Home | Blog | Software | Reviews and Features | Forum | Help | Donate | About us
topbanner_forum
  *

avatar image

Welcome, Guest. Please login or register.
Did you miss your activation email?

Login with username, password and session length
  • December 04, 2016, 02:20:48 PM
  • Proudly celebrating 10 years online.
  • Donate now to become a lifetime supporting member of the site and get a non-expiring license key for all of our programs.
  • donate

Author Topic: Fedora Code-Signing Server Breached  (Read 2402 times)

Ehtyar

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 1,237
    • View Profile
    • Donate to Member
Fedora Code-Signing Server Breached
« on: August 25, 2008, 07:53:19 PM »
Fedora has reported a break-in on several of their servers, one of which was used to sign software packages. However, it appears the passphrase used to protect the key was not discovered during the breach.
Quote
Last week we discovered that some Fedora servers were illegally accessed. The intrusion into the servers was quickly discovered, and the servers were taken offline.

Security specialists and administrators have been working since then to analyze the intrusion and the extent of the compromise as well as reinstall Fedora systems. We are using the requisite outages as an opportunity to do other upgrades for the sake of functionality as well as security. Work is ongoing, so please be patient. Anyone with pertinent information relating to this event is asked to contact fedora-legal redhat com

One of the compromised Fedora servers was a system used for signing Fedora packages. However, based on our efforts, we have high confidence that the intruder was not able to capture the passphrase used to secure the Fedora package signing key. Based on our review to date, the passphrase was not used during the time of the intrusion on the system and the passphrase is not stored on any of the Fedora servers.

Full Report

Ehtyar.

f0dder

  • Charter Honorary Member
  • Joined in 2005
  • ***
  • Posts: 9,029
  • [Well, THAT escalated quickly!]
    • View Profile
    • f0dder's place
    • Read more about this member.
    • Donate to Member
Re: Fedora Code-Signing Server Breached
« Reply #1 on: August 25, 2008, 08:13:17 PM »
"It appears" - that could mean the attackers have clouded their tracks. And even if the passphrase hasn't been snatched, there's other nasty-stuffTM that could have been done. Pretty nasty when stuff like this happens :o
- carpe noctem

Ehtyar

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 1,237
    • View Profile
    • Donate to Member
Re: Fedora Code-Signing Server Breached
« Reply #2 on: August 25, 2008, 08:19:41 PM »
"It appears" - that could mean the attackers have clouded their tracks. And even if the passphrase hasn't been snatched, there's other nasty-stuffTM that could have been done. Pretty nasty when stuff like this happens :o
Indeed f0d man, but had I not phrased it like that, I would have been shot down by anyone other than you for being alarmist :P

Ehtyar.

40hz

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 11,768
    • View Profile
    • Donate to Member
Re: Fedora Code-Signing Server Breached
« Reply #3 on: August 26, 2008, 02:13:51 PM »
Quote
Indeed f0d man, but had I not phrased it like that, I would have been shot down by anyone other than you for being alarmist tongue


Not at all. And I'm a Linux diehard.

It's both disturbing and oddly vindicating when something like this happens. It's disturbing for obvious reasons. It's vindicating in that it shows that Linux has reached a big enough installed base that it would make an action like this worth it to somebody.

I guess it's one more sign that NIX is coming of age.

"The wide world is all about you: you can fence yourselves in, but you cannot for ever fence it out."     
(Gildor to the hobbits in: The Lord of the Rings - Fellowship of the Ring)
« Last Edit: August 26, 2008, 02:15:58 PM by 40hz »