Given recent security discussion....

----- Forwarded message from Rick Moen <[EMAIL PROTECTED]> -----
Date: Tue, 19 Aug 2008 01:08:34 -0700
From: Rick Moen <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: [conspire] Pending disclosure from Fedora Project

There have been a few cryptic announcements on Red Hat's fedora-announce-list mailing list about unspecified "issues" with Fedora Project infrastructure machines, starting Thursday, Aug. 14 (https://www.redhat.com/archives/fedora-announce-list/2008-August/msg00008.html), including the telling phrase "as a precaution, we recommend you not download or update any additional packages on your Fedora systems".

The story is not yet out, but obviously they're cleaning up some sort of major security compromise, and they're diligently checking and restoring to service all of their infrastructure machines in order (https://www.redhat.com/archives/fedora-announce-list/2008-August/msg00011.html).

I'm reminded very much of the compromise of the entire internal corporate network of a major Linux company in 2001, caused by an intruder having stolen a developer's SSH tokens for shells.sourceforge.net on a security-compromised university machine, then locally escalating on the shared shells.sourceforge.net host to root authority, then trojaning the local ssh _client_ to report outbound usage details, and waiting for an unwary IT staffer from the Linux company (no, not me!) to ssh from the Linux company's sensitive network into shells.sourceforge.net and then ssh or scp back _in_ (that staffer's key error). The Linux firm in question had to shut down _all_ computing devices and then wipe and rebuild them, one by one. It never did say a word about the incident to the press or public at large. (Half a decade later, a few people told parts of the story in public, but the incident essentially passed under the press's radar.)

By corporate standards, thus, the Red Hat / Fedora Project announcements -- as far as they've gone -- have been commendably informative.
Back when the Debian, Gentoo, and Savannah hosts had their security breakdown in 2003, and more recently when Debian's openssl package maintainer inadvertently broke that package's badly written random-number code (resulting in weak SSH/SSL/TLS keys and certificates), those projects _did_ produce immediate, full data for the public, but RH/Fedora's reticence is likely a small sin at worst. (I'm sure a certain number of people will castigate them for the delay, so this is just me getting a leg up on that and saying "No, I don't think so.")

_______________________________________________
conspire mailing list
[EMAIL PROTECTED]
http://linuxmafia.com/mailman/listinfo/conspire

----- End forwarded message -----

_______________________________________________
vox-tech mailing list
[email protected]
http://lists.lugod.org/mailman/listinfo/vox-tech
