On Fri, 22 Aug 2008 12:25:38 EDT, Larry Seltzer said:

> >> Yes, the fact that Fedora isn't RHEL.
>
> OK, thanks, I see that. Let me get something straight here:
>
> >> ... the intruder was able to sign a small number of OpenSSH packages
> relating only to Red Hat Enterprise Linux...
>
> So the suspicion is that the intruder inserted malicious code (or maybe
> the Debian random number generator?) into the packages and signed them?

I have no news as to what was in the backdoored packages.

> Is anyone else as appalled by this as I am? Has there been such a
> compromise of a major OS before?

I guess you missed when the machine windowsupdate.microsoft.com got pwned by CodeRed a few years ago.. ;)

You also probably missed when the openssh and sendmail servers got hacked a few years ago, both had trojan'ed tarballs dropped in that would do an "ET Phone home" when the sysadmin built the kit (*not* when it ran). In neither case did the attacker manage to PGP-sign the tarballs, but few people checked.

One could also argue that *way* back when Karger & Schell did their pen-test analysis of Multics, that Multics was a major OS at the time...

In other words: "This kind of shit happens all the time". ;)

> I also have to say that this is the first I've heard that RH and/or
> Fedora sign their distribution packages. Is this common among Linux
> distros?

I don't know about Debian, but Ubuntu apparently does:

% gpg --list-keys --keyring /etc/apt/trusted.gpg
/etc/apt/trusted.gpg
--------------------
pub   1024D/437D05B5 2004-09-12
uid                  Ubuntu Archive Automatic Signing Key <[EMAIL PROTECTED]>
sub   2048g/79164387 2004-09-12

pub   1024D/FBB75451 2004-12-30
uid                  Ubuntu CD Image Automatic Signing Key <[EMAIL PROTECTED]>
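The post's point that signed tarballs are only useful if someone actually checks them, as an added example that is not part of the post or of any distribution's tooling: a POSIX sh script that verifies a detached PGP signature against a pinned signing-key fingerprint by parsing gpg's machine-readable status lines rather than trusting its exit code. The keyring path (borrowed from the apt listing above), the fingerprint and the file names are assumptions.

```shell
#!/bin/sh
# Added example (not from the post). gpg --verify exits 0 for a GOODSIG from
# ANY key in the keyring, so the exit code alone does not tie a package to
# the expected signer; the --status-fd lines plus a pinned fingerprint do.

# check_status PINNED_FPR STATUS_TEXT
# Prints "ok" (return 0) only if a VALIDSIG line names the pinned fingerprint
# as the signing (sub)key or as the primary key in its last field; otherwise
# prints reject:<reason> (return 1). Any BADSIG or NO_PUBKEY rejects.
check_status() {
    pinned=$1
    status=$2
    seen_valid=""; matched=""; bad=""; nokey=""
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] BADSIG "*)    bad=1 ;;
            "[GNUPG:] NO_PUBKEY "*) nokey=1 ;;
            "[GNUPG:] VALIDSIG "*)
                # VALIDSIG <fpr> <date> <ts> <exp> <ver> <rsvd> <pk-algo>
                #          <hash-algo> <class> [<primary-fpr>]
                set -- $line
                seen_valid=1
                eval "primary=\${$#}"
                if [ "$3" = "$pinned" ] || [ "$primary" = "$pinned" ]; then
                    matched=1
                fi ;;
        esac
    done <<EOF
$status
EOF
    if [ -n "$bad" ];          then echo "reject:bad-signature";      return 1
    elif [ -n "$nokey" ];      then echo "reject:unknown-key";        return 1
    elif [ -n "$matched" ];    then echo "ok";                        return 0
    elif [ -n "$seen_valid" ]; then echo "reject:wrong-key";          return 1
    else                            echo "reject:no-valid-signature"; return 1
    fi
}

# verify_tarball KEYRING PINNED_FPR TARBALL SIGFILE
# Runs gpg against a dedicated keyring with status lines on stdout, then
# applies the pin. The keyring path below is only an illustrative choice.
verify_tarball() {
    keyring=$1; pinned=$2; tarball=$3; sig=$4
    status=$(gpg --no-default-keyring --keyring "$keyring" --status-fd 1 \
                 --verify "$sig" "$tarball" 2>/dev/null) || true
    check_status "$pinned" "$status"
}

# Usage (hypothetical files and fingerprint):
# verify_tarball /etc/apt/trusted.gpg 0123456789ABCDEF0123456789ABCDEF01234567 \
#     package.tar.gz package.tar.gz.asc
```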
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
