Unlike others who make code available for PC's in the operating system arena.

Maybe there is a lesson to be learned here.

there are other ways in to compromise Linux distros, but this is the obvious one.

But, hey on the bright side market share is large enough to warrant such intrusions.

If you notice someone got into your house, I would think changing the locks would be among the first of your moves, too. For once, an article of security done (AFAIK) properly.

... like grown ups.

So a bad thing happened. We can shout and scream about how it shouldn't have happened in the first place but it did and the important thing is the promptness of the reaction and the apparent transparency of the explanations.

I'm not a big fan of RedHat or Fedora personally (nothing really against them either!) but from what I've read, I think this has been handled fairly well.

RedHat

Debian

GNU

???

They should have used Windows Server 2003.

You have to remember Bruce, that it's still news when something like this happens to a linux distro ;o)

yeah and it would be news if they broke into the windows update servers and made them serve up malicious code.

considering its the servers they run themselves and serve binaries on this goes beyond pretty effing serious.

You seem to forget that MS had it's servers hacked too and more than once. For at least one of the hacks MS wasn't sure how long it had gone for.

http://www.theregister.co.uk/2000/11/06/microsoft_hacked_again/

And how many times do you think it's happened and they told nobody? In OSS everyone finds out so you can't hide behind your false smiles.

This is the article I have been waiting for for a week (two fors in a row ?). Thank you.

Linux is the most secure system. The NSA designed SElinux so I know it is the most secure. Linux cannot be hacked. Windows is bad! The NSA helped Windows be secure since Win 95 and they helped Lotus be secure too but Windows is bad. Linux cannot ever be hacked cause it rocks!

I want your bank to use RedHat so I can make a loan!

"They should have used Windows Server 2003."

Let's not get riled up now. Surely Bruce jests.

And no, it wouldn't be news if someone breaks into a Windows server. Everyone has come to expect Windows to be compromised.

all wiped off now.

should make people think twice about defending Linux.

http://it.slashdot.org/article.pl?sid=08/05/13/1533212&from=rss

This is the article for which I have been waiting for a week

Still two fors. The second one is redundant. Try "I've been waiting for this article for a week".

Mmmm. Pedantry. I feel better now.

Now lets just suppose this is a test for you. Do you understand what actually happened there at fedora no no you don't I don't and I use Linux and know quite a bit about it. Your posts show you to be ignorant yahoos if you can explain how the token +signing process works I will eat my hat otherwise your just nitwits and can't be taken seriously. Look go back to sniffing glue or whatever you do in your real life and leave the comments to humans.

I have been waiting a week for this article.

This article, been waiting for a week, have I.

Yoda

Poisoning the software supply chain

Levy, E.

This paper appears in: Security & Privacy, IEEE

Publication Date: May-June 2003

Volume: 1, Issue: 3

On page(s): 70- 73

Abstract

To the indiscriminate and opportunistic attacker, breaking into a software package's development and distribution site and waiting until unsuspecting users install it is more efficient than locating and hacking into users' systems individually. Starting in 2002 and continuing in to 2003, we've seen new emphasis on this type of attack. All the recent activity has showcased the trend that attacks against open-source software distribution sites are increasing. The author looks at how softwares distribution-both open source and proprietary-can invite attacks.

[...]Some open-source vendors have adopted technology comparable to that of proprietary vendors. For example, the RPM Package Manager (www.rpm.org), which RedHat introduced, lets the package creator cryptographically sign the package; Debian’s package format has analogous functionality. Unfortunately, the signatures in these packages merely tell who packaged the software and whether it has been tampered with since then. Because of the nature of open-source software and Linux distributions, in which most of the software is authored by someone other than the packaging vendor, these signatures tell you little about

the packaged software’s integrity.

In fact, many open-source projects fail to provide the minimal information required to verify the software’s integrity. Several projects don’t even provide cryptographic hashes of their software packages. When they do, the hashes usually are stored along with the software packages in the same distribution site, where an attacker easily can replace them while also replacing the software with a

tampered version.[...]

....why there have been no Fedora updates for a few days...

If the bad guys could get in here and cause a trojan ssh to be installed on every actively updated Fedora iinstallation in the world, they would hit a jackpot. :-(

Happy to see that it has been dealt with openly and responsibly!

"They should have used Windows Server 2003."

Quite sure you would never see stories about the MS source being poisoned.

Simply because MS wouldn't let anyone know; probably even if millions of desktops did get pwned in the process.

Just roll out another windows update and noone's the wiser.

"What? Your Windows XP desktop got owned? Must be a virus."

What's the term for that again? Security through obscurity, wasn't it?

Ignorance is bliss...

Paris, 'nuff said.

If the second "for" is redundant as you say, how come you've felt the need to include two in your reworked version as well?

I see your "Mmmm" and raise you an "Aha!".

Is for secure servers. You use redhat if you feel you may need to sue someone in the future, or are just too lazy to manage your upgrades.

Flame on fanboys..

OK John, you told us What. There are a few W's left:

WHO ? Were the systems compromised by a bent RH employee, or from the outside by Ukranian hackers / the NSA / the Martians ? (pick one, or supply a new THEM).

HOW ? If it was an inside job, with a keyboard and a flash drive; from outside, by a known or unknown security hole. Either way, it should have been logged, and the trace should allow finger pointing.

WHY ? Are "THEY" (see above) trying to hack eCommerce to collect credit card numbers, to hack mail servers to further tap our mail and phone calls, or turn the entire googleplex into a bot ?

If it was an inside job, I can understand the lack of information. RH does not background check their employees very well. Very embarrassing.

If their logging and audit are not up to the task, more embarrassing. Remember GrandPa IBM - RASS: reliability, availability, serviceability and security. They have blown at least one.

...for the last several hours. Monday afternoon's a pretty typical time to do routine maintenance. This is standard service in this day and age; no one expects any web site to be up 24x7, after all.

What exactly is wrong with the SSH packages that were signed by the intruder? Do they contain backdoors? Trojans? Logic bombs? What? It seems unbelievable to me that this isn't being discussed.

P.S. FreeBSD's CVS repository got pwned, back in the day.

"WHO ? Were the systems compromised by a bent RH employee, or from the outside by Ukranian hackers / the NSA / the Martians ? (pick one, or supply a new THEM)."

You forgot the obvious candidates for THEM: Al-Queda, illegal immigrants and paedophiles. Personally, my money is on the Martians.

Keep signing in perspective: most of the M$ binaries I have just used this morning are written by Martian employees of SCO's lawyers in Kufic script but in the wrong codepage and saved as 8.3 too. :)

Al Qaeda is way too smart to try to leverage FC/RH, surely. Everyone worth attacking uses MS windows anyways surely?

Now, who else seems to like to plant their own keys in things...erm....lemme think

Altogether now....

"I saw a man upon the stair..."

link:

http://www.theregister.co.uk/2008/08/27/ssh_key_attacks_warning/

and then connect the dots.