Servers belonging to the Fedora Project were breached over the weekend by an unknown hacker who gained access through a team member's account. The compromise of fedorapeople.org meant that the attacker had the ability, however briefly, to push changes to Fedora's SCM system. There's no evidence any such updates were made or that …
By golly, a conspiracy!
Come, come, Mr Ellison, surely you don't expect me to believe you have the power to hack all Open Source projects on the planet to insert your own code before suing them?
Larry Ellison is .... Fantomas?
It all makes sense now....
Vuln in the two factor auth?
I thought after the last compromise (see https://www.redhat.com/archives/fedora-announce-list/2008-August/msg00012.html) they'd started requiring Yubikeys (http://fedoraproject.org/wiki/Infrastructure/Yubikey) to access the more sensitive parts of their servers?
Is it so difficult...
...to use single use media (good old CD-R or DVD-R) to keep access logs on? This way no attacker can hide his actions, and there would be no way to sneak a backdoor in undetected.
Because single use media is single use, meaning that you can't constantly update it as things change. You have to burn a CD/DVD for every single addition to the log unless you use a CD/RW which kind of defeats the object of the exercise.
I think what you meant is "is it so difficult to use a ye olde style dot matrix printer to print a log line by line to make remote electronic tampering impossible", to which the answer is "Yes. It's expensive, noisy and a pain in the ass to check anything other than it stopping"
You can tell it's stopped printing when the high-pitched TACK, TACK, ZZZZZZZRRRRRRRRAAAAAA!!!!!!!! noises penetrating from the supposedly soundproofed cupboard/server room stop.
And how would that help?
.....who gained access through a team member's account....
Maybe stop using the same password for this account and his pron site account may help, or perhaps not.
Single-use media like CD-R doesn't mean it has to be used in one go. Packet-writing filesystems can be used on CD-Rs, which allows filling them up little by little. Same goes for multi-session CD-Rs with regular iso filesystem.
I wouldn't suggest such a mechanism, had I not known at least one case where it was used, specifically to catch "hackers".
What's Billy-boy Gates doing these days?
Suggesting that 'servers were breached' is really pushing it a bit. Someone compromised a contributor's FAS account - https://admin.fedoraproject.org/accounts/ - logged into the user's account, and changed the SSH key associated with the account. This was immediately noticed (because ssh key changes are tracked), and the account locked down. The hacker never at any point had any admin access to any Fedora server; they only had the privileges of the account they compromised. These included pushing changes to some Fedora packages, sure, but all changes are tracked and notified to public lists, so the chances of them making any malicious change which wouldn't be immediately noticed are fairly minimal. And thanks to the logs and filesystem snapshot comparisons Fedora pretty much knows (the word 'believe' is just used for ass-covering purposes) they didn't actually push any changes. Probably couldn't figure out how to use git. =)
It's a bit like saying 'GMail's servers were breached' when some GMail user's password was compromised; in a sense it's technically accurate, but it's not a very good picture of what actually happened.
Good to hear that
Reg. Checks. Not.