This story was originally published on Sept. 12, 2011, and is brought to you today as part of our Best of ECT News series.
Security scares are so commonplace in the tech industry today that it’s virtually impossible to keep track of them all. Security scares in the Linux world, however, are still rare enough as to cause at least a small collective gasp of consternation.
That, indeed, is just what happened recently when it was discovered that the Kernel.org site had been breached last month.
“Earlier this month, a number of servers in the kernel.org infrastructure were compromised,” read the note that was later posted on Kernel.org. “We discovered this August 28th. While we currently believe that the source code repositories were unaffected, we are in the process of verifying this and taking steps to enhance security across the kernel.org infrastructure.”
It’s since become pretty clear that the site’s source code repositories remained intact, thanks largely to Linus Torvalds’ Git distributed revision control system. Nevertheless, Torvalds himself last week temporarily moved Linux development to GitHub, and Linux fans around the globe are still shaking off the slight chill that resulted from the scare.
Not a Huge Deal
“Seriously people, this is big,” wrote Mensa Babe on one of several Slashdot threads on the topic. “I really mean totally freaking big. Thanks to the open source nature of the kernel it is trivial to add a rootkit and make a new tarball. If the attackers were worth their salt then they should do exactly that.”
On the other hand, “this security breach is not that big a deal,” countered bzipitidoo. “Yes, it is embarrassing for kernel.org, but the damage is not that great. Sure, we’d all like to prevent security breaches from ever happening in the first place, but I have always thought detection and recovery is more important than prevention. Kernel.org has that covered in spades.”
Indeed, according to another Slashdot post, the kernel attackers apparently didn’t even really “know what they had.”
Whatever the case, however, discussion of the event has extended to blogs and forums around the globe; Linux Girl’s Quick Quotes Quill has never been so tired.
Not the End of the Linux World
“Cause for concern? Yes, but there’s no reason to believe that kernel sources were compromised; such a change would be easily detected with diff,” Hyperlogos blogger Martin Espinoza asserted, for example.
“I’d sure like someone to show me a 100 percent secure, internet-connected computer…,” Espinoza added.
Similarly, “of course this is a serious concern but it’s not the end of Linux by any means,” agreed blogger Robert Pogson.
“I expect procedures on the servers will be tightened up to prevent/detect a recurrence,” Pogson added. “Sometimes it takes a failure to provoke positive changes.”
Meanwhile, “the ability of Linus to switch to GitHub running software that he wrote shows the tremendous adaptability of FLOSS,” Pogson said.
Barbara Hudson, a blogger on Slashdot who goes by “Tom” on the site, took a similar view.
“A developer’s remote machine co-located on the same network was compromised, their password sniffed, and used to do some monkey business on the kernel servers,” Hudson told Linux Girl. “In the end, it looks like no permanent damage was done, and that the existing people, procedures and infrastructure are robust enough to recover cleanly.”
In fact, “this should improve, not reduce, confidence in the Linux development process,” Hudson opined.
While some are “using the occasion to go into histrionics by characterizing this as a ‘surprising failure,’ it’s not surprising,” Hudson added. “It’s the nature of networks, and especially of the Internet.”
The fact is that “all security is a balancing act, not an absolute,” she explained. “The only way to completely avoid these sorts of things is to implement so many security measures that nothing else ever gets done.
“Or unplug the computers … which defeats the whole purpose of using computers in the first place, unless you like owning an expensive doorstop,” Hudson concluded.
“Perfect security is impossible,” agreed Chris Travers, a Slashdot blogger who works on the LedgerSMB project. “A determined attacker who is knowledgeable and capable cannot be stopped by any sorts of defenses.”
Security, then, “is about risk management, not about preventing all conceivable attacks,” Travers explained. “The fact that this has happened is a big deal but it is also to some extent something that will happen from time to time. The downloads need to be checked, etc., and this may be ongoing.”
Ultimately, “what is important here is that there are layered defenses against the source code repos themselves being tampered with,” he added. “Linux has good multilayered defenses here, and so this is not a major issue for Git-based projects.
“So, without knowing more, I don’t see a reason to be concerned at present,” Travers concluded.
The Time Factor
“There is NO SUCH THING as a perfectly secured site, period,” echoed Slashdot blogger hairyfeet. “If you can get to it from the net it can be hacked; the only question is how much time will it take and will the admins notice the attempt before they get in.”
The past year, in fact, has seen attacks on organizations “from governments to security firms,” hairyfeet noted, so “what makes the kernel guys any better? Linux isn’t magical, it is an OS. All OSes are extremely complex and nobody knows every inch of them.”
The bottom line, then, is that “it all comes down to time, what software they are running, and a little luck,” hairyfeet concluded. “It doesn’t make them bad, or make the OS lousy, it is just a flaw, flaws get fixed. I’m sure they minimized the damage and restored from a good backup as is sound security practice.”