
SoylentNews is people

posted by martyb on Monday April 01 2019, @02:12PM
from the I-want-a-pwny! dept.

The Devuan website looks hacked. Given the timing, it's probable that it is an April Fools' joke, though it's not clear if it's the Devuan devs' April Fools' joke or the hackers' April Fools' joke. In any case, it's probably better for any Devuan users to avoid updating their packages and keep an eye out for signs of compromise.

If it is a joke by the devs, then they are taking it pretty far since official channels of communication say that the hack is real (but packages are not compromised): https://lists.dyne.org/lurker/message/20190331.191104.169aaf9a.en.html

In any case, it's a warning about taking Devuan too seriously; either they don't know how to secure their servers, or they don't know what it means to take a joke too far.

https://www.devuan.org/ redirects to https://www.devuan.org/pwned.html which displays:

                                 _           _                       THE WEB SUCKS -- JAVASCRIPT SUCKS -- BROWSERS SUCK
          _  ___ ___  ___ ___   | |    _ _  | |
        / _`|  _| -_)  -_)   \  |  \ / _` ||  _|                         GOPHER IS THE WAY -- GOPHER IS THE FUTURE
        \__,|_| \___|\___|_|_|  |_|_|\__,_| \__|
        ___/_              _
           | |    _ _  __ | |_  ___  ___  ___               ********************************************************************
           |  \ / _` |/ _|| | // -_)|  _|(_-<                        ******       DEVUAN.ORG HAS BEEN PWNED       ******
           |_|_|\__,_|\__||_\_\\___||_| (___/               ********************************************************************
           .................................
         ...........##...#...#####............                 WE TURNED ALL DEVUAN'S SHITTY WEBSITES INTO PROPER GOPHERHOLES
        ...........###...#.##########............
       ...........####....###.......##............          ********************************************************************
     ............#############......##..............
    ............#######################..............            ***  STOP THE MADNESS -- GET YOURSELF A GOPHER CLIENT  ***
   .............#######################...............
  .............#######################.................                 WWW   ->   gopher://www.devuan.org
  .............#####################.....#.............                 GIT   ->   gopher://git.devuan.org
...............###############.........######..........                ISOS  ->   gopher://files.devuan.org
........######.##############.........#########........                INFO  ->   gopher://pkginfo.devuan.org
.......######################.......############.........               BTS   ->   gopher://bugs.devuan.org
......########################################...........               STATS ->   gopher://popcon.devuan.org
.......#####################################.............
........#################################................      ***  GOPHER IS STILL ALIVE AND KICKING -- JUST CHECK IT OUT  ***
..........###########################....................
.............##################..........................         gopher://gopherproject.org -- gopher://gopher.floodgap.com
......................................#####..............    gopher://bitreich.org - gopher://sdf.org - gopher://gopherpedia.com
...............................###########.............             gopher://circumlunar.space -  gopher://gopher.quux.org
.............................###########...............
  .............########################.....#######....        ***  KISS PORT 80 GOODBYE -- JOIN THE REVOLUTION ON PORT 70  ***
  .............#####....###############...#########....
   ............#####.....############################.      *******************************************************************
    .######.....####################################.
     .#######....##################################.               WE KNOW YOU -- WE FOLLOW YOU -- WE OWN YOUR COMPUTERS
      ..#######...###############################..
        ..######..#############################..                        *****    ANY RESISTANCE IS FUTILE    *****
          ...###############################...
             ...#########################...                   WE ARE GREEN HAT HACKERS: WE CAME, WE SAW, WE KICKED YOUR ASS
                ......#############......
                  .....................                     *******************************************************************

                                                                 IF YOU LUSER CAN'T USE A GOPHER CLIENT, USE THE PROXY AT:
                                                                           https://gopher.floodgap.com/gopher/gw

                                                                       BOTH 7779847 AND 1554080659 ARE PRIME NUMBERS


  • (Score: 1, Insightful) by Anonymous Coward on Monday April 01 2019, @02:25PM (3 children)

    by Anonymous Coward on Monday April 01 2019, @02:25PM (#823077)

    In any case, it's a warning about taking Devuan too seriously; either they don't know how to secure their servers, or they don't know what it means to take a joke too far.

    That's pretty low. I dislike stupid April Fools jokes myself, but several "serious" projects have done them.

    Anyway, if the hack is real, remember that actual devuan package updates are pretty rare, since most packages, except those having SystemD dependencies, are passed through to Debian.

    • (Score: 3, Disagree) by zoward on Monday April 01 2019, @07:08PM (2 children)

      by zoward (4734) on Monday April 01 2019, @07:08PM (#823212)

      I wish they hadn't done this. Devuan already gets enough BS from people online treating it as a haven for crackpots. Hacking their own site for April Fool's Day won't help. Even if it's a joke, the last thing they need is people questioning their ability to keep their servers secure.

      For the record, my home server is running Devuan ASCII, and it's been solid as a rock.

      • (Score: 3, Interesting) by Anonymous Coward on Monday April 01 2019, @07:58PM (1 child)

        by Anonymous Coward on Monday April 01 2019, @07:58PM (#823240)

        Yeah, I wish no site would do April Fools jokes. It already got rather lame in elementary school.

        Now that I look at the "pwned" page, it does look like blatant satire. Did anyone try the gopher links?

        My infra at work is pretty much all Devuan jessie, my own is Devuan ascii. I'm very happy with it. It is what Debian used to be.

        • (Score: 0) by Anonymous Coward on Tuesday April 02 2019, @07:46PM

          by Anonymous Coward on Tuesday April 02 2019, @07:46PM (#823756)

          OpenBSD had some mailing list April Fools going on - talking about replacing pf with bpf or ipf.

  • (Score: 3, Insightful) by Runaway1956 on Monday April 01 2019, @02:27PM

    by Runaway1956 (2926) Subscriber Badge on Monday April 01 2019, @02:27PM (#823078) Journal

    Nice, subdued defacement. No vulgarities, no crazy proclamations against $badactor, no real rebellion against authority. Mehhhh, it's almost funny.

  • (Score: 3, Insightful) by Anonymous Coward on Monday April 01 2019, @02:37PM (2 children)

    by Anonymous Coward on Monday April 01 2019, @02:37PM (#823085)

    Are there not enough people on the systemd bandwagon for your liking that you need to create cheap shots with this biased article? More anti choice "be assimilated" crap..

    Ok so how's this for securing your servers... REMOVE SYSTEMD.

    • (Score: 4, Funny) by Anonymous Coward on Monday April 01 2019, @03:28PM (1 child)

      by Anonymous Coward on Monday April 01 2019, @03:28PM (#823103)

      In my experience, systemd is a great way to secure your servers, since with it, my servers don't boot past the initramfs stage. No running services == no attack vectors, right?

      • (Score: 0) by Anonymous Coward on Tuesday April 02 2019, @06:01AM

        by Anonymous Coward on Tuesday April 02 2019, @06:01AM (#823476)

        I would say that's an OK opinion to have, my main issue is with the clear bias in comments like "this is just proof Devuan should not be taken seriously" when they could just say "this is either a joke that has gone too far or they're having serious problems". Really that flame war is past, so my comments aimed at systemd are just to make a point about that (meaning yes systemd can easily be criticized too).

  • (Score: 2, Informative) by Anonymous Coward on Monday April 01 2019, @02:46PM (1 child)

    by Anonymous Coward on Monday April 01 2019, @02:46PM (#823088)

    Silly sounding name, the best distro, what Debian should be.

    • (Score: 1, Funny) by Anonymous Coward on Monday April 01 2019, @10:15PM

      by Anonymous Coward on Monday April 01 2019, @10:15PM (#823293)

      it's /dev/1, just slightly better than /dev/zero.

  • (Score: 3, Informative) by pkrasimirov on Monday April 01 2019, @02:50PM

    by pkrasimirov (3358) Subscriber Badge on Monday April 01 2019, @02:50PM (#823090)

    https://www.devuan.org/ [devuan.org] looks dull now and does not redirect to https://www.devuan.org/pwned.html [devuan.org] but both pages exist so I could see the funny one.

    Sloppy job on the pwned.html syntax.

  • (Score: 2, Funny) by Anonymous Coward on Monday April 01 2019, @03:30PM (6 children)

    by Anonymous Coward on Monday April 01 2019, @03:30PM (#823104)

    I just started getting into Linux - it looks like security isn't taken seriously so I'm out

    • (Score: 0) by Anonymous Coward on Monday April 01 2019, @04:44PM (1 child)

      by Anonymous Coward on Monday April 01 2019, @04:44PM (#823130)

      So given your requirements, I'm curious. Are you now locked in a SKIF with an abacus?

      • (Score: 0) by Anonymous Coward on Monday April 01 2019, @06:36PM

        by Anonymous Coward on Monday April 01 2019, @06:36PM (#823195)

        Or a Microseive submarine with a screen door for security and SkyNet as your ISP?

    • (Score: 5, Informative) by hendrikboom on Monday April 01 2019, @05:06PM (1 child)

      by hendrikboom (1125) Subscriber Badge on Monday April 01 2019, @05:06PM (#823142) Homepage Journal

      Debian got attacked a few years ago, if I recall correctly. Are there any major distros that have never been attacked?

      And Devuan is taking this seriously. The package archives were checked for corruption and found clean. They are on different physical machines from the one that got hacked. So there are still some barriers the attacker did not get through.

      And the users on the main Devuan mailing list had been informed before the investigation was even much under way.

      • (Score: 0) by Anonymous Coward on Monday April 01 2019, @06:57PM

        by Anonymous Coward on Monday April 01 2019, @06:57PM (#823208)

        the problem is that a more aggressive attacker could make it less obvious and change the main pages to direct people to downloading bad ISOs for days before someone notices

    • (Score: 0) by Anonymous Coward on Monday April 01 2019, @05:37PM

      by Anonymous Coward on Monday April 01 2019, @05:37PM (#823157)

      what a fuckin' noob!

    • (Score: 0) by Anonymous Coward on Tuesday April 02 2019, @05:54AM

      by Anonymous Coward on Tuesday April 02 2019, @05:54AM (#823473)

      I have to tell you that yes this was an April Fools joke. Obvious to those in the Devuan community because of the use of gopher, which some people in the community are fond of in a kind of nostalgic way. Remember, take NOTHING seriously on April 1st. Just mark it on your calendar as 'ignore the news day'.

      And yes Debian were once compromised, four of their servers were totally owned for real. Which should be a valuable lesson to all, that nothing is really secure no matter how obscure it is. At the time you'd call GNU/Linux in general more obscure and it had much less focus by people trying to do nasty things, the other lesson was that upstream kernel developers shouldn't have ignored the critical security issue that had been known about for a long time.

      The good news is that whilst not the best and having its problems, GNU/Linux is not really bad like Windows is.

  • (Score: 3, Insightful) by Anonymous Coward on Monday April 01 2019, @05:08PM (3 children)

    by Anonymous Coward on Monday April 01 2019, @05:08PM (#823145)

    From TFS:

    In any case, it's a warning about taking Devuan too seriously; either they don't know how to secure their servers, or they don't know what it means to take a joke too far.

    Assuming this isn't an April Fool's joke, I agree that Devuan admins should try their best to secure their web server(s). However, as someone with 25+ years of infosec/operations experience, I'd hesitate to condemn the whole Devuan distribution because their website was hacked.

    InfoSec Maxim #24: If it's connected to the Internet, assume that it will, at some point, get hacked.

    What's more, in my experience, devs *think* they're the best admins, but in general they're not. I'm not sure if Devuan is eating their own dog food [wikipedia.org], but I'd hesitate to dismiss their whole distribution because someone exploited their site configuration. At least not until we get some sort of post-mortem that details the successful attack vector.

    N.B.: I do not use Devuan on a regular basis. I've played around with it a bit, but I have no skin in their game.

    • (Score: 0) by Anonymous Coward on Monday April 01 2019, @05:40PM (1 child)

      by Anonymous Coward on Monday April 01 2019, @05:40PM (#823161)

      i don't use dev-Juan either but i tend to agree. the people who hack on kernels and other system level stuff are not necessarily the same people who are web devs. When one does try to do the other, sometimes they are not so great at it. it doesn't necessarily have shit to do with their other competencies.

      • (Score: 0) by Anonymous Coward on Monday April 01 2019, @07:12PM

        by Anonymous Coward on Monday April 01 2019, @07:12PM (#823218)

        i don't use dev-Juan either but i tend to agree. the people who hack on kernels and other system level stuff are not necessarily the same people who are web devs. When one does try to do the other, sometimes they are not so great at it. it doesn't necessarily have shit to do with their other competencies.

        Web devs are even worse than kernel hackers. Kernel hackers don't *think* they know how to secure a website. Web devs generally don't know how to do so either, but they often *think* they do. That's much more dangerous.

        Standing up a dev platform is *not* the same thing as setting up a production instance of a web server -- especially if it's exposed to the Internet.

    • (Score: 0) by Anonymous Coward on Monday April 01 2019, @08:53PM

      by Anonymous Coward on Monday April 01 2019, @08:53PM (#823253)

      Assuming this isn't an April Fool's joke, I agree that Devuan admins should try their best to secure their web server(s). However, as someone with 25+ years of infosec/operations experience, I'd hesitate to condemn the whole Devuan distribution because their website was hacked.

      Agreed. Clearly it's not good, but it may not be that bad.

      We are all technically people here. I'm sure many here remember this XKCD [xkcd.com]. Equally applies.

  • (Score: 5, Informative) by Anonymous Coward on Monday April 01 2019, @06:00PM (16 children)

    by Anonymous Coward on Monday April 01 2019, @06:00PM (#823174)

    Unfortunately, it was an April Fools joke that went too far:
    https://lists.dyne.org/lurker/message/20190401.070222.844cb081.en.html [dyne.org]

    • (Score: 5, Funny) by NotSanguine on Monday April 01 2019, @06:14PM (12 children)

      Unfortunately, it was an April Fools joke that went too far:
      https://lists.dyne.org/lurker/message/20190401.070222.844cb081.en.html

      Unfortunately? How so?

      Would it have been better if it *was* an actual hack?

      But gopher? Geez, Louise! I'm not going with that newfangled crap! It's anonymous FTP lists for me!

      Next you'll be telling me I need to use Archie [wikipedia.org] or Veronica. [wikipedia.org]

      Kids today, I tell ya!

      --
      No, no, you're not thinking; you're just being logical. --Niels Bohr
      • (Score: 0) by Anonymous Coward on Monday April 01 2019, @08:15PM (10 children)

        by Anonymous Coward on Monday April 01 2019, @08:15PM (#823244)

        Unfortunately, it was an April Fools joke that went too far:

        Unfortunately? How so?

        Uh... It was unfortunate for all of those trying to use the site and do installs at the time, because it went too far (please carefully read the above post to which you responded). Unfortunately, the joke was irresponsibly perpetrated on the site's main page, so that no downloads nor documentation could be found/accessed.

        • (Score: 3, Informative) by NotSanguine on Monday April 01 2019, @09:57PM (8 children)

          Unfortunately, the joke was irresponsibly perpetrated on the site's main page, so that no downloads nor documentation could be found/accessed.

          That's not true. In fact, all content continued to be available and accessible (and documented as such on the main page) as you can see from TFS:

          WWW -> gopher://www.devuan.org [devuan.org]
          GIT -> gopher://git.devuan.org [devuan.org]
          ISOS -> gopher://files.devuan.org [devuan.org]
          INFO -> gopher://pkginfo.devuan.org [devuan.org]
          BTS -> gopher://bugs.devuan.org [devuan.org]
          STATS -> gopher://popcon.devuan.org [devuan.org]
          [...]
          IF YOU LUSER CAN'T USE A GOPHER CLIENT, USE THE PROXY AT:
          https://gopher.floodgap.com/gopher/gw [floodgap.com]

          You want some cheese with that [tenor.com]? Please.

          --
          No, no, you're not thinking; you're just being logical. --Niels Bohr
          • (Score: 3, Insightful) by darkfeline on Tuesday April 02 2019, @04:01AM (7 children)

            by darkfeline (1030) on Tuesday April 02 2019, @04:01AM (#823429) Homepage

            If a website claims to be hacked, are you seriously going to follow the links on the supposedly hacked page to downloads? That sounds like a great way to download malware, especially since gopher has zero security, zero encryption, etc. Even if the page wasn't hacked you probably shouldn't be downloading executable code through gopher.

            I apologize for the snark in the submission; I am only human. But if any of the distros that I use regularly (Arch Linux, Debian, and FreeBSD) appeared to be compromised, I would want to know ASAP, and that's why I submitted this story for the Devuan users. Also, if any of said distros pulled this kind of stunt, I would seriously reconsider using them [1]. There are benign jokes, and there are jokes that are off limits.

            Of course, the Devuan devs are only human; mistakes will be made. As an AC noted this turned out to be an April Fool's joke by the devs, not hackers.

            There are lots of good distributions without systemd beside Devuan, and since I have heard some negative comments around Devuan I would recommend checking those out. But I don't really have any personal connection with Devuan as I don't use it.

            [1]: Comments about systemd being a compromise or stunt are anticipated and unoriginal; if you actually want to have a rational discussion about systemd I welcome it, but emotional reactions to "Unix philosophy" or "Lennart Poettering" are unproductive.

            --
            Join the SDF Public Access UNIX System today!
            • (Score: 2) by NotSanguine on Tuesday April 02 2019, @04:29AM (5 children)

              I apologize for the snark in the submission; I am only human. But if any of the distros that I use regularly (Arch Linux, Debian, and FreeBSD) appeared to be compromised, I would want to know ASAP, and that's why I submitted this story for the Devuan users. Also, if any of said distros pulled this kind of stunt, I would seriously reconsider using them [1]. There are benign jokes, and there are jokes that are off limits.

              Firstly, I didn't take issue with the snark. I merely wanted to point out that if you connect it to the Internet, you should assume that -- at some point -- it will be hacked. What's more, as I pointed out, the quality of system administration for a website isn't really a good metric for gauging the quality of an OS distribution, or any product/service (unless that service happens to be web hosting) for that matter.

              That said, it was pretty dumb for the Devuan folks to fake a site compromise. They could just as easily have done something similar with an "announcement" that access to Devuan would now be through gopher only. That would have been just as amusing to many, and less alarming to those who either use the distribution and/or are comedically challenged.

              That sounds like a great way to download malware, especially since gopher has zero security, zero encryption, etc. Even if the page wasn't hacked you probably shouldn't be downloading executable code through gopher.

              How is gopher any worse than http in those respects? What "security" is provided by http/s? Https encryption can only (assuming that no one has compromised a transparent proxy along the path) stop MiTM attacks and won't help if there are issues at the endpoints.

              You do verify cryptographic signatures [devuan.org] on downloaded code, don't you?

              So long as you have a clean mechanism (e.g., cryptographic hashes of the binaries in question) to confirm non-repudiation on anything you download, it shouldn't matter if you use http, gopher, FTP or uuencoded Usenet posts.

              --
              No, no, you're not thinking; you're just being logical. --Niels Bohr
              • (Score: 2) by darkfeline on Tuesday April 02 2019, @06:33AM (4 children)

                by darkfeline (1030) on Tuesday April 02 2019, @06:33AM (#823486) Homepage

                Where will I get the key to verify the cryptographic signature with? Usually it's served alongside the file (ironically, the link you provided is down for me due to a bad cert). Normally, I would verify the key by also checking various other places through HTTPS, since it's unlikely that all of those endpoints are compromised by the same party. In theory you could use the web of trust, but that does not scale to the level for the average person to use effectively.

                Basically, trust has to start somewhere, and the best solution we have come up with so far is centralized trust (SSL). gopher doesn't support SSL as far as I know, and I wouldn't trust any gopher client that claims to support it properly, since there's no way it has enough eyes on it probing for bugs.

                --
                Join the SDF Public Access UNIX System today!
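
Added example, not part of any comment in this thread: a Python illustration of the two checks argued over above, cross-checking a file's SHA-256 across independently fetched `SHA256SUMS` manifests and then verifying the downloaded bytes, whatever transport delivered them. The file name, source labels and manifest contents are constructed for illustration; agreement between digests is weaker than a signature made with a key whose fingerprint has been cross-checked the same way.

```python
import hashlib
import hmac
import io
import re
from collections import Counter

# coreutils-style manifest line: "<64 hex>  name" (text) or "<64 hex> *name" (binary)
ENTRY = re.compile(r"^([0-9a-fA-F]{64}) [ *](.+)$")


def parse_sha256sums(text):
    """Return {filename: lowercase hex digest}; reject malformed or conflicting lines."""
    entries = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        match = ENTRY.match(line)
        if match is None:
            raise ValueError(f"line {lineno}: not a SHA256SUMS entry")
        digest, name = match.group(1).lower(), match.group(2)
        if entries.setdefault(name, digest) != digest:
            raise ValueError(f"line {lineno}: conflicting digests for {name!r}")
    return entries


def agreed_digest(manifests, filename, quorum=2):
    """Digest that at least `quorum` sources report for `filename`.

    `manifests` maps a source label to manifest text obtained over a separate
    channel. Any dissenting digest is a hard failure, never outvoted: one
    source disagreeing is exactly the signal worth investigating.
    """
    if quorum < 1:
        raise ValueError("quorum must be at least 1")
    votes = Counter()
    for text in manifests.values():
        try:
            digest = parse_sha256sums(text).get(filename)
        except ValueError:
            continue  # a malformed manifest contributes no vote
        if digest is not None:
            votes[digest] += 1
    if len(votes) > 1:
        raise ValueError(f"sources disagree on {filename!r}: {dict(votes)}")
    if sum(votes.values()) < quorum:
        raise ValueError(
            f"only {sum(votes.values())} source(s) list {filename!r}, need {quorum}"
        )
    return next(iter(votes))


def verify_stream(stream, expected_hex, chunk_size=1 << 20):
    """Hash a binary stream in chunks and compare with the expected digest."""
    hasher = hashlib.sha256()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        hasher.update(chunk)
    return hmac.compare_digest(hasher.hexdigest(), expected_hex.lower())


# --- constructed sample data (not real Devuan files, digests or mirrors) ---
SAMPLE_NAME = "sample_installer.iso"
SAMPLE_IMAGE = b"constructed stand-in for an installer image\n"
GOOD_DIGEST = hashlib.sha256(SAMPLE_IMAGE).hexdigest()
BAD_DIGEST = hashlib.sha256(b"constructed tampered image\n").hexdigest()
SAMPLE_MANIFESTS = {
    "mirror-a (https)": f"{GOOD_DIGEST}  {SAMPLE_NAME}\n",
    "mirror-b (gopher)": f"{GOOD_DIGEST} *{SAMPLE_NAME}\n",
    "mailing-list archive": f"# constructed\n{GOOD_DIGEST.upper()}  {SAMPLE_NAME}\n",
}
# Same sources, but one of them now advertises a different digest.
TAMPERED_MANIFESTS = {
    **SAMPLE_MANIFESTS,
    "mirror-b (gopher)": f"{BAD_DIGEST}  {SAMPLE_NAME}\n",
}

if __name__ == "__main__":
    digest = agreed_digest(SAMPLE_MANIFESTS, SAMPLE_NAME)
    print("agreed digest:", digest)
    print("image verifies:", verify_stream(io.BytesIO(SAMPLE_IMAGE), digest))
    try:
        agreed_digest(TAMPERED_MANIFESTS, SAMPLE_NAME)
    except ValueError as err:
        print("refused:", err)
```
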
                • (Score: 2) by NotSanguine on Tuesday April 02 2019, @07:26AM (2 children)

                  Basically, trust has to start somewhere, and the best solution we have come up with so far is centralized trust (SSL). gopher doesn't support SSL as far as I know, and I wouldn't trust any gopher client that claims to support it properly, since there's no way it has enough eyes on it probing for bugs.

                  I assume you mean TLS, as SSL has been deprecated and shouldn't be supported any more by devices using encryption.

                  TLS == Trust? I don't think so. Unless you're using client certificates all TLS gets you is encryption. And just because it's encrypted doesn't mean it's trusted, or even necessarily secure.

                  As for gopher over TLS, that wouldn't really buy you anything except degraded performance.

                  If you're referring to X.509 certificate chains (which isn't, BTW, TLS), then yes, assuming you trust the CA (which can be an iffy proposition) that signed the certificate, there is some small measure of trust you might place in such a certificate chain. However, a site that's been pwned will have that same X.509 cert, yet may be serving up trojaned code.

                  Which is why the transport mechanism (http/s, FTP, rsync, bittorrent, gopher, usenet or little bits of paper from an RFC1149 network, etc.) is much less important than a *clean* mechanism for confirming data integrity and non-repudiation.

                  ironically, the link you provided is down for me due to a bad cert

                  It's not necessarily a bad cert, it's just not a Devuan cert.

                  I took a look and this is because the link I gave you appears to redirect to a third-party mirror site (one of a whole bunch), which (obviously) don't have devuan certs. This appears to be a problem with the redirect, as the mirror sites (at least the HTTPS ones) have their own certs.

                  As to whether those certs can be trusted or not, I can't say. And even if I assumed they could be trusted, I'd still verify data integrity via digital signatures.

                  Just to clarify, I have no connection to Devuan, nor do I use that distribution for personal or professional purposes.

                  --
                  No, no, you're not thinking; you're just being logical. --Niels Bohr
                  • (Score: 2) by darkfeline on Tuesday April 02 2019, @10:46PM (1 child)

                    by darkfeline (1030) on Tuesday April 02 2019, @10:46PM (#823840) Homepage

                    I use SSL and TLS interchangeably. They are basically the same thing which is why they're almost always referred to as TLS/SSL or SSL/TLS. Yes, I know that they're "technically" different, so you win a point; I don't think it really matters though. Just like GNU/Linux vs Linux, most people know what you're talking about. SSL 3.0 vs TLS 1.0, TLS 1.0 vs TLS 3.0, same difference.

                    You can't practically confirm data integrity without a transport protocol, so at the end of the day you need a secure transport protocol. You need a secure transport protocol, you can't just hire armed men to escort a USB containing the right public key to check the signature on a file.

                    > If you're referring to X.509 certificate chains (which isn't, BTW, TLS), then yes, assuming you trust the CA (which can be an iffy proposition) that signed the certificate

                    As I said, that's the most practical solution thus far. Again, you win a point for technicality; I am talking about TLS with certs which as far as I am aware is how TLS is used 99.99% of the time. Again, the average person would understand.

                    > However, a site that's been pwned will have that same X.509 cert, yet may be serving up trojaned code.

                    As I said, I can check multiple sites; it's fairly unlikely all of them are compromised by the same entity at the same time.

                    --
                    Join the SDF Public Access UNIX System today!
                    • (Score: 2) by NotSanguine on Tuesday April 02 2019, @11:17PM

                      You can't practically confirm data integrity without a transport protocol, so at the end of the day you need a secure transport protocol.

                      That would be great! Please tell me what qualifies as a "secure transport protocol."

                      As I said, I can check multiple sites; it's fairly unlikely all of them are compromised by the same entity at the same time.

                      And that negates the first point I quoted, given that even if the main Devuan site had been hacked, there were still more than fifty, presumably unhacked, mirrors [devuan.org].

                      Given that what are almost certainly valid, unhacked mirror sites, your "secure" transport complained that it was "bad." That sounds more like a denial-of-service than "security" to me. Granted, the problem there appears to be an interaction between the Devuan mirror redirect and your browser. I did not see that issue, even though I'm forcing HTTPS via HTTPS Everywhere [eff.org]. Strange.

                      Regardless, we're not going to agree on this, so I won't continue to share my decades of InfoSec experience with you, since it's obviously not appreciated. Good luck!

                      --
                      No, no, you're not thinking; you're just being logical. --Niels Bohr
                • (Score: 2) by Runaway1956 on Tuesday April 02 2019, @01:47PM

                  by Runaway1956 (2926) Subscriber Badge on Tuesday April 02 2019, @01:47PM (#823600) Journal

                  Where will I get the key to verify the cryptographic signature with?

                  Depends on who you trust more - the NSA or the Kremlin.

            • (Score: 0) by Anonymous Coward on Friday April 05 2019, @09:14AM

              by Anonymous Coward on Friday April 05 2019, @09:14AM (#824831)

              I think the point is that Devuan would not get such a hard time if it was a systemd based distro, and the article came off like you were saying "I knew we shouldn't take Devuan seriously and here is the proof." which can easily be a biased point of view for someone who likes systemd. Arguments against systemd or for it don't come into that, except to say that the same can be levied at systemd based on recent history, but debates about the design of it would never end so I think that's beyond the scope of this thread. Same with Devuan - I think its merits and cons don't come into it if its value is based at all on whether or not they allow users to run another init.

        • (Score: 0) by Anonymous Coward on Tuesday April 02 2019, @08:13AM

          by Anonymous Coward on Tuesday April 02 2019, @08:13AM (#823514)

          “You know, I used to think it was awful that life was so unfair. Then I thought, wouldn't it be much worse if life were fair, and all the terrible things that happen to us come because we actually deserve them? So, now I take great comfort in the general hostility and unfairness of the universe.”

          --JMS

      • (Score: 2) by isostatic on Monday April 01 2019, @10:09PM

        by isostatic (365) on Monday April 01 2019, @10:09PM (#823290) Journal

        What amazes me is that Gopher, WAIS and Archie were all from about the same era (I think WAIS was a couple of years earlier), and about the same time that the web came out. It was anyone's net back then, but within a couple of years Mosaic gave way to Netscape and the web was cemented as the protocol of the future.

    • (Score: 4, Interesting) by hendrikboom on Monday April 01 2019, @08:53PM (2 children)

      by hendrikboom (1125) Subscriber Badge on Monday April 01 2019, @08:53PM (#823252) Homepage Journal

      It was an April fool's prank. The two numbers whose primeness is in question, when decoded with

      date -u -d @7779847

      date -u -d @1554080659

      turn out to be moments on April 1 in different years.

      It's not clear who perpetrated it.

      • (Score: 3, Informative) by hendrikboom on Monday April 01 2019, @11:16PM (1 child)

        by hendrikboom (1125) Subscriber Badge on Monday April 01 2019, @11:16PM (#823311) Homepage Journal

        The culprit has confessed. He is a core developer who has been with the project from the beginning. He apologized, says the joke went too far, certainly was taken far beyond what he expected. He tells us he has learned from the experience, and will never do anything like it again. He further points out that no critical Devuan infrastructure was tampered with in any way -- all that happened was an HTML redirect of the main page to an alternative server with the fake page.

        I'm told that the gopher links on the fake front page actually did point to valid Devuan infrastructure, though I haven't been able to check this myself.

        -- hendrik

        • (Score: 2) by NotSanguine on Tuesday April 02 2019, @04:31AM

          I'm told that the gopher links on the fake front page actually did point to valid Devuan infrastructure, though I haven't been able to check this myself.

          I checked. And they did.

          --
          No, no, you're not thinking; you're just being logical. --Niels Bohr
  • (Score: -1, Troll) by Anonymous Coward on Tuesday April 02 2019, @01:44AM

    by Anonymous Coward on Tuesday April 02 2019, @01:44AM (#823360)

    I'M CALLING YOU! WHAT IS WRONG!!!

  • (Score: 2) by srobert on Tuesday April 02 2019, @02:45AM (1 child)

    by srobert (4803) on Tuesday April 02 2019, @02:45AM (#823391)

    Now that headline would be an April Fool's joke.

    • (Score: 2) by MadTinfoilHatter on Tuesday April 02 2019, @05:00AM

      by MadTinfoilHatter (4635) on Tuesday April 02 2019, @05:00AM (#823454)

      They did that joke a few Aprils ago. It was before Devuan Jessie was even released, they made a post about how they had realized the project wasn't going anywhere, that systemd was the way forward and that they would donate the money the project had received to the Pottering Ego Boost Fund (or some such BS). I tried to find a link but couldn't. :-(

      That April fools was actually a bit funny, because it sounded quite plausible in the beginning, only to get increasingly wacky toward the end, so odds were that you would get tagged along in an "Oh, shit! Our best hope to get rid of systemd is gone!"-mode only to realize you had been trolled by the time you got to the Pottering fund.

  • (Score: 0) by Anonymous Coward on Tuesday April 02 2019, @03:21AM (2 children)

    by Anonymous Coward on Tuesday April 02 2019, @03:21AM (#823409)

    In any case, it's a warning about taking Devuan too seriously; either

    Oh My Gwarsh! The home page of Devuan was refaced! Wow, they're seriously not taking security seriously. Unlike those kernel.org guys ( https://www.theregister.co.uk/2011/08/31/linux_kernel_security_breach/ [theregister.co.uk] ), they totally know what they're doing! Why, they weren't hacked, they _gave_ the nsa access!!!#!

    Or Linux Mint!! https://www.pcworld.com/article/3035682/hackers-planted-a-backdoor-inside-a-compromised-version-of-linux-mint.html [pcworld.com] They were using Systemd, though, so it was probably just someone using a duplicate password somewhere. The damn users, always the problem!

    Gnome is a beacon of light! https://www.zone-h.org/news/id/3889 [zone-h.org] They wouldn't ever have been compromised themselves, it's Devuan who is inept! Down with those clowns!

    And when the Devuan idiots are sitting there letting their public face be tarnished, the Debian devs have never allowed such malice to affect them. No, the Debian folks suffer https://www.zone-h.org/news/id/4371 [zone-h.org] only breaches on their development servers. The _Debian_ folks know what's worthwhile.

    Fucking flamebait article. I hope you like the responses. Dumbasses. (The site admins, especially.)

    • (Score: 0) by Anonymous Coward on Tuesday April 02 2019, @06:54AM

      by Anonymous Coward on Tuesday April 02 2019, @06:54AM (#823494)

      Hopefully taking your loaded sarcasm and irony the right way here.

      Anyway, I would agree this isn't quite as bad as people think. This is definitely a joke and the core developer behind it has apologized for getting people in a state about it. For my own part I feel no harm has been done and I'm cutting him a well earned break. All the core developers work really hard to continue delivering releases. It's annoying that it might hurt the image of my favourite distro but I'm letting him off the hook for my part.

    • (Score: 2) by Bot on Tuesday April 02 2019, @07:33AM

      by Bot (3902) on Tuesday April 02 2019, @07:33AM (#823510) Journal

      Don't forget an ugly one https://www.debian.org/security/2008/dsa-1571 [debian.org]
      IIRC it was a = instead of an == in a test, an Underhanded C Contest material IMHO

      --
      Account abandoned.
  • (Score: 0) by Anonymous Coward on Tuesday April 02 2019, @03:47PM

    by Anonymous Coward on Tuesday April 02 2019, @03:47PM (#823646)

    It's nice that there is still a sense of scruffy hacker humour around. There are large parts of the free software community which have become boring, politically correct and corporate-like, as if we're selling a product. I like the stupid jokes and the sarcasm. I want communities that are fun to be in and not one where I feel like I'm an unpaid slave who works on software. Having fun on IRC and mailing lists is important. If I can't have fun while I program, I want a paycheck.

    This joke was great. I fear that people who took offense to the joke have serious security issues, because it appears like they base their entire sense of security on trust. Security is a method and not one that is based on faith and doesn't deal with failure.
