
FreeBSD Project Discloses Security Breach Via Stolen SSH Key

Posted by timothy
from the happy-transparency dept.
An anonymous reader writes "Following recent compromises of the Linux kernel.org and Sourceforge, the FreeBSD Project is now reporting that several machines have been broken into. After a brief outage, ftp.FreeBSD.org and other services appear to be back. The project announcement states that some deprecated services (e.g., cvsup) may be removed rather than restored. Users are advised to check for packages downloaded between certain dates and replace them, although not because known trojans have been found, but rather because the project has not yet been able to confirm that they could not exist. Apparently initial access was via a stolen SSH key, but fortunately the project's clusters were partitioned so that the effects were limited. The announcement contains more detailed information — and we are left wondering, would proprietary companies that get broken into be so forthcoming? Should they be?"
  • Forthcoming... (Score:5, Insightful)

    by QuietLagoon (813062) on Saturday November 17, 2012 @10:31AM (#42011789)

    and we are left wondering, would proprietary companies that get broken into be so forthcoming?

    I suspect most would not be so forthcoming.

    Should they be?

    Yes.

  • Short answer (Score:5, Insightful)

    by wbr1 (2538558) on Saturday November 17, 2012 @10:32AM (#42011797)
    "...and we are left wondering, would proprietary companies that get broken into be so forthcoming? Should they be?"
    Short answer:
    No, they do not want to scare the stockholders.
    and... Yes, they should be because openness allows people to recover or protect themselves faster.
  • You don't seem to be aware that SSH keys are typically encrypted, and still require a password to unlock. Yes, some people foolishly enable passwordless use of SSH keys, but that does not reflect on the principle of SSH key login in general.
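  The point above about passphrase protection, as an added example that is not part of the original thread or of the FreeBSD announcement: a small Python audit that parses private key file headers and reports which keys are stored without a passphrase. In the modern OpenSSH format the `ciphername` and `kdfname` fields in the binary header are both `none` for an unprotected key; legacy PEM keys signal encryption with a `Proc-Type: 4,ENCRYPTED` header. The key blobs at the bottom are constructed in the script (only the header fields the check inspects are real), so nothing here is a usable key and it runs without `ssh-keygen`.

```python
"""Audit OpenSSH private keys for missing passphrase protection.

Added example, not code from the Slashdot thread or the FreeBSD project.
The sample key blobs are constructed in-script (only the header fields the
check needs), so this runs offline without ssh-keygen.
"""
import base64
import struct
from pathlib import Path

OPENSSH_MAGIC = b"openssh-key-v1\x00"


def _read_string(buf: bytes, offset: int):
    """Read an SSH wire-format string: uint32 length prefix, then bytes."""
    (length,) = struct.unpack_from(">I", buf, offset)
    start = offset + 4
    return buf[start:start + length], start + length


def classify_private_key(pem_text: str) -> str:
    """Return 'encrypted', 'unencrypted', or 'unknown' for a private key file.

    Handles the modern OpenSSH format (ciphername/kdfname in the binary
    header) and legacy PEM keys (Proc-Type: 4,ENCRYPTED header line).
    """
    lines = [ln.strip() for ln in pem_text.strip().splitlines()]
    if not lines or not lines[0].startswith("-----BEGIN "):
        return "unknown"
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        body = "".join(ln for ln in lines[1:] if not ln.startswith("-----"))
        blob = base64.b64decode(body)
        if not blob.startswith(OPENSSH_MAGIC):
            return "unknown"
        off = len(OPENSSH_MAGIC)
        ciphername, off = _read_string(blob, off)
        kdfname, off = _read_string(blob, off)
        # cipher "none" with KDF "none" means the private section is in the clear.
        if ciphername == b"none" and kdfname == b"none":
            return "unencrypted"
        return "encrypted"
    # Legacy PEM (RSA/DSA/EC PRIVATE KEY): encryption is announced by
    # header lines that precede the base64 body.
    if any(ln.startswith("Proc-Type:") and "ENCRYPTED" in ln for ln in lines):
        return "encrypted"
    return "unencrypted"


def audit_ssh_dir(ssh_dir: Path) -> dict:
    """Classify every file in an .ssh directory that looks like a private key."""
    results = {}
    for path in sorted(ssh_dir.iterdir()):
        if not path.is_file() or path.suffix == ".pub":
            continue
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue
        if "PRIVATE KEY-----" in text:
            results[path.name] = classify_private_key(text)
    return results


def _ssh_string(s: bytes) -> bytes:
    return struct.pack(">I", len(s)) + s


def _make_openssh_blob(ciphername: bytes, kdfname: bytes) -> str:
    """Constructed sample: only the header fields the check inspects are real."""
    blob = OPENSSH_MAGIC + _ssh_string(ciphername) + _ssh_string(kdfname)
    blob += _ssh_string(b"")       # kdfoptions (empty when KDF is "none")
    blob += struct.pack(">I", 1)   # number of keys
    b64 = base64.b64encode(blob).decode()
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + b64 +
            "\n-----END OPENSSH PRIVATE KEY-----\n")


# Constructed samples, not real keys.
SAMPLE_UNENCRYPTED = _make_openssh_blob(b"none", b"none")
SAMPLE_ENCRYPTED = _make_openssh_blob(b"aes256-ctr", b"bcrypt")
SAMPLE_LEGACY_ENCRYPTED = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF\n"
    "\n"
    "AAAA\n"
    "-----END RSA PRIVATE KEY-----\n"
)

if __name__ == "__main__":
    for name, text in [("id_ed25519_nopass", SAMPLE_UNENCRYPTED),
                       ("id_ed25519", SAMPLE_ENCRYPTED),
                       ("id_rsa_legacy", SAMPLE_LEGACY_ENCRYPTED)]:
        print(f"{name}: {classify_private_key(text)}")
    # Real use: print(audit_ssh_dir(Path.home() / ".ssh"))
```

  Run against a real `~/.ssh` with `audit_ssh_dir`, any key reported `unencrypted` is one that a copied `.ssh` directory, as described later in this thread, hands to the thief ready to use; re-key it with `ssh-keygen -p` to add a passphrase, or replace it.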
  • by overmoderated (2703703) on Saturday November 17, 2012 @10:58AM (#42011939)
    No matter how secure your system is (and SSH is very secure), if the individual using it is careless, the system will end up getting compromised.
  • by icebike (68054) * on Saturday November 17, 2012 @05:37PM (#42014671)

    [t]here still is an unanswered question: how did the ssh key get stolen? While its nice to see that FreeBSD wasn't breached due to a vulnerability in *its* systems, someone obviously had a vulnerability in their system.

    The explanation is simple enough, and provided on the compromise notice:

    The compromise is believed to have occurred due to the leak of an SSH key from a developer who legitimately had access to the machines in question, and was not due to any vulnerability or code exploit within FreeBSD.

    It only takes one instance of walking away from your workstation leaving it running to have a co-worker slip into your chair and email your .ssh directory to some obscure off shore email address, then remove the outgoing email from the "sent" list. A stolen phone, a purloined laptop, the possibilities are endless, although in the latter two instances you would expect revocations to be issued (assuming you had a backup copy somewhere).

    Once someone has your private key they ARE you, and if it was done without being immediately discovered, the key could linger in the wild for months or years.
