Posted on 08/14/2003 4:50:43 PM PDT by Spruce
And here is the FSF statement on the crack. There are some very interesting facts buried in there:
It is pessimistic to say that nothing can be cracked. It is quite possible to build a secure Linux. And OpenBSD is secure right out of the box. Mac OSX and OSX Server are also very, very difficult to root in the default install, and they do maintain themselves, Windows XP-style.
"Root, God, what is difference?" - Pitr of UserFriendly.
A lot of end users don't understand the difference between the vulnerabilities of OSS systems and the way these vulnerabilities are addressed, and Microsoft's innately single-user systems and their "security through obscurity" approach. Either system is toast if your admins drop the ball, as FSF did here. But the closed-source system is also toast if the crackers discover an exploit that the maintainers have been hiding so as not to "alarm" the users.
People who have spoken for security for one major closed-source vendor have traditionally come from marketing or PR backgrounds, and been extremely weak on security theory. That's probably all you can do if you build on a feeble architecture.
d.o.l.
Criminal Number 18F
- the perpetrator was a local, not net, user
- the presumed target was passwords
- none of the source on the machine has come up compromised
I'd be careful referring to those points as "facts", especially considering the word "presumed" is used in one of them. Some of the most sophisticated attacks first compromise a local workstation before attacking the server, and that very well could have happened here.
We will probably never know the exact details, especially considering it was months ago, an eternity for a talented hack to cover his steps. Your only 100% safe course of action is to rebuild your system if you downloaded any components from the site over the last six months using newly verified source files.
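The rebuild-from-newly-verified-sources advice above, as an added example that is not code from FSF, GNU or any poster: a small Python checker that re-verifies previously downloaded tarballs against a trusted manifest and flags altered, missing and unlisted files. The manifest format (sha256sum style) and the sample files are assumed and constructed here.

```python
# Added example, not code from FSF, GNU or any poster. Manifest lines use the
# "<sha256>  <filename>" form sha256sum prints (assumed). The manifest must come
# from somewhere independent of the suspect server; one fetched from it proves nothing.
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):  # stream large tarballs
            h.update(chunk)
    return h.hexdigest()

def parse_manifest(text):
    expected = {}  # filename -> expected hex digest; blank and '#' lines skipped
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            digest, _, name = line.partition("  ")
            expected[name.strip()] = digest.lower()
    return expected

def verify_sources(manifest_text, directory):
    """Return {filename: 'ok' | 'mismatch' | 'missing' | 'unlisted'}; an 'unlisted'
    file is present but unknown to the manifest, so treat it as possibly planted."""
    expected = parse_manifest(manifest_text)
    present = {p.name for p in Path(directory).iterdir()}
    report = {}
    for name, digest in expected.items():
        if name not in present:
            report[name] = "missing"
        elif sha256_file(Path(directory, name)) == digest:
            report[name] = "ok"
        else:
            report[name] = "mismatch"
    for name in present - set(expected):
        report[name] = "unlisted"
    return report

def demo():
    d = tempfile.mkdtemp()  # constructed sample: one intact, one altered, one planted, one absent
    files = {"tool-1.0.tar.gz": b"intact archive", "lib-2.1.tar.gz": b"altered archive",
             "extra.tar.gz": b"planted"}
    for name, data in files.items():
        Path(d, name).write_bytes(data)
    manifest = (hashlib.sha256(b"intact archive").hexdigest() + "  tool-1.0.tar.gz\n"
                + hashlib.sha256(b"original archive").hexdigest() + "  lib-2.1.tar.gz\n"
                + "0" * 64 + "  gone-3.2.tar.gz\n")
    return verify_sources(manifest, d)
```

Anything reported as mismatch or unlisted should be discarded and fetched again from a clean mirror, and a manifest obtained from the compromised host itself must not be trusted.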
The GNU ftp server hosts the source distributions for the GNU software tools, not the Linux kernel itself, which is hosted at ftp.kernel.org.