[opensuse] So how did this happen?
Any clues as to how this was pulled off? http://techrights.org/2017/02/09/microfocus-suse-hush-hush/ (The hack I mean, not the alleged stony silence). -- After all is said and done, more is said than done. -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
John Andersen wrote:
Any clues as to how this was pulled off? http://techrights.org/2017/02/09/microfocus-suse-hush-hush/
(The hack I mean, not the alleged stony silence).
Wordpress 4.7.1 was compromised, and it took us a little too long to get upgraded to 4.7.2.
--
Per Jessen, Zürich (0.1°C)
http://www.dns24.ch/ - free dynamic DNS, made in Switzerland.
On Fri, Feb 10, 2017 at 09:52:40PM +0100, Per Jessen wrote:
John Andersen wrote:
Any clues as to how this was pulled off? http://techrights.org/2017/02/09/microfocus-suse-hush-hush/
(The hack I mean, not the alleged stony silence).
Wordpress 4.7.1 was compromised, and it took us a little too long to get upgraded to 4.7.2.
And Roy Schestowitz is kind of a known troll who hates SUSE.
Ciao, Marcus
...it affected 1.5M wordpress sites too, not just SuSE: http://www.infoworld.com/article/3168848/security/recent-wordpress-vulnerabi...
Marcus Meissner <meissner@suse.de> 02/10/17 2:58 PM >>>
On Fri, Feb 10, 2017 at 09:52:40PM +0100, Per Jessen wrote:
John Andersen wrote:
Any clues as to how this was pulled off? http://techrights.org/2017/02/09/microfocus-suse-hush-hush/
(The hack I mean, not the alleged stony silence).
Wordpress 4.7.1 was compromised, and it took us a little too long to get upgraded to 4.7.2.
And Roy Schestowitz is kind of a known troll who hates SUSE.
Ciao, Marcus
On 02/10/2017 12:58 PM, Marcus Meissner wrote:
On Fri, Feb 10, 2017 at 09:52:40PM +0100, Per Jessen wrote:
John Andersen wrote:
Any clues as to how this was pulled off? http://techrights.org/2017/02/09/microfocus-suse-hush-hush/
(The hack I mean, not the alleged stony silence).
Wordpress 4.7.1 was compromised, and it took us a little too long to get upgraded to 4.7.2.
And Roy Schestowitz is kind of a known troll who hates SUSE.
Ciao, Marcus
Is the report accurate? If so, does it matter if he hates SUSE?
On Fri, Feb 10, 2017 at 01:46:26PM -0800, Bruce Ferrell wrote:
On 02/10/2017 12:58 PM, Marcus Meissner wrote:
On Fri, Feb 10, 2017 at 09:52:40PM +0100, Per Jessen wrote:
John Andersen wrote:
Any clues as to how this was pulled off? http://techrights.org/2017/02/09/microfocus-suse-hush-hush/
(The hack I mean, not the alleged stony silence).
Wordpress 4.7.1 was compromised, and it took us a little too long to get upgraded to 4.7.2.
And Roy Schestowitz is kind of a known troll who hates SUSE.
Ciao, Marcus
Is the report accurate? If so, does it matter if he hates SUSE?
The news.opensuse.org wordpress site was defaced by the recently announced wordpress security issue and it got restored. As it is its own host, nothing related to distribution building was affected.
Ciao, Marcus
And Roy Schestowitz is kind of a known troll who hates SUSE.
Ciao, Marcus
Is the report accurate? If so, does it matter if he hates SUSE?
1 - that opensuse news was hacked - yes its all over the internet since at least (CIO 07-02-2017)
2 - that it was hush hush - no [see 1] + techrights article dated 09-02-2017 + see richard brown interview
3 - the "a known troll who hates SUSE" comment makes no assertion as to the validity of the article. there is therefore no correspondence between "accurate and hates suse" so your question doesnt make any sense.
4 - does slander based on conjecture of a hypothetical strike you as accurate? "If someone injected a back door inside SLED and SLES, SUSE would probably say not a thing, only belatedly removing it and then lying about the whole thing, just like Microsoft does".
did you even read the comment made, or the techrights article before you wrote this?
On 2/10/17 2:19 PM, nicholas wrote:
And Roy Schestowitz is kind of a known troll who hates SUSE.
Ciao, Marcus
Is the report accurate? If so, does it matter if he hates SUSE?
1 - that opensuse news was hacked - yes its all over the internet since at least (CIO 07-02-2017)
2 - that it was hush hush - no [see 1] + techrights article dated 09-02-2017 + see richard brown interview
3 - the "a known troll who hates SUSE" comment makes no assertion as to the validity of the article. there is therefore no correspondence between "accurate and hates suse" so your question doesnt make any sense.
4 - does slander based on conjecture of a hypothetical strike you as accurate? "If someone injected a back door inside SLED and SLES, SUSE would probably say not a thing, only belatedly removing it and then lying about the whole thing, just like Microsoft does".
did you even read the comment made, or the techrights article before you wrote this?
I read both several days ago.. And wondered why no mention was made here.
I also noted the not so subtle attempt to discount the report under "he hates SUSE" without commenting one way or another on its accuracy leading to my question.
I also note the continuing effort to discount any comments using similar "tone" arguments.
The entire thing "feels" like an effort to pretend nothing happened when a simple announcement of the incident might have diffused it.
methinks they doth protest too loudly.
On Friday, 10 February 2017 14:44:50 CET Bruce Ferrell wrote:
On 2/10/17 2:19 PM, nicholas wrote:
And Roy Schestowitz is kind of a known troll who hates SUSE.
Ciao, Marcus
Is the report accurate? If so, does it matter if he hates SUSE?
1 - that opensuse news was hacked - yes its all over the internet since at least (CIO 07-02-2017)
2 - that it was hush hush - no [see 1] + techrights article dated 09-02-2017 + see richard brown interview
3 - the "a known troll who hates SUSE" comment makes no assertion as to the validity of the article. there is therefore no correspondence between "accurate and hates suse" so your question doesnt make any sense.
4 - does slander based on conjecture of a hypothetical strike you as accurate? "If someone injected a back door inside SLED and SLES, SUSE would probably say not a thing, only belatedly removing it and then lying about the whole thing, just like Microsoft does".
did you even read the comment made, or the techrights article before you wrote this?
I read both several days ago.. And wondered why no mention was made here.
I also noted the not so subtle attempt to discount the report under "he hates SUSE" without commenting one way or another on its accuracy leading to my question.
I also note the continuing effort to discount any comments using similar "tone" arguments.
The entire thing "feels" like an effort to pretend nothing happened when a simple announcement of the incident might have diffused it.
methinks they doth protest too loudly.
i write a response based on fact and you call it a "tone argument" ; whereas you write "The entire thing "feels" like an effort to pretend nothing happened"
1 - "feels" WTF
2 - "an effort to pretend nothing happened" when it all over the internet? when the troll comment IMMEDIATELY follows a declaration of the fact that it did happen and the cause.
3 - "methinks they doth protest too loudly." im an ordinary user, who do you imply is protesting? suse?
4 - "I also note the continuing effort to discount any comments", your arguments are exaggerations, baseless accusations and FUD, and challenging them does not imply a "cover up"
5 - im a user challenging your troll like comments - "continuing effort" bit of an exaggeration isnt it?
On 2017-02-10 23:19, nicholas wrote:
And Roy Schestowitz is kind of a known troll who hates SUSE.
Ciao, Marcus
Is the report accurate? If so, does it matter if he hates SUSE? 1 - that opensuse news was hacked - yes its all over the internet since at least (CIO 07-02-2017) 2 - that it was hush hush - no [see 1] + techrights article dated 09-02-2017 + see richard brown interview
+++------------------------
http://techrights.org/2017/02/08/links-822017-linuxquestions-members-choice-...
* Kurdish Hacker Posts Anti-ISIS Message on openSUSE’s Website, Data Remains Safe -> http://news.softpedia.com/news/kurdish-hacker-posts-anti-isis-message-on-ope...
Softpedia was informed by Dr. Roy Schestowitz that the openSUSE News (news.opensuse.org) website got defaced by Kurdish hacker MuhmadEmad on the day of February 6, 2017. It would appear that the server where the news.opensuse.org website is hosted is isolated from the rest of openSUSE’s infrastructure, which means that the hacker did not have access to any contributor data, such as email and passwords, nor to the ISO images of the openSUSE Linux operating system. We already talked with openSUSE Chairman Richard Brown, who confirms for Softpedia that the offered openSUSE downloads remain safe and consistent, and users should not worry about anything. The vigilant openSUSE devs immediately restored the news.opensuse.org website from a recent backup, so everything is operating normally at this time.
* OpenSUSE site hacked; quickly restored -> http://www.cio.com/article/3166446/security/opensuse-site-hacked-quickly-res...
The openSUSE team acted quickly to restore the site. When I talked to Richard Brown, openSUSE chairman, he said that “the server that hosts ‘news.opensuse.org’ is isolated from the majority of openSUSE infrastructure by design, so there was no breach of any other part of openSUSEs infrastructure, especially our build, test and download systems. Our offered downloads remain safe and consistent and there was no breach of any openSUSE contributor data.” The team is still investigating the reason for the breach so I don’t have much information. The site ran a WordPress install and it seems that WordPress was compromised. This site is not managed by the SUSE or openSUSE team. It is handled by the IT team of MicroFocus. However, Brown said that SUSE management certainly doesn’t want any such incident to happen again and they are considering moving the site to the infrastructure managed by SUSE and openSUSE team.
------------------------++-
But I could not locate the interview to R. B. :-?
--
Cheers / Saludos, Carlos E. R. (from 42.2 x86_64 "Malachite" (Minas Tirith))
On 02/10/2017 02:19 PM, nicholas wrote:
And Roy Schestowitz is kind of a known troll who hates SUSE.
Ciao, Marcus
Is the report accurate? If so, does it matter if he hates SUSE?
1 - that opensuse news was hacked - yes its all over the internet since at least (CIO 07-02-2017)
2 - that it was hush hush - no [see 1] + techrights article dated 09-02-2017 + see richard brown interview
3 - the "a known troll who hates SUSE" comment makes no assertion as to the validity of the article. there is therefore no correspondence between "accurate and hates suse" so your question doesnt make any sense.
4 - does slander based on conjecture of a hypothetical strike you as accurate? "If someone injected a back door inside SLED and SLES, SUSE would probably say not a thing, only belatedly removing it and then lying about the whole thing, just like Microsoft does".
did you even read the comment made, or the techrights article before you wrote this?
Yes, the Techrights article IS the one I saw of February 9, 2017. No, I did NOT see the breach mention on ANY OpenSUSE lists (I monitor several) and wondered and had it on my agenda to ask about it when I had a few moments.
Nicholas, since you're "simply a user", why so heated in both your responses to me and vehemence over all. I too am "just a SUSE user" since SUSE 7.x since before the stupid Novell/MS deal.
I'm also an IT professional with over 30 years experience. Modern standard operating practice is to publicly and officially acknowledge such breaches. Seeing an announcement on a third party site of a breach with NO announcements here, even if rapidly corrected, struck me as odd at best and possibly false.
The "heat" seen on these lists when the breach was asked about, starts looking like bunker mentality. And that raises the curiosity level even higher... Was the article inaccurate? Was it a troll? Why are official channels NOT making an announcement? All bringing credibility of all parties into question. So I asked... And got even MORE heat! So did others.
Marcus, I DO appreciate you taking the time to make the simple statement that it did happen, what happened and that no significant information was compromised. It's a thankless job.
On Friday, 10 February 2017 17:17:15 CET Bruce Ferrell wrote:
On 02/10/2017 02:19 PM, nicholas wrote:
And Roy Schestowitz is kind of a known troll who hates SUSE.
Ciao, Marcus
Is the report accurate? If so, does it matter if he hates SUSE?
1 - that opensuse news was hacked - yes its all over the internet since at least (CIO 07-02-2017)
2 - that it was hush hush - no [see 1] + techrights article dated 09-02-2017 + see richard brown interview
3 - the "a known troll who hates SUSE" comment makes no assertion as to the validity of the article. there is therefore no correspondence between "accurate and hates suse" so your question doesnt make any sense.
4 - does slander based on conjecture of a hypothetical strike you as accurate? "If someone injected a back door inside SLED and SLES, SUSE would probably say not a thing, only belatedly removing it and then lying about the whole thing, just like Microsoft does".
did you even read the comment made, or the techrights article before you wrote this?
Yes, the Techrights article IS the one I saw of February 9, 2017. No, I did NOT see the breach mention on ANY OpenSUSE lists (I monitor several) and wondered and had it on my agenda to ask about it when I had a few moments.
Nicholas, since you're "simply a user", why so heated in both your responses to me and vehemence over all. I too am "just a SUSE user" since SUSE 7.x since before the stupid Novell/MS deal.
I'm also an IT professional with over 30 years experience. Modern standard operating practice is to publicly and officially acknowledge such breaches. Seeing an announcement on a third party site of a breach with NO announcements here, even if rapidly corrected, struck me as odd at best and possibly false.
The "heat" seen on these lists when the breach was asked about, starts looking like bunker mentality. And that raises the curiosity level even higher... Was the article inaccurate? Was it a troll? Why are official channels NOT making an announcement? All bringing credibility of all parties into question. So I asked... And got even MORE heat! So did others.
Marcus, I DO appreciate you taking the time to make the simple statement that it did happen, what happened and that no significant information was compromised. It's a thankless job.
my response is to the style, content and basis of your "arguments",
- tying the simple fact of the attack to the "truth" of wider accusations without foundation given in techrights. (the article has zero journalistic credibility)
- your constant exaggerations. (who are the OTHERS who have received HEAT for asking questions?, a website DEFACEMENT is NOT a BREACH, saying my 2 messages are a "continuing effort to discount any comments" from suse)
- your constant wink wink style accusations.
my vehemence comes from a distinct dislike for unfounded deformations.
you could have avoided this by presenting:
a) direct questions to establish the facts (e.g. why was the story not published on mailing lists)
b) your direct opinion on how the event should have been handled
c) any accusations/denunciations based on facts and evidence (i dont count a shit throwing article by a known troll as evidence).
i really dont want to waste any more time on this.
On 2/11/17 12:18 PM, nicholas wrote:
> On Friday, 10 February 2017 17:17:15 CET Bruce Ferrell wrote:
>> On 02/10/2017 02:19 PM, nicholas wrote:
>>>>> And Roy Schestowitz is kind of a known troll who hates SUSE.
>>>>>
>>>>> Ciao, Marcus
>>>> Is the report accurate? If so, does it matter if he hates SUSE?
>>> 1 - that opensuse news was hacked - yes its all over the internet since at
>>> least (CIO 07-02-2017)
>>> 2 - that it was hush hush - no [see 1] + techrights article dated
>>> 09-02-2017 + see richard brown interview
>>> 3 - the "a known troll who hates SUSE" comment makes no assertion as to the
>>> validity of the article. there is therefore no correspondence between
>>> "accurate and hates suse" so your question doesnt make any sense.
>>> 4 - does slander based on conjecture of a hypothetical strike you as
>>> accurate? "If someone injected a back door inside SLED and SLES, SUSE
>>> would probably say not a thing, only belatedly removing it and then lying
>>> about the whole thing, just like Microsoft does".
>>>
>>> did you even read the comment made, or the techrights article before you
>>> wrote this?
>> Yes, the Techrights article IS the one I saw of February 9, 2017. No, I did
>> NOT see the breach mention on ANY OpenSUSE lists (I monitor several) and
>> wondered and had it on my agenda to ask about it when I had a few moments.
>>
>> Nicholas, since you're "simply a user", why so heated in both your
>> responses to me and vehemence over all. I too am "just a SUSE user" since
>> SUSE 7.x since before the stupid Novell/MS deal.
>>
>> I'm also an IT professional with over 30 years experience. Modern standard
>> operating practice is to publicly and officially acknowledge such breaches.
>> Seeing an announcement on a third party site of a breach with NO
>> announcements here, even if rapidly corrected, struck me as odd at best and
>> possibly false.
>>
>> The "heat" seen on these lists when the breach was asked about, starts
>> looking like bunker mentality. And that raises the curiosity level even
>> higher... Was the article inaccurate? Was it a troll? Why are official
>> channels NOT making an announcement? All bringing credibility of all
>> parties into question. So I asked... And got even MORE heat! So did
>> others.
>>
>> Marcus, I DO appreciate you taking the time to make the simple statement
>> that it did happen, what happened and that no significant information was
>> compromised. It's a thankless job.
> my response is to the style, content and basis of your "arguments",
> - tying the simple fact of the attack to the "truth" of wider accusations
> without foundation given in techrights. (the article has zero journalistic
> credibility)
> - your constant exaggerations. (who are the OTHERS who have received HEAT for
> asking questions?, a website DEFACEMENT is NOT a BREACH, saying my 2 messages
> are a "continuing effort to discount any comments" from suse)
> - your constant wink wink style accusations.
>
> my vehemence comes from a distinct dislike for unfounded deformations.
>
> you could have avoided this by presenting:
> a) direct questions to establish the facts (e.g. why was the story not
> published on mailing lists)
> b) your direct opinion on how the event should have been handled
> c) any accusations/denunciations based on facts and evidence (i dont count a
> shit throwing article by a known troll as evidence).
>
> i really dont want to waste any more time on this.
>
Disingenuous at best Nicholas. Tone argument responses are by definition trolling and yes, you've wasted more time and bandwidth for everyone than was necessary for your trolling. go away
Bruce Ferrell composed on 2017-02-11 12:31 (UTC-0800):
...you've wasted more time and bandwidth...
As you, for your zero quote trimming. Bandwidth isn't limited to reaching subscribers, but also to archives storing the waste indefinitely. -- "The wise are known for their understanding, and pleasant words are persuasive." Proverbs 16:21 (New Living Translation) Team OS/2 ** Reg. Linux User #211409 ** a11y rocks! Felix Miata *** http://fm.no-ip.com/
On 2017-02-10 21:22, John Andersen wrote:
Any clues as to how this was pulled off? http://techrights.org/2017/02/09/microfocus-suse-hush-hush/
(The hack I mean, not the alleged stony silence).
It says: «OpenSUSE has a history of security issues in its sites (see “openSUSE Forum Hacked; 79500 Users Data Compromised” from 2014).»
I know that this is simply false: no user data was compromised. Yes, the hackers showed a photo of users data, but it was false. Yes, taken from the server, apparently user data, but simply false data placed there as a trap hook. The real user data was (and is, I believe), on a different platform. This was fully explained at the time.
Of the rest of the article I don't know, but seeing how they show a false history as true, I can't trust the rest of the article.
--
Cheers / Saludos, Carlos E. R. (from 42.2 x86_64 "Malachite" (Minas Tirith))
participants (8)
- Bruce Ferrell
- Carlos E. R.
- Christopher Myers
- Felix Miata
- John Andersen
- Marcus Meissner
- nicholas
- Per Jessen