBqSIxZHSVlTOtxACgyouK
QAfYhiLJcwPHio6fsk+s2uY=
=DUMO
-----END PGP SIGNATURE-----
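The objection raised in the "Correct MD5s" and "How Long" replies (a checksum served from the same compromised host is replaced along with the file) and the md5sums manifest format the FSF statement describes ("MD5SUM FILE [REASON, ...]", with the whole file GPG-signed) are illustrated below by an added example; it is not code from the thread or from the FSF. The bracket syntax for the REASON list is an assumption, since the statement's sample line is truncated; the sample tarball, its "trojaned" replacement and both manifests are constructed in a temporary directory. Checking the GPG signature on the manifest happens out of band with gpg and is not shown here, as it is not in the Python standard library. MD5 is no longer collision-resistant, so a manifest written today would carry SHA-256 digests, but the detection logic is the same.

```python
"""Verify archives against a checksum manifest, offline copy versus served copy.

Added example, not FSF code. Manifest line format follows the FSF statement:
    MD5SUM FILE [REASON, REASON, ...]
The bracketed reason list is assumed (the statement's example is truncated)
and is optional here.
"""
import hashlib
import os
import re
import tempfile

# 32 hex chars, whitespace, a filename, then an optional "[reason, reason]" tail
MANIFEST_LINE = re.compile(r"^([0-9a-fA-F]{32})\s+(\S+)(?:\s+\[(.*)\])?\s*$")


def parse_manifest(text):
    """Return {filename: (md5hex, [reasons])}; a malformed line raises ValueError."""
    entries = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        m = MANIFEST_LINE.match(line)
        if not m:
            raise ValueError(f"manifest line {lineno} malformed: {line!r}")
        digest, name, reasons = m.groups()
        reason_list = [r.strip() for r in reasons.split(",")] if reasons else []
        entries[name] = (digest.lower(), reason_list)
    return entries


def md5_of_file(path):
    """Stream the file so large tarballs are not read into memory at once."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_tree(root, manifest):
    """Return {filename: 'ok' | 'MISMATCH' | 'MISSING'} for every manifest entry."""
    results = {}
    for name, (expected, _reasons) in manifest.items():
        path = os.path.join(root, name)
        if not os.path.exists(path):
            results[name] = "MISSING"
        elif md5_of_file(path) == expected:
            results[name] = "ok"
        else:
            results[name] = "MISMATCH"
    return results


def demo():
    """Constructed scenario: the server's tarball and its checksum are both replaced."""
    root = tempfile.mkdtemp(prefix="ftpmirror-")
    tarball = "sed-4.0.7.tar.gz"  # name from the thread; contents are a stand-in
    good = b"original sed tarball bytes (constructed)\n"
    with open(os.path.join(root, tarball), "wb") as f:
        f.write(good)

    # Manifest captured offline before the compromise (constructed); this is the
    # copy a maintainer or an old mirror could supply.
    offline_manifest = (
        f"{hashlib.md5(good).hexdigest()}  {tarball} [maintainer copy, pre-2003 mirror]\n"
    )

    # The intruder now replaces the tarball AND the checksum file on the host.
    trojaned = good + b"# appended marker standing in for a backdoor\n"
    with open(os.path.join(root, tarball), "wb") as f:
        f.write(trojaned)
    served_manifest = f"{hashlib.md5(trojaned).hexdigest()}  {tarball}\n"

    return {
        # checking against the checksum served by the same machine: passes
        "served_checksum_check": verify_tree(root, parse_manifest(served_manifest)),
        # checking against the offline copy: the substitution is caught
        "offline_checksum_check": verify_tree(root, parse_manifest(offline_manifest)),
    }


if __name__ == "__main__":
    for source, result in demo().items():
        print(source, result)
```

The point the two dictionaries make is the one from the thread: a digest fetched over the same channel as the archive only detects accidental corruption, while a digest pinned from an independent source (an older mirror, a ports tree, a maintainer's signed mail) detects substitution, and the GPG signature on the manifest is what lets a downloader trust that pinned copy without having captured it in advance.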
Re:Status update from FSF on GNU FTP site crack (Score:5, Informative)
SCO did it! SCO did it! (Score:4, Funny)
WTF? (Score:4, Informative)
Go easy on 'em... (Score:5, Insightful)
Rather than boast about all of the work they do, they quietly work behind the scenes just so you can play Monday morning quarterback. They have one full-time systems administrator who is *INCREDIBLY* overworked. They are doing everything they can to keep the boat together. Last year they were over $315,000 in the red. Thanks to the FSF associate program and some skillful fundraising they're back in the black.
Want to help? Go get your FSF associate membership [fsf.org]. It's not that expensive and it goes a long way towards helping to protect your freedoms.
Incidentally, this is also old news. They had MD5 sums verified, and the servers were patched up and back online almost two full weeks ago. None of the software was trojaned.
Who am I? Just another hacker who bothered to pay for an associate membership (#1142)...
What's really sad about this... (Score:3, Insightful)
The FSF don't say (and probably shouldn't say) whether they know who did it. I hope they do, because if they don't the mistrust which will be engendered will cause a lot of unhappiness, and will distract maintainers from looking after the packages we all use.
If the FSF don't know, I hope the culprit has the guts to own up, and own up quickly.
Re:Well that's good and all, but (Score:5, Informative)
Re:Well that's good and all, but (Score:3, Insightful)
They were using wu-ftp? That's a worse security hole magnet than sendmail or bind.
Re:Well that's good and all, but (Score:5, Insightful)
At least they yanked the programs until they could verify that they were correct. That really was the only thing they could do. The lesson to take from this is that with computer security and auditing, nothing less than absolute perfection is necessary. And so long as human beings are doing the admin work, absolute perfection just isn't realistic.
Re:Well that's good and all, but (Score:5, Insightful)
While I agree with the premise of the post, this is the sort of thing that would get flamed to hell and back if the thread dealt with a Microsoft security breach (case in point, see yesterday's discussion [slashdot.org] about the RPC worm). According to that thread, being overworked, underpaid, or anything else is not an excuse for having an unpatched machine.
FSF systems (Score:5, Interesting)
They do have more than one sysadmin, but none of them are full-time, I believe.
There are also some "interesting" schools of thought regarding security over in gnu.org land, and I'm sure there's tension between them as well. For example, savannah has to have some level of security, but their shell machine (not savannah) has almost zero "sysadmin-added" security: important configuration files are world-writable[*], because RMS doesn't believe in restricting individual actions of users on that machine. The only security is what's provided by the default installation, minus the world-writabilities.
So it should come as no surprise that the shell machine has been compromised multiple times. All from local users exploiting holes. The most recent was done in April, but they didn't find out about it until a few weeks ago. They're still recreating accounts.
I don't know about the ftp machine; I assume it's neither the same system as savannah nor the shell box. But it wouldn't surprise me to find the same situation: some important people at gnu.org don't believe in locking down machines, some important people do, but (gripping hand) it almost doesn't matter because none of them have the time to do so.
(If you wonder why the GCC manuals, web pages, etc, on {savannah,www,ftp}.gnu.org are occasionally out of date, it's because gcc.gnu.org (the master) is not admin'd by the same group. Events like this are why it's not admin'd by the same group.)
[*] Backups are done by having little Emacs hooks in comments in the files. When you edit the file -- and of COURSE you're using GNU/FSF Emacs, not XEmacs or any other editor in the world, cuz it's a gnu.org machine -- Emacs knows to make backup copies. I have no idea whether real backups are done, or how.
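The world-writable configuration files described in this comment are the kind of thing a periodic audit catches before a local user does. Below is an added example of such a check (not a gnu.org script); the sample tree, its file names and modes are constructed in a temporary directory. It flags regular files with the other-write bit set and directories that are world-writable without the sticky bit, while leaving sticky world-writable directories like /tmp alone, since those are a normal configuration.

```python
"""Audit a directory tree for world-writable files and directories.

Added example, not gnu.org code. Symlinks are skipped (their mode bits are
meaningless; the target is examined when the walk reaches it directly).
"""
import os
import stat
import tempfile


def classify(path):
    """Return a finding label for path, or None if its permissions are unremarkable."""
    mode = os.lstat(path).st_mode
    if stat.S_ISLNK(mode):
        return None
    if not (mode & stat.S_IWOTH):
        return None
    if stat.S_ISDIR(mode):
        # /tmp-style directories have the sticky bit and are expected
        return "sticky-dir" if mode & stat.S_ISVTX else "world-writable-dir"
    if stat.S_ISREG(mode):
        return "world-writable-file"
    return None  # sockets, fifos, devices are out of scope here


def find_world_writable(root):
    """Return sorted (path relative to root, finding) pairs for reportable entries."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            kind = classify(full)
            if kind and kind != "sticky-dir":
                findings.append((os.path.relpath(full, root), kind))
    return sorted(findings)


def build_sample_tree():
    """Constructed tree mimicking a shell box with lax permissions on config files."""
    root = tempfile.mkdtemp(prefix="audit-")
    etc = os.path.join(root, "etc")
    os.mkdir(etc)
    os.chmod(etc, 0o755)
    # (name, mode): hosts.allow is sane; inetd.conf and motd are world-writable
    for name, mode in (("hosts.allow", 0o644), ("inetd.conf", 0o666), ("motd", 0o666)):
        p = os.path.join(etc, name)
        with open(p, "w") as f:
            f.write(f"# constructed {name}\n")
        os.chmod(p, mode)
    tmp = os.path.join(root, "tmp")
    os.mkdir(tmp)
    os.chmod(tmp, 0o1777)  # sticky: expected, not reported
    spool = os.path.join(root, "spool")
    os.mkdir(spool)
    os.chmod(spool, 0o777)  # no sticky bit: reported
    return root


if __name__ == "__main__":
    for rel, kind in find_world_writable(build_sample_tree()):
        print(f"{kind:20s} {rel}")
```

Run against a real /etc the same function gives the list an administrator would want to fix with chmod o-w; on a shared shell host, anything under /etc that shows up here can be edited by every local account.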
Re:Well that's good and all, but (Score:4, Informative)
A root compromise and a Trojan horse were discovered on gnuftp.gnu.org,
the FTP server of the GNU project. The machine appears to have been
cracked in March 2003, but we only very recently discovered the crack.
The modus operandi of the cracker shows that (s)he was interested
primarily in using gnuftp to collect passwords and as a launching point to
attack other machines. It appears that the machine was cracked using a
ptrace exploit immediately after the exploit was posted on bugtraq.
(For the ptrace bug, a root-shell exploit was available on 17 March 2003, and
a working fix was not available on linux-kernel until the following week.
Evidence found on the machine indicates that we were cracked during that
week.)
Given the nature of the compromise and the length of time the machine was
compromised, we have spent the last few weeks verifying the integrity of
the GNU source code stored on gnuftp. Most of this work is done, and the
remaining work is primarily for files that were uploaded since early 2003,
as our backups from that period could also theoretically be compromised.
Re:the $64,000 question: (Score:5, Insightful)
Re:the $64,000 question: (Score:5, Informative)
If you want to give FSF $64,000, we could hire someone to implement a better plan. But we're not made of money.
Re:the $64,000 question: (Score:3, Informative)
Our backup process is flawed, but that's because we can't afford good backup hardware.
RTFA: There *are* backups, and they *did* patch (Score:5, Informative)
[snip]
(For the ptrace bug, a root-shell exploit was available on 17 March 2003, and a working fix was not available on linux-kernel until the following week. Evidence found on the machine indicates that we were cracked during that week.)
Given the nature of the compromise and the length of time the machine was compromised, we have spent the last few weeks verifying the integrity of the GNU source code stored on gnuftp. Most of this work is done, and the remaining work is primarily for files that were uploaded since early 2003, as our backups from that period could also theoretically be compromised.
(emphasis added). So in other words, they were cracked in the brief space between the exploit post and the patch, and didn't find it right away. Now, they are carefully vetting all their backups from that period to remove any possibility that a compromised backup could be redistributed.
So, to answer your poorly-researched questions:
Which part of this would you not consider a disaster recovery plan?
Re:RTFA: There *are* backups, and they *did* patch (Score:3, Insightful)
Easy to point out someone else's mistakes (Score:5, Insightful)
It's very easy to point out other people's "mistakes" like this, but I wonder how many people actually take all these various precautions that they're so quick to accuse others of not implementing?
The fools! They forgot to install a firewall!
The fools! They didn't purge all the old user accounts!
The fools! They didn't install the latest security patch! On all the boxes in the office!
The fools! They didn't require 10 character passwords, to be changed every 15 days!
The fools! They didn't update their virus definition files! Within the last 24 hours!
The fools! They didn't make triple-redundant off site backups!
The fools! They didn't have a plan C!
The fools! They don't know where their towel is!
Now granted, if you're being paid the big bucks to think about nothing but information security all day then all of these things should probably cross your mind... but I would be willing to bet that most people who are so quick and proud to show off their shiny, impenetrable suit of dragon scales have a soft vulnerable spot on their bellies.
Re:the $64,000 question: (Score:4, Insightful)
A mirror is a random (whenever the mirror was made) point-in-time backup. There is no assurance that at any given point in time in the future a mirror is available for a particular point in time in the past. As a result, the answer to the question "do we have a backup" resolves to "maybe". Generally this sort of answer makes people squirm.
In this particular situation the problem is exacerbated by the fact that every release from March until NOW needs to be reacquired from its source, because after March 2003 the source repository and its mirrors can no longer be considered safe.
Indeed, a very difficult situation to be in.
In order to answer Yes to the point in time question one must invest considerable cash in hardware and software to provide such backups.
Re:the $64,000 question: (Score:3, Funny)
Re:the $64,000 question: (Score:3, Insightful)
Good God. The fact you can post that comment...no. You're just too much of an unthinking hero-worshipping idiot for me to finish. Yes, it was an inside job or a weak password. Anything except a vulnerability. Yes.
Re:the $64,000 question: (Score:5, Funny)
That would be OpenBSD.
Re:the $64,000 question: (Score:5, Interesting)
Re:the $64,000 question: (Score:5, Funny)
and patched August 31, 2003
I knew the open source community worked fast but that's just scary.
Re:the $64,000 question: (Score:5, Funny)
leaving out the profanities, this isn't flamebait
Duhhh. "If it wasn't for the flames, this wouldn't be a flame."
Re:the $64,000 question: (Score:3, Informative)
Re:the $64,000 question: (Score:4, Insightful)
If a bug in IIS causes a remote exploit then that's a bug in IIS, and that's it. Now, if there's a bug in the Windows TCP/IP stack, networking components, some kernel call, etc, which causes an exploit then that *is* a bug in Windows.
A bug in wu-ftpd doesn't just affect Linux. It will also affect the other supported platforms: BSD/OS 1.1, and 3.1, FreeBSD 2.2.6, SCO OpenServer 5.x, SCO UnixWare 2.1, Solaris 2.4, 2.5.1 and 2.6, Sun Sparc Platforms, Solaris 2.6, Solaris 2.5.1, SunOS 4.1.4
The only real security vulnerabilities in Linux are the ones that affect only the kernel and Linux specific tools. Everything else is just a vulnerability in some other program.
Re:the $64,000 question: (Score:3, Insightful)
Which is why syslog should be on another secure computer, and dumped to paper in a locked room for high-security sites.
It won't help the recovery, but helps pinpoint the intrusion
Re:Can someone please tell me... (Score:3, Informative)
apache? (Score:3, Insightful)
But no, Apache isn't 100% secure. There is no such 100% server, except one unplugged from the net, encased in titanium, and buried beneath the Pacific seabed.
Re:So apache no invulnerable then... (Score:3, Insightful)
As is the case with most installations of MS Windows, other operating systems and pretty much any user level software, the security of the system is only as strong as the
Re:So apache no invulnerable then... (Score:3, Funny)
That myth existed? Seems fairly unlikely to me...
Re:Wait? I thought Linux was Secure?? (Score:3)
I'll wait while the "wind0ze suX0rs!" 1337 Hackors try to make this sound insignificant to linux, but can blow up on MS when a virus is released.
This is not at all insignificant. Of course more detail is really needed to assess the situation.
Here are two possible scenarios:
1. Some idiot with lots of access rights does something dumb like log in in the clear. I think this is unlikely, but if it did happen this guy (or girl) should be soundly beat about the head and shoulders.
2. The software they
Re:Wait? I thought Linux was Secure?? (Score:3, Insightful)
However, the next time a virus is released that takes down 90% of Linux installs, and toasts most of the internet, let me know. Until then, your point isn't exactly valid.
Re:Wait? I thought Linux was Secure?? (Score:5, Insightful)
Though don't bother if it only toasts about 50% of Windows installs and brings down only a significant portion of the internet. That's becoming too commonplace.
Re:Wait? I thought Linux was Secure?? (Score:4, Insightful)
Last time I checked, it was wu_ftpd that had the vulnerability, not Linux. It doesn't matter if you were running it on Cygwin, *BSD, HURD, or Linux. Geesh. Stop calling everything OS Linux, because it isn't.
Re:Wait? I thought Linux was Secure?? (Score:3, Interesting)
The only reason they got cracked was because they allowed local shell accounts, and due to questionable reporting practices, an exploit was released before linux kernel people had a chance to fix it.
Re:Have a floppy? (Score:3, Interesting)
No, the best solution is to have a separate, offline copy of known good md5sums to compare against. Ones that came directly from the developer, preferably signed by the developer's GPG key [gnupg.org].
Re:Have a floppy? (Score:3, Insightful)
Since the server was hacked sometime in March, even the backups have the possibility of being compromised. I doubt they keep 5+ months of nightly or even weekly backups sitting around.
Re:Full backups (Score:3, Insightful)
They have to recompile the stuff from the developers who hopefully have had better success in maintaining the integrity of their systems and data.
Re:Any word on how the crackers got in? (Score:4, Funny)
FTP (the protocol) is NOT the problem. (Score:5, Interesting)
Using ssl is good if you have e.g. passwords to hide, but other than that it just introduces complexity. More complexity tends to mean more possibility for bugs, which means more possible exploits.
However, don't use bloated, over-complicated stuff like wuftpd etc. something like vsftpd is
Re:ftp? (Score:3, Informative)
Re:Of course, if this was a MS site that was (Score:3, Informative)
It goes to show that listening to Anonymous Cowards isn't very wise; if you read the article, they have backups, but any backups of the system after it was hacked are nigh worthless.