[svlug] kernel.org breach, four years later

Rick Moen rick at linuxmafia.com
Thu Nov 19 17:53:22 PST 2015

Posting with permission.  (Publication date of tomorrow is because 
the author's in Australia.  Views expressed are the author's, except
where he quotes yr. humble servant.) 


How were Linux kernel servers rooted four years ago?
by Sam Varghese
20 November 2015

On August 28, 2011, the servers of the Linux kernel project were
breached[1], a fact that was discovered only 17 days later.[2] News of
this leaked out in September and it became known that the intrusion had
been effected by stealing some user's credentials.  But how this
intrusion was elevated to root status was never revealed.  Indeed, four
years and three months later, we still don't know.

The last time the issue was raised in a technology publication was in
September 2013 [3], when Dan Goodin wrote a piece for Ars Technica
asking the same questions that have been asked over and over again: how
did this hack happen?

More recently, on November 11, Rick Moen, a senior systems administrator
from California and one who has been around the FOSS community for ages,
raised the issue[4] on the forums of the Linux Weekly News website.

Moen made his comments as part of the feedback[5] to an article about
the Washington Post's take on Linux security.

He pointed out that shortly after the compromise on August 28, 2011, a
notice had been put up on the kernel.org site promising a report on the
incident in the future. This notice was removed in May 2013.  Moen added
that in sharp contrast, when the servers of the Debian GNU/Linux project
were broken into in 2007, developer Wichert Akkerman posted what he
(Moen) described as "an excellent report"[6] about what had happened.
Moen added that when the servers of the Apache web server were
compromised, the Apache Foundation did not hold back on detailing[7]
what had taken place.

And when the Debian project released a version of OpenSSL with a serious
vulnerability unwittingly created by one of its own developers, it made
no bones about it and made a full public confession.[8]

The Linux kernel project seems to have its own rules and does not seem
to care about letting the public in on what happens when intrusions take

I have asked senior kernel developer Greg Kroah-Hartman many times about
a detailed explanation but I finally gave up.

A few days back, I wrote to the Linux Foundation which funds the kernel
project asking if any details of the hack could be provided. All I got
was a reply from staffer Jennifer Cloer with nothing in it. This was
promptly pointed out but there has been no response.

The kernel project came under some fire in the Washington Post
recently[9] for the security of its code. It looks like the same
mentality prevails among those who are responsible for keeping it safe
from crackers.

[1] http://www.itwire.com/opinion-and-analysis/open-sauce/49508-linux-kernel-project-servers-compromised
[2] http://www.itwire.com/opinion-and-analysis/open-sauce/49543-kernelorg-breach-does-not-reflect-well-on-admins
[3] http://arstechnica.com/security/2013/09/who-rooted-kernel-org-servers-two-years-ago-how-did-it-happen-and-why/
[4] http://lwn.net/Articles/664123/
[5] http://lwn.net/Articles/663474/#Comments
[6] https://web.archive.org/web/20120223021041/http://www.wiggy.net/debian/explanation/
[7] http://www.theregister.co.uk/2010/04/13/apache_website_breach_postmortem/
[8] http://www.itwire.com/opinion-and-analysis/open-sauce/18376-debians-worst-nightmare-and-how-it-came-about
[9] http://www.itwire.com/opinion-and-analysis/open-sauce/70263-linux-security-circling-the-wagons

Sam Varghese

A professional journalist with decades of experience, Sam for nine years
used DOS and then Windows, which led him to start experimenting with
GNU/Linux in 1998. Since then he has written widely about the use of
both free and open source software, and the people behind the code. His
personal blog is titled Irregular Expression.
