Red Hat admits to security breach
Red Hat belatedly revealed that its infrastructure servers were hacked into. The compromised systems included those used to sign its Fedora Project packages.
PC World carried the story; one thing to note is that the announcement was made in a rather unusual way – instead of a statement issued via press release, it was posted to the fedora-announce-list. Subject line? “Infrastructure report”. Hiding it in a list and hoping the press won’t notice it early isn’t much different from burying your head in the sand like the allegorical ostrich – if ostriches wore fedoras.
Company officials were quick to state ‘high confidence’ that the hackers did not obtain the passphrase securing the Fedora package signing key. But that didn’t stop the company from generating new keys, you know, just in case. Said officials have otherwise kept rather silent on the whole thing, instead pointing to the aforementioned announcement.
What exactly happened in the breach? An intruder tampered with some OpenSSH packages for Red Hat Enterprise Linux 4 (i386 and x86_64 architectures only) and Red Hat Enterprise Linux 5 (x86_64 architecture only).
Red Hat has, to its credit, quickly released updated versions of those packages, a full list of the tampered packages as well as a script to check if those are installed on a user’s box.
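Red Hat's own checking script is not reproduced on this page. The following is an added example, not Red Hat's code, showing the general shape of such a check: take the list of installed packages (as `rpm -qa` prints them, one name-version-release.arch per line) and report any that appear on a blocklist of tampered builds. The blocklist entries below are constructed placeholders, not the real identifiers from the advisory; a real run would substitute the package list Red Hat published.

```shell
#!/bin/sh
# Added example (not Red Hat's script). Flags installed packages that appear
# on a blocklist of known-tampered builds.

# Constructed placeholder blocklist, one package per line in rpm -qa form.
# These are NOT the real identifiers; replace with the advisory's list.
TAMPERED_LIST='openssh-0.0.0-PLACEHOLDER.el4.i386
openssh-server-0.0.0-PLACEHOLDER.el5.x86_64'

# find_tampered: reads installed package names from stdin (one per line),
# prints "TAMPERED: <pkg>" for each blocklisted one found.
# Returns 0 if the box is clean, 1 if anything matched.
find_tampered() {
    found=0
    while IFS= read -r pkg; do
        [ -z "$pkg" ] && continue
        # -F: fixed string, -x: whole-line match, so "openssh" never
        # matches "openssh-server" by accident.
        if printf '%s\n' "$TAMPERED_LIST" | grep -Fxq -- "$pkg"; then
            echo "TAMPERED: $pkg"
            found=1
        fi
    done
    return $found
}

# count_tampered: same check, printing only the number of matches,
# convenient for wiring into monitoring or a fleet-wide sweep.
count_tampered() {
    find_tampered | grep -c '^TAMPERED:' || true
}

# Usage on a real host:  rpm -qa | sh thisscript.sh --check
# (the flag keeps the check from running when the file is merely sourced).
case "${1:-}" in
    --check) find_tampered ;;
esac
```

A name match is only a first pass: a package with a clean name but a bad signature is the case that matters, so on a real system this should be paired with `rpm -K` (signature verification) against the trusted Red Hat key.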
Though the updates are available, users are complaining about Red Hat’s lack of transparency – admitting the breach only after users had begun to suspect something was awry. Why did the company let the speculation stew instead of immediately alerting its customer base?
Perhaps Red Hat decided to focus on getting the fixes out first rather than inadvertently drawing attention to its system vulnerabilities. Though the whole affair could have been handled much better by Red Hat, at least fixes are available. The company is also confident that its own update distribution network has not been compromised, but is issuing warnings to users who might be getting their updates from sources outside of Red Hat.