[plug] Is Red hat truly flawed?

Peter Wright pete at cygnus.uwa.edu.au
Tue May 2 12:59:05 WST 2000


On Tue, May 02, 2000 at 12:20:01PM +0800, Bret Busby wrote:
> 
> I have just found the following news item, at
> http://www.australianit.com.au/common/storyPage/0,3811,633573%255E442,00.html
> 
> Does anyone know whether this is genuine, or, just a hoax?

Sounds like bollocks to me.

> I understood that a single version of each release of the Linux kernel,
> existed, and that it had to be approved by Linus Torvalds, before it
> could be officially released. Am I wrong in my understanding?

Not to my knowledge.

> Bret Busby
[ snip ]
> Warnings over Red Hat 'flaw'
>     DOMINIQUE JACKSON
>
> AN Australian Internet consultant says he has found serious flaws in
> Red Hat Linux, just days after reports of another security hole were
> released.

Just days... yes, after he _found_ the alleged "flaw" in 1997.

> Sydney-based Adam Todd said a major security breach in
> the Red Hat kernel
[ snip ]
> "This allows me to gain the highest level of user privileges
> within the kernel itself," he said.
[ snip ]
> But Mr Todd said the flaw was beyond the normal hacker.
>
> He said it was probably created by someone who had worked with Red
> Hat.
[ snip ]
> Mr Todd challenged members of the "Link" mailing list to put
> their Red Hat servers up for hacking, and has succeeded in hacking
> nine of 17 systems owned by government agencies, ISPs, businesses
> and individuals.

Mr Todd assured this journalist that his word was perfectly sufficient
to prove that he'd done this. "After all, why would I pretend I'd
hacked into something when I hadn't? I'm e1333t d00dz."

> A message also would be sent to the Link list and the AusISP list
> with details of the servers hacked and the security flaw.
[ snip ]

How helpful of him.

> He said he first found the flaw in 1997 when a server running Red
> Hat in the data centre hosted by his company AH Net was hacked. He
> said that Red Hat ignored his warning.

*roll of eyes* Those bastards.

> Red Hat technical alliance director Robert Hart responded, asking
> for proof.

...or just something vaguely approaching information on the alleged
flaw....

> He wrote that Red Hat used the standard Linux kernel, which meant
> the security hole should appear in other distributions of Linux.

Robert Hart shamelessly attempted to use logic in his response, which
was not appreciated by Mr Todd or the journalist writing this article.

> Mr Todd, a Slackware Linux user, responded that there was no
> definition of a standard Linux kernel and that he had not seen the
> problem occur on other versions of Linux.

Translated: "I don't understand the distinction between kernel and
operating system. I am essentially an ignorant, attention-seeking git."

> Grant Bayley, organiser of hackers group 2600 Australia, has also
> called for proof.
[ snip ]
> "I'm sceptical because no information is being released about it."

Seriously now - anyone that had the ability to find such a bug need
only make the details public. If Mr Todd hasn't released the info
publicly... well, I'd have to say he's full of shit.

The number of misleading or just wrong comments attributed to Mr Todd
above leads me to strongly favour the full-of-shit option.


And just for fun, an irrelevant but seemingly related point:

> Last week, Internet Security Systems's X-Force team found a backdoor
> in Red Hat Linux.

Pete.
-- 
http://cygnus.uwa.edu.au/~pete/

--
TALL KNIGHT: We are now no longer the Knights Who Say Ni!
ONE KNIGHT:  Ni!
OTHERS:      Sh!
ONE KNIGHT:  (whispers) Sorry.
                 "Monty Python and the Holy Grail" PYTHON (MONTY) PICTURES LTD



