Linux Users' Group of Davis
Page last updated:
2008 Aug 20 20:50

The following is an archive of a post made to our 'vox-tech mailing list' by one of its subscribers.


[vox-tech] (forw) [conspire] Pending disclosure from Fedora Project

Given recent security discussion...

----- Forwarded message from Rick Moen <rick@linuxmafia.com> -----

Date: Tue, 19 Aug 2008 01:08:34 -0700
From: Rick Moen <rick@linuxmafia.com>
To: conspire@linuxmafia.com
Subject: [conspire] Pending disclosure from Fedora Project

There have been a few cryptic announcements on Red Hat's fedora-announce-list 
mailing list about unspecified "issues" with Fedora Project infrastructure 
machines, starting Thursday, Aug. 14,
including the telling phrase "as a precaution, we recommend you not
download or update any additional packages on your Fedora systems".  The
story is not yet out, but obviously they're cleaning up some sort of
major security compromise, and they're diligently checking and restoring
to service all of their infrastructure machines in order

I'm reminded very much of the compromise of the entire internal
corporate network of a major Linux company in 2001, caused by an
intruder having stolen a developer's SSH tokens for
shells.sourceforge.net on a security-compromised university machine,
then locally escalating on the shared shells.sourceforge.net host to
root authority, then trojaning the local ssh _client_ to report outbound
usage details, and waiting for an unwary IT staffer from the Linux
company (no, not me!) to ssh from the Linux company's sensitive network
into shells.sourceforge.net and then ssh or scp back _in_ (that
staffer's key error).

The Linux firm in question had to shut down _all_ computing devices and
then wipe and rebuild them, one by one.  It never did say a word
about the incident to the press or public at large.  (Half a decade
later, a few people told parts of the story in public, but the incident
essentially passed under the press's radar.)

By corporate standards, thus, the Red Hat / Fedora Project announcements
-- as far as they've gone -- have been commendably informative.  Back
when the Debian, Gentoo, and Savannah hosts had their security breakdown
in 2003, and more recently when Debian's openssl package maintainer
inadvertently broke that package's badly written random-number code
(resulting in weak SSH/SSL/TLS keys and certificates), those projects
_did_ produce immediate, full data for the public, but RH/Fedora's
reticence is likely a small sin at worst.  (I'm sure a certain number of
people will castigate them for the delay, so this is just me getting a leg
up on that and saying "No, I don't think so.")


----- End forwarded message -----

LUGOD: Linux Users' Group of Davis