Gentoo Linux Github Organization Repo Hack Was Down To a Series of Security Mistakes

The team behind Gentoo Linux has revealed the reasons for the recent hack of its GitHub organization account. The short version: shoddy security. From a report: It seems that the hackers were able to gain access to the GitHub organization account by using the password of one of the organization administrators. By the team's own admission, poor security meant that the password was easy to guess. As the Register points out, "only luck limited the damage," but the Gentoo Linux team is keen to let it be known that it has learned a lot from the incident. In an entry on the Gentoo Linux wiki, there is a fairly detailed breakdown of what happened, how it happened, and what is being done to prevent it from happening again. The wiki entry summarizes the hack attack as follows: "An unknown entity gained control of an admin account for the Gentoo GitHub Organization and removed all access to the organization (and its repositories) from Gentoo developers. They then proceeded to make various changes to content. Gentoo Developers & Infrastructure escalated to GitHub support and the Gentoo Organization was frozen by GitHub staff. Gentoo has regained control of the Gentoo GitHub Organization and has reverted the bad commits and defaced content."

2FA?

[Bengie]

Not using Two factor? Even with a weak password, 2FA helps immensely.

Git saves the day

[davide marney]

... again. Call me crazy, but git is right up there with Linux itself in terms of advancing the art.

Re:

[Anonymous Coward]

Github got bought out, not Git, the software it uses. MS is free to alter Git on the new Github now, but probably won't.

Re:

[Desler]

Git got bought out my microsoft.

I'm pretty sure the Software Freedom Conservancy would be pretty surprised by this.

This may very well be an attack and not a hack of any kind.

And what does Microsoft get out of committing this federal crime? This was just a mirror. If Microsoft was gonna commit a federal crime wouldn't they have been smart enough to actually attack the main repositories hosted by Gentoo themselves? What would attack a mirror buy them?

Re:

[Desler]

Gentoo is perpetuating a false flag to cover for Microsoft attacking them? How much glue have you been sniffing lately?

Re:

[F.Ultra]

It was probably a false CFLAG

Re:

[Bengie]

Few issues here
1) Huge repos are many times a symptom. The Linux source code is only a few tens of MiB and it's a kernel with a ton of drivers.
2) Git is getting constant performance optimizations as people bump into these performance issues
3) It's more difficult for a large repo to get dropped into git because git is getting incremental performance improvements and it's impractical to make all of the necessary changes in short order.

Git has has some major improvements over the past 3-5 years for a sele

Re:

[Desler]

1) Huge repos are many times a symptom. The Linux source code is only a few tens of MiB and it's a kernel with a ton of drivers.

This is total bullshit. The latest Linux source code snapshot tarball from kernel.org of 4.18-rc3 is 159 MB. Decompressed it clocks it at nearly 800 MB.

Re:

[Bengie]

Correct. Only a magnitude off. Relative to 100GiB repos, it's meh.

Re:

[Desler]

You must work at Google or MS.

How so? Microsoft uses Git extensively. A while back they even migrated the entire Windows source repository to Git.

The hackers made themselves known

[140Mandak262Jamuna]

After guessing the password, the hacker blocked access to all other admins. Thus the hack was immediately realized.

A more savvy hacker would have just used the password to merge unauthorized fraudulent commits. Thus the hack would have remained undetected.

Must assume: There are more savvy hackers.

Must assume: There are other repos with weak, guessable password.

Must conclude: There are well hidden bombs ticking away in many more repositories.

4 minutes

[gillbates]

It took just 4 minutes for someone to notice something was wrong, and less than an hour to begin remediation.

In a closed-source organization, it sometimes takes months for them to figure out they've been compromised, and even longer to fix it; I once bought a Toshiba laptop that shipped with a virus, and didn't get the real fix for a few months afterward.

Re:

[93 Escort Wagon]

I’m not sure those two examples are even remotely comparable. And while I’m a fan of open source, let’s not pretend there haven’t been vulnerabilities like heartbleed which manage to linger, undiscovered, for months - or even years.

Re:

[F.Ultra]

The Equifax hack would be far more comparable.

Gentoo Linux: NOW you can trust us

[xxxJonBoyxxx]

>> shitty admin password in 2018

So...Gentoo has assured us this is the only half-assed shortcut they've taken, right? OK, seems legit.

Re:

[xxxJonBoyxxx]

You're missing the point: the same kind of person that thinks it's OK to shlep in the area of security quality may also be shlepping in the area of code quality, or architecture, or ???.

Re:

[Bengie]

Actually following the rules? I don't see how anyone bypassed 2FA or guessed the right code. Either there's a design flaw that no one is talking about or 2FA was not used in this case.

Missing Link from TFS

[Anonymous Coward]

In an entry on the Gentoo Linux wiki [gentoo.org], there is a fairly detailed breakdown of what happened, how it happened, and what is being done to prevent it from happening again.

You suck M'Smash. Leave.

Re:

[WinstonWolfIT]

Security as an afterthought today is just inconceivable.

Re:

[Digital Avatar]

inconceivable

You have used that word again. I do not think it means what you think it means.

Re:

[WinstonWolfIT]

https://www.merriam-webster.co... [merriam-webster.com]

Re:

[Desler]

How so? Security costs money and/or time. Hence why people even today neglect good opsec.