Thursday, September 1, 2011

The Cracking of

As has recently been announced on the main page, the main server (known as “hera”) was recently compromised by an unknown intruder. This person was able to gain “root” access, meaning they had the full run of the system. Speaking as just one of many members of the kernel development community, I can say that this episode is disturbing and embarrassing. But I can also say that there is no need to worry about the integrity of the kernel source or of any other software hosted on the systems.

is, of course, the home for the Linux kernel. Many other projects live there as well. On the face of it, that would make a tempting target for an attack. What self-respecting cracker wouldn’t want an opportunity to place some special code into the Linux kernel? Such code would, over time, find its way into millions of machines worldwide. The injection of backdoors or other malware is a concern for any software maintainer - open source or otherwise - but it turns out that we are well protected against that sort of attack.

If kernel developers worked by shipping simple files of source code around, they might well be vulnerable to malware added by an intruder. But that is not how kernel development is done. The code for the kernel (and for many other projects) is managed with the “git” source code management system. And git does not allow the code to be modified by third parties without people knowing about it. It’s worth taking a moment to look at how that works.

A cryptographic “hashing function” is a mathematical formula which boils the contents of a file down to a small number. “Small” is relative; git’s hash function produces 160-bit numbers, which are quite big by normal standards - it is roughly equal to the number of atoms in the Earth. The key to the hash function is that, if the contents of the file change, the hash will change too. Creating any new file matching the hash of an existing file is not really possible; if you want that new file to look like the old one with the exception of a bit of hostile code, the challenge is even bigger. So an attacker would be unable to change a file without changing its hash as well. Git checks hashes regularly, so a simplistic attempt to corrupt a file would be flagged almost immediately.

The hashing does not stop there.


The Linux Kernel Archives

Welcome to the Linux Kernel Archives. This is the primary site for the Linux kernel source, but it has much more than just Linux kernels.

Site News

  • Security breach on

    Earlier this month, a number of servers in the infrastructure were compromised. We discovered this August 28th. While we currently believe that the source code repositories were unaffected, we are in the process of verifying this and taking steps to enhance security across the infrastructure.

    What happened?

    • Intruders gained root access on the server Hera. We believe they may have gained this access via a compromised user credential; how they managed to exploit that to root access is currently unknown and is being investigated.
    • Files belonging to ssh (openssh, openssh-server and openssh-clients) were modified and running live.
    • A trojan startup file was added to the system start up scripts.
    • User interactions were logged, as well as some exploit code. We have retained this for now.
    • Trojan initially discovered due to the Xnest /dev/mem error message w/o Xnest installed; have been seen on other systems. It is unclear if systems that exhibit this message are susceptible, compromised or not. If developers see this, and you don't have Xnest installed, please investigate.
    • It *appears* that 3.1-rc2 might have blocked the exploit injector, we don't know if this is intentional or a side effect of another bugfix or change.

    What Has Been Done so far:

    • We have currently taken boxes off line to do a backup and are in the process of doing complete reinstalls.
    • We have notified authorities in the United States and in Europe to assist with the investigation.
    • We will be doing a full reinstall on all boxes on
    • We are in the process of doing an analysis on the code within git, and the tarballs to confirm that nothing has been modified.

    The Linux community and take the security of the domain extremely seriously, and are pursuing all avenues to investigate this attack and prevent future ones.

    However, it's also useful to note that the potential damage of cracking is far less than typical software repositories. That's because kernel development takes place using the git distributed revision control system, designed by Linus Torvalds. For each of the nearly 40,000 files in the Linux kernel, a cryptographically secure SHA-1 hash is calculated to uniquely define the exact contents of that file. Git is designed so that the name of each version of the kernel depends upon the complete development history leading up to that version. Once it is published, it is not possible to change the old versions without it being noticed.

    Those files and the corresponding hashes exist not just on the machine and its mirrors, but on the hard drives of each of several thousand kernel developers, distribution maintainers, and other users of Any tampering with any file in the repository would immediately be noticed by each developer as they updated their personal repository, which most do daily.

    We are currently working with the 448 users of to change their credentials and change their SSH keys.

    We are also currently auditing all security policies to make more secure, but are confident that our systems, specifically git, have excellent design to prevent real damage from these types of attacks.

  • On Aug 25, 2011 Happy 20th Birthday Linux!
    For everyone who doesn't know, on this day 20 years ago, a Helsinki Grad student named Linus declared he had a little hobby OS to share with everyone. That original e-mail can be found here.
    The rest, as they say, is history!

  • On June 8, 2011 starting at midnight UTC the Linux Kernel Archives will participate in World IPv6 Day; we will enable IPv6 on as many of our services as possible on that date. At that time the test address (see below) will be removed.

    Currently our e-mail is offline, due to the primary mail server being one of those infected.
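
The hash chaining described in both the article excerpt and the site news above, worked through as an added example (not code from either source): the Python below computes git-style SHA-1 object IDs for a constructed three-commit history and shows that altering a file in one published commit changes the ID of that commit and of every commit after it. File names, contents and the author identity are constructed, and only flat directories of regular files are modelled.

```python
import hashlib

def git_object_id(kind, body):
    """Name an object the way git does: SHA-1 of '<kind> <size>\\0' + body."""
    return hashlib.sha1(f"{kind} {len(body)}\0".encode() + body).hexdigest()

def tree_id(files):
    """Tree for a flat directory of regular files: {name: content bytes}."""
    body = b"".join(
        b"100644 " + name.encode() + b"\0"
        + bytes.fromhex(git_object_id("blob", files[name]))
        for name in sorted(files))
    return git_object_id("tree", body)

def commit_id(tree, parent, message):
    """A commit names its tree and its parent commit by their hashes."""
    who = "Example Dev <dev@example.invalid> 1314835200 +0000"  # constructed
    lines = ["tree " + tree] + (["parent " + parent] if parent else [])
    lines += ["author " + who, "committer " + who, "", message, ""]
    return git_object_id("commit", "\n".join(lines).encode())

def history_ids(snapshots):
    """Commit IDs for a linear history of (files, message) snapshots."""
    ids, parent = [], None
    for files, message in snapshots:
        parent = commit_id(tree_id(files), parent, message)
        ids.append(parent)
    return ids

def first_divergence(trusted, served):
    """Index of the first commit whose ID differs, or None if all match."""
    for i, (a, b) in enumerate(zip(trusted, served)):
        if a != b:
            return i
    return None

# Constructed sample history: three commits to a two-file project.
V1 = {"Makefile": b"all:\n\tcc main.c\n", "main.c": b"int main(){return 0;}\n"}
V2 = dict(V1, **{"main.c": b"int main(){return 1;}\n"})
V3 = dict(V2, README=b"docs\n")
CLEAN = [(V1, "initial"), (V2, "change exit code"), (V3, "add README")]
# Same history, but commit 2's file was altered on the server after publication.
BAD2 = dict(V2, **{"main.c": b"int main(){return 1;}/* altered */\n"})
TAMPERED = [(V1, "initial"), (BAD2, "change exit code"), (V3, "add README")]

if __name__ == "__main__":
    local, served = history_ids(CLEAN), history_ids(TAMPERED)
    for i, (a, b) in enumerate(zip(local, served)):
        print(i, a[:12], b[:12], "ok" if a == b else "MISMATCH")
    print("first divergence at commit", first_divergence(local, served))
```

The third snapshot's files are identical in both histories, yet its commit ID still differs because it names the altered commit as its parent; a developer comparing the tip ID in a local clone against the server sees the mismatch without inspecting any file.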


Very Interesting... I have always just downloaded my Updates from whichever Distro's Repository that I'm running. Never stopped to think about the main Linux Kernel Site...

