Linked by David Adams on Thu 11th Sep 2008 16:11 UTC, submitted by Renai LeMay
The Red Hat-supported Fedora Project has started issuing updates to its Linux distribution again, after a hiatus of several weeks caused by a hacker break-in. Late yesterday, Fedora emailed its users to let them know that it would soon issue updates for its most recent Fedora 8 and 9 operating systems.
emailing?
by Parry Hotter on Thu 11th Sep 2008 17:08 UTC
Parry Hotter
Member since:
2007-07-20

Fedora emailing its users? Sounds simple, but how do they get hold of the email addresses of the Fedora users? Trojan? (j/k)

Reply Score: 0

RE: emailing?
by ctl_alt_del on Thu 11th Sep 2008 18:07 UTC in reply to "emailing?"
ctl_alt_del Member since:
2006-05-14

Pretty simple actually, they sent an email to fedora-announce-list@redhat.com.

The announcement is here:

https://www.redhat.com/archives/fedora-announce-list/2008-September/...

Reply Score: 3

That sounds like a bad idea.
by Bill Shooter of Bul on Thu 11th Sep 2008 19:36 UTC
Bill Shooter of Bul
Member since:
2006-07-14

From what I make of it, a GPG key was compromised, so they have to transition to a new one. In order to do that, they are asking their users to trust the compromised key one more time.

Isn't that a golden opportunity for whoever stole the key to inflict further damage?

Plus, all Mallory needs to do is intercept the new key, replace it with his own, and use it to sign malicious updates.

If I'm missing some key detail that makes all of the above mute please let me know.

Reply Score: 1

RE: That sounds like a bad idea.
by Finalzone on Thu 11th Sep 2008 19:54 UTC in reply to "That sounds like a bad idea."
Finalzone Member since:
2005-07-06

From what I make of it, a GPG key was compromised, so they have to transition to a new one. In order to do that, they are asking their users to trust the compromised key one more time.

Isn't that a golden opportunity for whoever stole the key to inflict further damage?


That compromised key is useless given the fact that the Fedora infrastructure has already generated a new version. The cracker would have to pretend to be fedora-announce-list, but that would expose him/her to criminal action.
https://www.redhat.com/archives/fedora-announce-list/2008-September/...

Reply Score: 3

Bill Shooter of Bul Member since:
2006-07-14

I'm not familiar with the update process in Fedora, but if it's not done over SSL, they could man-in-the-middle it and replace the good packages signed with the old key with bad packages signed with the old key.

Reply Score: 2

Lennie Member since:
2007-09-22

Pretending to be someone else by email isn't really all that complicated. Actually, it is really easy.

Reply Score: 1

RE: That sounds like a bad idea.
by Rahul on Thu 11th Sep 2008 19:54 UTC in reply to "That sounds like a bad idea."
Rahul Member since:
2005-07-06

The project does not believe that the keys are compromised. Nevertheless, they are being changed as a precautionary measure. The couple of transitional packages are still signed with the old key, since Fedora does not allow unsigned packages by default, and everything from then onwards will use the new key.

Reply Score: 3

RE: That sounds like a bad idea.
by buff on Thu 11th Sep 2008 22:35 UTC in reply to "That sounds like a bad idea."
buff Member since:
2005-11-12

If I'm missing some key detail that makes all of the above mute please let me know.

I think you meant to say moot. For a second there I was confused and thought you were telling your details to quiet down. ;-)

Reply Score: 2
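The disagreement between Bill Shooter of Bul and Rahul above comes down to what the client's package verifier does during a signing-key rollover: which packages it refuses, when it learns the new key, and how long the old key stays trusted. The following is an added illustration written for this page; it is not Fedora's code and not the rpm/yum implementation. It uses an HMAC-SHA256 tag as a stand-in for the OpenPGP signature so that it runs with Python's standard library alone, and the key labels ("fedora-old", "fedora-new", "mallory"), the package names and the premise that the old key was stolen are all constructed for the example, not taken from the incident.

```python
"""Toy model of a signing-key rollover as argued about in the thread above.

Added example, not Fedora's or rpm's code.  An HMAC tag under a per-key
secret stands in for an OpenPGP signature; key labels and packages are
constructed and are not real Fedora key IDs or package versions.
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Package:
    """A package as the client sees it.  new_keys models a release package
    that ships additional signing keys (the transitional step in the thread)."""
    name: str
    payload: bytes
    key_id: Optional[str] = None        # None means the package is unsigned
    signature: Optional[bytes] = None
    new_keys: dict = field(default_factory=dict)


def sign(secret: bytes, payload: bytes) -> bytes:
    # Stand-in for an OpenPGP signature: an HMAC tag under the key's secret.
    return hmac.new(secret, payload, hashlib.sha256).digest()


class PackageVerifier:
    """Models the client's trust store: refuses unsigned packages, refuses
    signatures by keys it has not imported, and learns new keys only from a
    package that itself passed verification."""

    def __init__(self, trusted: dict):
        self.trusted = dict(trusted)          # key_id -> key material

    def verify(self, pkg: Package) -> tuple:
        if pkg.key_id is None or pkg.signature is None:
            return False, "refused: unsigned package"
        secret = self.trusted.get(pkg.key_id)
        if secret is None:
            return False, f"refused: signed by untrusted key {pkg.key_id}"
        if not hmac.compare_digest(sign(secret, pkg.payload), pkg.signature):
            return False, f"refused: bad signature for key {pkg.key_id}"
        return True, f"OK: signature by {pkg.key_id}"

    def install(self, pkg: Package) -> tuple:
        ok, reason = self.verify(pkg)
        if ok:
            self.trusted.update(pkg.new_keys)  # import keys shipped by a trusted package
        return ok, reason

    def retire(self, key_id: str) -> None:
        self.trusted.pop(key_id, None)


# Constructed key material; the labels are not real Fedora key IDs.
SECRETS = {
    "fedora-old": b"old Fedora signing key (constructed)",
    "fedora-new": b"new Fedora signing key (constructed)",
    "mallory": b"attacker-controlled key (constructed)",
}


def make(name: str, body: str, key_id: Optional[str] = None, new_keys=None) -> Package:
    payload = body.encode()
    sig = sign(SECRETS[key_id], payload) if key_id else None
    return Package(name, payload, key_id, sig, new_keys or {})


def run_rollover() -> dict:
    """Walk through the scenarios raised in the thread; return each verdict."""
    client = PackageVerifier({"fedora-old": SECRETS["fedora-old"]})
    results = {}

    # Rahul: unsigned packages are refused, so the transitional packages
    # have to carry a signature the client already trusts.
    results["unsigned"] = client.install(make("foo-1.0", "unsigned update"))

    # Bill: a man in the middle swaps in a release package carrying his own
    # key.  Without the old key he cannot sign it with anything trusted.
    results["mitm_own_key"] = client.install(
        make("fedora-release", "fake release", "mallory", {"mallory": SECRETS["mallory"]}))

    # The genuine transitional package: signed by the old key, ships the new key.
    results["transition"] = client.install(
        make("fedora-release", "real release", "fedora-old", {"fedora-new": SECRETS["fedora-new"]}))

    # Bill's window, under his premise that the old key was stolen: while it
    # is still trusted, a fake release package signed with it is accepted and
    # the attacker's key gets imported alongside the real new one.
    results["stolen_key_in_window"] = client.install(
        make("fedora-release", "fake release", "fedora-old", {"mallory": SECRETS["mallory"]}))

    # Retiring the old key closes the window for the old key itself...
    client.retire("fedora-old")
    results["old_key_after_retire"] = client.install(make("bar-2.0", "update", "fedora-old"))
    results["new_key_after_retire"] = client.install(make("bar-2.1", "update", "fedora-new"))
    # ...but does not undo anything a stolen key already imported.
    results["mallory_after_retire"] = client.install(make("bar-2.2", "update", "mallory"))
    results["trusted_keys"] = sorted(client.trusted)
    return results


if __name__ == "__main__":
    for scenario, verdict in run_rollover().items():
        print(f"{scenario:24} {verdict}")
```

The model makes the two sides of the thread concrete: refusing unsigned packages is exactly why the transitional packages must be signed with the old key, and trusting the old key for that one step is harmless only if it was not actually stolen, because anything a stolen key imports into the trust store survives its retirement.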

slackware!
by 2501 on Fri 12th Sep 2008 00:33 UTC