Free Republic

GNU Servers Hacked, Linux Software May Be Compromised
Internet Week ^ | Aug. 14, 2003 | Techweb News

Posted on 08/14/2003 4:50:43 PM PDT by Spruce

To: Servant of the Nine
Your comments, I presume, were sarcastic... but in case anybody wonders, here is what www.fsf.org is running. (Linux and Apache -- no surprise there). Thanks to NetCraft where you can learn what any webserver is running. You can also do that, in fact, learn what software a net-connected system is running (and many more useful things), with NMap, from insecure.org.

And here is the FSF statement on the crack. There are some very interesting facts buried in there:

It is pessimistic to say that nothing can be cracked. It is quite possible to build a secure Linux. And OpenBSD is secure right out of the box. Mac OSX and OSX Server are also very, very difficult to root in the default install, and they do maintain themselves, Windows XP-style.

"Root, God, what is difference?" - Pitr of UserFriendly.

A lot of end users don't understand the difference between the vulnerabilities of OSS systems and the way these vulnerabilities are addressed, and Microsoft's innately single-user systems and their "security through obscurity" approach. Either system is toast if your admins drop the ball, as FSF did here. But the closed-source system is also toast if the crackers discover an exploit that the maintainers have been hiding so as not to "alarm" the users.

People who have spoken for security for one major closed-source vendor have traditionally come from marketing or PR backgrounds, and been extremely weak on security theory. That's probably all you can do if you build on a feeble architecture.

d.o.l.

Criminal Number 18F

21 posted on 08/14/2003 8:01:12 PM PDT by Criminal Number 18F
[ Post Reply | Private Reply | To 7 | View Replies]

To: Criminal Number 18F
There are some very interesting facts buried in there:

- the perpetrator was a local, not net, user

- the presumed target was passwords

- none of the source on the machine has come up compromised

I'd be careful referring to those points as "facts", especially considering the word "presumed" is used in one of them. Some of the most sophisticated attacks first compromise a local workstation before attacking the server, and that very well could have happened here.

We will probably never know the exact details, especially considering it was months ago, an eternity for a talented hack to cover his steps. Your only 100% safe course of action is to rebuild your system if you downloaded any components from the site over the last six months using newly verified source files.

22 posted on 08/14/2003 8:12:58 PM PDT by Golden Eagle
[ Post Reply | Private Reply | To 21 | View Replies]

To: Servant of the Nine
Just because the Linux source code is stored there doesn't mean the servers are running it.

The GNU ftp server hosts the source distributions for the GNU software tools, not the Linux kernel itself, which is hosted at ftp.kernel.org.

23 posted on 08/14/2003 9:12:35 PM PDT by dwollmann
[ Post Reply | Private Reply | To 7 | View Replies]

To: KayEyeDoubleDee
This begs the question of whether the GNU CVS repository could have been compromised in such a way that the diffs could be hidden. I guess that since CVS actually keeps changes to, rather than complete copies of each version, this might be hard to do.

They could have hacked the diffs so that the changes appeared to always have been present in the sources.

24 posted on 08/15/2003 9:41:01 AM PDT by Bush2000
[ Post Reply | Private Reply | To 14 | View Replies]

