Oh No, Kernel.org was Hacked

by Susan Linton - Aug. 31, 2011

A notice appeared on www.kernel.org today informing visitors that the servers housing the Linux kernel source code had been hacked earlier this month. The breach was discovered yesterday and maintainers believe the source code itself is unaffected.

The notice continues with details as they are known at this point. Apparently, intruders gained root access through compromised user credentials. The exact method is still unknown, but it appears that the OpenSSH files were modified and running live. A trojan was added to the startup files, and errors from a referenced program that was not installed on the server signaled the breach.

In response, servers have been pulled and are being reinstalled. Full audits of the source are being conducted. Users with access to the server are having their credentials and SSH keys changed. Security audits are also being conducted to identify any vulnerabilities, and policies are being enhanced.

The unknown poster at kernel.org stresses that the Git system, designed by Linus Torvalds himself, is highly secure and any changes in the code would trigger an alarm immediately. So, in essence, Linux itself is okay. Jon Corbet, talented kernel developer, has an extensive explanation of how and why our beloved kernel is safe and sound. Corbet states:


Kernel.org may seem like the place where kernel development is done, but it's not; it's really just a distribution point. So when we say that we know the kernel source has not been compromised on kernel.org, we really know it.
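The tamper-evidence attributed to Git above comes from how Git names objects: every blob, tree and commit is identified by the SHA-1 of its contents, and each commit embeds its tree id and its parent's id. The following is an added example, not code from the article or from kernel.org; the file name, file contents and author identity are constructed for illustration.

```python
import hashlib

def git_object_id(kind, body):
    """Git names every object by SHA-1 over b'<kind> <size>\\0' + body."""
    header = kind + b" " + str(len(body)).encode() + b"\0"
    return hashlib.sha1(header + body).hexdigest()

def tree_id(files):
    """Flat tree: b'<mode> <name>\\0' + raw 20-byte blob id, sorted by name."""
    body = b""
    for name in sorted(files):
        blob = git_object_id(b"blob", files[name])
        body += b"100644 " + name.encode() + b"\0" + bytes.fromhex(blob)
    return git_object_id(b"tree", body)

def commit_id(tree, parent, message):
    """A commit records its tree id and (if any) its parent commit id."""
    who = "Example Dev <dev@example.invalid> 1314748800 +0000"  # constructed identity
    lines = ["tree " + tree]
    if parent:
        lines.append("parent " + parent)
    lines += ["author " + who, "committer " + who, "", message, ""]
    return git_object_id(b"commit", "\n".join(lines).encode())

def tip_of(history):
    """Commit each (files, message) snapshot in order; return the tip commit id."""
    parent = None
    for files, message in history:
        parent = commit_id(tree_id(files), parent, message)
    return parent

# Constructed sample history: two commits touching one file.
HISTORY = [
    ({"sched.c": b"int nice = 0;\n"}, "initial import"),
    ({"sched.c": b"int nice = 0;\nint prio = 1;\n"}, "add prio"),
]
# Same history as served by a tampered mirror: one byte altered in the OLDEST snapshot.
TAMPERED = [({"sched.c": b"int nice = 1;\n"}, "initial import"), HISTORY[1]]

def tampering_detected(trusted_tip, served_history):
    """A developer's own clone holds the trusted tip id; any rewrite changes it."""
    return tip_of(served_history) != trusted_tip

if __name__ == "__main__":
    trusted = tip_of(HISTORY)
    print("trusted tip :", trusted)
    print("tampered tip:", tip_of(TAMPERED))
    print("detected    :", tampering_detected(trusted, TAMPERED))
```

The newest snapshot's tree id is identical in both histories; the tip commit id still differs because the altered parent id is part of what gets hashed.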




Anybody who's ever used git would know that the source is secure even though kernel.org was compromised.

0 Votes

If they were using Apache server, note that an Apache security problem was recently found, so may likely be Linux that can be found quickly by considering what the Apache patch fixes. The Apache patch may even temporarily disable the Linux vulnerability until another application added can exploit that kernel weakness.

I wonder if when ssh client and ssh server were installed if kernel.org people might have forgotten to delete the encryption keys that came by default with their installation. Note that if you leave those default keys on your server then add private keys you generated, then anyone who has the default keys on their client system, even if they do not have the new private keys, can get a login prompt on the so-called private system. This is an easy mistake to make that the ssh project has made us vulnerable to. Without the default keys on the server the same client could not get an ssh login prompt. User credentials known login is no longer possible by an imposter. Many people have the default keys so many get a login prompt.

Suggestion to kernel.org and open source community in general. Keep the official copy of source code off of the internet connected machine, and keep "dmz" copies of the official source on the server. Have contributors deposit only their code changes in their individual server user account so that other dmz code cannot be added to the official source update version; instead the project managers insert and test and comment the changes with contributor name and date for each version change. Write a script that automates two tar backups, where one is the server system root and down, excluding user contribution folders in the home directory, and the other is only the contributions. Do this from another Linux system and mount the server hard drive so that the server being backed up is not running. Actually an image backup is more user friendly than a tar backup. Keep the backup version archived. Then my point: have a time period where the users are told is the maintenance period. Restore the installed and configured server periodically, and I would do that daily, and the reason is that then I don't care if they hack my system because it is going to be fixed by automated restore automatically; malware problem is eliminated daily, and if they got in they only had one day to breach the system, and the only thing in danger is the contributors' code changes of a given 24 hour period. Actually the code changes ought to be backed up by a script that sends their backup file to a DVD-R burner script that ejects the DVD upon completion for removal and archiving. So you would have a server system that fixes itself automatically, leaving you unaffected by worries like how darn long have we had a system that belongs to someone else when we thought we were the only owners of root, and questioning things like which of our system backup/restore files contain a contaminated system?
Let the restored, originally uncompromised configured system download automatically security updates after it is restored fresh and goes online. Really Linux updates are much slower than Microsoft updates, so this begs the idea that Linux distributions should store highly compressed update files in their repositories and then decompressed after downloading for installing. For extra security, after they are downloaded the script could temporarily disable networking until the system installs the downloaded updates. It is my opinion that Linux is weakened now because open source management did not standardize this as a mandatory project practice.

0 Votes

^^What an insane long rant. 1) We already know that this isn't where the official copies are kept, as that's what the quote in the article says. 2) I'm sure that kernel.org has a backup solution, but it probably doesn't involve DVDs. 3) Clustering and virtualization remove the need to have downtime for server restoration. Kernel.org is probably not just one physical machine.

0 Votes

You'd have to hack every computer on the internet to have a practical chance of endangering linux kernel source.

Plus, you know, there are always methods to force a computer to lie. Computers suffer from the same problem humans do, they are, essentially, truth-telling machines. There is no perfect hack, just like there is no perfect lie. Just really damn good ones.

0 Votes