whitenoise

technology notes… mobile and embedded.

Posts Tagged ‘kernel.org

Kernel.org has been hacked.

leave a comment »

On Aug31 kernel.org broke the news that many of its servers have been compromised by unknown attackers. They broke in using a compromised user account and installed a rootkit that was silently monitoring user activity among other things. The gory details are best described here

Youve_Been_HackedIt should be pretty embarrassing when when this happens around the 20th anniversary  of Linux.

But the hack has made us all know some very important details about the integrity of kernel source
and the resilience of git itself against such attack.

Resilient Git For each file in the git repository a cryptographically secure hash is generated and the hash uniquely identified the content of that file along with its history.  So any modification into an old commit WITHOUT changing the hash is very difficult.
So from a source code perspective we could be fairly sure that no change could be injected onto it. This blog post at the Linux foundation explains it well.

However Aside from Git, kernel.org also hosts the signatures and some key components used to sign the kernel drops.
See the post here to know how the signing works. If the intruder got the private key ,then he could modify source (outside of git) and make tar archives and sign it.

This may be the reason ALL archives and patches hosted in kernel.org has been pulled down .Even the AOSP project  has pulled down its link ((link: http://android.git.kernel.org/) to the source code .So for now it is advisable not to take any of the archives hosted in the server until we hear an update on this.

I expect that the private key is updated and a new public key is put up here .Only then it would be safe to download the new kernels.

Damage control:
  Swift action has been taken on this .The passwords of all the users of the kernel.org (448 of them) have been reset . The attacker accessed the kernel.org using the credentials of one of the user. While all of this is happening the kernel source has temporarily moved to GitHub.

In the end,this entire episode has let many lay users(like me ) to learn more about git’s integrity and some insight on how the entire kernel.org release happens. Also there is no need for us to  worry about the kernel source being compromised now or even in the foreseeable future.

Advertisements

Written by sujai

September 6, 2011 at 12:17 am

Posted in technology, Uncategorized

Tagged with , , , , ,

%d bloggers like this: