Welcome Back Kernel.org

Hummdis writes "After more than a month of being offline due to a security breach at Kernel.org, they're back! While they were down, they took the time to 're-architect' the site for developers and users. A statement reads: 'As noted previously, kernel.org suffered a security breach. Because of this, we have taken the time to re-architect the site in order to improve our systems for developers and users of kernel.org. To this end, we would like all developers who previously had access to kernel.org who wish to continue to use it to host their git and static content, to follow the instructions here. Right now, www.kernel.org and git.kernel.org have been brought back online. All developer git trees have been removed from git.kernel.org and will be added back as the relevant developers regain access to the system. Thanks to all for your patience and understanding during our outage and please bear with us as we bring up the different kernel.org systems over the next few weeks. We will be writing up a report on the incident in the future.'"

Lessons for others?

[G3ckoG33k]

Welcome back.

Which are the lessons for others to learn?

Re:

[kthreadd]

Linux is defective by design, duh!

No, not really. Linux itself was not responsible for the incident so that would be inaccurate leasson to learn. The leasson would rather be that it doesn't matter how strong a door is if you leave the key on a bar.

Re:

[mug funky]

spend more time listening than talking.

please.

Re:

[galanom]

You've never been to YouTube, right?

Re:

[Anonymous Coward]

From TFA: "We will be writing up a report on the incident in the future."

Re:

[somersault]

From what I've seen in kernel hacking documentation and tutorials so far, that means "we're probably not going to get around to telling you what happened"..

Re:

[mug funky]

wtf are you talking about? you think the kernel.org admins write all the documentation for all of linux?

Re:

[somersault]

I don't think the two are necessarily mutually exclusive, but it was mostly just a joke. The kernel's APIs change quite regularly, and things like the Linux Kernel Module Programming Guide haven't been updated to reflect 3.0.0 yet. Programmers are notorious for enjoying coding, but forgetting to do documentation (myself included).

Re:

[Hummdis]

An article on Ars Technia [arstechnica.com] stated that:

"The intrusion was reported to kernel.org users earlier this week by site administrator John Hawley. The attack is believed to have occurred on August 12 but wasn't detected until August 28. The attack vector isn't known for certain, but it is thought that the attacker somehow obtained a legitimate user's login credentials and then exploited an unknown privilege escalation vulnerability. The attack was discovered when an Xnest error message was found in the system logs

Re:Lessons for others?

[diegocg]

"The compromise of kernel.org and related machines has made it clear that some developers, at least, have had their systems penetrated. As we seek to secure our infrastructure, it is imperative that nobody falls victim to the belief that it cannot happen to them. We all need to check our systems for intrusions. Here are some helpful hints as proposed by a number of developers on how to check to see if your Linux machine might be infected with something" [gmane.org]

Re:

[microbee]

One person in my company had account on kernel.org. He then found out his laptop was compromised, which meant that our company's VPN access was also compromised. The company had to do a whole lot of security auditing.

Re:

[Lunix Nutcase]

It means there are probably quite a few rooted Linux boxes out there and the users don't realize it because they bought into hype that their computer had impenetrable security.

Re:

[Runaway1956]

I don't think that there is a *nix user anywhere, outside of Apple Phanbois, who think their system is "impenetrable". The common wisdom is, our security is superior to Window's security, but that doesn't translate to "impenetrable".

Re:

[Lunix Nutcase]

All it takes is a simple google search to find numerous claims of Linux being impenetrable. It doesn't matter the claims are wrong, but the claims have been made by write a few people.

Re:

[mug funky]

searchreplace "linux" for "OSX" and watch the google hits increase.

Re:

[bonch]

Such claims have been made about Linux since the creation of this website. The "Apple Phanbois" you refer to are actually a rarity in practice.

Re:

[Microlith]

The people here who make that claim about Linux are occasional, but by no means representative of the site. Many major Apple focused forums do believe in the impenetrability of OS X as gospel, they are simply rare here.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[LordLimecat]

The common wisdom is, our security is superior to Window's security,

And on what do you base that assumption? Because scores of users get pwned by Acrobat and Java exploits, but it just happens to be hitting windows machines?

I have never seen any credible proof that your common Linux server distros (RedHat, CentOS, Debian) are more secure out of the box than Windows Server 2003 or 2008-- and I have seen a LOT to suggest that 2008 (and Win7) are more secure than their *nix counterparts.

I really dont want to start a flamewar on this (though I probably just did), but its ridic

Re:

[0123456]

It's true. Windows is more secure than Linux so long as you never turn the machine on.

Re:

[Runaway1956]

Least privileged users? On Win7? *chuckles*

On all Linux distros, you actually have to type a password to get root status. On Windows, you still only have to click a box to make it go away.

You make a good point with Adobe and Java. But, more of us on Linux are using more alternatives to the most common Adobe and Java products. Some have similar vulnerabilities, while other have different vulnerabilities, while others simply lack the vulnerable features.

But, it all comes down to computer savvy, in the en

Re:

[knuthin]

There is one, but it is locked. You can reset it however. Using "sudo passwd" or "sudo -i". Since you have rights to execute sudo, you can easily set the root password ;)

Re:

[ancienthart]

couldn't get past the second sentence... ALL linux distros?

The #1 Linux distro, Ubuntu, does not have a root password set at all. Just use sudo

Do you even use Linux?

sudo requires you to enter a password from an account that has been given admin priviliges.
So instead of giving every admin access to the same root password, each admin gets their own password.

Re:

[LordLimecat]

Yes, because windows doesnt have that. Oh wait, it does, its called UAC (GUI) and runas (CLI-- and Ill note that this has been around for absolutely ages).

There IS no "root password" on windows-- as in linux, there are passwords for various accounts with varying privileges. Obviously there is a "default" admin, which is called root on linux / unix, and administrator on windows, but on each system is changeable.

Its like 90% of the people comparing windows to linux have either not used windows, or not used

Re:

[ancienthart]

If the default option for a security system is to not enable it (accounts are created with broad, rather than limited permissions) - guess what 90% of users will do. (And yes, I'm aware this has changed in later versions of Microsoft, but that's like a child-care worker expecting praise for saying "Oh, we don't let the kids play out on the highway ... now.)

Much like the security questions horror in Vista, Microsoft mixes middling to brilliant software engineering, with bloody awful social engineering. And k

Re:

[crutchy]

by default in a debian installation i don't even have access to sudo. i can use "su" and type the root password. there used to be an option during the installation to select either use of sudo or su, but the squeeze installer doesn't include the option and automatically sets the use of su. then after i install i configure the wheel group [http://www.linuxsecurity.com/resource_files/host_security/securing-debian-howto/ap-checklist.en.html] so that only my own local login can access su.

i use win7 at work an

Re:

[Runaway1956]

Holy smokes, AC - you're just a little bit above my head with some of that. I'll have to actually do it all, and see.

And, I have to admit that when and where strict discipline is required, Windows can indeed be pretty danged secure. The military uses Windows all over the place, and it's pretty secure. But - then again - I'm reminded of Great Britain's "Windows for Subs" fiasco, in which the machines were overwhelmed by viruses and malware. I never did stumble across the details of that mess, but I would

Re:

[LordLimecat]

On all Linux distros, you actually have to type a password to get root status. On Windows, you still only have to click a box to make it go away.

Were that universally true, it would be irrelevant. You nevertheless run as an unprivileged user in Windows 7, and your snarky comment doesnt change that. Until you click allow, the a program may not execute anything with full admin privileges.

As for Linux being "less secure", well, I insist that we measure the incidence of penetrations.

I was hoping to compare privilege escalation bugs or a similar category, Server2008 vs a recent kernel, but its quite tricky A) finding usable lists, and B) comparing a full suite (server2008 standard) to a stripped down linux server install (why not compare to 2008

Re:

[drinkypoo]

On all Linux distros, you actually have to type a password to get root status.

Only once. Then you can mess with the pam configs and just have it grant you access. I don't do this, mind you. About the only time I've messed with my pam configs was to enable local login for an account for which I wanted remote passworded login.

Re:

[next_ghost]

Since Vista, everyone runs as least-privileged,

Sorry but I don't believe that for a second. Because I've actually been down that road with XP. I can lock NT-based Windows down almost as much as any UNIX system is locked down by default. But the problem is that when you really do that, you throw a HUGE pile of software out of the window. Software that wants to write to its Program Files directory, software that wants to write to HKEY_LOCAL_MACHINE branch of registry or even worse, software that wants to write to Windows directory itself. Sure, all of tha

Re:

[LordLimecat]

Sorry but I don't believe that for a second. Because I've actually been down that road with XP. I can lock NT-based Windows down almost as much as any UNIX system is locked down by default. But the problem is that when you really do that, you throw a HUGE pile of software out of the window.

Sorry, but you clearly havent actually used Vista or 7. They dont ask you "would you like to run as least privilege?" in vista / 7; they force you into that. You have to do some tweaks to remove that policy (by turning off UAC).

Why do you think Vista was hated so much? Some of it was performance, but the big user gripe was the "allow or deny" prompts, which were due to dropped privileges.

And you clearly are unaware of all the junction points, registry virtualization, etc that was put into place to make s

Re:

[Short Circuit]

You don't know what you're talking about. Seriously.

Starting with Vista, users, even "Power Users" and "Administrators", run least-priviliged to start. For compatibility's sake, writes to %PROGRAMFILES% and friends are virttualized and shunted aside to a per-user store. To get code to run as an Administrator, you need to "Run As Administrator" the program itself, another process (such as cmd or Windows Explorer) tat then launches the program, or you have to code the application to request privilege elevati

Re:

[LordLimecat]

Or am-I just being paranoid ?

Youre being ridiculous. You cannot address memory in windows as you can through the /dev interface on Linux-- the filesystem paradigm is utterly different. And the two kernel designs are utterly incompatible-- Linux sports a monolithic kernel, while Windows has a microkernel. The binary formats of executable data on each is totally different. Etc etc etc.

Or am I just being trolled?

Re:

[galanom]

I used DOS for nearly 10 years and I've never been hacked!
Not even when I put a null-modem cable on the serial port!

Re:

[LordLimecat]

Open a zip file in Internet Explorer. Just did that today, and it executed the code.

I open zip-files from browsers of all shades all the time, and it never automatically executes any content. Possibly you have a crappy, bug-ridden archive handler?

Norton didn't complain. I did reveal that it had been rooted, but no prevention.

Add that to the list of problems you need to address-- norton is a pile of garbage, and doesnt reflect well on the state of your computer if you have that installed. It is known to do all sorts of bizarre things. Honestly, its possible that the exploit you experienced-- if legitimate-- was targetted at norton and exploited the way norton perfor

Re:

[LordLimecat]

ow you might say that the Windows machine gets pwned almost immediately because there's more malware out there targeting it,

Actually, the WIndows server will never get owned, because out of the box (at least on SBS installs) the firewall rejects all traffic.

So really, your entire statement falls to pieces.

Re:

[LordLimecat]

By the way, if anyone doubts this, I would happily take them up on some challenge with VMs, or physical machines. There could even be some stakes, if you desired, though it wouldnt matter-- neither the CentOS box nor the Windows Server box will EVER be hacked except A) by a bruteforcing of the password (assuming you havent set lockout policies up), or B) by enabling services and allowing traffic through the firewall.

Otherwise, iptables / windows firewall would make any such attempts futile.

Re:

[Jonner]

It means there are probably quite a few rooted Linux boxes out there and the users don't realize it because they bought into hype that their computer had impenetrable security.

So how does that explain the far greater number of compromised Windows boxes? It's unlikely their owners thought they had impenetrable security. Compromised machines exist because people take foolish risks and aren't vigilant for malware either out of ignorance or apathy regardless of OS. The average user is still much safer running any non-Windows OS, though they shouldn't be complacent.

Re:

[somersault]

[citation needed]

Re:

[F.Ultra]

Yeah, nobody stole the Windows 2000 source code now did they?

Re:

[LordLimecat]

Microsoft.com WAS hacked once, I think it just resulted in a jpg upload though.

However, thats not a fair comparison, given that Microsoft has a huge budget for a dedicated IT team, which makes far more difference in security than the OS you happen to use.

Re:

[Rysc]

Microsoft is also not likely to disclose every security breach; they gain nothing by doing so and it harms their image.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[Eil]

Which are the lessons for others to learn?

Purchase and install a good antivirus solution.

Re:

[Eunuchswear]

woosh...

Re:

[bonch]

"Lot of publicity" = snarky comments on Slashdot

Re:

[kthreadd]

Last time I checked Apple runs their stuff on Windows Azure so maybe Kernel.org should do the same. I mean, Kernel.org have been hacked what now, two or three times? How many times have Windows Azure been hacked? Zero. So, just by looking at statistics moving to that platform could be a good move.

I mean, since we just went odd-version and have the Visual Basic rewrite [lkml.org] imminent, being open towards new hosting platforms should be an option.

Re:

[davek]

Not Found
The requested URL /pub/linux/kernel/v3.0/linux-3.0.4.tar.bz2 was not found on this server.

In the process of getting up?

For some reason the links on the homepage appear to be broken.

You can still browse to the repos by going to http://git.kernel.org/ [kernel.org]

Bugzilla

[diego.viola]

when is bugzilla.kernel.org coming back as well?

Re:

[Eunuchswear]

MOD THIS UP11!!!!

Git documentation lives!

[RobNich]

Yay! I spent the last two weeks learning git, and Google kept pointing me to kernel.org for the documentation. Having the site actually up will be nice, although I've already learned everything possible about Git!

Re:

[Jonner]

Yay! I spent the last two weeks learning git, and Google kept pointing me to kernel.org for the documentation. Having the site actually up will be nice, although I've already learned everything possible about Git!

Perhaps you should have used the git project's actual site [git-scm.com].

Re:

[RobNich]

I would have if it had matching documentation, but according to Google [google.com], it doesn't.

Re:

[folderol]

If your name is not Linus Torvalds you haven't learned everything possible about Git!

Re:

[Jappus]

And if your name is Linus Torvalds, you don't have to learn everything possible about Git, as you can just decree whatever you think is right as being right.

404 Not found for most of the links on kernel.org

[sick_soul]

sh-3.1$ wget http://www.kernel.org/pub/linux/kernel/v3.0/ChangeLog-3.0.4 [kernel.org]
--2011-10-06 12:41:23-- http://www.kernel.org/pub/linux/kernel/v3.0/ChangeLog-3.0.4 [kernel.org]
Resolving www.kernel.org... 149.20.4.69
Connecting to www.kernel.org|149.20.4.69|:80... connected.
HTTP request sent, awaiting response... 404 Not Found
2011-10-06 12:41:23 ERROR 404: Not Found.

Still looking for 3.0.4 kernel tarballs, etcetera

[quarkscat]

I'm still looking for the 3.0.4 linux kernel tarballs, etcetera. The kernel.org front page lists it, but it isn't available through the usual directory tree via HTTP -- 3.0 yes, 3.0.4 no. And I am one gearhead who actually looks through all the Changelogs. That said, I'm glad you're (kernel.org) back up on-line, well mostly ... ;)