[NTLUG:Discuss] Open Source news
rseb
rseb at ev1.net
Fri Aug 29 10:45:15 CDT 2003
I don't know if this is the forum and it may be old news. If this isn't
the forum for news, please let me know.
However, a friend sent this to me and I thought I should pass it on.
Also, as a newbie to Linux, I was curious about what we as users of Open
Source s/w could do to minimize the effects of vandalism. As users of
one or more of the flavors of Linux, how might this attack on the GNU
project affect us?
Here it is:
****************
GNU Servers Hacked, Linux Software May Be Compromised, *Techweb News*
<http://www.internetwk.com/breakingNews/showArticle.jhtml?articleID=13100280>
In mid-March 2003, someone hacked the primary file servers hosted by the
GNU Project, the group which supports the development of many of the
components in the Linux operating system, the group acknowledged
Wednesday. It warned that the attacker may have inserted malicious code
into the free software available for download, including Linux, and
posted a set of hashes that users can check against to determine if what
they retrieved is clean. The CERT Coordination Center noted in an
advisory posted on 13 Aug 2003 that "because this system serves as a
centralized archive of popular software, the insertion of malicious code
into the distributed software is a serious threat." At the same time, it
reported that there isn't any evidence that the source code posted on
the FTP servers was, in fact, compromised.
The Free Software Foundation (FSF), which oversees the GNU Project, has
posted a series of checksums, validation numbers generated by the source
code known not to have been compromised, which users can use to verify
what they've downloaded.
The attack took place in March, but was only discovered in late July.
It used an exploit that was revealed on March 17, for which a patch
wasn't immediately available. It was during a week's span of
vulnerability that the servers were compromised, the FSF said in a
statement.
A Trojan horse was placed on the system at that time, possibly for
password collection and to use the machine for additional attacks,
according to the FSF.
[See also <http://zdnet.com.com/2100-1105-5063658.html>
-- which prompted Keith Rhodes to note the following:
* The bad news: "The project urged those who have downloaded
software from the server since March to check that the source code has
not been tampered with."
* The good news: You actually have source you can check. PGN]
Russ
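On the question of what an ordinary user can do: the practical step the article describes is checking downloaded archives against the checksum list the FSF published. The script below is an added example illustrating that check; it is not part of Russ's post, the news article, or any FSF tooling. It assumes the list is in the `md5sum`/`sha256sum` text format (`<hexdigest>  <filename>`, one per line), picks the digest algorithm from the digest length, and builds its own sample files and checksum list in a temporary directory so it runs offline (all of that sample data is constructed here, not taken from the FSF's list).

```python
import hashlib
import hmac
import os
import tempfile

# Hex digest length -> hashlib algorithm name.
# The 2003 GNU list used MD5; a current list should carry SHA-256 (or longer) digests.
DIGEST_ALGORITHMS = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}


def parse_checksum_list(text):
    """Parse md5sum/sha256sum-style lines ('<hexdigest>  <filename>') into {filename: digest}."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue  # malformed line: skip it rather than guess what was meant
        digest, name = parts
        # coreutils prefixes the name with '*' when the digest was taken in binary mode
        expected[name.lstrip("*")] = digest.lower()
    return expected


def hash_file(path, algorithm):
    """Stream the file through the digest so a large tarball need not fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_downloads(directory, checksum_text):
    """Return {filename: 'OK' | 'MISMATCH' | 'MISSING' | 'UNKNOWN_ALGORITHM'} for every listed file."""
    results = {}
    for name, digest in parse_checksum_list(checksum_text).items():
        algorithm = DIGEST_ALGORITHMS.get(len(digest))
        if algorithm is None:
            results[name] = "UNKNOWN_ALGORITHM"
            continue
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "MISSING"
            continue
        actual = hash_file(path, algorithm)
        # constant-time comparison; the outcome is the same as '==' for a correct digest
        results[name] = "OK" if hmac.compare_digest(actual, digest) else "MISMATCH"
    return results


def demo():
    """Constructed scenario: one clean file, one altered after the list was made, one never downloaded."""
    with tempfile.TemporaryDirectory() as d:
        clean = b"pretend this is a clean source tarball\n"
        original = b"pretend this is the original tarball\n"
        with open(os.path.join(d, "clean.tar.gz"), "wb") as f:
            f.write(clean)
        # The published list was generated from the original bytes ...
        checksum_text = "\n".join([
            "# constructed checksum list for this example, not the FSF's",
            f"{hashlib.sha256(clean).hexdigest()}  clean.tar.gz",
            f"{hashlib.sha256(original).hexdigest()}  tampered.tar.gz",
            f"{hashlib.sha256(b'never fetched').hexdigest()}  absent.tar.gz",
        ])
        # ... but the copy on disk has had something appended since.
        with open(os.path.join(d, "tampered.tar.gz"), "wb") as f:
            f.write(original + b"# injected line\n")
        return verify_downloads(d, checksum_text)


if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print(f"{status:9} {name}")
```

Two caveats go with any such check. The checksum list itself has to come from somewhere other than the server that may have been tampered with (a signed announcement, a mirror controlled by someone else), otherwise an attacker who altered the archives could just as easily have altered the list. And a digest proves only that the bytes match what the list's author hashed; if the list was generated after the intrusion, a match says nothing about whether the source was clean.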