To trust or not to trust Red Hat, that is the question

I like Linux. I like Red Hat and Fedora Linux. I use them every day. What I don't like, though, is not knowing what's what with the recent security break-in into the RHEL (Red Hat Enterprise Linux) and Fedora file servers.

What happened, we're told by Paul W. Frields, the Fedora project leader, "some Fedora servers were illegally accessed" during the week of August 11th. OK, fair enough, Web servers are broken into all the time. Frields then added, "The intrusion into the servers was quickly discovered, and the servers were taken offline." OK, that's what they should have done, but then things get more interesting.

As a result of the Fedora break-in, Red Hat checked into its RHEL servers and, Frields wrote, "Detected an intrusion of certain of its computer systems and has issued a communication to Red Hat Enterprise Linux users." Excuse me, your people found out that your community Linux servers had been compromised before they found out that there were problems with the business Linux servers?

In a critical Red Hat security advisory, Red Hat security team, wrote, "While the investigation into the intrusion is on-going, our initial focus was to review and test the distribution channel we use with our customers, Red Hat Network (RHN) and its associated security measures. Based on these efforts, we remain highly confident that our systems and processes prevented the intrusion from compromising RHN or the content distributed via RHN and accordingly believe that customers who keep their systems updated using Red Hat Network are not at risk. We are issuing this alert primarily for those who may obtain Red Hat binary packages via channels other than those of official Red Hat subscribers."

But, the "intruder was able to sign a small number of OpenSSH packages relating only to Red Hat Enterprise Linux 4 (i386 and x86_64 architectures only) and Red Hat Enterprise Linux 5 (x86_64 architecture only)." OpenSSH, for those of you who aren't administrators or remote users, is an extremely important secure remote connectivity Linux/Unix program. If you use OpenSSH with a known signature, a hacker who knows the signature can easily pick your network locks and gain access to your systems. In other words: Not Good.

Now, Red Hat has issued a way to detect OpenSSH files that have been tampered with. In addition, Red Hat has issued fixed OpenSSH files. There is no evidence, wrote Frields, that any Fedora was compromised, but to stay on the safe side, "we have decided to convert to new Fedora signing keys."
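Red Hat's own detection script is not reproduced on this page, so the following is an added example (not Red Hat's code) of the kind of check an administrator would run: it parses the output of `rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH} %{SIGPGP:pgpsig}\n'` and flags installed packages that are unsigned, signed by a key you don't trust, or named on a vendor denylist of tampered builds. The sample output, the key IDs and the denylist entries are constructed placeholders, not values from the advisory.

```python
import re

# Constructed sample in the shape of
#   rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH} %{SIGPGP:pgpsig}\n'
# Package versions, dates and key IDs are made up for this example.
SAMPLE_RPM_OUTPUT = """\
openssh-4.3p2-26.el5.x86_64 DSA/SHA1, Tue 12 Aug 2008 03:11:40 PM UTC, Key ID 00000000aaaaaaaa
openssh-server-4.3p2-26.el5.x86_64 DSA/SHA1, Tue 12 Aug 2008 03:11:40 PM UTC, Key ID 00000000aaaaaaaa
openssh-clients-4.3p2-26.el5.x86_64 DSA/SHA1, Thu 14 Aug 2008 09:02:13 AM UTC, Key ID 00000000bbbbbbbb
openssh-askpass-4.3p2-26.el5.x86_64 (none)
bash-3.2-21.el5.x86_64 DSA/SHA1, Mon 04 Feb 2008 11:20:01 AM UTC, Key ID 00000000aaaaaaaa
"""

# Placeholder for the vendor key ID(s) your hosts are supposed to trust; on a
# known-good host they come from `rpm -q gpg-pubkey --qf '%{SUMMARY}\n'`.
TRUSTED_KEY_IDS = {"00000000aaaaaaaa"}

# Placeholder denylist of package builds the vendor says were signed by the
# intruder. A valid signature from the right key does NOT clear these, which is
# why a signature check alone is not enough for the incident described above.
KNOWN_TAMPERED = {"openssh-server-4.3p2-26.el5.x86_64"}

# rpm renders the signer as "..., Key ID <hex>" at the end of the field.
SIG_RE = re.compile(r"Key ID ([0-9a-fA-F]{8,16})\s*$")


def parse_rpm_line(line):
    """Split one rpm output line into (package, key_id); key_id is None if unsigned."""
    package, _, sig = line.strip().partition(" ")
    if sig == "(none)" or not sig:
        return package, None
    m = SIG_RE.search(sig)
    if m is None:
        raise ValueError(f"unrecognised signature field: {sig!r}")
    return package, m.group(1).lower()


def audit_packages(rpm_output, trusted_key_ids=TRUSTED_KEY_IDS, known_tampered=KNOWN_TAMPERED):
    """Return (package, reason) findings in the order the packages appear."""
    findings = []
    for line in rpm_output.splitlines():
        if not line.strip():
            continue
        package, key_id = parse_rpm_line(line)
        if package in known_tampered:
            findings.append((package, "listed as tampered by vendor advisory"))
        elif key_id is None:
            findings.append((package, "package is not signed"))
        elif key_id not in trusted_key_ids:
            findings.append((package, f"signed by untrusted key {key_id}"))
    return findings


if __name__ == "__main__":
    for package, reason in audit_packages(SAMPLE_RPM_OUTPUT):
        print(f"{package}: {reason}")
```

The denylist branch is checked first on purpose: in this incident the bad packages carried a genuine Red Hat signature, so only the vendor's list of affected builds (or a new signing key, as Fedora chose) distinguishes them from good ones.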

OK, so Fedora and Red Hat have done most of the right stuff. What they haven't done, though -- and I've asked -- is explain how the servers were broken into in the first place. That bugs me.

I hammer on proprietary software companies, like VMware and Microsoft, when their systems blow up, so I can't just ignore this situation with Red Hat. So, while I'm very pleased that Red Hat is patching any possibly violated files, I still would like to know 1) how the sites were breached in the first place and 2) what steps Red Hat will be taking to make sure it doesn't happen again.

This isn't too much to ask for. After all, it's exactly what I ask of proprietary vendors when they blow it. To fully trust Red Hat, I'd really like answers to my questions.

What People Are Saying

Disgust

If it were Microsoft, most likely you wouldn't even know any of its servers have been compromised.

There are no absolutely secure [generic purpose sophisticated enough] OSes and if you are pro open source then you have to understand that external access has to be granted to Fedora infrastructure servers.

And I'm sure that the signing process will be changed in order to prevent such a gaffe in the future.

Attacks

And remember the Linux Mint site was hacked just days ago. It smells bad... smells like a sneaky campaign by one of the usual suspects...

"OK, so Fedora and Red Hat

"OK, so Fedora and Red Hat have done most of the right stuff. What they haven't done, though, and I've asked is explain how the servers were broken into in the first place. That bugs me."

Have you noted that the announcement says this is an ongoing investigation and more details will be provided later? You don't want anyone giving out wrong information. So why not just wait?

why not ?

Because the more pressure we (you, me, and anyone else who cares) put on RH through the press and newsgroups, the sooner the whole story will come out.
Even if the story makes RH look "bad" - corrupt employees, lax auditing, or unpatched security holes, or other ugly FACTS.
The truth, the whole truth and nothing but the truth.
Then we will decide to continue to use RH or go elsewhere.

horse manure!

Do you even WORK in IT?

The more pressure you put on the teams investigating this issue, the more likely you will be to get a mixed up, confused image of what has happened mixed with conjecture and of course an incomplete report.
Not to mention it will take LONGER to get the job done.

We tend to get hounded all the time at my workplace, and end up in the exact same situation.
Multiple stories, a lot of conjecture and the whole process taking longer as a result.

Sitting back and asking for status updates in a TIMELY fashion is much more productive.

Say hi to bubba

> Because the more pressure we (you, me, and anyone else who cares) put on RH through the press and newsgroups, the sooner the whole story will come out.
> Even if the story makes RH look "bad" - corrupt employees, lax auditing, or unpatched security holes, or other ugly FACTS.
> The truth, the whole truth and nothing but the truth.
> Then we will decide to continue to use RH or go elsewhere.

One reason Redhat may not be saying anything is that they're working with the Feds to track you and your script kiddy buddies down. Looks like you may soon be getting to know someone named Bubba really, really well....

We want info not FUD

And FUD could be a very real side effect of this sort of information, released prematurely.

While I fully agree that we are all better off knowing exactly what happened, I'd much rather wait for the info, until the evidence has been properly processed and the information can be trusted.

Also, there is no need to put extra pressure on these guys, when they have already indicated that details will follow. My view of this would have been a whole lot different, had they chosen to try to cover the mess up.

Instead of pressuring, I vote for giving them space to figure out what hit them and to prepare trustworthy info for the community.

/Thomas