Re: [DNG] What you saw on devuan.org yesterday was an April's fools joke
On Tue April 2 2019 10:31:11 Antony Stone wrote:
> Well, as Jaromil eloquently pointed out, since you have no contract with
> Devuan, and it is clearly distributed WITHOUT ANY WARRANTY (I only
> capitalise because that's the way it's written in all the notices letting
> you know), I don't think you (or anyone else) is going to get a lawyer to
> express a professional opinion either way.
>
> I also fail to see how a lawyer can possibly decide whether it's "safe to
> keep a production system on Devuan". What do lawyers know about software?

Lawyers apply the law to real world facts of all kinds. You should talk to one. There is far more to the law than warranty disclaimers. DO NOT GO INTO AN AIRPORT AND SHOUT "BOMB", with or without a contract to fly.

> Without a contract and an agreement of liability, any lawyer is just going
> to say "you want to use this software? Fine, your choice, no backup, no
> option to sue."

You argue against all production use of F/LOSS. Are you Bill Gates? Fortunately your argument is flawed.

I am not your lawyer and I'm not giving you legal advice. I'm giving you the world class gold standard non-legal advice: Talk to your lawyers.

--Mike

___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
Re: [DNG] What you saw on devuan.org yesterday was an April's fools joke
On Tue April 2 2019 07:30:58 Jaromil wrote:
> 1. There was no break-in on any part of Devuan's infrastructure on 1st
> April. This was the most skillful prank I've witnessed in my life.

You are easily impressed. And you double down on KatolaZ's irresponsible vandalism with a display of lazy wishful thinking.

You are claiming no break-in but you have reported nothing to establish the integrity of your systems and software from the ground up as any real Veteran Unix Admin knows how to do.

Your claim comes after KatolaZ wrote:

    We know. Seems to be quite serious. No access to our infra. We are
    working on it, and we will post updates.

And Evilham wrote:

    Had it been just about devuan-web, it wouldn't have been as terrible as
    this is: going the lengths of doing it with gdo and the build system
    undermines that trust of users towards Devuan. It's been now well over
    12 hours and the "joke" is still on, it still hints at all parts of the
    infrastructure being compromised, it still looks as if gdo and the
    build system were compromised.

While golinux indicated this had not been discussed in advance by the team:

    I was not aware of any discussion about this action.

Nor has there been any explanation of why other core team members were unable to shut down or redirect DNS, shut down or repair the compromised systems, or take any other measures to mitigate the attack during the 24 hours it lasted.

You simply don't know what happened during those 24 hours or what is still compromised and any reliance on the claims of an admitted attacker is beyond ridiculous.

If any of you were the Veteran Unix Admins that you claimed to be you would know that a hand-waving "nothing happened" is utterly inadequate to prove that your systems and software have not been compromised without your knowledge. You have taken zero steps to prove Devuan trustworthy and you seem to think that's the end of the matter.

Sysadmins will now each decide for themselves or with their lawyers whether they can continue to use Devuan. I'll be reading this list until our switch is complete. If anyone finds a lawyer who says that it's safe to keep a production system on Devuan I'd love to hear their reasoning.

The work now to switch distros is a drag but worst of all is that you have just done more in one day to undermine the viability of alternatives to SystemD than its proponents could ever have dreamed of.

> 2. Devuan comes WITHOUT ANY WARRANTY. Bluntly put, if you
> want to hold someone liable, you need a contract.

That's why people who cause airports to be evacuated by shouting "bomb" can't be both sued for the cost of the delays and prosecuted, right? No contract?

How many billable person hours do you think your little stunt is going to end up costing worldwide?

--Mike
Re: [DNG] Fwd: April's fools mess
On Mon April 1 2019 22:49:31 Steve Litt wrote:
> Mike, please speak for yourself. I get it: This incident caused you to
> take evasive action, and now you have serious doubts about using Devuan
> further. That's fine: There are other sans-systemd distros and BSDs
> that might be more or less secure and reliable than Devuan.
>
> But you can't dictate that everyone using Devuan in production must
> drop Devuan unless a set of further procedures are followed. Move if
> you must, but have the respect to allow each of us to handle this our
> own way.

The surviving Devuan core team members will take zero or more steps to prove Devuan trustworthy and sysadmins will each decide for themselves or with their lawyers whether they can continue to use Devuan.

--Mike
Re: [DNG] Fwd: April's fools mess
On Mon April 1 2019 15:22:02 Martin Steigerwald wrote:
> And give the other core members a moment to give you the reassurance you
> need.

They haven't issued a statement since this began 30 hours ago. Maybe they haven't finished their forensic analysis but they should at least say whether they're taking it seriously or blowing it off so that sysadmins using Devuan can decide what to do next.

Devuan's response is inadequate and unprofessional.

--Mike
Re: [DNG] Fwd: April's fools mess
On Mon April 1 2019 14:39:28 Martin Steigerwald wrote:
> In what way is that not good enough for you? What would be required for
> you to forgive a mistake and go on with your life?

Hi Martin,

What part of Evilham's statement that "it still looks as if gdo and the build system were compromised" [1] did you not believe? Do you think Evilham was mistaken? Why? Do you think it possible an attacker - KatolaZ or another - was in there and later covered his tracks? Why not?

I am still hoping the silent core team members are working on this as I really don't want to spend the next few months changing distros.

--Mike

[1] https://lists.dyne.org/lurker/message/20190401.132910.da02134d.en.html
Re: [DNG] Fwd: April's fools mess
On Mon April 1 2019 14:41:43 KatolaZ wrote:
> You are spreading FUD, since in the email you quoted Evilham never
> said the infra was compromised.

Here is the complete sentence from Evilham's email [1]. If you didn't see it you didn't scroll down to read the full email. Evilham quotes his earlier private email:

> It's been now well over 12 hours and the "joke" is still on, it
> still hints at all parts of the infrastructure being compromised, it
> still looks as if gdo and the build system were compromised.

--Mike

[1] https://lists.dyne.org/lurker/message/20190401.132910.da02134d.en.html
Re: [DNG] Fwd: April's fools mess
On Mon April 1 2019 14:18:38 Martin Steigerwald wrote:
> For me that is good enough.

When core team member Evilham writes "it still looks as if gdo and the build system were compromised" [1] I need a lot more than a limited admission of guilt from KatolaZ before trusting that Evilham was mistaken rather than KatolaZ just managed to hide his tracks better.

--Mike

[1] https://lists.dyne.org/lurker/message/20190401.132910.da02134d.en.html
Re: [DNG] Fwd: April's fools mess
On Mon April 1 2019 13:55:28 Antony Stone wrote:
> On Monday 01 April 2019 at 22:52:34, Mike Bird wrote:
> > None of the other core team members have commented on this fiasco.
> > I look forward to hearing that they have taken appropriate action.
>
> What, in your opinion, would be "appropriate"?

I have already offered some suggestions but there is more than one way to prove a theorem.

The surviving Devuan core team members will take zero or more steps to prove Devuan trustworthy and sysadmins will each decide for themselves or with their lawyers whether they can continue to use Devuan.

--Mike
Re: [DNG] Fwd: April's fools mess
On Mon April 1 2019 13:25:15 Martin Steigerwald wrote:
> 1) please give any requests for removing one of the core members from the
> project or using legal enforcement a rest. KatolaZ apologized already
> several times. So please let it go.

I have not threatened "legal enforcement" against Devuan. However those of us who use Devuan in production cannot continue to do so if Devuan does not take this issue seriously, lest we suffer legal consequences ourselves.

> 2) KatolaZ, could you repost your clarifying statement in thread
> "devuan.org is back" signed with your gpg key. I bet it may have some
> signatures from other devuan core members. Mike, is there anything else you
> need to accept this statement as genuine?

I do not seriously doubt the authenticity of KatolaZ's admission but there is no point in doubting or believing it as it avails nothing.

I'm curious as to the point Daniel Abrecht raised - whether this was an agreed team effort or a lone prankster/attacker whose access can be removed by the surviving core team members.

KatolaZ has admitted guilt. Evilham has suggested an offline "discussion" in a few days - a positive but inadequate response. None of the other core team members have commented on this fiasco. I look forward to hearing that they have taken appropriate action.

--Mike
Re: [DNG] Fwd: April's fools mess
On Mon April 1 2019 12:44:05 Antony Stone wrote:
> No, I have complied with my country's laws regarding personal data
> protection and taken "appropriate technical and organisational measures" to
> ensure the security of the systems.

You do not seem to understand security. Once there is the possibility of an attack the security of the system has to be proven or rebuilt. Usually this entails locking out the attacker, generating all new security tokens and keys, wiping, and rebuilding from trusted source.

An email claiming it was all a joke does nothing to prove the system secure even if it happens to be true. It could equally well be false. Similarly Evilham's suggestion of a future offline "discussion" is too little too late.

Maybe the prankster/attacker left another easter egg or a backdoor. Maybe he stole keys. Maybe a black hat snuck in while the prankster was messing around. Maybe nothing at all bad happened. You can't entrust other people's credit cards to "maybe". And certainly the prankster cannot henceforth be trusted with privileged access to any systems.

But don't believe me. Talk to your lawyers.

I was just hoping the surviving Devuan four would take responsibility for fixing things before I have to invest a few months in moving a lot of systems to a different distro. But as time passes with no action it's looking increasingly as if they have no interest in keeping Devuan viable.

--Mike
Re: [DNG] Fwd: April's fools mess
On Mon April 1 2019 12:18:53 Antony Stone wrote:
> If this incident has made you distrust the Devuan project, you're probably
> better off using a different distro.

Are you a sysadmin? Are you responsible for other people's data?

Let's say you have the misfortune to have one of your servers hacked one day. Credit card numbers are stolen. Lawsuits are filed. You claim in your defense that you were doing your best to keep the information secure. Plaintiff's lawyers discover that you were using Devuan and Devuan had not responded seriously to this incident. You are now bankrupt, unemployed, and unemployable.

Believe me, the other four need to get their acts together and very quickly if they want anyone other than themselves to continue using Devuan.

--Mike
Re: [DNG] Fwd: April's fools mess
On Mon April 1 2019 11:51:46 Antony Stone wrote:
> So, you did not believe one of the primary project contributors when he
> admits to having created the hoax?

He has proven himself unworthy of trust. The only question is whether the other four choose to fix the problem in a sufficiently transparent manner as to restore trust in their own work.

--Mike
Re: [DNG] Fwd: April's fools mess
On Mon April 1 2019 11:30:34 KatolaZ wrote:
> > I know nothing of Italian law but whether or not the incident
> > should be referred for criminal prosecution is a question you
> > should already be discussing with your lawyers or the police.
>
> Yeah, let's tell the Italian police that an administrator with lawful
> full access to all our servers put a rewrite on three websites for an
> April fool...

Authorised access does not make wrongdoing lawful.

The other Devuan admins urgently need to remove you, consult a lawyer or the police, replace all authorisation tokens and keys, and rebuild from trusted sources.

Or they could let Devuan revert to a toy project used by five people.

--Mike
Re: [DNG] Fwd: April's fools mess
On Mon April 1 2019 11:12:34 Antony Stone wrote:
> On Monday 01 April 2019 at 20:05:11, Mike Bird wrote:
> Which part of the following did you not understand?

The post was easy to understand. It may be true. Or maybe not.

Sysadmins are entrusted with people's data - their bank accounts and credit cards and personal photos and private messages and much more. Any sysadmin who thought the posted explanation to be adequate would be sued or fired, and deservedly so.

If Devuan does not take security seriously it is worse than worthless.

--Mike
Re: [DNG] Fwd: April's fools mess
On Mon April 1 2019 06:29:10 Evilham via Dng wrote:
> Further clarifying things: **to my knowledge**(*) nothing has been
> compromised, but it is indeed a very elaborate prank.

Redirecting a web site is a juvenile and trivial edit that anybody with access can do in seconds. But if that was all, why was it not fixed in seconds?

This attack may have been a prank or it may have been a prank as a cover for an attack or it may have been a prank subsequently exploited by different black hats to cover an attack. You don't know.

Any security lapse is serious. There is always the possibility that logs and checksums were compromised, backdoors installed, access credentials stolen, etc. You can never know that a compromised system is secure until it is wiped and rebuilt from trusted sources. Similarly you cannot trust any other system to which the admitted attacker had access.

Claiming the incident was not serious does not make it less so, it just undermines the credibility of anyone who makes such a naive claim.

There are two very real problems: (1) the untrustworthy person with access to Devuan's infrastructure and (2) Devuan's thus-far totally inadequate response to a serious security incident.

Devuan/VUA must (1) remove the attacker and (2) announce a serious plan to restore security and trust. You will have to be transparent. You will probably have to replace all your security tokens and keys. Merely claiming you've examined a few things and didn't find anything wrong is ridiculous and the opposite of what any real Veteran Unix Admin would know to do.

I know nothing of Italian law but whether or not the incident should be referred for criminal prosecution is a question you should already be discussing with your lawyers or the police.

Anyone using Devuan in production will, like us, have frozen updates for now. This situation cannot persist long. If Devuan/VUA cannot quickly prove itself worthy of trust we too will have to rebuild our systems, and in doing so migrate away from Devuan.

Devuan/VUA's lame response thus far has been infinitely worse than anything ever done by SystemD.

--Mike
Re: [DNG] *** DEVUAN.ORG HAS BEEN PWNED *** , message
On Sun March 31 2019 12:36:44 Tomasz Torcz wrote:
> You are over-reacting on April Fools joke.

Whether or not a joke, all admins MUST assume the worst and rebuild from trusted sources. Even if the jokers had not intended a security compromise - which we don't know - we cannot assume that black hats didn't piggy-back on the jokers' efforts.

Rebuilding from trusted sources entails a LOT of work. Hopefully the jokers will have a few years in prison to contemplate their immaturity.

--Mike
Re: [DNG] *** DEVUAN.ORG HAS BEEN PWNED *** , message
On Sun March 31 2019 10:55:22 KatolaZ wrote:
> We know. Seems to be quite serious. No access to our infra. We are
> working on it, and we will post updates. :\

Assuming you still control your DNS you could immediately remove and later replace *.devuan.org to reduce the number of people accessing/downloading potentially compromised material.

Here at yosemite.net we have stopped ALL package updates/installs until we know more.

--Mike
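An added example, not code from the thread, from Devuan or from yosemite.net: the check a sysadmin who has frozen updates (as in the post above) and intends to "rebuild from trusted sources" (as the later posts put it) would run over anything already fetched from *.devuan.org before trusting it again. It assumes a SHA256SUMS-style manifest (the `<hex>  <filename>` format sha256sum writes) obtained from a source you still trust, whose detached signature you have already verified with gpgv against a key you hold out of band; that signature step is deliberately not performed here, since a manifest fetched from the same possibly compromised mirror proves nothing. The file names and contents in demo() are constructed.

```python
import hashlib
import os
import re
import tempfile

# One manifest line as written by sha256sum: "<64 hex>  <name>" (or "*<name>" in
# binary mode). Anything else (blank lines, PGP armor of a clearsigned manifest)
# is ignored; the signature over the manifest must be checked separately.
_LINE = re.compile(r"^([0-9a-fA-F]{64})\s+\*?(\S.*?)\s*$")


def parse_manifest(text):
    expected = {}
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            expected[m.group(2)] = m.group(1).lower()
    return expected


def sha256_file(path, chunk=1 << 20):
    # Stream the file so multi-gigabyte images do not have to fit in memory.
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_manifest(manifest_text, directory):
    """Map every manifest entry to 'OK', 'MISMATCH' or 'MISSING'."""
    results = {}
    for name, digest in parse_manifest(manifest_text).items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "MISSING"
        elif sha256_file(path) == digest:
            results[name] = "OK"
        else:
            results[name] = "MISMATCH"
    return results


def untrusted(results):
    """Files that must not be installed, booted or served until replaced."""
    return sorted(n for n, s in results.items() if s != "OK")


def demo():
    """Constructed sample (hypothetical names, not real Devuan images): one intact
    file, one altered after the manifest was written, one never downloaded."""
    good = b"installer image bytes\n"
    original = b"live image bytes\n"
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "good.iso"), "wb") as f:
            f.write(good)
        with open(os.path.join(d, "tampered.iso"), "wb") as f:
            f.write(original + b"extra bytes\n")
        manifest = "\n".join([
            hashlib.sha256(good).hexdigest() + "  good.iso",
            hashlib.sha256(original).hexdigest() + "  tampered.iso",
            "0" * 64 + "  missing.iso",
        ])
        return verify_manifest(manifest, d)


if __name__ == "__main__":
    r = demo()
    for name, status in sorted(r.items()):
        print(f"{status:8} {name}")
    print("do not trust:", untrusted(r))
```

A MISSING entry is reported rather than skipped on purpose: a manifest that names files the mirror no longer serves is itself a sign that the directory and the manifest were not produced together.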
Re: [DNG] excessive bounces
On Fri January 4 2019 13:33:57 marc wrote:
> Also: This isn't strictly a problem, but the highest priority
> mail handler for samba.org doesn't seem to be running a mail server
> at the moment:
>
> samba.org.        7200    IN    MX    5 ns1.samba.org.
> samba.org.        7200    IN    MX    9 ns1.samba.org.
> samba.org.        7200    IN    MX    7 smtp.samba.org.
>
> ;; Query time: 441 msec
> ;; SERVER: 196.22.160.5#53(196.22.160.5)
> ;; WHEN: Fri Jan 4 21:26:52 2019
> ;; MSG SIZE rcvd: 84
>
> ~$ telnet ns1.samba.org 25
> Trying 144.76.82.137...
> Connection failed: Connection refused
> Trying 2a01:4f8:192:486::b0...
> telnet: Unable to connect to remote host: Network is unreachable

I've got a test message trying to go to Rowland and it's running into the same problem at samba.org. That test message should go through eventually but I don't know the retry and bounce parameters of this list so it's quite possible that a few failures could result in a bounce.

Rowland, it looks like you need to ssh in and fix samba.org's MX.

--Mike

[Rowland cc'd because of bounces]
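An added example, not from the thread or from samba.org, that does by script what marc's dig and telnet output above shows by hand: parse the MX answer, order the hosts the way a sending MTA tries them (lowest preference value first, so ns1.samba.org at 5 is attempted before smtp.samba.org at 7), flag a host listed at two preferences, and record which hosts accept a connection on port 25. The connectivity test is injected so the block runs offline; the stand-in used in the demo, where smtp.samba.org answers, is an assumption (the thread only shows ns1 refusing). The dig lines are reconstructed from the quoted output with the whitespace the extraction lost put back.

```python
import re
import socket

# A dig answer line: "samba.org.  7200  IN  MX  5 ns1.samba.org."
_MX = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+MX\s+(\d+)\s+(\S+?)\.?\s*$")

# Reconstructed from the dig output quoted in the thread (tabs restored).
SAMPLE_DIG = (
    "samba.org.\t\t7200\tIN\tMX\t5 ns1.samba.org.\n"
    "samba.org.\t\t7200\tIN\tMX\t9 ns1.samba.org.\n"
    "samba.org.\t\t7200\tIN\tMX\t7 smtp.samba.org.\n"
)


def parse_mx(dig_output):
    """[(preference, host)] in the order an MTA tries them: lowest preference first."""
    records = []
    for line in dig_output.splitlines():
        m = _MX.match(line.strip())
        if m:
            records.append((int(m.group(3)), m.group(4).lower()))
    return sorted(records)


def duplicate_hosts(dig_output):
    """Hosts that appear at more than one preference (ns1 at 5 and 9 above)."""
    prefs = {}
    for pref, host in parse_mx(dig_output):
        prefs.setdefault(host, []).append(pref)
    return {h: p for h, p in prefs.items() if len(p) > 1}


def probe_port25(host, timeout=5.0):
    """Real probe: can a TCP connection to host:25 be opened? Not used offline."""
    try:
        with socket.create_connection((host, 25), timeout=timeout):
            return True
    except OSError:
        return False


def delivery_plan(dig_output, can_connect=probe_port25):
    """Walk the MX list in preference order; can_connect is injectable so the
    result can be computed without touching the network."""
    return [(pref, host, bool(can_connect(host))) for pref, host in parse_mx(dig_output)]


def first_working(plan):
    """The host that will actually receive the mail, or None if every MX refuses."""
    for _pref, host, ok in plan:
        if ok:
            return host
    return None


if __name__ == "__main__":
    # Offline stand-in for the thread's observation: ns1 refuses; that smtp
    # answers is an assumption, the thread only shows ns1 failing.
    plan = delivery_plan(SAMPLE_DIG, lambda h: h == "smtp.samba.org")
    for pref, host, ok in plan:
        print(f"MX {pref:>2} {host:20} port 25: {'open' if ok else 'refused/unreachable'}")
    print("duplicates:", duplicate_hosts(SAMPLE_DIG))
    print("mail will land on:", first_working(plan))
```

The point the ordering makes is marc's: a dead host at the lowest preference value costs every sender a failed connection (and a retry delay) before the working MX is reached, which is exactly the kind of repeated temporary failure that a list's bounce processing can count against a subscriber.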
Re: [DNG] excessive bounces
On Fri January 4 2019 13:31:59 Rick Moen wrote:
> As I've mentioned upthread, I am a (friendly) _outsider_ to Dyne.org, who
> runs and administers Mailman and MTAs elsewhere -- and as such have no
> access to Dyne's MTA and MLM logs (nor samba.org's MTA logs). The best
> help I could think of to give Rowland was to strongly suggest that he
> contact the sysadmin teams (not the listadmns) of the hosts involved.

TTBOMK bounce notifications, if they happen, happen immediately following a bounce. Assuming Rowland has received one or more bounce notifications from Mailman he can "ssh in and read the relevant logs" for a short period of time leading up to each bounce notification, as there should be at least one bounce during that time period.

--Mike
Re: [DNG] excessive bounces
I've been running mail servers and mailing lists for more than two decades.

Rick, if you can give Rowland specific times (+timezone) of some bounces that would assist Rowland's admins in finding the actual reason for the bounces in his mail server's logs.

--Mike
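An added example, not from the thread: the log-reading step the two posts above describe (take each bounce notification's time, with its timezone, and look at the short window of MTA log before it). Given a bounce time carrying its own zone and the zone the MTA logs in, it pulls the lines in the preceding window, picks out the deferred and bounced deliveries, and collects the queue IDs to follow through the rest of the log. The log lines, hosts, addresses, queue IDs and the Pacific-time bounce in demo() are all constructed; the only things you would set for real are the year (syslog stamps carry none) and the log's timezone.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample MTA log in syslog shape; hosts, IPs and queue IDs are made up.
SAMPLE_LOG = """\
Jan  4 21:20:01 mx1 postfix/smtp[1234]: ABC123: to=<rowland@example.org>, relay=ns1.samba.org[192.0.2.5]:25, delay=0.3, status=deferred (connect to ns1.samba.org[192.0.2.5]:25: Connection refused)
Jan  4 21:25:14 mx1 postfix/smtp[1240]: ABC123: to=<rowland@example.org>, relay=smtp.samba.org[192.0.2.10]:25, delay=314, status=bounced (host smtp.samba.org[192.0.2.10] said: 550 5.1.1 User unknown)
Jan  4 21:26:40 mx1 postfix/bounce[1250]: ABC123: sender non-delivery notification: DEF456
Jan  4 22:10:00 mx1 postfix/smtp[1300]: XYZ789: to=<other@example.net>, relay=mail.example.net[192.0.2.20]:25, delay=0.5, status=sent (250 OK)
"""

_SYSLOG = re.compile(r"^([A-Z][a-z]{2}) +(\d{1,2}) (\d{2}):(\d{2}):(\d{2}) ")
_MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}


def parse_syslog_time(line, year, log_tz):
    """Syslog stamps carry no year and no zone; both must come from the caller."""
    m = _SYSLOG.match(line)
    if not m:
        return None
    mon, day, hh, mm, ss = m.groups()
    return datetime(year, _MONTHS[mon], int(day), int(hh), int(mm), int(ss), tzinfo=log_tz)


def lines_before(log_text, bounce_time, window_minutes=10, year=2019, log_tz=timezone.utc):
    """Log lines stamped within window_minutes before bounce_time (inclusive)."""
    if bounce_time.tzinfo is None:
        raise ValueError("bounce_time needs a timezone or the window lands in the wrong hour")
    start = bounce_time - timedelta(minutes=window_minutes)
    hits = []
    for line in log_text.splitlines():
        t = parse_syslog_time(line, year, log_tz)
        if t is not None and start <= t <= bounce_time:
            hits.append(line)
    return hits


def delivery_failures(lines):
    return [l for l in lines if re.search(r"status=(bounced|deferred)", l)]


def queue_ids(lines):
    """Queue IDs to grep for across the whole log once a failure is spotted."""
    ids = set()
    for line in lines:
        m = re.search(r"\]: ([0-9A-F]{6,}): ", line)
        if m:
            ids.add(m.group(1))
    return sorted(ids)


def demo():
    """Bounce reported at 13:31 Pacific (UTC-8) on 2019-01-04; the log is in UTC,
    so the window is 21:21 to 21:31 UTC and the 21:20:01 deferral falls outside it."""
    bounce = datetime(2019, 1, 4, 13, 31, tzinfo=timezone(timedelta(hours=-8)))
    hits = lines_before(SAMPLE_LOG, bounce)
    return hits, delivery_failures(hits), queue_ids(hits)


if __name__ == "__main__":
    hits, failures, ids = demo()
    print("lines in window:", len(hits))
    for line in failures:
        print("failure:", line)
    print("queue ids to follow:", ids)
```

The timezone check is the part that matters in practice: a bounce time reported without a zone, matched against a log kept in UTC, puts the window hours away from the event and finds nothing, which is why the post asks for "+timezone".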
Re: [DNG] Well, this is interesting
On Sun October 28 2018 14:42:21 Steve Litt wrote:
> On Sun, 28 Oct 2018 20:58:47 +
> Rowland Penny wrote:
> > IBM is buying Red Hat.
> >
> > https://www.bloomberg.com/news/articles/2018-10-28/ibm-is-said-to-near-deal-to-acquire-software-maker-red-hat
> >
> > Rowland
>
> To anyone who was in the business when MTV was new, this is scary as
> hell.
>
> SteveT

SystemD going the way of OS/2 could bring some sanity back to F/LOSS.

--Mike