Fedora servers hacked - Are signed packages valid? - Linux



Thread: Fedora servers hacked - Are signed packages valid?

  1. Fedora servers hacked - Are signed packages valid?

    http://www.tectonic.co.za/?p=2803


    August 22 2008

    Some of Fedora's servers were "accessed illegally" last week but, the Fedora
    team said in an email today, the intrusion "was quickly discovered, and the
    servers were taken offline".

    "Security specialists and administrators have been working since then to
    analyze the intrusion and the extent of the compromise as well as reinstall
    Fedora systems," the team said in its infrastructure report today.

    One of the compromised Fedora servers was a system used for signing Fedora
    packages which has raised concern over the security of packages. The Fedora
    team says that while they have "high confidence" that the intruder was not
    able to capture the passphrase used to secure the Fedora package signing key
    it has decided to convert to new signing keys.



    ** Posted from http://www.teranews.com **

  2. Re: Fedora servers hacked - Are signed packages valid?

    On Aug 22, 9:25 am, "Ezekiel" wrote:
    > http://www.tectonic.co.za/?p=2803
    >
    >
    > August 22 2008
    >
    > Some of Fedora's servers were "accessed illegally" last week but, the Fedora
    > team said in an email today, the intrusion "was quickly discovered, and the
    > servers were taken offline".
    >
    > "Security specialists and administrators have been working since then to
    > analyze the intrusion and the extent of the compromise as well as reinstall
    > Fedora systems," the team said in its infrastructure report today.
    >
    > One of the compromised Fedora servers was a system used for signing Fedora
    > packages which has raised concern over the security of packages. The Fedora
    > team says that while they have "high confidence" that the intruder was not
    > able to capture the passphrase used to secure the Fedora package signing key
    > it has decided to convert to new signing keys.
    >

    >
    > ** Posted from http://www.teranews.com **


    Not so UNBREAKABLE.
    What does HIGH CONFIDENCE mean?
    That is a Microsoft term.


  3. Re: Fedora servers hacked - Are signed packages valid?

    * Ezekiel peremptorily fired off this memo:

    > http://www.tectonic.co.za/?p=2803
    >
    >
    > August 22 2008
    > Some of Fedora's servers were "accessed illegally" last week but, the Fedora
    > team said in an email today, the intrusion "was quickly discovered, and the
    > servers were taken offline".
    >
    > "Security specialists and administrators have been working since then to
    > analyze the intrusion and the extent of the compromise as well as reinstall
    > Fedora systems," the team said in its infrastructure report today.
    >
    > One of the compromised Fedora servers was a system used for signing Fedora
    > packages which has raised concern over the security of packages. The Fedora
    > team says that while they have "high confidence" that the intruder was not
    > able to capture the passphrase used to secure the Fedora package signing key
    > it has decided to convert to new signing keys.
    >


    More smoke and lack-of-mirrors (get it? get it?) from ol' Zeke.

    Now, who would want to hack Red Hat and Fedora?

    --
    Politician: An eel in the fundamental mud upon which the superstructure of
    organized society is reared. When he wriggles he mistakes the agitation of
    his tail for the trembling of the edifice. As compared with the statesman,
    he suffers the disadvantage of being alive.
    -- Ambrose Bierce

  4. Re: Fedora servers hacked - Are signed packages valid?

    On Aug 22, 9:53 am, Linonut wrote:
    > * Ezekiel peremptorily fired off this memo:
    >
    >
    >
    > >http://www.tectonic.co.za/?p=2803

    >
    > >
    > > August 22 2008
    > > Some of Fedora's servers were "accessed illegally" last week but, the Fedora
    > > team said in an email today, the intrusion "was quickly discovered, and the
    > > servers were taken offline".

    >
    > > "Security specialists and administrators have been working since then to
    > > analyze the intrusion and the extent of the compromise as well as reinstall
    > > Fedora systems," the team said in its infrastructure report today.

    >
    > > One of the compromised Fedora servers was a system used for signing Fedora
    > > packages which has raised concern over the security of packages. The Fedora
    > > team says that while they have "high confidence" that the intruder was not
    > > able to capture the passphrase used to secure the Fedora package signing key
    > > it has decided to convert to new signing keys.
    > >

    >
    > More smoke and lack-of-mirrors (get it? get it?) from ol' Zeke.
    >
    > Now, who would want to hack Red Hat and Fedora?


    Not the point. The point is, IT WAS HACKED.
    Things are happening on Linux, like they are on Windows.



  5. Re: Fedora servers hacked - Are signed packages valid?

    * Psyc Geek (TAB) peremptorily fired off this memo:

    > On Aug 22, 9:53 am, Linonut wrote:
    >
    > Not the point. The point is, IT WAS HACKED.
    > Things are happening on linux, like there are Windows.


    Yeah, fatal accidents happen in cars, too.

    But the actual numbers tell you which is safest, all else being equal.

    Zeke just wants to put a ding on Red Hat. That's why he never posts it
    when a Windows system gets hacked.

    --
    Eugene d'Albert, a noted German composer, was married six times.
    At an evening reception which he attended with his fifth wife shortly
    after their wedding, he presented the lady to a friend who said politely,
    "Congratulations, Herr d'Albert; you have rarely introduced me to so
    charming a wife."

  6. Re: Fedora servers hacked - Are signed packages valid?

    On Fri, 22 Aug 2008 11:47:23 -0400, Linonut wrote:

    > * Psyc Geek (TAB) peremptorily fired off this memo:
    >
    >> On Aug 22, 9:53 am, Linonut wrote:
    >>
    >> Not the point. The point is, IT WAS HACKED. Things are happening on
    >> linux, like there are Windows.

    >
    > Yeah, fatal accidents happen in cars, too.
    >
    > But the actual numbers tell you which is safest, all else being equal.
    >
    > Zeke just wants to put a ding on Red Hat. That's why he never posts it
    > when a Windows system gets hacked.


    The troll also uses the "popular press" word 'hacked', which is wrong.
    It should be "cracked", as in the pirated M$ windoze software & apps that
    some windoze users have on their machines.

    --
    ɐ ɯoɹɟ ʇuǝs sɐʍ ǝƃɐssǝɯ sıɥʇ
    pǝǝʇuɐɹɐnƃ sı ɥɔıɥʍ ɹǝʇndɯoɔ
    ˙snɹıʌ ǝzopuıʍ $ɯ ǝɥʇ ɟo ǝǝɹɟ %00⇂
    -- sɯǝʇsʎs xnuıl/nuƃ --


  7. Re: Fedora servers hacked - Are signed packages valid?

    On 2008-08-22, Psyc Geek (TAB) wrote:
    > On Aug 22, 9:53 am, Linonut wrote:

    [deletia]
    >> > it has decided to convert to new signing keys.
    >> >

    >>
    >> More smoke and lack-of-mirrors (get it? get it?) from ol' Zeke.
    >>
    >> Now, who would want to hack Red Hat and Fedora?

    >
    > Not the point. The point is, IT WAS HACKED.
    > Things are happening on linux, like there are Windows.


    Yes... "hacked" as opposed to being automatically exploited by
    some virus, worm or trojan.

    --
    If you are going to judge Linux based on how easy
    it is to get onto a Macintosh. Let's try installing |||
    MacOS X on a DELL! / | \

    Posted Via Usenet.com Premium Usenet Newsgroup Services
    ----------------------------------------------------------
    http://www.usenet.com

  8. Re: Fedora servers hacked - Are signed packages valid?

    On Fri, 22 Aug 2008 09:53:31 -0400, Linonut wrote:

    > * Ezekiel peremptorily fired off this memo:
    >
    >> http://www.tectonic.co.za/?p=2803
    >>
    >>
    >> August 22 2008
    >> Some of Fedora's servers were "accessed illegally" last week but, the Fedora
    >> team said in an email today, the intrusion "was quickly discovered, and the
    >> servers were taken offline".
    >>
    >> "Security specialists and administrators have been working since then to
    >> analyze the intrusion and the extent of the compromise as well as reinstall
    >> Fedora systems," the team said in its infrastructure report today.
    >>
    >> One of the compromised Fedora servers was a system used for signing Fedora
    >> packages which has raised concern over the security of packages. The Fedora
    >> team says that while they have "high confidence" that the intruder was not
    >> able to capture the passphrase used to secure the Fedora package signing key
    >> it has decided to convert to new signing keys.
    >>

    >
    > More smoke and lack-of-mirrors (get it? get it?) from ol' Zeke.
    >
    > Now, who would want to hack Red Hat and Fedora?


    Doesn't matter.
    It got hacked.

    --
    Moshe Goldfarb
    Collector of soaps from around the globe.
    Please visit The Hall of Linux Idiots:
    http://linuxidiots.blogspot.com/

  9. Re: Fedora servers hacked - Are signed packages valid?

    On Fri, 22 Aug 2008 11:22:47 -0500, JEDIDIAH wrote:

    > On 2008-08-22, Psyc Geek (TAB) wrote:
    >> On Aug 22, 9:53 am, Linonut wrote:

    > [deletia]
    >>> > it has decided to convert to new signing keys.
    >>> >
    >>>
    >>> More smoke and lack-of-mirrors (get it? get it?) from ol' Zeke.
    >>>
    >>> Now, who would want to hack Red Hat and Fedora?

    >>
    >> Not the point. The point is, IT WAS HACKED.
    >> Things are happening on linux, like there are Windows.

    >
    > Yes... "hacked" as opposed to being automatically exploited by
    > some virus, worm or trojan.


    The result is the same.

    --
    Moshe Goldfarb
    Collector of soaps from around the globe.
    Please visit The Hall of Linux Idiots:
    http://linuxidiots.blogspot.com/

  10. Re: Fedora servers hacked - Are signed packages valid?

    On Fri, 22 Aug 2008 06:44:08 -0700, Psyc Geek (TAB) wrote:

    >> One of the compromised Fedora servers was a system used for signing
    >> Fedora packages which has raised concern over the security of packages.
    >> The Fedora team says that while they have "high confidence" that the
    >> intruder was not able to capture the passphrase used to secure the
    >> Fedora package signing key it has decided to convert to new signing
    >> keys.
    >>
    >> ** Posted from http://www.teranews.com **

    >
    > Not so UNBREAKABLE.
    > What does HIGH CONFIDENCE mean?
    > That is a Microsoft term.



    "One of the compromised Fedora servers was a system used for signing
    Fedora packages. However, based on our efforts, we have high confidence
    that the intruder was not able to capture the passphrase used to secure
    the Fedora package signing key. Based on our review to date, the
    passphrase was not used during the time of the intrusion on the system
    and the passphrase is not stored on any of the Fedora servers."

    https://www.redhat.com/archives/fedo.../msg00012.html


    Follow the link from the original post...

    I expect that the *public* mailing list archives for the developers will have the
    technical detail which you require. Have you at least browsed the user mailing
    list? I'm sure it's a hot topic there.


    -Thufir

  11. Re: Fedora servers hacked - Are signed packages valid?

    On Fri, 22 Aug 2008 23:50:01 GMT, thufir wrote:

    > On Fri, 22 Aug 2008 06:44:08 -0700, Psyc Geek (TAB) wrote:
    >
    >>> One of the compromised Fedora servers was a system used for signing
    >>> Fedora packages which has raised concern over the security of packages.
    >>> The Fedora team says that while they have "high confidence" that the
    >>> intruder was not able to capture the passphrase used to secure the
    >>> Fedora package signing key it has decided to convert to new signing
    >>> keys.
    >>>
    >>> ** Posted from http://www.teranews.com **

    >>
    >> Not so UNBREAKABLE.
    >> What does HIGH CONFIDENCE mean?
    >> That is a Microsoft term.

    >
    >
    > "One of the compromised Fedora servers was a system used for signing
    > Fedora packages. However, based on our efforts, we have high confidence
    > that the intruder was not able to capture the passphrase used to secure
    > the Fedora package signing key. Based on our review to date, the
    > passphrase was not used during the time of the intrusion on the system
    > and the passphrase is not stored on any of the Fedora servers."
    >
    > https://www.redhat.com/archives/fedo.../msg00012.html
    >
    >
    > Follow the link from the original post...
    >
    > I expect that the *public* mailing list archives for the developers will have the
    > technical detail which you require. Have you at least browsed the user mailing
    > list? I'm sure it's a hot topic there.
    >
    >
    > -Thufir


    It doesn't matter.
    The server was hacked.
    The damage has been done and nobody knows the extent to which this damage
    has spread.

    --
    Moshe Goldfarb
    Collector of soaps from around the globe.
    Please visit The Hall of Linux Idiots:
    http://linuxidiots.blogspot.com/

  12. Re: Fedora servers hacked - Are signed packages valid?

    In comp.os.linux.advocacy, Moshe Goldfarb wrote
    on Fri, 22 Aug 2008 20:25:19 -0400
    <1w5d2a3cmeo2a.19k9xux61ig94$.dlg@40tude.net>:
    > On Fri, 22 Aug 2008 23:50:01 GMT, thufir wrote:
    >
    >> On Fri, 22 Aug 2008 06:44:08 -0700, Psyc Geek (TAB) wrote:
    >>
    >>>> One of the compromised Fedora servers was a system used for signing
    >>>> Fedora packages which has raised concern over the security of packages.
    >>>> The Fedora team says that while they have "high confidence" that the
    >>>> intruder was not able to capture the passphrase used to secure the
    >>>> Fedora package signing key it has decided to convert to new signing
    >>>> keys.
    >>>>
    >>>> ** Posted from http://www.teranews.com **
    >>>
    >>> Not so UNBREAKABLE.
    >>> What does HIGH CONFIDENCE mean?
    >>> That is a Microsoft term.

    >>
    >>
    >> "One of the compromised Fedora servers was a system used for signing
    >> Fedora packages. However, based on our efforts, we have high confidence
    >> that the intruder was not able to capture the passphrase used to secure
    >> the Fedora package signing key. Based on our review to date, the
    >> passphrase was not used during the time of the intrusion on the system
    >> and the passphrase is not stored on any of the Fedora servers."
    >>
    >> https://www.redhat.com/archives/fedo.../msg00012.html
    >>
    >>
    >> Follow the link from the original post...
    >>
    >> I expect that the *public* mailing list archives for the developers
    >> will have the technical detail which you require. Have you at
    >> least browsed the user mailing list? I'm sure it's a hot topic there.
    >>
    >>
    >> -Thufir

    >
    > It doesn't matter.
    > The server was hacked.
    > The damage has been done and nobody knows the extent to which this damage
    > has spread.
    >


    The damage has spread worldwide if re-signed packages got
    fed to the mirrors; this shouldn't be too hard to verify.
    Since the intruders weren't able to use the signing key,
    they probably used one of their own; this shouldn't be
    too difficult to verify either.

    No doubt Fedora is frantically taking inventory, and comparing
    their golden cut with what's out on select mirrors. Presumably
    they have a backup source CD as well -- though it depends on
    when the systems were hacked, and the CD made.

    --
    #191, ewill3@earthlink.net
    Is it cheaper to learn Linux, or to hire someone
    to fix your Windows problems?
    ** Posted from http://www.teranews.com **
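    The check the post above calls "not too difficult to verify" starts with a
    question a mirror can answer offline: which key does each package on it claim
    to be signed by? The following is an added example, not Fedora's or Red Hat's
    own tooling. It parses the RPM lead and signature header, reads the issuer key
    ID out of the embedded OpenPGP signature packet, and flags packages that are
    unsigned or that name a key outside the trusted set. The key IDs, package names
    and RPM blobs are constructed fixtures, not real Fedora packages or keys. One
    caveat to keep in mind: the issuer key ID is metadata written by whoever made
    the signature, so an intruder signing with their own key can stamp the
    legitimate key ID on the packet just as easily. This inventory only finds
    packages that do not even claim the trusted key, and after a key rotation it
    shows which packages still carry the retired one; whether a signature actually
    verifies under the trusted key is still the job of rpm -K against a trusted
    keyring.

```python
"""Added example (not Fedora's tooling): which OpenPGP key does each RPM on a mirror claim to be
signed by?  Reads the issuer key ID out of the RPM signature header; it does NOT verify the signature."""
import struct

LEAD_MAGIC = b"\xed\xab\xee\xdb"       # the RPM lead is 96 bytes; the signature header follows it
HEADER_MAGIC = b"\x8e\xad\xe8\x01"
RPM_BIN = 7                            # header index entry type: opaque binary blob
SIG_TAGS = (268, 267, 1005)            # RPMSIGTAG_RSAHEADER, _DSAHEADER, _GPG: OpenPGP signatures
ISSUER_SUBPACKET = 16                  # RFC 4880 section 5.2.3.5

def parse_header(buf, off):
    """Parse one RPM header structure at off; return {tag: bytes} for its binary entries."""
    if buf[off:off + 4] != HEADER_MAGIC:
        raise ValueError("bad header magic")
    nindex = struct.unpack(">I", buf[off + 8:off + 12])[0]
    index, store, entries = off + 16, off + 16 + 16 * nindex, {}
    for i in range(nindex):
        tag, typ, offset, count = struct.unpack(">iiii", buf[index + 16 * i:index + 16 * i + 16])
        if typ == RPM_BIN:
            entries[tag] = buf[store + offset:store + offset + count]
    return entries

def pgp_issuer_key_id(pkt):
    """Issuer key ID (16 hex chars) from an old-format, version 4 OpenPGP signature packet."""
    ctb = pkt[0]
    if not ctb & 0x80 or ctb & 0x40 or (ctb >> 2) & 0x0F != 2 or ctb & 3 == 3:
        raise ValueError("not an old-format signature packet with a definite length")
    body = pkt[{0: 2, 1: 3, 2: 5}[ctb & 3]:]   # skip the tag byte and the 1/2/4-byte length
    if body[0] != 4:
        raise ValueError("unsupported signature version")
    pos = 4                                    # past version, sig type, pubkey alg, hash alg
    for _ in range(2):                         # hashed area, then unhashed area
        end = pos + 2 + struct.unpack(">H", body[pos:pos + 2])[0]; pos += 2
        while pos < end:                       # subpacket = length, type, data
            length = body[pos]; pos += 1
            if 192 <= length < 255:
                length = ((length - 192) << 8) + body[pos] + 192; pos += 1
            elif length == 255:
                length = struct.unpack(">I", body[pos:pos + 4])[0]; pos += 4
            if body[pos] & 0x7F == ISSUER_SUBPACKET:
                return body[pos + 1:pos + length].hex().upper()
            pos += length
    raise ValueError("no issuer subpacket")

def signing_key_id(rpm):
    """Key ID the package claims to be signed with, or None if it carries no signature."""
    if rpm[:4] != LEAD_MAGIC:
        raise ValueError("not an RPM")
    sig = parse_header(rpm, 96)
    for tag in SIG_TAGS:
        if tag in sig:
            return pgp_issuer_key_id(sig[tag])
    return None

def audit(packages, trusted_key_ids):
    """{name: 'ok' | 'unsigned' | 'untrusted-key:<id>' | 'malformed'} for a mirror listing."""
    report = {}
    for name, blob in packages.items():
        try:
            kid = signing_key_id(blob)
        except (ValueError, IndexError, struct.error):
            report[name] = "malformed"
            continue
        report[name] = ("unsigned" if kid is None else
                        "ok" if kid in trusted_key_ids else "untrusted-key:" + kid)
    return report

def fake_signature_packet(key_id):
    """Constructed fixture: v4 signature packet naming key_id as issuer; the MPIs are filler."""
    hashed = bytes([5, 2]) + b"\0" * 4                               # creation-time subpacket
    unhashed = bytes([9, ISSUER_SUBPACKET]) + bytes.fromhex(key_id)  # issuer subpacket
    body = (bytes([4, 0, 17, 2]) + struct.pack(">H", len(hashed)) + hashed
            + struct.pack(">H", len(unhashed)) + unhashed + b"\0\0" + b"\0\x08\xab" * 2)
    return bytes([0x89]) + struct.pack(">H", len(body)) + body       # old format, 2-byte length

def fake_rpm(name, key_id=None):
    """Constructed fixture: lead + signature header, with an RSAHEADER signature if key_id is given."""
    lead = (LEAD_MAGIC + bytes([3, 0]) + struct.pack(">HH", 0, 1)
            + name.encode().ljust(66, b"\0") + struct.pack(">HH", 1, 5) + b"\0" * 16)
    entries = [(1000, 4, struct.pack(">I", 0), 1)]                    # RPMSIGTAG_SIZE, one INT32
    if key_id:
        pkt = fake_signature_packet(key_id)
        entries.append((268, RPM_BIN, pkt, len(pkt)))
    index = store = b""
    for tag, typ, data, count in entries:
        index += struct.pack(">iiii", tag, typ, len(store), count)
        store += data
    return lead + HEADER_MAGIC + b"\0" * 4 + struct.pack(">II", len(entries), len(store)) + index + store

TRUSTED = {"0123456789ABCDEF"}          # constructed stand-in for the distribution's current key ID
MIRROR = {"good-1.0-1.noarch.rpm": fake_rpm("good", "0123456789ABCDEF"),         # trusted key
          "resigned-2.0-1.x86_64.rpm": fake_rpm("resigned", "DEADBEEFCAFEF00D"),  # somebody else's key
          "naked-0.1-1.noarch.rpm": fake_rpm("naked"), "junk.rpm": b"not an rpm at all"}

if __name__ == "__main__":
    for pkg, status in sorted(audit(MIRROR, TRUSTED).items()):
        print(f"{status:32s} {pkg}")
```

    Run against a real mirror the same way, feeding each .rpm's bytes into
    audit() and using the distribution's published key ID as the trusted set;
    anything reported as unsigned, malformed or untrusted-key is what to diff
    against the golden copy first. The untrusted-key case is the interesting one
    after a compromise: a package re-signed by an intruder who never got the
    passphrase will, at best, carry a different issuer, and this is what surfaces
    it. A package that names the right key but fails rpm -K is the case this
    script cannot catch on its own.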

  13. Re: Fedora servers hacked - Are signed packages valid?

    * Moshe Goldfarb. peremptorily fired off this memo:

    > On Fri, 22 Aug 2008 09:53:31 -0400, Linonut wrote:
    >
    >> * Ezekiel peremptorily fired off this memo:
    >>
    >>> http://www.tectonic.co.za/?p=2803

    >>
    >> Now, who would want to hack Red Hat and Fedora?

    >
    > Doesn't matter.
    > It got hacked.


    Sure it matters.

    What was the skill level, for example?

    Did it take some pretty savvy crackers, or just script kiddies?

    What were the motives?

    Bragging rights? Random damage? Insidious insertion of trojans?
    Industrial espionage?

    Speaking of hacked, I recovered some data from another Billy Box today.
    The guy's hardware was fine, but Windows XP was tits up. My god, his
    machine was full of dust bunnies, too.

    Billix makes a damn fine recovery system!

    --
    "There is also a thriving independent student movement in
    Poland, and thus there is a strong possibility (though no
    guarantee) of making an EARN-Poland link, should it ever come
    about, a genuine link - not a vacuum cleaner attachment for a
    Bloc information gathering apparatus rationed to trusted
    apparatchiks."
    -- David Phillips, SUNY at Buffalo, about establishing a
    gateway from EARN (European Academic Research Network)
    to Poland

  14. Re: Fedora servers hacked - Are signed packages valid?

    * Moshe Goldfarb. peremptorily fired off this memo:

    > On Fri, 22 Aug 2008 11:22:47 -0500, JEDIDIAH wrote:
    >
    >> Yes... "hacked" as opposed to being automatically exploited by
    >> some virus, worm or trojan.

    >
    > The result is the same.


    That's like comparing yourself to Clogwog.

    --
    Boys, you have ALL been selected to LEAVE th' PLANET in 15 minutes!!

  15. Re: Fedora servers hacked - Are signed packages valid?

    On Fri, 22 Aug 2008 22:20:52 -0400, Linonut wrote:

    > * Moshe Goldfarb. peremptorily fired off this memo:
    >
    >> On Fri, 22 Aug 2008 09:53:31 -0400, Linonut wrote:
    >>
    >>> * Ezekiel peremptorily fired off this memo:
    >>>
    >>>> http://www.tectonic.co.za/?p=2803
    >>>
    >>> Now, who would want to hack Red Hat and Fedora?

    >>
    >> Doesn't matter.
    >> It got hacked.

    >
    > Sure it matters.
    >
    > What was the skill level, for example?
    >
    > Did it take some pretty savvy crackers, or just script kiddies?
    >
    > What were the motives?
    >
    > Bragging rights? Random damage? Insidious insertion of trojans?
    > Industrial espionage?
    >
    > Speaking of hacked, I recovered some data from another Billy Box today.
    > The guy's hardware was fine, but Windows XP was tits up. My god, his
    > machines was full of dust bunnies, too.
    >
    > Billix makes a damn fine recovery system!


    Doesn't matter............

    IOW the same arguments could be used each time the Linvocates squeal with
    delight when a Windows server gets hacked.

    To the people infected it doesn't matter.....

    --
    Moshe Goldfarb
    Collector of soaps from around the globe.
    Please visit The Hall of Linux Idiots:
    http://linuxidiots.blogspot.com/

  16. Re: Fedora servers hacked - Are signed packages valid?

    * Moshe Goldfarb. peremptorily fired off this memo:

    > On Fri, 22 Aug 2008 23:50:01 GMT, thufir wrote:
    > It doesn't matter.
    > The server was hacked.
    > The damage has been done and nobody knows the extent to which this damage
    > has spread.


    I call bull****. It sounds like Red Hat /does/ know.

    --
    Every living thing wants to survive.
    -- Spock, "The Ultimate Computer", stardate 4731.3

  17. Re: Fedora servers hacked - Are signed packages valid?

    * The Ghost In The Machine peremptorily fired off this memo:

    > In comp.os.linux.advocacy, Moshe Goldfarb.
    >>>
    >>> "One of the compromised Fedora servers was a system used for signing
    >>> Fedora packages. However, based on our efforts, we have high confidence
    >>> that the intruder was not able to capture the passphrase used to secure
    >>> the Fedora package signing key. Based on our review to date, the
    >>> passphrase was not used during the time of the intrusion on the system
    >>> and the passphrase is not stored on any of the Fedora servers."
    >>>
    >>> https://www.redhat.com/archives/fedo.../msg00012.html
    >>>

    >> It doesn't matter.
    >> The server was hacked.
    >> The damage has been done and nobody knows the extent to which this damage
    >> has spread.

    >
    > The damage has spread worldwide if re-signed packages got
    > fed to the mirrors; this shouldn't be too hard to verify.
    > Since the intruders weren't able to use the signing key,
    > they probably used one of their own; this shouldn't be
    > too difficult to verify either.
    >
    > No doubt Fedora is frantically taking inventory, and comparing
    > their golden cut with what's out on select mirrors. Presumably
    > they have a backup source CD as well -- though it depends on
    > when the systems were hacked, and the CD made.


    Untouched mirrors are the key.

    That's why you don't keep all your eggs in one basket.

    Even so, the passage above indicates any attempt to insert a trojan
    failed.

    I'm sure more details (and F.U.D.) will come out.

    --
    A woman without a man is like a fish without a bicycle.
    -- Gloria Steinem

  18. Re: Fedora servers hacked - Are signed packages valid?

    On Fri, 22 Aug 2008 22:22:09 -0400, Linonut wrote:

    > * Moshe Goldfarb. peremptorily fired off this memo:
    >
    >> On Fri, 22 Aug 2008 11:22:47 -0500, JEDIDIAH wrote:
    >>
    >>> Yes... "hacked" as opposed to being automatically exploited by
    >>> some virus, worm or trojan.

    >>
    >> The result is the same.

    >
    > That's like comparing yourself to Clogwog.


    The result is the same......
    You are either hacked or not....

    --
    Moshe Goldfarb
    Collector of soaps from around the globe.
    Please visit The Hall of Linux Idiots:
    http://linuxidiots.blogspot.com/

  19. Re: Fedora servers hacked - Are signed packages valid?

    On Fri, 22 Aug 2008 22:23:45 -0400, Linonut wrote:

    > * Moshe Goldfarb. peremptorily fired off this memo:
    >
    >> On Fri, 22 Aug 2008 23:50:01 GMT, thufir wrote:
    >> It doesn't matter.
    >> The server was hacked.
    >> The damage has been done and nobody knows the extent to which this damage
    >> has spread.

    >
    > I call bull****. It sounds like Red Hat /does/ know.


    If they do know do you expect them to fess up anymore than Microsoft would
    fess up?

    --
    Moshe Goldfarb
    Collector of soaps from around the globe.
    Please visit The Hall of Linux Idiots:
    http://linuxidiots.blogspot.com/

  20. Re: Fedora servers hacked - Are signed packages valid?

    In comp.os.linux.advocacy, Moshe Goldfarb wrote
    on Fri, 22 Aug 2008 22:22:49 -0400:
    > On Fri, 22 Aug 2008 22:20:52 -0400, Linonut wrote:
    >
    >> * Moshe Goldfarb. peremptorily fired off this memo:
    >>
    >>> On Fri, 22 Aug 2008 09:53:31 -0400, Linonut wrote:
    >>>
    >>>> * Ezekiel peremptorily fired off this memo:
    >>>>
    >>>>> http://www.tectonic.co.za/?p=2803
    >>>>
    >>>> Now, who would want to hack Red Hat and Fedora?
    >>>
    >>> Doesn't matter.
    >>> It got hacked.

    >>
    >> Sure it matters.
    >>
    >> What was the skill level, for example?
    >>
    >> Did it take some pretty savvy crackers, or just script kiddies?
    >>
    >> What were the motives?
    >>
    >> Bragging rights? Random damage? Insidious insertion of trojans?
    >> Industrial espionage?
    >>
    >> Speaking of hacked, I recovered some data from another Billy Box today.
    >> The guy's hardware was fine, but Windows XP was tits up. My god, his
    >> machines was full of dust bunnies, too.
    >>
    >> Billix makes a damn fine recovery system!

    >
    > Doesn't matter............
    >
    > IOW the same arguments could be used each time the Linvocates squeal with
    > delight when a Windows server gets hacked.
    >
    > To the people infected it doesn't matter.....
    >


    Mirrors are an exception to the Linux insulation from
    viruses; they carry files which are installed as root.
    All binary-based distros are vulnerable if they don't
    implement checking methods (I would hope most do by now),
    or if those checking methods are hacked (as they might have
    been in this case, though it's far from clear whether the
    key's passphrase was compromised or not -- or whether the
    hackers used it if it was).

    Source-based distros are also vulnerable, though the
    viruses would have to be entirely different.

    --
    #191, ewill3@earthlink.net
    /dev/signature: Resource temporarily unavailable
    ** Posted from http://www.teranews.com **
