FSF FTP Site Cracked, Looking for MD5 Sums
landley writes "The Free Software Foundation's FTP site at ftp.gnu.org has been "compromised", and they don't seem to have full backups. They've yanked a bunch of recent packages (and their whole alpha.gnu.org ftp site), and when I asked about it they responded 'Our FTP server was compromised, yes. We are beginning to find good MD5sums for files which have not yet been restored, and they will be available again Real Soon Now. If you can provide MD5sums for any of the files listed in MISSING-FILES, it would be very much appreciated.' " Update: the FSF has a statement on the FTP site explaining the matter.
Mirrors? (Score:3, Interesting)
Any word on how the crackers got in? (Score:1, Interesting)
Well that's good and all, but (Score:1, Interesting)
This pisses me off more than it should. (Score:5, Interesting)
They've done so much for humanity and some utter twit decides to compensate for his bad childhood by taking their server down.
*goes off to dock another point from his faith in humanity*
Re:Can someone please tell me... (Score:2, Interesting)
Only as much as a priest of a false religion is lying.
Microsoft servers _do_ get hacked more than Linux servers, but this is because there are far more MS servers of an identical configuration than there are Linux servers. They also tend to crash more--especially IIS.
So, Linux does get hacked, and there have been viruses written for Linux--but there are far far more hackers and virus-writers aimed at MS Windows as opposed to Linux.
Re:the $64,000 question: (Score:5, Interesting)
LOL!!! (Score:3, Interesting)
Now, MAYBE gnu will decide to write a GOOD automated backup system for no other reason than keeping their junk together. (and don't give me that tar crap. I know perfectly well what it's capable of. I want an OSS equiv to NetBackup) No backups! That's hilarious!! I wanna know what kinda beating the current admin is getting!
Well, hopefully they'll be able to get it pieced back together now. I'm sure it won't take more than a day to do so. Heck, I'll email my LUG and let the Deb folks spin MD5sums for a while to send over to 'em.
Enjoy the chaos! (Least only 1 person has managed to link this to SCO so far)
Re:Wait? I thought Linux was Secure?? (Score:2, Interesting)
but it seems to me that there's no meaningful comparison between an individual linux system being specifically attacked (maybe not even remotely) and brought down... and... every single XP computer with internet connection being susceptible by default to MSBlast... ?
Re:You're Kidding? (Score:1, Interesting)
This being said, I guess we can say that the cliche "the cobbler's children run barefoot" really applies here...
Re:Have a floppy? (Score:3, Interesting)
No, the best solution is to have a separate, offline copy of known good md5sums to compare against. Ones that came directly from the developer, preferably signed by the developer's GPG key [gnupg.org].
No you're not (Score:3, Interesting)
The FSF is the Free Software Foundation. They don't exist to help your business, they exist to provide... well... Free Software.
Whatever happens to FSF's own servers is completely irrelevant. Your distributor is the only thing that matters.
how cracker got in (Score:2, Interesting)
Re:Wait? I thought Linux was Secure?? (Score:2, Interesting)
Probably mentioned, but (Score:1, Interesting)
I'm surprised that their backup scheme was this shoddy. Possibly something where they didn't save back far enough to be sure, or something fairly recent that can't be verified as non-hacked in their backups.
Of course, I'd be wary of any MD5sums sent in unless sent in from various verified sources. Of course they might not be trusting their own MD5sums and want to verify from the outside as well?
Certainly a black eye for the FSF, but I'm sure they'll learn a lesson from this in any case.
Re:BSD Ports trees should have them (Score:3, Interesting)
Re:You're Kidding? (Score:2, Interesting)
What's unbelievable is the blatant stupidity of that statement.
Sure, this incident demonstrates that the person(s) in charge of the maintenance of ftp.gnu.org is/are incompetent. How you extrapolate from that to reach the conclusion that hundreds of GNU programs written and maintained by thousands of programmers are therefore sub-par, especially since these tools have been continually refined and perfected over the last decade or so and are objectively much better than those from any corporate vendor, is the truly incomprehensible matter.
Enterprise my ass, anyway.
FTP (the protocol) is NOT the problem. (Score:5, Interesting)
Using SSL is good if you have, e.g., passwords to hide, but other than that it just introduces complexity. More complexity tends to mean more possibility for bugs, which means more possible exploits.
However, don't use bloated, over-complicated stuff like wuftpd etc. Something like vsftpd is
FSF systems (Score:5, Interesting)
They do have more than one sysadmin, but none of them are full-time, I believe.
There are also some "interesting" schools of thought regarding security over in gnu.org land, and I'm sure there's tension between them as well. For example, savannah has to have some level of security, but their shell machine (not savannah) has almost zero "sysadmin-added" security: important configuration files are world-writable[*], because RMS doesn't believe in restricting individual actions of users on that machine. The only security is what's provided by the default installation, minus the world-writabilities.
So it should come as no surprise that the shell machine has been compromised multiple times. All from local users exploiting holes. The most recent was done in April, but they didn't find out about it until a few weeks ago. They're still recreating accounts.
I don't know about the ftp machine; I assume it's neither the same system as savannah nor the shell box. But it wouldn't surprise me to find the same situation: some important people at gnu.org don't believe in locking down machines, some important people do, but (gripping hand) it almost doesn't matter because none of them have the time to do so.
(If you wonder why the GCC manuals, web pages, etc, on {savannah,www,ftp}.gnu.org are occasionally out of date, it's because gcc.gnu.org (the master) is not admin'd by the same group. Events like this are why it's not admin'd by the same group.)
[*] Backups are done by having little Emacs hooks in comments in the files. When you edit the file -- and of COURSE you're using GNU/FSF Emacs, not XEmacs or any other editor in the world, cuz it's a gnu.org machine -- Emacs knows to make backup copies. I have no idea whether real backups are done, or how.
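The world-writable configuration files the post above describes are the kind of thing a periodic audit catches before a local user does. The following is an added example, not anything from the post or from the gnu.org machines: it walks a tree, reports every file or directory whose mode grants write access to "other", and skips sticky-bit directories (such as /tmp) that are world-writable by design. The `etc/inetd.conf` and `etc/hosts.allow` names in `demo()` are constructed sample paths in a temporary directory, not real system files.

```python
"""Audit a directory tree for world-writable files and directories."""
import os
import stat
import tempfile


def world_writable(root):
    """Return sorted relative paths under root whose mode bits grant write to 'other'.

    Symlinks are skipped (lstat is used, and a link's own mode bits mean nothing);
    directories with the sticky bit set are skipped because that is the intended
    layout for shared scratch space like /tmp.
    """
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if stat.S_ISLNK(st.st_mode):
                continue
            if not (st.st_mode & stat.S_IWOTH):
                continue
            if stat.S_ISDIR(st.st_mode) and (st.st_mode & stat.S_ISVTX):
                continue
            findings.append(os.path.relpath(full, root))
    return sorted(findings)


def demo():
    """Constructed layout: one locked-down config file, one world-writable one, a sticky /tmp."""
    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, "etc")
        os.mkdir(etc)
        os.chmod(etc, 0o755)                      # modes set explicitly, independent of umask
        good = os.path.join(etc, "hosts.allow")
        open(good, "w").close()
        os.chmod(good, 0o644)                     # owner-writable only: fine
        bad = os.path.join(etc, "inetd.conf")
        open(bad, "w").close()
        os.chmod(bad, 0o666)                      # world-writable: any local user can edit it
        tmp = os.path.join(root, "tmp")
        os.mkdir(tmp)
        os.chmod(tmp, 0o1777)                     # sticky world-writable dir: expected, not reported
        return world_writable(root)


if __name__ == "__main__":
    print(demo())
```

Run it against a real root (`world_writable("/etc")`) from cron and diff the output against the previous run; a new entry is a change that should have gone through whoever administers the box.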
Re:FSF systems (Score:2, Interesting)
Re:And the internet shall be your tape backup (Score:2, Interesting)
The question isn't whether BSD is dying... (Score:3, Interesting)
Post a reply if you would like me to send you an RPM for a Red Hat compatible PORTS tree...
No really: I have lots of old FreeBSD CDROMs with a veritable history of (the best) GNU software and MD5 sums. I can go back to FreeBSD 2.2.2. Check your timeline. BSD subscribers save the day HA!
Re:Wait? I thought Linux was Secure?? (Score:3, Interesting)
The only reason they got cracked was because they allowed local shell accounts, and due to questionable reporting practices, an exploit was released before linux kernel people had a chance to fix it.
Re:How Long (Score:4, Interesting)
MD5 sums are only secure if they are provided through a secure channel (like within a GPG-signed message). Using a second machine to serve out the MD5 sums is only twice as safe (two machines to crack), and that's still not too safe.
What I wonder is why they didn't sign accepted packages with GPG. I've been doing that for a while (well, since breaking-and-trojaning became fashionable).
I hope when ftp.gnu.org comes back that it's with *.asc files next to all the archives...
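Two comments in this thread make the same point from different sides: an MD5 sum is only worth what the channel that delivered it is worth, and sums sent in by strangers for the MISSING-FILES list should not be trusted unless several independent sources agree. The example below is added here and is not code from the story, the FSF, or any commenter. It parses md5sum/sha256sum-style manifests, accepts a sum only when a quorum of submitters agree and nobody disagrees, verifies restored files against the agreed sums, and checks a GPG-signed manifest against a pinned key fingerprint (the `expected_fpr` argument is a placeholder the caller supplies; `gpg --status-fd 1 --verify` is the real GnuPG invocation). File names and contents in `demo()` are constructed. It defaults to SHA-256 because MD5 is collision-broken today, but `algorithm="md5"` checks the MD5 manifests the story is about.

```python
"""Cross-check submitted checksum manifests, verify files, authenticate a signed manifest."""
import hashlib
import os
import shutil
import subprocess
import tempfile
from collections import Counter


def parse_manifest(text):
    """Parse md5sum/sha256sum-style output ('<hex>  <path>' per line) into {path: hex}."""
    sums = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"malformed manifest line: {line!r}")
        digest, path = parts
        sums[path.lstrip("*")] = digest.lower()   # md5sum marks binary mode with '*'
    return sums


def consensus(manifests, quorum):
    """Keep a sum only if at least `quorum` submitters gave it and none disagreed.
    Returns (agreed, disputed); disputed maps path -> {digest: votes} for manual review."""
    votes = {}
    for m in manifests:
        for path, digest in m.items():
            votes.setdefault(path, Counter())[digest] += 1
    agreed, disputed = {}, {}
    for path, counts in votes.items():
        digest, n = counts.most_common(1)[0]
        if n >= quorum and len(counts) == 1:
            agreed[path] = digest
        else:
            disputed[path] = dict(counts)
    return agreed, disputed


def hash_file(path, algorithm="sha256"):
    """Stream a file through hashlib; use algorithm='md5' for MD5 manifests."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_tree(root, sums, algorithm="sha256"):
    """Return {path: 'ok' | 'mismatch' | 'missing'} for every path in sums."""
    status = {}
    for rel, expected in sums.items():
        full = os.path.join(root, rel)
        if not os.path.isfile(full):
            status[rel] = "missing"
        else:
            status[rel] = "ok" if hash_file(full, algorithm) == expected else "mismatch"
    return status


def manifest_signed_by(manifest_path, sig_path, expected_fpr):
    """Verify a detached OpenPGP signature over the manifest and pin the signing key.
    Exit code 0 only says *some* keyring key verified it, so the fingerprint on the
    VALIDSIG status line is compared with the one pinned for the project."""
    gpg = shutil.which("gpg")
    if gpg is None:
        raise RuntimeError("gpg binary not found")
    proc = subprocess.run([gpg, "--status-fd", "1", "--verify", sig_path, manifest_path],
                          capture_output=True, text=True)
    if proc.returncode != 0:
        return False
    for line in proc.stdout.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[:2] == ["[GNUPG:]", "VALIDSIG"]:
            return fields[2].upper() == expected_fpr.replace(" ", "").upper()
    return False


def demo():
    """Constructed scenario: three submitters, one wrong sum, one altered local file."""
    with tempfile.TemporaryDirectory() as root:
        files = {"foo-1.0.tar.gz": b"foo release\n",
                 "bar-2.1.tar.gz": b"bar release\n",
                 "baz-0.9.tar.gz": b"baz release\n"}
        for name, data in files.items():
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        good = {n: hashlib.sha256(d).hexdigest() for n, d in files.items()}
        submitter_a = "\n".join(f"{d}  {n}" for n, d in good.items())
        submitter_b = submitter_a                             # independent, same sums
        submitter_c = (f"{good['foo-1.0.tar.gz']}  foo-1.0.tar.gz\n"
                       f"{'0' * 64}  bar-2.1.tar.gz\n")       # wrong sum for bar, no baz
        agreed, disputed = consensus(
            [parse_manifest(s) for s in (submitter_a, submitter_b, submitter_c)], quorum=2)
        with open(os.path.join(root, "baz-0.9.tar.gz"), "ab") as f:
            f.write(b"altered\n")                             # simulate a tampered restore
        return agreed, disputed, verify_tree(root, agreed)
```

In the constructed run, `foo` and `baz` reach consensus, `bar` is flagged as disputed because one submitter's sum differs, and verification then catches the altered `baz` archive as a mismatch. Pairing `consensus()` with `manifest_signed_by()` is the point of the thread: agreement among strangers narrows the problem, a signature from a pinned key settles it.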
Re:the $64,000 question: (Score:2, Interesting)
here. [darktech.org] I'd like people to contribute reasons they think OpenBSD is "the bestest thing for security since the NRA!!!!" and such. Contact information is at the top of the piece, have fun.
I just crawled out of a bad karma slump, and here I go getting myself back into it...