On Mon April 1 2019 06:29:10 Evilham via Dng wrote: > Further clarifying things: **to my knowledge**(*) nothing has been
> compromised, but it is indeed a very elaborated prank.
Redirecting a web site is a juvenile and trivial edit that anybody
with access can do in seconds.
But if that was all, why was it not fixed in seconds?
This attack may have been a prank or it may have been a prank as
a cover for an attack or it may have been a prank subsequently
exploited by different black hats to cover an attack. You don't
know.
Any security lapse is serious. There is always the possibility
that logs and checksums were compromised, backdoors installed,
access credentials stolen, etc. You can never know that a
compromised system is secure until it is wiped and rebuilt from
trusted sources. Similarly you cannot trust any other system
to which the admitted attacker had access.
Claiming the incident was not serious does not make it less so,
it just undermines the credibility of anyone who makes such a
naive claim.
There are two very real problems: (1) the untrustworthy person
with access to Devuan's infrastructure and (2) Devuan's thus-far
totally inadequate response to a serious security incident.
Devuan/VUA must (1) remove the attacker and (2) announce a
serious plan to restore security and trust. You will have
to be transparent. You will probably have to replace all your
security tokens and keys. Merely claiming you've examined a few
things and didn't find anything wrong is ridiculous and the
opposite of what any real Veteran Unix Admin would know to do.
I know nothing of Italian law but whether or not the incident
should be referred for criminal prosecution is a question you
should already be discussing with your lawyers or the police.
Anyone using Devuan in production will, like us, have frozen
updates for now. This situation cannot persist long. If
Devuan/VUA cannot quickly prove itself worthy of trust we too
will have to rebuild our systems, and in doing so migrate away
from Devuan.
Devuan/VUA's lame response thus far has been infinitely worse
than anything ever done by SystemD.