

Linuxfoundation.org also hacked - KonradKlause
http://www.linuxfoundation.org/

======
keenerd
My bet is we are going to see more and more of this, as fallout from the
kernel.org crack.

Kernel.org said "Don't worry about linux, the source tree is in git and
tamper-proof. All they messed with was SSH. It was amateur, really." (Some
paraphrasing.)

Well, a modified SSH could easily log interesting details that pass through
it. So if you used [ed: gpg] private key forwarding, the crackers have your
private key. [ed: See [http://www.unixwiz.net/techtips/ssh-agent-forwarding.html#se...](http://www.unixwiz.net/techtips/ssh-agent-forwarding.html#sec) for the SSH vulnerabilities.]

The only question is how fast the attackers have moved. Blitz all the servers
at once, or try to carefully lay something individually tailored and
undetectable. It's been long enough for either.

edit: Erroneous simplification, sorry. The attacker could imitate you on the
remote system. This is not the same as having your ssh private key (my bad)
but the result is the same. The third party server you connected to through
kernel.org is compromised.

edit edit: But check your gpg keys! Gpg signing does require the full private
key on the remote system. If you signed any files on kernel.org with
forwarding, they could have your gpg private key. (Though this might need
modification to gpg, which was not mentioned by kernel.org.)
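The risk keenerd describes comes from `ForwardAgent yes`: while you are logged in, the intermediate host holds a UNIX socket to your agent, and anyone with root there can use it to authenticate as you to further hosts (the key itself stays on your machine, which matches the correction above). The following is an added example, not code from the thread: a small POSIX shell audit that lists the `Host` blocks in an ssh_config that enable forwarding, next to a hardened config that reaches the same inner host with `ProxyJump` instead. Both configs and all host names are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): find ssh_config Host blocks that enable
# agent forwarding, and show the ProxyJump alternative that keeps the agent
# socket off the intermediate host.

# Constructed sample client config; host names are placeholders.
SAMPLE_CONFIG='Host bastion
    HostName bastion.example.invalid
    User alice
    ForwardAgent yes

Host internal
    HostName internal.example.invalid
    User alice
    ProxyCommand ssh -W %h:%p bastion

Host *
    ForwardAgent no'

# Same reachability without exposing the agent: the client opens a TCP tunnel
# through the bastion and authenticates to "internal" end to end, so the
# bastion never sees an agent socket it could drive.
HARDENED_CONFIG='Host bastion
    HostName bastion.example.invalid
    User alice

Host internal
    HostName internal.example.invalid
    User alice
    ProxyJump bastion

Host *
    ForwardAgent no'

# Print the Host patterns whose block sets "ForwardAgent yes".
# Reads ssh_config text from the files given as arguments, or from stdin.
forward_agent_hosts() {
    awk '
        tolower($1) == "host" { host = $2; next }
        tolower($1) == "forwardagent" && tolower($2) == "yes" { print host }
    ' "$@"
}

# Exit status 0 when no block enables forwarding, 1 otherwise.
config_is_clean() {
    [ -z "$(forward_agent_hosts "$@")" ]
}

# Stand-alone run: report on both constructed configs.
printf 'Sample config forwards the agent to: %s\n' \
    "$(printf '%s\n' "$SAMPLE_CONFIG" | forward_agent_hosts)"
if printf '%s\n' "$HARDENED_CONFIG" | config_is_clean; then
    echo 'Hardened config: no "ForwardAgent yes" found'
fi
```

Run it against a real file with `forward_agent_hosts ~/.ssh/config`. `ProxyJump` needs OpenSSH 7.3 or newer; on older clients the `ProxyCommand ssh -W` form in the sample gives the same end-to-end authentication. Where forwarding cannot be avoided, `ssh-add -c` loads the key so that the agent asks for confirmation on every use, which turns a silent misuse from the intermediate host into a visible prompt.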

~~~
eli
Is that true? I didn't think private key forwarding was vulnerable to a MITM
like that.

~~~
keenerd
Sort of. See [http://www.unixwiz.net/techtips/ssh-agent-forwarding.html#se...](http://www.unixwiz.net/techtips/ssh-agent-forwarding.html#sec) for more details.

I left out a few steps, but at the very least the system you connected to
through kernel.org could be compromised.

------
veyron
Who stands to gain from an attack on linuxfoundation.org and kernel.org?

~~~
eli
My guess is the same people who stand to gain from knocking over mailboxes.

~~~
mkopinsky
Driver's ed students?

~~~
burgerbrain
He's probably referring to people who purposely whack mail boxes with baseball
bats out car windows.

So presumably drunk highschool football players.

------
16s
kernel.org has been down for three or four days now. Seems there is more
to this hack than we've been told. For a while kernel.org just didn't respond
to requests, then they put up this maintenance page:

<http://kernel.org/>

------
nimrody
Quote: "...you should consider the passwords and SSH keys that you have used
on these sites compromised. If you have reused these passwords on other sites,
please change them immediately"

Did they really store clear text passwords? Or perhaps I'm misinterpreting the
announcement?

~~~
TheEskimo
It's unlikely they stored plaintext passwords. That doesn't mean that the
attacker couldn't crack the hash.

More importantly, if the hacker modified the ssh binary then they could make
it retransmit passwords before hashing them. Once the attacker has such a high
level of access to the system it doesn't matter if the system has otherwise
sound security; that security can simply be removed or altered.

I think the announcement is made as it is because it's far safer to assume the
worst than the most likely or best. Even if your keys and passwords aren't
compromised it doesn't hurt to change them.
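A trojaned `ssh` binary of the kind TheEskimo describes is invisible to the login flow but changes the file on disk, so the basic detection is to compare installed binaries against a manifest of known-good hashes that is stored somewhere the intruder could not reach. This is an added example and not code from the thread: a POSIX shell checker that records SHA-256 hashes, re-verifies them, and runs itself against a constructed throwaway tree (a fake `ssh` file stands in for the real binary) so it executes anywhere.

```shell
#!/bin/sh
# Added example (not from the thread): compare installed binaries against a
# manifest of known-good SHA-256 hashes kept offline. A constructed fake
# "ssh" file stands in for the real binary so the script runs anywhere.

# Print "<sha256>  <path>" for each path given; save this output off-host.
record_hashes() {
    sha256sum "$@"
}

# Read a manifest ("<sha256>  <path>" per line) and print every path whose
# current hash differs from the recorded one, or which is missing.
# Output is empty when everything matches. (Paths must not contain spaces.)
find_tampered() {
    manifest=$1
    while read -r expected path; do
        [ -n "$path" ] || continue
        if [ ! -f "$path" ]; then
            printf '%s\n' "$path"
            continue
        fi
        actual=$(sha256sum "$path" | awk '{print $1}')
        [ "$actual" = "$expected" ] || printf '%s\n' "$path"
    done < "$manifest"
}

# Build a throwaway tree, baseline it, tamper with one file and print the
# number of flagged entries before and after as "before/after".
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/bin"
    printf 'fake ssh client\n' > "$work/bin/ssh"
    printf 'fake ssh-agent\n'  > "$work/bin/ssh-agent"
    record_hashes "$work/bin/ssh" "$work/bin/ssh-agent" > "$work/manifest"

    before=$(find_tampered "$work/manifest" | wc -l)
    # Simulated trojaned client: one extra byte changes the hash.
    printf 'x' >> "$work/bin/ssh"
    after=$(find_tampered "$work/manifest" | wc -l)

    rm -rf "$work"
    echo "$((before))/$((after))"
}

# Stand-alone run: expected output is 0/1.
demo
```

On a real system the equivalent of `record_hashes` is the package manager's own file list (`rpm -V openssh-clients`, `debsums openssh-client`), with the caveat that matters here: an attacker with root can rewrite the package database along with the binary, so the hashes to trust are the ones taken from clean package files on another machine, not the ones the compromised host reports about itself.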

------
recoiledsnake
Linux.com is also down with the same message.

