Honesty and openness in Open Source: apache.org incident report
Richard Rasker
Posted: Fri Nov 06, 2009 8:10 pm    Post subject: Honesty and openness in Open Source: apache.org incident report
Archived from groups: comp.os.linux.advocacy

As even the most avid Open Source and Linux advocate knows, nothing is
perfect. And even though Linux is a vastly more secure choice of OS than
Windows -- for whatever reason -- it still has its share of bugs and
exploits. So what happens when things go wrong? Well, you explain exactly
what happened, why it happened, and how you think you stop it from happening
again:

https://blogs.apache.org/infra/entry/apache_org_downtime_report

Compare this to the "explanations" of commercial entities when their closed-
source-based infrastructure gets compromised or simply drops dead, such as
the London Stock Exchange's monstrous crash 14 months ago: First, it was
said to be caused by "connectivity issues" (sure, someone must have tripped
over an untidy UTP cable), and later "It was software-related, a
coincidence, due to two processes we couldn't have foreseen." And in an
attempt to restore trust, they could add that "We've introduced a fix and
we're confident it will not happen again."
Ah, great, that clears it up, then. Not.

(But at least they chose a very thorough fix: dump their $65 million Windows
infrastructure after a mere two years, and get a superior Linux solution for
less than half the cost. Well, that tells us quite enough about what to
trust and what not. And what was most probably the /real/ cause of the
crash.)

Richard Rasker

[NetWctLaaal]
--
http://www.linetec.nl/
Ruel Smith
Posted: Sat Nov 07, 2009 1:10 am    Post subject: Re: Honesty and openness in Open Source: apache.org incident report

Richard Rasker <spamtrap.DeleteThis@linetec.nl> said on 2009-11-07:
> As even the most avid Open Source and Linux advocate knows, nothing is
> perfect. And even though Linux is a vastly more secure choice of OS than
> Windows -- for whatever reason -- it still has its share of bugs and
> exploits. So what happens when things go wrong? Well, you explain exactly
> what happened, why it happened, and how you think you stop it from happening
> again

Quite right! The OSS community is not shy about accepting responsibility
for failures or issues. Joomla, Drupal and WordPress have also made
efforts to notify subscribers whenever their software has issues that
need immediate intervention. Closed-source owners cannot release as
much information as OSS projects do; otherwise the meaning of closed
source would be lost.
TomB
Posted: Sat Nov 07, 2009 4:10 am    Post subject: Re: Honesty and openness in Open Source: apache.org incident report

On 2009-11-07, the following emerged from the brain of Richard Rasker:
> As even the most avid Open Source and Linux advocate knows, nothing is
> perfect. And even though Linux is a vastly more secure choice of OS than
> Windows -- for whatever reason -- it still has its share of bugs and
> exploits. So what happens when things go wrong? Well, you explain exactly
> what happened, why it happened, and how you think you stop it from happening
> again:
>
> https://blogs.apache.org/infra/entry/apache_org_downtime_report

Great read. Thanks for the link. It's very nice to see a detailed
incident report of a breach like this.

--
You are farsighted, a good planner, an ardent lover, and a faithful friend.
Chris Ahlstrom
Posted: Sat Nov 07, 2009 7:37 am    Post subject: Re: Honesty and openness in Open Source: apache.org incident report

TomB pulled this Usenet boner:

> On 2009-11-07, the following emerged from the brain of Richard Rasker:
>> As even the most avid Open Source and Linux advocate knows, nothing is
>> perfect. And even though Linux is a vastly more secure choice of OS than
>> Windows -- for whatever reason -- it still has its share of bugs and
>> exploits. So what happens when things go wrong? Well, you explain exactly
>> what happened, why it happened, and how you think you stop it from happening
>> again:
>>
>> https://blogs.apache.org/infra/entry/apache_org_downtime_report
>
> Great read. Thanks for the link. It's very nice to see a detailed
> incident report of a breach like this.

The lack of initial root access is to be noted, too, though the remote shell
access for the "create-backups" user was bad enough, and they were able to
achieve root on one of the machines.

Also of note is the fact that mirroring (rsync) helped expose the planted
scripts, and the variety of systems kept some of them safer.

--
Never look up when dragons fly overhead.
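Chris's remark that an rsync copy exposed the planted scripts generalises to a routine check: keep a hashed manifest of the tree you publish and diff the live tree against it, flagging additions, modifications and, above all, new executables. The following Python is an added example written for this thread, not code from any post here or from the Apache infrastructure report; the directory layout, file names and file contents are constructed in a temporary directory purely for illustration, and the execute-bit test assumes a POSIX filesystem.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def build_manifest(root):
    """Map every regular file under root (as a relative POSIX path) to its
    SHA-256 digest and whether any execute bit is set. Symlinks are skipped
    so a planted link cannot make the manifest read outside the tree."""
    root = Path(root)
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath, name)
            if path.is_symlink() or not path.is_file():
                continue
            rel = path.relative_to(root).as_posix()
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            mode = path.stat().st_mode
            executable = bool(mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))
            manifest[rel] = {"sha256": digest, "executable": executable}
    return manifest


def diff_manifests(baseline, current):
    """Compare a trusted baseline manifest with the live tree's manifest.
    Returns sorted lists of added, removed and modified paths, plus the
    subset of added/modified files that are executable: in a tree that
    should only ever gain content files, those are the likeliest plants."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        p for p in set(baseline) & set(current)
        if baseline[p]["sha256"] != current[p]["sha256"]
    )
    suspicious = [p for p in added + modified if current[p]["executable"]]
    return {"added": added, "removed": removed,
            "modified": modified, "suspicious": suspicious}


def _write(root, rel, data, executable=False):
    """Helper for the constructed demo tree: write a file, optionally +x."""
    path = Path(root, rel)
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(data)
    if executable:
        path.chmod(path.stat().st_mode | stat.S_IXUSR)


def demo():
    """Build a constructed baseline tree and a 'live' copy with one edited
    page, one harmless new image and one planted executable; return the diff.
    All paths and contents here are hypothetical sample data."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp, "baseline")
        live = Path(tmp, "live")
        for root in (base, live):
            _write(root, "index.html", "<h1>site</h1>\n")
            _write(root, "docs/guide.html", "<p>guide</p>\n")
            _write(root, "cgi-bin/status.sh", "#!/bin/sh\nuptime\n", executable=True)
        _write(live, "index.html", "<h1>site</h1><!-- edited -->\n")
        _write(live, "images/logo.png", "not really a png")
        _write(live, "cgi-bin/.sync.sh", "#!/bin/sh\n# planted\n", executable=True)
        return diff_manifests(build_manifest(base), build_manifest(live))


if __name__ == "__main__":
    for key, paths in demo().items():
        print(f"{key}: {paths}")
```

The baseline manifest has to live somewhere the compromised host cannot rewrite (a separate machine, or at least a signed file), otherwise an attacker who plants a script simply regenerates the manifest to match. A hidden executable appearing under a CGI directory is exactly the kind of entry the "suspicious" list is meant to surface.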