
Fedora Code-Signing Server Breached

Ehtyar:
Fedora has reported a break-in on several of their servers, one of which was used to sign software packages. However, it appears the passphrase used to protect the key was not discovered during the breach.
Last week we discovered that some Fedora servers were illegally accessed. The intrusion into the servers was quickly discovered, and the servers were taken offline.

Security specialists and administrators have been working since then to analyze the intrusion and the extent of the compromise as well as reinstall Fedora systems. We are using the requisite outages as an opportunity to do other upgrades for the sake of functionality as well as security. Work is ongoing, so please be patient. Anyone with pertinent information relating to this event is asked to contact fedora-legal redhat com

One of the compromised Fedora servers was a system used for signing Fedora packages. However, based on our efforts, we have high confidence that the intruder was not able to capture the passphrase used to secure the Fedora package signing key. Based on our review to date, the passphrase was not used during the time of the intrusion on the system and the passphrase is not stored on any of the Fedora servers.

--- End quote ---

Full Report

Ehtyar.

f0dder:
"It appears" - that could mean the attackers have clouded their tracks. And even if the passphrase hasn't been snatched, there's other nasty-stuff(TM) that could have been done. Pretty nasty when stuff like this happens :o

Ehtyar:
"It appears" - that could mean the attackers have clouded their tracks. And even if the passphrase hasn't been snatched, there's other nasty-stuff(TM) that could have been done. Pretty nasty when stuff like this happens :o
-f0dder (August 25, 2008, 08:13 PM)
--- End quote ---
Indeed f0d man, but had I not phrased it like that, I would have been shot down by anyone other than you for being alarmist :P

Ehtyar.

40hz:
Indeed f0d man, but had I not phrased it like that, I would have been shot down by anyone other than you for being alarmist :P
--- End quote ---


Not at all. And I'm a Linux diehard.

It's both disturbing and oddly vindicating when something like this happens. It's disturbing for obvious reasons. It's vindicating in that it shows that Linux has reached a big enough installed base that it would make an action like this worth it to somebody.

I guess it's one more sign that NIX is coming of age.

"The wide world is all about you: you can fence yourselves in, but you cannot for ever fence it out."     
(Gildor to the hobbits in: The Lord of the Rings - Fellowship of the Ring)
