On Wed, Jan 20, 2010 at 11:12:29PM -0500, Peter Thoenen wrote:
> > In early January we discovered that two of the seven directory
> > authorities were compromised (moria1 and gabelmoo), along with
> > metrics.torproject.org, a new server we'd recently set up to serve
> > metrics data and graphs. The three servers have since been reinstalled
> > with service migrated to other servers.
>
> While the issue was resolved, could this have had an impact had they known
> what they broke into between the time of breach and time of discovery?
Yes, depending on how paranoid you want to get.

I don't think they could have done anything particularly devious with the
directory authority. We've got that pretty well sorted out with the
distributed trust thing -- nothing moria1 does can rig the consensus by
itself.

So it's really a question of the services running. Moria was running a
nameserver for torproject.org (still is), so they could send web requests
elsewhere. If people check SSL certs, no problem (modulo the usual points
about SSL not being perfect); if they don't check SSL certs, we hope they
check package signatures. This risk isn't specific to our machines though --
your local ISP can lie to you about your DNS resolves, or some jerk could
redirect our bgp record like how Pakistan stole Youtube for a few hours last
year.

It was also the mail host for @torproject.org, though most of the mails went
off to other mail servers after that. So they could have read my mail. Most
of my mail is public (and/or boring) anyway though.

I could imagine that they might try to sneak in a commit to the git
repository. We have a hook that mails all commits to the mailing list, and
we watch that pretty well. But they could disable the hook during their
commit. As I mentioned in the earlier mail, the git tree is made up of
hashes, so they can't just modify it outright. I've looked over the 'git
log' output, and didn't find anything odd. It might be neat to do an
automated comparison of "mails that made it to the mailing list" vs
"commits to the git repository", if we wanted another layer of checking.

Svn is less secure. It's just a database, and people can muck with it how
they like. We've compared several of the svn repositories to backups, and
nothing looked out of the ordinary. Good thing we moved Tor, Torbutton,
BridgeDB, etc to git last year. The website wml files are still in svn and
not git though, to make it easier for our volunteer translators; give us a
holler if you find "Tor sucks" scribbled in some corner. :)

If you want to scale up on the paranoid meter, you could imagine ssh client
buffer overflows for the developers when we connected to it. That
rabbit-hole goes as far as you like.

Speaking of rabbit-holes, my gpg key is nearly a decade old and only 1024
bits. Sometime in the next little while I'm going to switch to a bigger one.

> Do we know how they broke in?

As I understand it, we have a 450G disk image from one of the machines
sitting somewhere in Canada, but not anywhere near any of the Tor people.
The attacker(s) were sloppy, so we know some things like the name of the
local-to-root exploit they used (which by its name works on a surprisingly
wide spread of kernel versions... security is hard). I still don't know how
they got in to moria originally, though. Too much was going on on that
machine.

--Roger

***********************************************************************
To unsubscribe, send an e-mail to [email protected] with
unsubscribe or-talk    in the body. http://archives.seul.org/or/talk/
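The "mails that made it to the list" vs "commits in the repository" comparison mentioned above, as an added example. This is not part of the thread and not Tor project code: the hook mail format (a "[tor-commits]" subject tag and a body line "commit <sha1>"), the git log format (`git log --format='%H%x09%an%x09%s'`), and every mail and log line in it are constructed assumptions. A commit in the log with no matching mail is the signature of a hook that was switched off for one push; a mail whose commit is no longer in the log is the signature of a branch whose history was rewritten afterwards.

```python
"""Cross-check commit-notification mails against the repository's git log.

Added example, not Tor project code.  The hook mail format, the git log
format and all sample data below are constructed assumptions.
"""
from __future__ import annotations

import email
import re
from dataclasses import dataclass, field

HOOK_SUBJECT_PREFIX = "[tor-commits]"       # assumed subject tag of the hook's mails
SHA1_RE = re.compile(r"\b[0-9a-f]{40}\b")   # full 40-hex git object id

# Constructed object ids, chosen to be readable; real ones look random.
SHA_A = "a" * 40   # announced and present
SHA_B = "b" * 40   # announced and present
SHA_C = "c" * 40   # present, never announced: the hook was off when it went in
SHA_D = "d" * 40   # announced and present
SHA_E = "e" * 40   # announced, but gone from the log: history was rewritten


def hook_mail(subject: str, sha: str, author: str) -> str:
    """Build one constructed notification mail in the assumed hook format."""
    return (f"From: git@example.org\nTo: or-cvs@example.org\n"
            f"Subject: {HOOK_SUBJECT_PREFIX} {subject}\n\n"
            f"commit {sha}\nAuthor: {author}\n\n    {subject}\n")


# Constructed list archive: four hook mails plus an unrelated reply that
# quotes a 40-hex string and must not be counted as a notification.
MAILS = [
    hook_mail("Fix a typo in the manpage", SHA_A, "Alice"),
    hook_mail("Bump version", SHA_B, "Bob"),
    hook_mail("Add bridge descriptors to metrics", SHA_D, "Dave"),
    hook_mail("Experimental relay change", SHA_E, "Eve"),
    f"From: someone@example.org\nSubject: Re: [or-talk] release\n\n"
    f"> see {'f' * 40} for details\n",
]

# Constructed output of: git log --format='%H%x09%an%x09%s'
GIT_LOG = "\n".join([
    f"{SHA_D}\tDave\tAdd bridge descriptors to metrics",
    f"{SHA_C}\tmallory\tMinor cleanup",
    f"{SHA_B}\tBob\tBump version",
    f"{SHA_A}\tAlice\tFix a typo in the manpage",
])


def commits_from_mails(mails: list[str]) -> dict[str, str]:
    """Map commit id -> subject for every mail the hook actually sent."""
    seen: dict[str, str] = {}
    for raw in mails:
        msg = email.message_from_string(raw)
        subject = msg.get("Subject", "")
        if not subject.startswith(HOOK_SUBJECT_PREFIX):
            continue                          # list chatter, not a hook mail
        for line in msg.get_payload().splitlines():
            if line.startswith("commit "):    # assumed: one commit per mail
                m = SHA1_RE.search(line)
                if m:
                    seen[m.group(0)] = subject[len(HOOK_SUBJECT_PREFIX):].strip()
                break
    return seen


def commits_from_log(log_text: str) -> dict[str, tuple[str, str]]:
    """Map commit id -> (author, subject) from the tab-separated git log."""
    commits: dict[str, tuple[str, str]] = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        sha, author, subject = line.split("\t", 2)
        if not SHA1_RE.fullmatch(sha):
            raise ValueError(f"not a commit id: {sha!r}")
        commits[sha] = (author, subject)
    return commits


@dataclass
class CheckResult:
    unannounced: dict[str, tuple[str, str]] = field(default_factory=dict)  # in log, no mail
    vanished: dict[str, str] = field(default_factory=dict)                 # mail, not in log

    @property
    def ok(self) -> bool:
        return not self.unannounced and not self.vanished


def cross_check(mails: list[str], log_text: str) -> CheckResult:
    """Set-difference the two views of history in both directions."""
    announced = commits_from_mails(mails)
    in_repo = commits_from_log(log_text)
    return CheckResult(
        unannounced={s: in_repo[s] for s in in_repo.keys() - announced.keys()},
        vanished={s: announced[s] for s in announced.keys() - in_repo.keys()},
    )


if __name__ == "__main__":
    result = cross_check(MAILS, GIT_LOG)
    for sha, (author, subject) in result.unannounced.items():
        print(f"UNANNOUNCED {sha[:12]} {author}: {subject}")
    for sha, subject in result.vanished.items():
        print(f"VANISHED    {sha[:12]} {subject}")
    print("OK" if result.ok else "MISMATCH")
```

In practice the mails come from the list archive rather than a literal, and the log from `git log --all` so that commits parked on a side branch are not missed; the check only catches what the hook itself would have announced, so it has to run from a copy of the archive the attacker could not edit, not from a mailbox on the compromised host.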

