[svlug] kernel.org breach, four years later

Rick Moen rick at linuxmafia.com
Sun Nov 22 08:50:30 PST 2015

grsecurity's Brad Spengler has commented on my analysis on LWN.net, and
says in effect the claim quoted by _The Register's_ Dan Goodin citing
'two security researchers who were briefed on the breach' and 'Fellow
security researcher Dan Rosenberg [who] said he was also briefed that the
attackers used Phalanx to compromise the kernel.org machines' was wrong
-- and this was not the means used to compromise the kernel.org machines
back in 2011.  Brad says the Phalanx README actually says merely,
despite scathing comments about kernel security, that the /dev/mem of
contemporary 2.6 kernels could be used to read/modify any physical
memory if they gained root through other means.  (Which makes sense; 
it's what one expects of standard rootkits, as I was saying before.)  In
which case, the public still doesn't know how the intruders escalated to

The rest of what I said remains:  

There was no justification for leaving the compromised systems running
for multiple days after determining they were operating under hostile
control.  It's grossly negligent to not account to the public for the
integrity of the hosted kernel source tarballs.  (Downloaders deserved
to know whether they'd downloaded sabotaged kernel trees.)  Days of
delay before telling the public isn't very impressive either, nor was 
promising a report and then dropping that commitment and no-commenting
the subject.

Cheers,                           (morganj): 0 is false and 1 is true, correct?
Rick Moen                         (alec_eso): 1, morganj
rick at linuxmafia.com               (morganj): bastard.
McQ! (4x80)                                     -- seen on IRC
