[svlug] kernel.org breach, four years later
cdibona at gmail.com
Sun Nov 22 09:44:22 PST 2015
You're absolutely right, of course. I was surprised that there was no post
mortem published. It's not mine to do, mind you, as I know only the
highlights. I suspect that John Hawley having left leaves only a few people
who would know enough to write the details down cogently.
Maybe ask Ted Ts'o? Or HPA?
On Nov 22, 2015 8:50 AM, "Rick Moen" <rick at linuxmafia.com> wrote:
> grsecurity's Brad Spengler has commented on my analysis on LWN.net, and
> says in effect the claim quoted by _The Register's_ Dan Goodin citing
> 'two security researchers who were briefed on the breach' and 'Fellow
> security researcher Dan Rosenberg [who] said he was also briefed that the
> attackers used Phalanx to compromise the kernel.org machines' was wrong
> -- and this was not the means used to compromise the kernel.org machines
> back in 2011. Brad says the Phalanx README actually says merely,
> despite scathing comments about kernel security, that the /dev/mem of
> contemporary 2.6 kernels could be used to read/modify any physical
> memory if they gained root through other means. (Which makes sense;
> it's what one expects of standard rootkits, as I was saying before.) In
> which case, the public still doesn't know how the intruders escalated to
> The rest of what I said remains:
> There was no justification for leaving the compromised systems running
> for multiple days after determining they were operating under hostile
> control. It's grossly negligent to not account to the public for the
> integrity of the hosted kernel source tarballs. (Downloaders deserved
> to know whether they'd downloaded sabotaged kernel trees.) Days of
> delay before telling the public isn't very impressive either, nor was
> promising a report and then dropping that commitment and no-commenting
> the subject.
> Cheers, (morganj): 0 is false and 1 is true,
> Rick Moen (alec_eso): 1, morganj
> rick at linuxmafia.com (morganj): bastard.
> McQ! (4x80) -- seen on IRC