lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20111001142848.GA27058@kroah.com>
Date:	Sat, 1 Oct 2011 07:28:48 -0700
From:	Greg KH <greg@...ah.com>
To:	akwatts@...il.com
Cc:	Linux Kernel Mailing List <linux-kernel@...r.kernel.org>
Subject: Re: kernel.org status: hints on how to check your machine for
 intrusion

On Sat, Oct 01, 2011 at 09:17:51AM -0500, akwatts@...il.com wrote:
> Greg, many thanks for providing these helpful hints for assessing 
> system integrity.
> 
> On Fri, Sep 30, 2011 at 04:59:24PM -0700, Greg KH wrote:
> > The compromise of kernel.org and related machines has made it clear that
> > some developers, at least, have had their systems penetrated.  As we
> > seek to secure our infrastructure, it is imperative that nobody falls
> > victim to the belief that it cannot happen to them.  We all need to
> > check our systems for intrusions.  Here are some helpful hints as
> > proposed by a number of developers on how to check to see if your Linux
> > machine might be infected with something:
> 
> I understand that git repos are protected from ex-post tampering by a
> rolling sha-1 hash. However, is it possible that code submissions were
> faked during the intrusion window and pulled by legitimate subsystem
> or system managers?
> 
> The intrusion on kernel.org has been dated as potentially weeks
> before 8/28 which means many tarballs (that common users rely on more
> than git) were posted after that.
> 
> Can we confirm a few things?

At this time, we are unable to discuss the events that took place due
to an ongoing investigation into the matter.  After that is complete, I
will be working to provide a report of what happened, but that will take
some time.

When www.kernel.org and git.kernel.org come back up, the kernels on them
will have been checked to be verified to be correct.  Everyone involved
is working as hard as they can to make that happen as soon as is
possible.

> c) can someone with verifiably clean code (i.e. not just downloads from
>    kernel.org) post checksums (md5,sha1,rmd160) for official tarball
>    releases since say 3/2011 (both full kernel and patches)?

You can do this today yourself from Linus's git tree if you want to,
it's very easy to script.  Just watch out for the fact that gzip puts
dates into the header, so you need to check the .tar file, not the
compressed ones.

thanks for your patience,

greg k-h
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ