Announcement states November 11th was when the breach was discovered. First indication from the user community that things were unreachable: November 11th at roughly 07:00 PST. Statements from FreeBSD Project members as to what the "cause" was, prior to announcement:
-- "working on issues"
-- "known problems"
-- "work being done"
-- "machines physically moved and discombobulated"
-- "problems in the cluster" which impacted third-party ports mirroring sites
freebsd-update was also impacted, as was (and still is as of this writing) GNATS (many PRs when queried aren't being listed, despite the PR numbers supposedly being valid). portsnap is still not providing updates (see last line of "What is the Impact" and last line of 4th bullet item at bottom of breach post).
Questions I and many other FreeBSD SAs have been asking:
1. If this was truly maintenance (and instead a breach was found during that maintenance), why wasn't this maintenance pre-announced on lists, the RSS feed, forums, website, Twitter (god forbid but still), etc.?
2. More like a subset of #1, who has maintenances that last 5 days? No company or organisation I know of, including me (who ran a free hosting service for 18+ years). I refuse to believe Peter Wemm got up one morning and decided to do all of this on a whim... at least I HOPE that's not the case...
3. During the entire 5-day downtime, nothing was stated until yesterday afternoon, and it was beyond vague + placed very cleverly on the home page so as to be intentionally missed. That message is gone and I do not have an archive of its content, but effectively it said there "were issues being investigated" in "the cluster". It did not say "we're performing scheduled work". So the message here was mixed; so what's the truth, and where can one read about the truth?
4. No information given about what degree of access the person had whose public key was compromised. Root or not? It matters only as a result of the degree of concern cited over the package server repositories being potentially compromised. I can't imagine someone with user-level access would have the ability to write to the central package server directly (and if they did, wow, I guess that's a separate bitch/rant item). When I was a committer the main box used by everyone was user-level access only, but that's (hopefully?) not the same box as used in the "package cluster". (Again: no technical information about "the cluster" means everyone has to keep making guesses)
5. Why did this breach take nearly 2 months to discover? The article implies that illegitimate access was performed on September 19th. I would assume servers that have the ability for someone to update packages on the official ftp package server would have an IDS or be LAN-only + be behind a firewall with IP-level restriction.
I still cease to see what portsnap/svn have to do with this security breach, which is why I'm calling shenanigans on the last page of the breach post. Some FreeBSD Project members also have the same concerns above that I do, so I'm not the only one.
I'm not surprised that this is being handled in a hush-hush manner, because the impact this could have (PR-wise) with folks like Juniper, Citrix, BlueCoat, NetApp, Netflix (they just moved some bits to FreeBSD), etc. is tremendous.
-- 
Making life hard for others since 1977.
I speak for myself and not my employer/affiliates of my employer.