Open saucers are fuming after a hacker broke into the Fedora Project and an account belonging to a Fedora contributor was taken over by an attacker.
Fedora officials insist that the attacker did not push any changes to the Fedora package system or make any actual changes to the infrastructure. The problem is that no one can be sure, and anyone who talks about the hack is being blasted by the community as a Microsoft pawn.
It looks like the account that was seized had some high-value privileges. The attacker was able to compromise the account externally, and then had the ability to connect remotely to some Fedora systems. The attacker also changed the account’s SSH key.
However, it is generally thought that the Fedora community was lucky. The hacked account had push access to the Fedora SCM and could perform builds and make changes to Fedora packages.
So far an investigation has not found any changes to the Fedora software itself.
Jared Smith, the Fedora project leader, said in an email to the Fedora Project mailing list that while the user had the ability to commit to Fedora SCM, they did not do it. He said the team “found no evidence that the compromise extended beyond this single account.”
The hack was only discovered when one of the Fedora contributors got an email saying that his account details had been modified. The contributor knew that he had not changed his account settings, so he contacted the Fedora Infrastructure Team.
The team took snapshots of all of the systems that the hacked account had access to, locked down the account itself and then audited the systems the account had privileges on, including SSH and the Fedora Account System.
At the moment the team is performing a more in-depth investigation and security audit. It hopes to discover what damage, if any, has been done to Fedora. If it finds nothing, the Open Source operating system is incredibly lucky.