Fedora servers breached after external compromise

Servers belonging to the Fedora Project were breached over the weekend by an unknown hacker who gained access through a team member's account. The compromise of fedorapeople.org meant that the attacker had the ability, however briefly, to push changes to Fedora's SCM system. There's no evidence any such updates were made or that …

COMMENTS

This topic is closed for new posts.
  1. g e

    By golly, a conspiracy!

    Come, come, Mr Ellison, surely you don't expect me to believe you have the power to hack all Open Source projects on the planet to insert your own code before suing them?

    1. Destroy All Monsters Silver badge
      Alien

      Larry Ellison is .... Fantomas?

      It all makes sense now....

  2. Anonymous Coward
    Anonymous Coward

    Vuln in the two factor auth?

    I thought after the last compromise (see https://www.redhat.com/archives/fedora-announce-list/2008-August/msg00012.html) they'd started requiring Yubikeys (http://fedoraproject.org/wiki/Infrastructure/Yubikey) to access the more sensitive parts of their servers?

  3. ~mico
    FAIL

    Is it so difficult...

    ...to use single use media (good old CD-R or DVD-R) to keep access logs on? This way no attacker can hide his actions, and there would be no way to sneak a backdoor in undetected.

    1. Anonymous Coward
      Anonymous Coward

      Yes.

      Because single use media is single use, meaning that you can't constantly update it as things change. You have to burn a CD/DVD for every single addition to the log unless you use a CD/RW which kind of defeats the object of the exercise.

      I think what you meant is "is it so difficult to use a ye olde style dot matrix printer to print a log line by line to make remote electronic tampering impossible", to which the answer is "Yes. It's expensive, noisy and a pain in the ass to check anything other than it stopping"

      You can tell it's stopped printing when the high pitched TACK, TACK, ZZZZZZZRRRRRRRRAAAAAA!!!!!!!! noises penetrating from the supposedly soundproofed cupboard/server room stop.

      1. ~mico
        Linux

        No

        Single-use media, like CD-R, doesn't mean it has to be used in one go. Packet-writing filesystems can be used on CD-Rs, which allows filling them up little by little. Same goes for multi-session CD-Rs with regular ISO filesystem.

        I wouldn't suggest such a mechanism, had I not known at least one case where it was used, specifically to catch "hackers".

    2. Anonymous Coward
      Happy

      And how would that help?

      .....who gained access through a team member's account....

      Maybe stop using the same password for this account and his pron site account may help, or perhaps not.

  4. Bilgepipe
    Black Helicopters

    Running Interference...?

    What's Billy-boy Gates doing these days?

  5. AdamWill
    Stop

    bad description

    Suggesting that 'servers were breached' is really pushing it a bit. Someone compromised a contributor's FAS account - https://admin.fedoraproject.org/accounts/ - logged into the user's account, and changed the SSH key associated with the account. This was immediately noticed (because ssh key changes are tracked), and the account locked down. The hacker never at any point had any admin access to any Fedora server; they only had the privileges of the account they compromised. These included pushing changes to some Fedora packages, sure, but all changes are tracked and notified to public lists, so the chances of them making any malicious change which wouldn't be immediately noticed are fairly minimal. And thanks to the logs and filesystem snapshot comparisons Fedora pretty much knows (the word 'believe' is just used for ass-covering purposes) they didn't actually push any changes. Probably couldn't figure out how to use git. =)

    It's a bit like saying 'GMail's servers were breached' when some GMail user's password was compromised; in a sense it's technically accurate, but it's not a very good picture of what actually happened.

    1. Destroy All Monsters Silver badge
      Dead Vulture

      Good to hear that

      Reg. Checks. Not.
