[conspire] Important: Security Breach on Linux.com, LinuxFoundation.org
Rick Moen
rick at linuxmafia.com
Tue Sep 13 15:19:26 PDT 2011
Quoting Edward Mokurai Cherlin (mokurai at sugarlabs.org):
> [sigh] Seems like every time you turn around.
>
> http://www.linuxfoundation.org/
> Linux Foundation infrastructure including LinuxFoundation.org,
> Linux.com, and their subdomains are down for maintenance due to a
> security breach that was discovered on September 8, 2011. [...]
A few points about that:
1. As someone with a linuxfoundation.org member login (not a shell
account), I got the e-mailed security advisory you posted. Also
discussed at https://lwn.net/Articles/458414/ . The advisory's
exemplary. It's very clear, it's timely, and they're doing all the
right things.
2. The point about 'if you have reused these passwords on other sites,
please change them immediately' is, if you'll pardon the expression,
key. Practically everyone uses weak passwords / passphrases and reuses
passwords / passphrases for multiple purposes, because human brains are
poorly wired for accurately remembering significant numbers of strong
passwords. Or they write them on PostIts, which is a great deal safer
than reusing them widely (more limited threat model; if someone can get
past locked doors to my work computer, I have bigger problems than
misappropriated passwords -- also, any such PostIt needn't say a
particular scrawl is a password at all, let alone what it's a password
to).
My preferred aide-memoire is Keyring for PalmOS,
http://gnukeyring.sourceforge.net/ , courtesy of which I need remember
only a single master 3DES password, and I can have an arbitrary number
of unique, strong passwords for... whatever I want. _And_, the main
point, that means no cross-site stealing of my credentials when
something like this happens. I don't have to go around in a panic
trying to remember everywhere I used the password 'learnthewords'
(https://secure.wikimedia.org/wikipedia/en/wiki/Havelock_Vetinari#Vetinari.27s_golden_rule).
Some people like 'password vault' applications for their PeeCees,
because they can copy/paste to and from them. I like Keyring because I
can't -- which means nobody can spy on my Keyring database, on account
of it being strictly offline.
Anyway, if you use the same passwords in lots of places, fix that!
3. When using ssh tokens, be aware that they are exposed to possible
theft on the _machine where you use them_, but not on the far end. You
can often decide which end to use them on, reducing your risk.
To pick a random example -- let's say you ssh into
shells.sourceforge.net and need to scp a file back to you (or ssh back into
your own machine). You can initiate that scp (or ssh) command from
either end. Doing it on the shells.sourceforge.net end means that your
credential will be stolen if someone has root-compromised
shells.sourceforge.net , whereas doing it on your end means it can be
stolen only if your own machine has been root-compromised (in which
case, you have bigger problems).
Basically, using your ssh password, or private key and passphrase, on
someone else's machine is analogous to trusting someone with your
physical keys. You shouldn't do it if you don't have to.
4. It's still not been clarified (at least in public) how the
escalation to root privilege occurred, but it could have been as easy as
some kernel.org _admin_ user's personal box having been compromised, and
the intruders piggybacking on the admin ssh'ing into kernel.org and then
using sudo.
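Added example, not part of Rick Moen's post or of any project he names. Point 3 above says to keep your ssh key on your own end; one common way people violate that without noticing is agent forwarding ("ForwardAgent yes"), which lets anyone with root on the far end sign with your key through the forwarded socket for as long as you are logged in. The script below audits an OpenSSH client config for that setting and counts private key files left in a directory standing in for your home on the remote host. The config contents and hostnames are constructed for the example; the only OpenSSH fact it relies on is that ForwardAgent defaults to "no". It reads only the first pattern on a multi-pattern "Host" line and ignores "Match" blocks.

```shell
#!/bin/sh
# Added example (not from the original post): audit an OpenSSH client
# config for agent forwarding and look for private keys that should not
# be sitting on someone else's machine.

# Constructed sample ~/.ssh/config; hostnames and user are hypothetical.
SAMPLE_CONFIG="$(cat <<'EOF'
Host shells.sourceforge.net
    User alice
    ForwardAgent yes

Host *.example.org
    ForwardAgent no

Host *
    IdentitiesOnly yes
EOF
)"

# Read a config on stdin and print "host=<pattern> forward=<yes|no>" for
# each Host stanza. Stanzas that never set ForwardAgent inherit the
# OpenSSH default, which is "no".
audit_forward_agent() {
    awk '
        tolower($1) == "host" {
            if (host != "") printf "host=%s forward=%s\n", host, fwd
            host = $2; fwd = "no"
        }
        tolower($1) == "forwardagent" { fwd = tolower($2) }
        END { if (host != "") printf "host=%s forward=%s\n", host, fwd }
    '
}

# Exit 0 if no stanza in the config on stdin forwards the agent, 1 otherwise.
# Usable as a login or pre-commit hook on your own machine.
config_is_safe() {
    ! audit_forward_agent | grep -q 'forward=yes'
}

# Count private key files directly in a directory and in its .ssh/
# subdirectory (e.g. your home on the far end). PEM/OpenSSH private keys
# begin with a "-----BEGIN ... PRIVATE KEY-----" line; public keys do not.
count_private_keys() {
    dir="$1"
    n=0
    for f in "$dir"/* "$dir"/.ssh/*; do
        [ -f "$f" ] || continue
        if head -n 1 "$f" 2>/dev/null | grep -q '^-----BEGIN .*PRIVATE KEY-----'; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Stand-alone demo on the constructed config.
printf '%s\n' "$SAMPLE_CONFIG" | audit_forward_agent
if printf '%s\n' "$SAMPLE_CONFIG" | config_is_safe; then
    echo "OK: no agent forwarding configured"
else
    echo "WARNING: ForwardAgent yes found; root on that host can use your key while you are logged in"
fi
```

Run it on your own machine as `./audit.sh < ~/.ssh/config`, or point `count_private_keys` at your home directory after logging in to a shared shell host; a nonzero count means a key is exposed to whoever has root there, and the fix is the one the post gives: delete it there and initiate the copy from your own end instead.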