
Novell OpenSUSE Server Hacked 329

abelikoff writes "Both LinuxWorld Australia and SuSE Linux Forums report that the OpenSUSE website got hacked last night." This story was submitted quite a number of times.
This discussion has been archived. No new comments can be posted.

  • Don't blame LINUX (Score:2, Insightful)

    by Work Account ( 900793 ) on Sunday October 02, 2005 @12:20PM (#13698702) Journal
    People always try to blame the software right away but usually it's poor administration.

    Linux is near-flawless in terms of security.
  • *sigh* (Score:5, Insightful)

    by the-amazing-blob ( 917722 ) on Sunday October 02, 2005 @12:21PM (#13698704) Journal
    I still will never understand why people do stupid things like hack websites.
  • by Anonymous Coward on Sunday October 02, 2005 @12:23PM (#13698711)
    How does hacking this website help to put your voice? Other than geeks, how many people check that website? If they had hacked CNN or BBC, it would have been noticed significantly. Soon this would go into oblivion. Makes me wonder what a nuclear program has to do with open source Linux?
  • by Anonymous Coward on Sunday October 02, 2005 @12:24PM (#13698716)
    "Linux is near-flawless in terms of security."

    so it could have been a linux flaw...
    but you're right, on most PCs the weakest link is the user...
  • by grub ( 11606 ) <slashdot@grub.net> on Sunday October 02, 2005 @12:25PM (#13698718) Homepage Journal

    Linux is near-flawless in terms of security.

    You don't follow security mailing lists, do you? Most Linux distros have decent security but "near-flawless"?
  • how rude..... (Score:2, Insightful)

    by The_Candyman ( 463167 ) <the_candyman&hotmail,com> on Sunday October 02, 2005 @12:25PM (#13698722)
    Of course this had to happen just a few days before OpenSuSe released the latest version 10.0 final. Now I'm assuming that there will be a delay there to make sure nobody added any "extra" software. I've been waiting for it to come out since I tried beta 1 of 10.0.
  • by Anonymous Coward on Sunday October 02, 2005 @12:28PM (#13698742)
    Could very well be poor setup/administration, you have a point!

    I have to note, I have not read the original article yet, so you may be 'spot-on' & it may note the very thing you point out. It usually is the case.

    However, you also cannot fully discount this, or problems like it, might actually be some completely NEW problem found in Linux itself, or rather, this particular distro (this goes for MS &/or Apple wares as well, not just Linux/Unix/BSD etc.)!

    (Man, because this happens ALL the time (browsers, apps, OS' & such of all types)... it's a real pain-in-the-A$$, but a fact of life today. One with SOME GOOD SIDES TO IT THOUGH, in that it points out flaws that may exist since someone used some particular method of penetration & it's now known if it was not before!)

    APK

    P.S.=> What 'spooks me'? Isn't the ones that are known, or found & exposed publicly (to get either MS, apple, or the numerous Linux vendors off their butts to do something about it etc. if needed)... but, the ones that do NOT talk about it period, & utilize vulnerabilities 'secretly', never publicly noting their methods (be they OS vulnerabilities, or apps like browsers etc.)... they're the TRUE danger imo... apk

    APK
  • by Anonymous Coward on Sunday October 02, 2005 @12:28PM (#13698744)
    People always try to blame the software right away but usually it's poor administration.
  • by Anonymous Coward on Sunday October 02, 2005 @12:29PM (#13698756)
    Yeah.. I guess those various Kernel level vulns I've patched over the years didn't exist.

    Near flawless my ass.
  • by Anonymous Coward on Sunday October 02, 2005 @12:30PM (#13698767)

    People always try to blame the software right away but usually it's poor administration.

    Windows is near-flawless in terms of security.

    That's about as true as your comment, yet I don't hear a lot of that said around here.

    Next time you want to post how Linux is "near-flawless", why don't you take a breath, not post it (because somebody else is sure to), and then, the next time a Windows hack story comes up, not post in that story either (because somebody else is sure to)?

    The end result will be a greater signal:noise ratio, less hypocrisy, and your abstinence in both cases cancel each other out in terms of bias.

  • by WindBourne ( 631190 ) on Sunday October 02, 2005 @12:32PM (#13698781) Journal
    Because, this will make the regular news. That will include CNN, and BBC.

    Why? Because it does not happen often to a major Linux site. It would be like having millions stolen from a site that runs non-Windows, such as a Unix site. It will make news just because it is non-Windows.
  • by Anonymous Coward on Sunday October 02, 2005 @12:39PM (#13698815)
    If the system makes it hard to secure, then it's not particularly effective.
  • by $RANDOMLUSER ( 804576 ) on Sunday October 02, 2005 @12:40PM (#13698822)
    The point is, it was a Suse website, running Suse that got hacked.
    If a Microsoft windows 2003 site, running Windows 2003 was the victim, then yeah, I think it would make the front page.
  • Re:ssh scan (Score:4, Insightful)

    by schon ( 31600 ) on Sunday October 02, 2005 @12:45PM (#13698852)
    Why the hell do they allow root logins over SSH in the first place?

    Any security admin worth their salt would have turned this off when it was installed - not to reduce break-ins (although it does help mitigate a weak root password), but to provide an audit trail for people who are allowed to use root.

    *sigh*
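
An added example, not part of the comment above or of the original thread: a small Python check of an sshd_config for the setting that comment refers to, `PermitRootLogin`. It applies sshd's rule that the first value given for a keyword wins and reports `Match` blocks that re-enable root; the function names and the sample config are constructed for illustration, and the fallback default of `prohibit-password` is an assumption that holds for current OpenSSH (older releases defaulted to `yes`).

```python
# Constructed sample config (not taken from the incident discussed here).
SAMPLE = """\
# /etc/ssh/sshd_config (constructed sample)
Port 22
permitrootlogin no
PermitRootLogin yes
PasswordAuthentication yes
Match Address 10.0.0.0/8
    PermitRootLogin prohibit-password
Match User backup
    PermitRootLogin forced-commands-only
"""

def audit_root_login(text, default="prohibit-password"):
    """Return (global_value, overrides); overrides lists (criteria, value)
    for every Match block that sets PermitRootLogin."""
    global_value = None
    overrides = []
    scope = None           # None = global section, otherwise Match criteria
    seen_in_scope = False  # first value wins inside a Match block as well
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()  # keywords are case-insensitive
        arg = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            scope, seen_in_scope = arg, False
        elif keyword == "permitrootlogin":
            if scope is None:
                if global_value is None:  # later duplicates are ignored
                    global_value = arg
            elif not seen_in_scope:
                overrides.append((scope, arg))
                seen_in_scope = True
    return (global_value or default), overrides

def findings(text):
    """List every place where direct root login is still possible."""
    global_value, overrides = audit_root_login(text)
    out = []
    if global_value != "no":
        out.append(f"global: PermitRootLogin {global_value}")
    out += [f"Match {c}: PermitRootLogin {v}" for c, v in overrides if v != "no"]
    return out

if __name__ == "__main__":
    for item in findings(SAMPLE):
        print(item)
```

With every entry at `no`, administrators have to log in under their own accounts and then elevate, so the authentication log records who became root, which is the audit trail the comment is asking for.
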
  • Re:Rights or not (Score:3, Insightful)

    by Halfbaked Plan ( 769830 ) on Sunday October 02, 2005 @12:47PM (#13698863)
    Probably, if he hacks an Arabic site and plans to blather on the pages, he'll have a competent Arabic speaker help compose the text. Really, that's the point.
  • Re:*sigh* (Score:5, Insightful)

    by jupiter909 ( 786596 ) on Sunday October 02, 2005 @12:50PM (#13698875)
    Hacking websites is not stupid. It's proof of concept. It is often good when people hack/crack things, it forces tighter control and security. If not for people hacking and cracking things we would not have things such as online shopping and ssh encryption etc. It is all part of a never-ending life cycle. More often than not it is poor management/admin than the software/systems themselves. Human error.

  • Re:Rights or not (Score:5, Insightful)

    by klykken ( 310263 ) on Sunday October 02, 2005 @01:07PM (#13698957)
    You might have confused the Arabic language with the Persian language (Farsi). They share the same alphabet but are entirely different.
  • by thc69 ( 98798 ) on Sunday October 02, 2005 @01:07PM (#13698963) Homepage Journal
    Pardon my obvious post-placement, trying to get this near the top and visible, but I suspect this is an important question for people to see, assuming answers are posted:

    What is the practical upshot of all this? Is the damage limited to the "Give us nuclear rights" web defacement, or was that just a front to make people think nothing else was damaged?

    I'm running SuSe 9.3, and this morning, I let the automated update program do its thing. Did I download and install any breached files?

    TFA don't say anything. One is dead already, and the other is useless.

    I mean, I understand that there's a lot to discuss regarding security policies and server operating systems, but there are people who could be immediately affected here.
  • Not Good for Iran (Score:5, Insightful)

    by KidSock ( 150684 ) on Sunday October 02, 2005 @01:14PM (#13698998)
    Dear Hackers,

    If you're going to hack websites, don't try to justify your idiotic hobby by turning it into a political posterboard. It has the opposite effect you're looking for. The thing that scares people most is unpredictable behavior. If Iran were calm, clear in stating their intentions, and followed all the diplomatic protocols with a smile there would be no way for anyone to stop them from building reactors (whether it be for processing fuel for weapons or not). But stupid stuff like this makes Iranians look like evil subversives. Just look at the graphic they posted. It looks like the shadow of some kind of daemon with horns. This is not a good image for Iran.

    Or if it's a different group impersonating Iranians, you're just losers.
  • Re:*sigh* (Score:4, Insightful)

    by the-amazing-blob ( 917722 ) on Sunday October 02, 2005 @01:14PM (#13698999) Journal
    But if nobody hacked anything, there wouldn't be a need for better security.

    I'm too idealist for my own good.
  • near-flawless? (Score:4, Insightful)

    by nurb432 ( 527695 ) on Sunday October 02, 2005 @01:27PM (#13699055) Homepage Journal
    No modern OS is flawless. Due to feature creep and the massive amounts of code involved, none can really be considered 'near flawless'. (Agreed, some are better than others.)

    It's the job of the administrators to mitigate and compensate for known, and unknown, security flaws.
  • by ScrewMaster ( 602015 ) on Sunday October 02, 2005 @01:31PM (#13699081)
    The problem comes in when you are, yourself, an OS vendor. It's really hard (from a marketing/PR perspective) to have your site run a BSD when you happen to sell a major Linux distro. Or have a major online service you bought run Solaris when you happen to make Windows, for that matter. Customers (and potential customers) will rightfully wonder why you don't have confidence in your own product.
  • Re:*sigh* (Score:2, Insightful)

    by gowen ( 141411 ) <gwowen@gmail.com> on Sunday October 02, 2005 @01:53PM (#13699181) Homepage Journal
    You know, murders are good too, because they encourage us to employ smarter policemen and develop better forensic science.
  • Re:ssh scan (Score:3, Insightful)

    by VStrider ( 787148 ) <{ku.oc.oohay} {ta} {zm_sinnaig}> on Sunday October 02, 2005 @02:08PM (#13699261)
    and last but not least

    3. install a port knocking [portknocking.org] daemon, like fwknop [cipherdyne.org], or knockd [zeroflux.org]
  • by darco ( 514434 ) on Sunday October 02, 2005 @02:21PM (#13699344) Homepage Journal
    > Because it is not a good source of energy in its present state.

    That would explain why the French and Japanese have abandoned it.

    Nuclear power is orders of magnitude safer than it was decades ago. I'd much rather have a source of energy with a waste that I can dispose of in a controlled fashion rather than one which pours pollutants into the air we breathe. The only reason we don't use more nuclear energy here in the US is because of politics, not science or practicality.

    Not to say anything about Iran having nuclear capability. I'll pass speculating on that hot-potato.
  • by _Sprocket_ ( 42527 ) on Sunday October 02, 2005 @02:40PM (#13699437)
    Yes, it is the same flaw. But don't worry. I understand that with all the new work in pricing schemes, DRM, aggressive disregard for industry changes, etc Microsoft will be eliminating a large number of users (and thus Admins), thus creating a much more secure Windows environment.
  • Re:As you can see (Score:5, Insightful)

    by LnxAddct ( 679316 ) <sgk25@drexel.edu> on Sunday October 02, 2005 @02:50PM (#13699470)
    It's a little worse than that. The IHS guys aren't just script kiddies, their lead guy's blog is here [c0d3r.org]. He is apparently very active in writing exploits and gives code to all of them. He was just accepted into a university, but worse, one of his blog entries is about how he likes slackware and is trying to write some code to help the project out. Now I don't know about you, but I find that suspicious as hell. Unless someone goes over every line of code submitted with a magnifying glass then it can be fairly easy to sneak in a little area for a buffer overflow or something. (Preventive measures like SELinux and exec-shield are necessary and even they don't fully solve the problem). I can only hope that the slackware community does decent background checks on submitters, and also good code checking. The last thing we need is for Open Source to start being purposely made vulnerable and attacked from within.
    Regards,
    Steve
  • by _Sprocket_ ( 42527 ) on Sunday October 02, 2005 @04:47PM (#13700025)
    Way to hijack a conversation. :P

    Your call for isolationism has a certain appeal. I'm generally a believer that far too many people are overly concerned with what's going on in their neighbor's yard. However, isolationism is not a panacea. Interestingly enough, the US' involvement in the Middle East began within decades of the formation of the US in the form of the Barbary Wars even though the new US Government often expressed a belief in isolationism. Yet they soon discovered that the US interacted in the world around them and could not be separate from it.

    That's not to say that the US hasn't managed periods of isolationist policies. US history shows some remarkable stretches of isolationism. But such policies only served to create the hardest lesson in recent US history - World War II. The cost associated with World War II was only increased by attempts to limit direct involvement of the US in what was viewed to be a European affair (although Europeans themselves also contributed with their own reluctance to act).

    World War II leads directly in to the Cold War and the US' attempts to curtail Soviet influence. And perhaps that is where the US commits the sins we will be paying for today and tomorrow. Although I find it rather interesting that when critics of US policy point to various fumbles and embarrassments, they fail to note Soviet involvement. Which isn't to say that the US is excused for their actions - but rather some perspective would provide a better understanding of why things were done.

    So does the US have a "right" to dictate to others what they can and can not do? Hardly. There is such a thing as a sovereignty. But to claim that the US should have no involvement in the world around it is simply setting up the US to become victim to the day when its people and shores are under attack. I hate to sound anything like the Bush Administration. Yet there are certainly others who have less qualms about rights than the US. And history shows how that turns out for anyone who ignores it.

    On Iraq, I mostly agree. The current Administration's handling of the situation is unsettling, to say the least. There seems to be a certain degree of willful ignorance and a lack of understanding and planning that shows itself not only in foreign policy, but domestic policy too.

    However, Iraq was bound to happen. While critics of the Bush Administration are, more or less, right to criticize the reasoning given for this war - they tend to gloss over the fact that the Iraq war comes at an end of a CEASE FIRE agreed to in the early '90s. No folks, this is not a new thing; US military personnel have been in the region maintaining vigilance for over a decade without daily CNN coverage. That entire time is under a state of war. And during that time, Saddam willfully defied UN mandates and conditions of that cease fire agreement.

    Yet Saddam was probably not intended to stay in power. The Senior Bush was wise enough to not completely dismantle the world's fourth largest standing army, and create a vacuum for neighboring influence (such as Iran). And it was probably wise to try and avoid the troubles we are facing today by giving the Iraqi people a chance to handle Saddam themselves. But Saddam is exceptionally gifted at survival (and also ruthlessly brutal). It would take direct involvement to remove Saddam's regime after all.

    There might be a slim chance that the Iraqi government to be will become a secular democracy, with enough economic power behind it to flourish. There are possible echoes of Germany and Japan. But the reality is that the odds are against this happening. Partly due to external influences. And (arguably) largely due to the planning of the Bush Administration.

    What about Iran? I don't find it too surprising that Iran's intentions meet a certain degree of skepticism. It seems odd that Iran's quest for energy would have to involve a process that can be directly applied to acquiring massively powerful weapons when it is itself the World's fourth largest producer of fossil fuel (right behind the US - Iraq is at 14th) as well as having ample opportunity to develop other alternative (and less dangerous) alternative energy systems.
  • by Halvy ( 748070 ) on Sunday October 02, 2005 @06:28PM (#13700470) Journal

    The Bush Administration is working on that

    The bush admin days are numbered...

    As is anyone who supports their murdering ways.
