[svlug] kernel.org breach, four years later

Chris DiBona cdibona at gmail.com
Sun Nov 22 09:44:22 PST 2015


You're absolutely right, of course. I was surprised that there was no post
mortem published. It's not mine to do, mind you, as I know only the
highlights. I suspect that John Hawley having left leaves only a few people
who would know enough to write the details down cogently.

Maybe ask Ted T'so? Or HPA?
On Nov 22, 2015 8:50 AM, "Rick Moen" <rick at linuxmafia.com> wrote:

> grsecurity's Brad Spengler has commented on my analysis on LWN.net, and
> says in effect the claim quoted by _The Register's_ Dan Goodin citing
> 'two security researchers who were briefed on the breach' and 'Fellow
> security researcher Dan Rosenberg [who] said he was also briefed that the
> attackers used Phalanx to compromise the kernel.org machines' was wrong
> -- and this was not the means used to compromise the kernel.org machines
> back in 2011.  Brad says the Phalanx README actually says merely,
> despite scathing comments about kernel security, that the /dev/mem of
> contemporary 2.6 kernels could be used to read/modify any physical
> memory if they gained root through other means.  (Which makes sense;
> it's what one expects of standard rootkits, as I was saying before.)  In
> which case, the public still doesn't know how the intruders escalated to
> root.
>
> The rest of what I said remains:
>
> There was no justification for leaving the compromised systems running
> for multiple days after determining they were operating under hostile
> control.  It's grossly negligent to not account to the public for the
> integrity of the hosted kernel source tarballs.  (Downloaders deserved
> to know whether they'd downloaded sabotaged kernel trees.)  Days of
> delay before telling the public isn't very impressive either, nor was
> promising a report and then dropping that commitment and no-commenting
> the subject.
>
> --
> Cheers,                           (morganj): 0 is false and 1 is true,
> correct?
> Rick Moen                         (alec_eso): 1, morganj
> rick at linuxmafia.com               (morganj): bastard.
> McQ! (4x80)                                     -- seen on IRC
>
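The complaint above about nobody accounting for the integrity of the hosted kernel tarballs has a practical counterpart on the downloader's side: checking every fetched archive against a trusted digest manifest. The script below is an added example written for this page, not code from kernel.org or from anyone in the thread. It assumes a sha256sums-style manifest (`<hex digest>  <filename>` per line) whose authenticity has already been established separately, for instance by a signature check; the filenames and "tarball" contents it uses are constructed sample data, and the third entry deliberately points at a file that is not present.

```python
"""Verify downloaded archives against a trusted sha256sums-style manifest.

Added example for this thread (not kernel.org code). The manifest format is
assumed to be '<64-hex-digit sha256>  <filename>' per line; the manifest must
come from a trusted, separately authenticated source, otherwise a tampered
archive could simply ship with a matching tampered digest.
"""
import hashlib
import hmac
import os
import tempfile


def parse_manifest(text):
    """Return {filename: lowercase hex sha256} from manifest text."""
    expected = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"malformed manifest line: {raw!r}")
        digest, name = parts
        expected[name] = digest.lower()
    return expected


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large tarballs need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_downloads(manifest_text, directory):
    """Check every manifest entry in `directory`; returns {name: status}.

    Status is "ok", "MISMATCH" (content differs from manifest) or "missing"
    (listed in manifest but not on disk). Comparison uses a constant-time
    equality check out of habit, though the digests here are not secrets.
    """
    expected = parse_manifest(manifest_text)
    results = {}
    for name, digest in expected.items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "missing"
            continue
        actual = sha256_file(path)
        results[name] = "ok" if hmac.compare_digest(actual, digest) else "MISMATCH"
    return results


def demo():
    """Constructed scenario: one intact file, one altered after the manifest
    was produced, and one entry with no file on disk."""
    good = b"constructed tarball contents A\n"
    original_b = b"constructed tarball contents B\n"
    tampered_b = original_b + b"# injected after the manifest was published\n"
    manifest = (
        f"{hashlib.sha256(good).hexdigest()}  linux-a.tar.xz\n"
        "# comment lines are ignored\n"
        f"{hashlib.sha256(original_b).hexdigest()}  linux-b.tar.xz\n"
        f"{'0' * 64}  linux-c.tar.xz\n"
    )
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "linux-a.tar.xz"), "wb") as f:
            f.write(good)
        with open(os.path.join(d, "linux-b.tar.xz"), "wb") as f:
            f.write(tampered_b)
        return verify_downloads(manifest, d)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:9s} {name}")
```

Running it prints one line per manifest entry; anything other than `ok` means the archive should not be unpacked. The check is only as strong as the manifest's provenance, which is exactly the gap the thread complains about: without a published account of which hosted files were or were not touched, a downloader has nothing trustworthy to compare against.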