SoylentNews is people

posted by martyb on Monday April 01 2019, @02:12PM
from the I-want-a-pwny! dept.

The Devuan website looks hacked. Given the timing, it's probable that it is an April Fools' joke, though it's not clear if it's the Devuan devs' April Fools' joke or the hackers' April Fools' joke. In any case, it's probably better for any Devuan users to avoid updating their packages and keep an eye out for signs of compromise.

If it is a joke by the devs, then they are taking it pretty far, since official channels of communication say that the hack is real (but packages are not compromised): https://lists.dyne.org/lurker/message/20190331.191104.169aaf9a.en.html

In any case, it's a warning about taking Devuan too seriously; either they don't know how to secure their servers, or they don't know what it means to take a joke too far.

https://www.devuan.org/ redirects to https://www.devuan.org/pwned.html which displays:

                                 _           _                       THE WEB SUCKS -- JAVASCRIPT SUCKS -- BROWSERS SUCK
          _  ___ ___  ___ ___   | |    _ _  | |
        / _`|  _| -_)  -_)   \  |  \ / _` ||  _|                         GOPHER IS THE WAY -- GOPHER IS THE FUTURE
        \__,|_| \___|\___|_|_|  |_|_|\__,_| \__|
        ___/_              _
           | |    _ _  __ | |_  ___  ___  ___               ********************************************************************
           |  \ / _` |/ _|| | // -_)|  _|(_-<                        ******       DEVUAN.ORG HAS BEEN PWNED       ******
           |_|_|\__,_|\__||_\_\\___||_| (___/               ********************************************************************
           .................................
         ...........##...#...#####............                 WE TURNED ALL DEVUAN'S SHITTY WEBSITES INTO PROPER GOPHERHOLES
        ...........###...#.##########............
       ...........####....###.......##............          ********************************************************************
     ............#############......##..............
    ............#######################..............            ***  STOP THE MADNESS -- GET YOURSELF A GOPHER CLIENT  ***
   .............#######################...............
  .............#######################.................                 WWW   ->   gopher://www.devuan.org
  .............#####################.....#.............                 GIT   ->   gopher://git.devuan.org
...............###############.........######..........                ISOS  ->   gopher://files.devuan.org
........######.##############.........#########........                INFO  ->   gopher://pkginfo.devuan.org
.......######################.......############.........               BTS   ->   gopher://bugs.devuan.org
......########################################...........               STATS ->   gopher://popcon.devuan.org
.......#####################################.............
........#################################................      ***  GOPHER IS STILL ALIVE AND KICKING -- JUST CHECK IT OUT  ***
..........###########################....................
.............##################..........................         gopher://gopherproject.org -- gopher://gopher.floodgap.com
......................................#####..............    gopher://bitreich.org - gopher://sdf.org - gopher://gopherpedia.com
...............................###########.............             gopher://circumlunar.space -  gopher://gopher.quux.org
.............................###########...............
  .............########################.....#######....        ***  KISS PORT 80 GOODBYE -- JOIN THE REVOLUTION ON PORT 70  ***
  .............#####....###############...#########....
   ............#####.....############################.      *******************************************************************
    .######.....####################################.
     .#######....##################################.               WE KNOW YOU -- WE FOLLOW YOU -- WE OWN YOUR COMPUTERS
      ..#######...###############################..
        ..######..#############################..                        *****    ANY RESISTANCE IS FUTILE    *****
          ...###############################...
             ...#########################...                   WE ARE GREEN HAT HACKERS: WE CAME, WE SAW, WE KICKED YOUR ASS
                ......#############......
                  .....................                     *******************************************************************

                                                                 IF YOU LUSER CAN'T USE A GOPHER CLIENT, USE THE PROXY AT:
                                                                           https://gopher.floodgap.com/gopher/gw

                                                                       BOTH 7779847 AND 1554080659 ARE PRIME NUMBERS


  • (Score: 5, Funny) by NotSanguine on Monday April 01 2019, @06:14PM (12 children)

    Unfortunately, it was an April Fools joke that went too far:
    https://lists.dyne.org/lurker/message/20190401.070222.844cb081.en.html

    Unfortunately? How so?

    Would it have been better if it *was* an actual hack?

    But gopher? Geez, Louise! I'm not going with that newfangled crap! It's anonymous FTP lists for me!

    Next you'll be telling me I need to use Archie [wikipedia.org] or Veronica. [wikipedia.org]

    Kids today, I tell ya!

    --
    No, no, you're not thinking; you're just being logical. --Niels Bohr
  • (Score: 0) by Anonymous Coward on Monday April 01 2019, @08:15PM (10 children)

    Unfortunately, it was an April Fools joke that went too far:

    Unfortunately? How so?

    Uh... It was unfortunate for all of those trying to use the site and do installs at the time, because it went too far (please carefully read the above post to which you responded). Unfortunately, the joke was irresponsibly perpetrated on the site's main page, so that no downloads nor documentation could be found/accessed.

    • (Score: 3, Informative) by NotSanguine on Monday April 01 2019, @09:57PM (8 children)

      Unfortunately, the joke was irresponsibly perpetrated on the site's main page, so that no downloads nor documentation could be found/accessed.

      That's not true. In fact, all content continued to be available and accessible (and documented as such on the main page) as you can see from TFS:

      WWW -> gopher://www.devuan.org [devuan.org]
      GIT -> gopher://git.devuan.org [devuan.org]
      ISOS -> gopher://files.devuan.org [devuan.org]
      INFO -> gopher://pkginfo.devuan.org [devuan.org]
      BTS -> gopher://bugs.devuan.org [devuan.org]
      STATS -> gopher://popcon.devuan.org [devuan.org]
      [...]
      IF YOU LUSER CAN'T USE A GOPHER CLIENT, USE THE PROXY AT:
      https://gopher.floodgap.com/gopher/gw [floodgap.com]

      You want some cheese with that [tenor.com]? Please.

      --
      No, no, you're not thinking; you're just being logical. --Niels Bohr
      • (Score: 3, Insightful) by darkfeline on Tuesday April 02 2019, @04:01AM (7 children)

        If a website claims to be hacked, are you seriously going to follow the links on the supposedly hacked page to downloads? That sounds like a great way to download malware, especially since gopher has zero security, zero encryption, etc. Even if the page wasn't hacked you probably shouldn't be downloading executable code through gopher.

        I apologize for the snark in the submission; I am only human. But if any of the distros that I use regularly (Arch Linux, Debian, and FreeBSD) appeared to be compromised, I would want to know ASAP, and that's why I submitted this story for the Devuan users. Also, if any of said distros pulled this kind of stunt, I would seriously reconsider using them [1]. There are benign jokes, and there are jokes that are off limits.

        Of course, the Devuan devs are only human; mistakes will be made. As an AC noted, this turned out to be an April Fools' joke by the devs, not hackers.

        There are lots of good distributions without systemd beside Devuan, and since I have heard some negative comments around Devuan I would recommend checking those out. But I don't really have any personal connection with Devuan as I don't use it.

        [1]: Comments about systemd being a compromise or stunt are anticipated and unoriginal; if you actually want to have a rational discussion about systemd I welcome it, but emotional reactions to "Unix philosophy" or "Lennart Poettering" are unproductive.

        --
        Join the SDF Public Access UNIX System today!
        • (Score: 2) by NotSanguine on Tuesday April 02 2019, @04:29AM (5 children)

          I apologize for the snark in the submission; I am only human. But if any of the distros that I use regularly (Arch Linux, Debian, and FreeBSD) appeared to be compromised, I would want to know ASAP, and that's why I submitted this story for the Devuan users. Also, if any of said distros pulled this kind of stunt, I would seriously reconsider using them [1]. There are benign jokes, and there are jokes that are off limits.

          Firstly, I didn't take issue with the snark. I merely wanted to point out that if you connect it to the Internet, you should assume that -- at some point -- it will be hacked. What's more, as I pointed out, the quality of system administration for a website isn't really a good metric for gauging the quality of an OS distribution, or any product/service (unless that service happens to be web hosting) for that matter.

          That said, it was pretty dumb for the Devuan folks to fake a site compromise. They could just as easily have done something similar with an "announcement" that access to Devuan would now be through gopher only. That would have been just as amusing to many, and less alarming to those who either use the distribution and/or are comedically challenged.

          That sounds like a great way to download malware, especially since gopher has zero security, zero encryption, etc. Even if the page wasn't hacked you probably shouldn't be downloading executable code through gopher.

          How is gopher any worse than http in those respects? What "security" is provided by http/s? Https encryption can only (assuming that no one has compromised a transparent proxy along the path) stop MiTM attacks and won't help if there are issues at the endpoints.

          You do verify cryptographic signatures [devuan.org] on downloaded code, don't you?

          So long as you have a clean mechanism (e.g., cryptographic hashes of the binaries in question) to confirm non-repudiation on anything you download, it shouldn't matter if you use http, gopher, FTP or uuencoded Usenet posts.

          --
          No, no, you're not thinking; you're just being logical. --Niels Bohr
          • (Score: 2) by darkfeline on Tuesday April 02 2019, @06:33AM (4 children)

            Where will I get the key to verify the cryptographic signature with? Usually it's served alongside the file (ironically, the link you provided is down for me due to a bad cert). Normally, I would verify the key by also checking various other places through HTTPS, since it's unlikely that all of those endpoints are compromised by the same party. In theory you could use the web of trust, but that does not scale to the level for the average person to use effectively.

            Basically, trust has to start somewhere, and the best solution we have come up with so far is centralized trust (SSL). gopher doesn't support SSL as far as I know, and I wouldn't trust any gopher client that claims to support it properly, since there's no way it has enough eyes on it probing for bugs.

            --
            Join the SDF Public Access UNIX System today!
            • (Score: 2) by NotSanguine on Tuesday April 02 2019, @07:26AM (2 children)

              Basically, trust has to start somewhere, and the best solution we have come up with so far is centralized trust (SSL). gopher doesn't support SSL as far as I know, and I wouldn't trust any gopher client that claims to support it properly, since there's no way it has enough eyes on it probing for bugs.

              I assume you mean TLS, as SSL has been deprecated and shouldn't be supported any more by devices using encryption.

              TLS == Trust? I don't think so. Unless you're using client certificates all TLS gets you is encryption. And just because it's encrypted doesn't mean it's trusted, or even necessarily secure.

              As for gopher over TLS, that wouldn't really buy you anything except degraded performance.

              If you're referring to X.509 certificate chains (which isn't, BTW, TLS), then yes, assuming you trust the CA (which can be an iffy proposition) that signed the certificate, there is some small measure of trust you might place in such a certificate chain. However, a site that's been pwned will have that same X.509 cert, yet may be serving up trojaned code.

              Which is why the transport mechanism (http/s, FTP, rsync, bittorrent, gopher, usenet or little bits of paper from an RFC1149 network, etc.) is much less important than a *clean* mechanism for confirming data integrity and non-repudiation.

              ironically, the link you provided is down for me due to a bad cert

              It's not necessarily a bad cert, it's just not a Devuan cert.

              I took a look and this is because the link I gave you appears to redirect to a third-party mirror site (one of a whole bunch), which (obviously) don't have devuan certs. This appears to be a problem with the redirect, as the mirror sites (at least the HTTPS ones) have their own certs.

              As to whether those certs can be trusted or not, I can't say. And even if I assumed they could be trusted, I'd still verify data integrity via digital signatures.

              Just to clarify, I have no connection to Devuan, nor do I use that distribution for personal or professional purposes.

              --
              No, no, you're not thinking; you're just being logical. --Niels Bohr
              • (Score: 2) by darkfeline on Tuesday April 02 2019, @10:46PM (1 child)

                I use SSL and TLS interchangeably. They are basically the same thing which is why they're almost always referred to as TLS/SSL or SSL/TLS. Yes, I know that they're "technically" different, so you win a point; I don't think it really matters though. Just like GNU/Linux vs Linux, most people know what you're talking about. SSL 3.0 vs TLS 1.0, TLS 1.0 vs TLS 3.0, same difference.

                You can't practically confirm data integrity without a transport protocol, so at the end of the day you need a secure transport protocol. You need a secure transport protocol; you can't just hire armed men to escort a USB containing the right public key to check the signature on a file.

                > If you're referring to X.509 certificate chains (which isn't, BTW, TLS), then yes, assuming you trust the CA (which can be an iffy proposition) that signed the certificate

                As I said, that's the most practical solution thus far. Again, you win a point for technicality; I am talking about TLS with certs which as far as I am aware is how TLS is used 99.99% of the time. Again, the average person would understand.

                > However, a site that's been pwned will have that same X.509 cert, yet may be serving up trojaned code.

                As I said, I can check multiple sites; it's fairly unlikely all of them are compromised by the same entity at the same time.

                --
                Join the SDF Public Access UNIX System today!
                • (Score: 2) by NotSanguine on Tuesday April 02 2019, @11:17PM

                  You can't practically confirm data integrity without a transport protocol, so at the end of the day you need a secure transport protocol.

                  That would be great! Please tell me what qualifies as a "secure transport protocol."

                  As I said, I can check multiple sites; it's fairly unlikely all of them are compromised by the same entity at the same time.

                  And that negates the first point I quoted, given that even if the main Devuan site had been hacked, there were still more than fifty, presumably unhacked, mirrors [devuan.org].

                  Given what are almost certainly valid, unhacked mirror sites, your "secure" transport complained that it was "bad." That sounds more like a denial-of-service than "security" to me. Granted, the problem there appears to be an interaction between the Devuan mirror redirect and your browser. I did not see that issue, even though I'm forcing HTTPS via HTTPS Everywhere [eff.org]. Strange.

                  Regardless, we're not going to agree on this, so I won't continue to share my decades of InfoSec experience with you, since it's obviously not appreciated. Good luck!

                  --
                  No, no, you're not thinking; you're just being logical. --Niels Bohr
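As an added example, not Devuan's tooling and not code from any of the commenters above: the check NotSanguine describes (verify the signed checksum list, then the image, whatever transport delivered them) together with the question darkfeline raises about where the trusted key comes from, written out in Python. The pinned fingerprint, the file names and the gpg status lines used in demo() are constructed assumptions; a real run needs gpg installed and the release key's fingerprint pinned from somewhere other than the mirror that served the files.

```python
"""Verify a downloaded release image independently of the transport it came over.

Added example: not Devuan's tooling and not code from any poster in this thread.
Assumed layout (file names are assumptions): an image, a SHA256SUMS list in
sha256sum(1) format, and a detached OpenPGP signature SHA256SUMS.asc over that
list.  The release key's fingerprint is pinned here and has to come from
somewhere other than the mirror that served the files.
"""
import hashlib
import hmac
import re
import subprocess
import tempfile
from pathlib import Path
from typing import Dict

# Assumed fingerprint for illustration only; NOT Devuan's real release key.
PINNED_FINGERPRINT = "0123456789ABCDEF0123456789ABCDEF01234567"
# gpg status keywords after which the signature must not be accepted.
REJECT_KEYWORDS = {"BADSIG", "EXPKEYSIG", "REVKEYSIG", "ERRSIG", "NO_PUBKEY"}

def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Hex SHA-256 of a file, streamed so multi-gigabyte ISOs fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def parse_sha256sums(text: str) -> Dict[str, str]:
    """Parse 'hexdigest  filename' lines ('*' marks binary mode).
    Malformed lines raise instead of being skipped, so a truncated or tampered
    list cannot silently lose entries."""
    entries: Dict[str, str] = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        m = re.fullmatch(r"([0-9a-fA-F]{64})\s+\*?(\S.*)", line)
        if not m:
            raise ValueError(f"SHA256SUMS line {lineno} is malformed: {line!r}")
        entries[m.group(2)] = m.group(1).lower()
    return entries

def file_matches_sums(path: Path, sums_text: str) -> bool:
    """True iff the file's digest equals the list entry for its basename."""
    expected = parse_sha256sums(sums_text).get(path.name)
    return expected is not None and hmac.compare_digest(sha256_file(path), expected)

def signed_by_pinned_key(gpg_status: str, pinned_fpr: str = PINNED_FINGERPRINT) -> bool:
    """Judge the signature from gpg --status-fd output, not from gpg's exit code.
    gpg exits 0 for a good signature by *any* key in the keyring, so a mirror that
    ships its own key beside the files would pass an exit-code check.  VALIDSIG
    carries the signing key's fingerprint (3rd field) and, in GnuPG 2, the primary
    key's fingerprint as the last field; one must equal the pinned value."""
    seen = set()
    for line in gpg_status.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        if fields[1] in REJECT_KEYWORDS:
            return False
        if fields[1] == "VALIDSIG" and len(fields) >= 3:
            seen.add(fields[2].upper())
            if re.fullmatch(r"[0-9A-Fa-f]{40}", fields[-1]):
                seen.add(fields[-1].upper())
    return pinned_fpr.upper() in seen

def gpg_status_for(sig: Path, data: Path) -> str:
    """Run gpg (must be installed) and return its machine-readable status lines."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", str(sig), str(data)],
        capture_output=True, text=True, check=False)
    return proc.stdout

def verify_release(image: Path, sums: Path, sig: Path) -> bool:
    """Signature over the list by the pinned key first, then the image digest."""
    return (signed_by_pinned_key(gpg_status_for(sig, sums))
            and file_matches_sums(image, sums.read_text()))

def demo() -> Dict[str, bool]:
    """Exercise the checks on constructed inputs; needs neither network nor gpg."""
    d = Path(tempfile.mkdtemp())
    image = d / "devuan_example.iso"            # constructed stand-in, not a real ISO
    image.write_bytes(b"constructed image bytes\n" * 4096)
    good_sums = f"{sha256_file(image)}  devuan_example.iso\n"
    tampered_sums = "0" * 64 + "  devuan_example.iso\n"
    fpr = PINNED_FINGERPRINT
    # Constructed status output in the documented --status-fd line format.
    status_ok = (f"[GNUPG:] GOODSIG {fpr[-16:]} Example Release Key <release@example.org>\n"
                 f"[GNUPG:] VALIDSIG {fpr} 2019-04-01 1554080659 0 4 0 1 8 00 {fpr}\n")
    status_other_key = status_ok.replace(fpr, "F" * 40)   # good sig, but unpinned key
    status_bad = f"[GNUPG:] BADSIG {fpr[-16:]} Example Release Key <release@example.org>\n"
    return {
        "image_ok": file_matches_sums(image, good_sums),
        "image_tampered": file_matches_sums(image, tampered_sums),
        "sig_pinned": signed_by_pinned_key(status_ok),
        "sig_other_key": signed_by_pinned_key(status_other_key),
        "sig_bad": signed_by_pinned_key(status_bad),
    }
```

What this adds to the exchange: a zero exit status from gpg --verify is not the check. The check is that the VALIDSIG fingerprint equals the one you pinned from an independent source, which is the out-of-band trust step the thread is arguing about, and once that is in place the same procedure works identically whether the files arrived over HTTPS, plain HTTP, FTP or gopher.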
            • (Score: 2) by Runaway1956 on Tuesday April 02 2019, @01:47PM

              Where will I get the key to verify the cryptographic signature with?

              Depends on who you trust more - the NSA or the Kremlin.

        • (Score: 0) by Anonymous Coward on Friday April 05 2019, @09:14AM

          I think the point is that Devuan would not get such a hard time if it was a systemd based distro, and the article came off like you were saying "I knew we shouldn't take Devuan seriously and here is the proof," which can easily be a biased point of view for someone who likes systemd. Arguments against systemd or for it don't come into that, except to say that the same can be levied at systemd based on recent history, but debates about the design of it would never end so I think that's beyond the scope of this thread. Same with Devuan: I think its merits and cons don't come into it if its value is based at all on whether or not they allow users to run another init.

    • (Score: 0) by Anonymous Coward on Tuesday April 02 2019, @08:13AM

      “You know, I used to think it was awful that life was so unfair. Then I thought, wouldn't it be much worse if life were fair, and all the terrible things that happen to us come because we actually deserve them? So, now I take great comfort in the general hostility and unfairness of the universe.”

      --JMS

  • (Score: 2) by isostatic on Monday April 01 2019, @10:09PM

    What amazes me is that Gopher, WAIS and Archie were all from about the same era (I think WAIS was a couple of years earlier), and about the same time that the web came out. It was anyone's net back then, but within a couple of years Mosaic gave way to Netscape and the web was cemented as the protocol of the future.