Conversation

https://arstechnica.com/security/2024/05/ssh-backdoor-has-infected-400000-linux-servers-over-15-years-and-keeps-on-spreading/

Kernel.org folks never provided the postmortem they promised in 2011 after finding their infrastructure had been rooted. They also didn't bother to respond to my email earlier this week seeking comment on new information that, in fact, their servers had been rooted 2 years earlier by a 2nd, even more sophisticated piece of malware.

While no one responded to me, here's Linux Foundation member Konstantin Ryabitsev responding elsewhere to my post that the breach was the subject of an FBI investigation, and later of a lawsuit. This says lots about the obligation kernel.org, an organization entrusted with huge responsibility, feels toward transparency. If Microsoft did this, people would be apoplectic.


Notice, too, how Ryabitsev mischaracterizes my article as saying there was "some kind of shadowy 'circle of silence'" instead of what I really did, which was to air information about a very concerning security breach that had never before been made public.


@dangoodin With respect to you, I think that was a reference to kernel.org not responding to you not releasing the details, not the article as a whole.

@triskelion @dangoodin Dude, I don't know what I did to make you hostile to me. I wasn't there when any promises were made by previous k.org admins and I've certainly made transparency the core principle of our work. /o\
@monsieuricon @triskelion @dangoodin yeah, also thought it was unfair to you. AFAIK not just transparency but also making the infra itself less important in the trust model etc., as you talked about last year at LSS.

@monsieuricon @triskelion

Hi Konstantin. I am not trying to be hostile at all. I'm trying to call out the cavalier attitude the LF folks have toward transparency. When a threat actor has root on your system for two years, that is a major event. Not only that, but the threat actor had decrypted half of the password hashes in /etc/shadow. Does that mean email of certain members was monitored? Does it mean their devices were compromised? There should have been a detailed disclosure providing a timeline and precisely what the threat actors did and did not do. The LF shouldn't get a free pass to keep these matters private. I would be equally vocal and critical if Microsoft, Apple or any other trusted software maker swept a breach of this magnitude under the carpet.

I called you out because I found your nothing-to-see-here comment too hard to take. It also seemed unfair that you publicly claimed I gave LF only two hours to respond when in fact it was 19.

I just want to reiterate: I have no hostility toward you and I'm sorry I made it sound that way.

@dangoodin @triskelion Dan, thank you for following up. I do not speak for the Linux Foundation, so I cannot address any of the items you highlighted in any official way. However, two important facts to keep in mind: 1) at the time of the break-in, k.org infrastructure was NOT managed by LF. It was managed by a team of volunteers from the kernel development community. LF only took the stewardship of k.org infrastructure several months after the incident. I believe I was the first actual LF employee to get access to k.org infrastructure, and that was in November of 2011, when I started at the Foundation. 2) the findings in the paper about "2 years" were as new to me as to everyone else, and I have no idea about the source on which they base this claim. I believe that all hardware involved in the compromise was turned over to the FBI as part of the investigation and I didn't get to touch any of it -- physically or otherwise.

For the transparency aspect of things, I want to direct you to the talk I gave at the Linux Security Summit last year: https://youtu.be/K3SVt1WCheY?si=KbbCWTGCypfFTdSy

In it, I go over a lot of things, including how we try to make ourselves more resilient to any repeat compromises, should they happen (or if they already have and we just don't know it yet).

HTH.