Who rooted kernel.org servers two years ago? - pranavk
http://arstechnica.com/security/2013/09/who-rooted-kernel-org-servers-two-years-ago-how-did-it-happen-and-why/

======
idupree
From the 2011 kernel summit, "The attack turns out to have been part of a
widespread credential-stealing network that has been operating for some years
now; it is clear that the site had been owned by this network for some time
before it was discovered. What also seems to be clear is that this was not a
targeted attack; kernel.org was just another on a long list of broken
machines."

- Jon Corbet reporting on a talk by H. Peter Anvin,
[https://lwn.net/Articles/464233/](https://lwn.net/Articles/464233/)

------
nlh
So let's speculate about what the article almost-but-doesn't-quite propose:

The NSA, or related parties, was responsible for the breach. There was an
investigation and postmortem, but because of an NSL or other gag-type order,
they couldn't accurately publish what they discovered. So they figured that
not releasing a report was better than releasing a report that either
intentionally misled or pretended not to have figured out what happened.

I know, this is a pretty big leap. But regardless -- what does it mean? What
are the ramifications if this _is_ what happened?

~~~
rgbrenner
_What are the ramifications if this is what happened?_

I strongly suspect they were able to get a copy of the kernel source code...
They could be doing anything with it.. Porting it to a new platform..
Compiling it with unsafe GCC flags.. Or worse..

~~~
jeresig
There was a discussion about this recently saying that it was highly unlikely.
All the source was in Git and every git commit references the previous commit,
making it highly challenging to modify an old commit without also modifying
the commit id. More details:
[http://archive.is/Khq7R](http://archive.is/Khq7R)
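As an added illustration (not from the thread or the kernel project) of the hash chain jeresig describes: a minimal re-implementation of Git's object hashing over a constructed three-commit history. The author, timestamp and file contents are made-up placeholders; changing the content behind the oldest commit changes its id and, because each commit hashes its parent's id, every descendant id as well.

```python
import hashlib
from typing import Optional

def git_object_id(kind: str, payload: bytes) -> str:
    """Hash an object the way Git does: sha1(b"<type> <len>\\0" + payload)."""
    header = f"{kind} {len(payload)}\0".encode()
    return hashlib.sha1(header + payload).hexdigest()

def blob_id(content: bytes) -> str:
    return git_object_id("blob", content)

def tree_id(entries: dict) -> str:
    """Minimal tree: regular files only (mode 100644), entries sorted by name."""
    body = b""
    for name in sorted(entries):
        body += f"100644 {name}\0".encode() + bytes.fromhex(entries[name])
    return git_object_id("tree", body)

def commit_id(tree: str, parent: Optional[str], message: str) -> str:
    # Constructed author/committer line; real commits carry real identities.
    who = "A U Thor <author@example.invalid> 1315000000 +0000"
    lines = [f"tree {tree}"]
    if parent:
        lines.append(f"parent {parent}")  # the link that forms the chain
    lines += [f"author {who}", f"committer {who}"]
    body = ("\n".join(lines) + "\n\n" + message + "\n").encode()
    return git_object_id("commit", body)

def build_history(versions: list) -> list:
    """Chain commits: each id covers its tree and its parent's id."""
    ids, parent = [], None
    for msg, content in versions:
        parent = commit_id(tree_id({"kernel.c": blob_id(content)}), parent, msg)
        ids.append(parent)
    return ids

# Constructed sample history; not real kernel content.
HISTORY = [
    ("initial", b"int main(void) { return 0; }\n"),
    ("add feature", b"int main(void) { return feature(); }\n"),
    ("bugfix", b"int main(void) { return feature() + 1; }\n"),
]

def tamper_first_commit(history: list) -> list:
    """Alter the file content behind the oldest commit, keep the rest."""
    tampered = list(history)
    tampered[0] = (history[0][0], history[0][1] + b"/* injected change */\n")
    return tampered

def changed_ids(original: list, tampered: list) -> list:
    """Indices of commits whose id differs after tampering."""
    a, b = build_history(original), build_history(tampered)
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]
```

Anyone holding the original head id (a maintainer's clone, a signed tag) detects the rewrite by a single id comparison, which is why silently editing old history on a mirror does not survive a fetch.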

~~~
rgbrenner
Yes, it's unlikely they modified the source in git.. But it's possible they
were able to download a copy and modify it locally... Possibly adding comments
to document certain blocks of code.. Or adding unofficial patches for zfs
support... Or worse..

~~~
adamnemecek
Isn't that against the Geneva Convention?

------
brudgers
A feature of civilian security is that "It was restored from Git" doesn't
immediately spark a concern that Git could be compromised.

I'm not saying that it is, but compromising Git is certainly the sort of thing
which would occur to a state sponsored espionage agency. And if one were
seeking to compromise the Linux toolchain, it would certainly be a very
attractive link. So attractive that not including it in a multi-vector attack
might be considered grossly unprofessional.

~~~
marcosdumay
Version control systems are a bad target. They are too simple*, too
deterministic, and too networked. You can steal their data, but if you insert
something, you will get caught.

* Yeah, there are exceptions, all of them proprietary. There is no reason to
trust GIT less just because some companies can make even version control hard.

~~~
brudgers
Even assuming that Git is unassailable with a billion dollar budget:

How long has the Linux kernel been under development?

How long has it been version controlled using Git?

How long has it been a potential target of state sponsored espionage agencies?

The potential adversaries have been taking cryptography and security seriously
since long before the Linux community. They have larger budgets and
significant expertise backed by patriotism and economic rewards.

Compared to pulling a nuclear submarine wreck from the depths of the Pacific,
Git might not appear so difficult.

------
NelsonMinar
It's a shame this article doesn't have anything new to add, although I'm glad
someone is reminding the world we still don't know what happened. Before the
Snowden revelations this summer I'd have assumed it was a simple drive-by,
incompetence. Now it's hard to see this as anything other than a deliberate
attack by an Advanced Persistent Threat.

------
ChuckMcM
Weird parallel between the NSA revelations and the Global Warming movement:
every odd weather event is attributed to global warming, every odd security
event is attributed to the NSA.

That said, as I recall the "hack" was a lot less impressive than it seemed
(some folks in Google's Linux team were administrators of kernel.org). I do
wonder about the lack of a definitive online after action report though. Seems
someone dropped the ball on that one.

~~~
anon1385
Could you stop lying about Climate Science please?

~~~
nsashill42334
I think that he (she?) was comparing some extra-alarmists' (Al Gore-type)
tendencies to attribute every abnormal weather pattern to global warming. We
should all agree that crying wolf weakens legitimate claims about climate
change and ocean acidification.

------
emp_
OFF-TOPIC: why is it that when I hit back in Ars it creates about 10 pages in my
history (I didn't click anything in the page itself)? This is a UX nightmare, and
the 3-4 articles I've looked at in the past week made me cringe when trying to
leave the page.

~~~
rb2e
Do you have an extension blocking ads? I found the same problem, and disabling
the extension stopped the problem occurring.

------
outside1234
Until there is a post-mortem, we have to assume the simplest explanation:
gross facepalm, like leaving something 777 open to the world.

~~~
gpvos
Possible. But even then it would be good to know as much as possible on who
actually broke in and what they did.

------
nl
It's worth noting that back in 2003 an attempt was made to introduce a
backdoor into (the CVS mirror of) the Linux kernel[1].

It's never been clear who was behind that attack, either.

[1] [http://lwn.net/Articles/57135/](http://lwn.net/Articles/57135/)

------
eykanal
Promises on important matters are made every day and subsequently broken. Any
reason why Ars is bringing this up now?

~~~
ascendantlogic
Because this was a high profile breach and in light of the recent NSA
revelations the reader is expected to connect the dots. Just my take on it.

------
realy
> While there's no evidence that backdoors or other malicious code were
> surreptitiously inserted

And it's difficult to imagine how changes would have gone unnoticed.

