[conspire] Pending disclosure from Fedora Project

Rick Moen rick at linuxmafia.com
Tue Aug 19 01:08:34 PDT 2008


There have been a few cryptic announcements on Red Hat's fedora-announce-list 
mailing list about unspecified "issues" with Fedora Project infrastructure 
machines, starting Thursday, Aug. 14
(https://www.redhat.com/archives/fedora-announce-list/2008-August/msg00008.html),
including the telling phrase "as a precaution, we recommend you not
download or update any additional packages on your Fedora systems".  The
story is not yet out, but obviously they're cleaning up some sort of
major security compromise, and they're diligently checking and restoring
to service all of their infrastructure machines in order
(https://www.redhat.com/archives/fedora-announce-list/2008-August/msg00011.html).

I'm reminded very much of the compromise of the entire internal
corporate network of a major Linux company in 2001, caused by an
intruder having stolen a developer's SSH tokens for
shells.sourceforge.net on a security-compromised university machine,
then locally escalating on the shared shells.sourceforge.net host to
root authority, then trojaning the local ssh _client_ to report outbound
usage details, and waiting for an unwary IT staffer from the Linux
company (no, not me!) to ssh from the Linux company's sensitive network
into shells.sourceforge.net and then ssh or scp back _in_ (that
staffer's key error).

The Linux firm in question had to shut down _all_ computing devices and
then wipe and rebuild them, one by one.  It never did say a word
about the incident to the press or public at large.  (Half a decade
later, a few people told parts of the story in public, but the incident
essentially passed under the press's radar.)

By corporate standards, thus, the Red Hat / Fedora Project announcements
-- as far as they've gone -- have been commendably informative.  Back
when the Debian, Gentoo, and Savannah hosts had their security breakdown
in 2003, and more recently when Debian's openssl package maintainer
inadvertently broke that package's badly written random-number code
(resulting in weak SSH/SSL/TLS keys and certificates), those projects
_did_ produce immediate, full data for the public, but RH/Fedora's
reticence is likely a small sin at worst.  (I'm sure a certain number of
people will castigate them for the delay, so this is just me getting a leg
up on that and saying "No, I don't think so.")
