It's Not Magic
Writings of a techie wizard
Thu, 01 Sep 2011
Linux Kernel Site (Not) Cracked
Unless you're a Linux nerd like me, you probably didn't hear that the kernel.org site, the "home" of the Linux kernel and the "official" place to get a copy of its source code, was recently cracked. As far as I can tell from the Internet oracle, this hasn't made the news outside of the Linux developer and distribution community. If you're a conspiracy theorist, you might be thinking that this not making the news is some kind of nefarious scheme to hide flaws in the security of Linux. When a bank's server gets cracked, everybody finds out in a New York minute. Why should Linux's kernel source be any different?
The answer is in this article on linux.com. Basically, the cracking of the kernel.org server was a non-event, in security terms, because even though the cracker gained root access to the server, he couldn't change any of the kernel source code stored there without immediately raising alarms, because that code is cryptographically signed in a way that cannot be forged. So the damage was limited to having to take the servers offline once the cracking was detected, to reinstall their operating systems and restore the stored code repositories from backups (which were themselves checked against the cryptographic signatures to make sure they were correct).
As a matter of fact, I wish this event would get wide news coverage, but not because it shows any problem with Linux. Quite the opposite: it is a perfect example of how professional software development and distribution, particularly of something as critical as an operating system, is supposed to be done. First, extremely strong security precautions were taken against the possibility of a server being cracked, even though such events are very rare on well-managed servers. Nobody sat back and said, well, we do such a good job of securing our servers against intrusion, we don't have to worry about what would be compromised if somebody did get in. Second, when the compromise did happen, the kernel development community was completely open about it. Even though their server was cracked, they quite literally had nothing to hide; everything was out in plain sight anyway, and the security features that protected the source code have been public knowledge for years. All the site maintainers had to do was point to them.
Oh, by the way: the Linux kernel, and the version control system that protects its source code, git, are both free. And yet their developers set a standard of professionalism that I strongly suspect is unmatched by proprietary systems that users pay good money for. Of course, we don't know if the source code for those has ever been compromised, because it isn't out in the open where anyone can check it. Perhaps that secrecy makes it safe. We don't know. With Linux, we know. Which is one reason for what I showed in my brief nerd interlude on Linux's 20th birthday.
Open Source Development
Open Source Releases
Copyright © 2011-2013
by Peter A. Donis
All Rights Reserved