[svlug] kernel.org breach, four years later

Chaiken, Alison alison at she-devel.com
Fri Nov 20 16:11:30 PST 2015


Karen Schaeffer writes:
> One interesting detail
> is that the kernel source code itself was not cracked. The source code
> distribution system was compromised as you aptly document. Linus Torvalds holds
> the gold copy of the kernel source code tree, and he keeps it air-gapped. And
> he uses git hash codes to verify the integrity of the source code against his
> golden copy.

There is no need for air-gap security when source code is managed with 
git. The reason is that all up-to-date copies of a git repository are 
identical, and all patches submitted to the kernel are signed with the 
developer's cryptographic key, as well as, usually, with the keys of the 
maintainer who merged the patch. Thus copies of a git repository are 
verifiably correct and there is no need for special safeguards. That 
is part of the beauty of git, and yes, I really do think git is 
beautiful in its economy and design (if not its UI).

The hitch is that very often a developer has a 'dirty' working directory 
that includes changes that are not committed to his/her local 
repository. These changes are not in any way safeguarded. In 
addition, a developer who has committed locally but not pushed changes 
to any remote will suffer loss should the local storage medium be lost. 
Undoubtedly Linus does not keep his local development repository at 
kernel.org. There is no reason to do so: that is the point.

> Bottom line, folks were downloading distributed kernel software from a
> compromised server for 17 days. Ouch!

There was little potential for harm, as outlined above.   Anyone working 
on the project (and I do mean *anyone*) could easily determine if the 
repository was compromised.   An intellectually ambitious perpetrator 
could merge his/her own patches into kernel.org's tree, but he/she would 
have no way of signing them with a maintainer private key.

Note that bitcoin and other digital currencies employ distribution and 
verification mechanisms similar to git.   While the history of digital 
currencies has shown that these mechanisms can be hacked, doing so 
requires tremendous sophistication.

None of this is to say that the kernel.org breach may not have been 
serious.  Certainly if people's private keys were compromised, that 
could potentially cause problems.   Plus, the server may have held other 
sensitive information.

By the way, Rick, good work holding Linux Foundation's feet to the fire.

Best wishes,
Alison

---
Alison Chaiken                      alison at she-devel.com, 650-279-5600
http://{ she-devel.com, exerciseforthereader.org }
"There is expressive potential in not being together." -- Mark Volkert,
Assistant Concertmaster, San Francisco Symphony
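
The hash chaining behind the point that copies of a git repository can be checked against one another, as an added example that is not part of the original message: it computes git-style object ids over a constructed three-commit history (file names, contents and author identity are made up) and compares tip ids. It models only content hashes for a flat tree of regular files, not signatures.

```python
import hashlib

def git_object_id(obj_type, body):
    """Object id as git computes it: SHA-1 over '<type> <size>\\0<body>'."""
    header = f"{obj_type} {len(body)}".encode() + b"\x00"
    return hashlib.sha1(header + body).hexdigest()

def tree_id(files):
    """Id of a flat tree of regular files; files maps ASCII name -> bytes."""
    body = b""
    for name in sorted(files):
        blob = bytes.fromhex(git_object_id("blob", files[name]))
        body += b"100644 " + name.encode() + b"\x00" + blob
    return git_object_id("tree", body)

def commit_id(tree, parent, message):
    """Id of a commit that names its tree and (optionally) its parent."""
    who = "Example Dev <dev@example.invalid> 1448064690 -0800"  # constructed
    lines = [f"tree {tree}"]
    if parent:
        lines.append(f"parent {parent}")
    lines += [f"author {who}", f"committer {who}", "", message]
    return git_object_id("commit", ("\n".join(lines) + "\n").encode())

def tip_of(history):
    """Walk snapshots oldest-first and return the id of the newest commit."""
    parent = None
    for files, message in history:
        parent = commit_id(tree_id(files), parent, message)
    return parent

# Constructed three-commit history standing in for a trusted clone.
TRUSTED = [
    ({"Makefile": b"VERSION = 1\n"}, "initial import"),
    ({"Makefile": b"VERSION = 1\n", "main.c": b"int main(void) { return 0; }\n"}, "add main.c"),
    ({"Makefile": b"VERSION = 2\n", "main.c": b"int main(void) { return 0; }\n"}, "bump version"),
]

def tamper_oldest(history):
    """Copy the history, altering one file in the oldest snapshot only."""
    copy = [(dict(files), msg) for files, msg in history]
    copy[0][0]["Makefile"] = b"VERSION = 1 # altered on server\n"
    return copy

def mirror_matches(trusted, mirror):
    """A mirror is intact only if its tip id equals the trusted tip id."""
    return tip_of(trusted) == tip_of(mirror)

if __name__ == "__main__":
    print("identical copy:", mirror_matches(TRUSTED, list(TRUSTED)))
    print("tampered copy :", mirror_matches(TRUSTED, tamper_oldest(TRUSTED)))
```

The tampered copy's newest tree is byte-for-byte the same as the trusted one, yet its tip id differs, because each commit id covers the id of its parent.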



