At least they are taking security seriously!
Unlike others who make code available for PC's in the operating system arena.
Maybe there is a lesson to be learned here.
Red Hat has warned that hackers were able to commandeer its systems and tamper with code - but said that since its content distribution was not hit, it is confident that polluted code has not served up to users. The first hint that something was wrong came last week when Fedora rebuilt its systems, a reconstruction that was …
... like grown ups.
So a bad thing happened. We can shout and scream about how it shouldn't have happened in the first place but it did and the important thing is the promptness of the reaction and the apparent transparency of the explanations.
I'm not a big fan of RedHat or Fedora personally (nothing really against them either!) but from what I've read, I think this has been handled fairly well.
You seem to forget that MS had it's servers hacked too and more than once. For at least one of the hacks MS wasn't sure how long it had gone for.
http://www.theregister.co.uk/2000/11/06/microsoft_hacked_again/
And how many times do you think it's happened and they told nobody? In OSS everyone finds out so you can't hide behind your false smiles.
Linux is the most secure system. The NSA designed SElinux so I know it is the most secure. Linux cannot be hacked. Windows is bad! The NSA helped Windows be secure since Win 95 and they helped Lotus be secure too but Windows is bad. Linux cannot ever be hacked cause it rocks!
I want your bank to use RedHat so I can make a loan!
Now lets just suppose this is a test for you. Do you understand what actually happened there at fedora no no you don't I don't and I use Linux and know quite a bit about it. Your posts show you to be ignorant yahoos if you can explain how the token +signing process works I will eat my hat otherwise your just nitwits and can't be taken seriously. Look go back to sniffing glue or whatever you do in your real life and leave the comments to humans.
Poisoning the software supply chain
Levy, E.
This paper appears in: Security & Privacy, IEEE
Publication Date: May-June 2003
Volume: 1, Issue: 3
On page(s): 70- 73
Abstract
To the indiscriminate and opportunistic attacker, breaking into a software package's development and distribution site and waiting until unsuspecting users install it is more efficient than locating and hacking into users' systems individually. Starting in 2002 and continuing in to 2003, we've seen new emphasis on this type of attack. All the recent activity has showcased the trend that attacks against open-source software distribution sites are increasing. The author looks at how softwares distribution-both open source and proprietary-can invite attacks.
[...]Some open-source vendors have adopted technology comparable to that of proprietary vendors. For example, the RPM Package Manager (www.rpm.org), which RedHat introduced, lets the package creator cryptographically sign the package; Debian’s package format has analogous functionality. Unfortunately, the signatures in these packages merely tell who packaged the software and whether it has been tampered with since then. Because of the nature of open-source software and Linux distributions, in which most of the software is authored by someone other than the packaging vendor, these signatures tell you little about
the packaged software’s integrity.
In fact, many open-source projects fail to provide the minimal information required to verify the software’s integrity. Several projects don’t even provide cryptographic hashes of their software packages. When they do, the hashes usually are stored along with the software packages in the same distribution site, where an attacker easily can replace them while also replacing the software with a
tampered version.[...]
....why there have been no Fedora updates for a few days...
If the bad guys could get in here and cause a trojan ssh to be installed on every actively updated Fedora iinstallation in the world, they would hit a jackpot. :-(
Happy to see that it has been dealt with openly and responsibly!
"They should have used Windows Server 2003."
Quite sure you would never see stories about the MS source being poisoned.
Simply because MS wouldn't let anyone know; probably even if millions of desktops did get pwned in the process.
Just roll out another windows update and noone's the wiser.
"What? Your Windows XP desktop got owned? Must be a virus."
What's the term for that again? Security through obscurity, wasn't it?
Ignorance is bliss...
Paris, 'nuff said.
OK John, you told us What. There are a few W's left:
WHO ? Were the systems compromised by a bent RH employee, or from the outside by Ukranian hackers / the NSA / the Martians ? (pick one, or supply a new THEM).
HOW ? If it was an inside job, with a keyboard and a flash drive; from outside, by a known or unknown security hole. Either way, it should have been logged, and the trace should allow finger pointing.
WHY ? Are "THEY" (see above) trying to hack eCommerce to collect credit card numbers, to hack mail servers to further tap our mail and phone calls, or turn the entire googleplex into a bot ?
If it was an inside job, I can understand the lack of information. RH does not background check their employees very well. Very embarrassing.
If their logging and audit are not up to the task, more embarrassing. Remember GrandPa IBM - RASS: reliability, availability, serviceability and security. They have blown at least one.
"WHO ? Were the systems compromised by a bent RH employee, or from the outside by Ukranian hackers / the NSA / the Martians ? (pick one, or supply a new THEM)."
You forgot the obvious candidates for THEM: Al-Queda, illegal immigrants and paedophiles. Personally, my money is on the Martians.
Keep signing in perspective: most of the M$ binaries I have just used this morning are written by Martian employees of SCO's lawyers in Kufic script but in the wrong codepage and saved as 8.3 too. :)
Al Qaeda is way too smart to try to leverage FC/RH, surely. Everyone worth attacking uses MS windows anyways surely?
Now, who else seems to like to plant their own keys in things...erm....lemme think
Altogether now....
"I saw a man upon the stair..."