I figure everyone is sick of hearing about Blaster by now. (Quick recap: 1. Apply patches. 2. Install a firewall. 3. Use up-to-date AV software). There’s another, lesser-known story out there that I think is pretty interesting: the master FTP server for GNU was compromised, and now they’re scrambling to assess the damage and repair it. It’s hard to discuss this without sounding like a fear monger, but I’ll try to explain why this is so important.
ftp.gnu.org, the machine that was compromised, is the official central repository for all FSF software. All of the other FSF distribution points (and there are many) mirror its contents, usually automatically. If you’ve added an FSF package to your system any time in the last 6 months, chances are that it came from ftp.gnu.org or one of its mirrors. Of course, if you’ve built any Linux distro in the last 6 months, odds are that you used multiple packages from ftp.gnu.org. Heck, the gcc compiler, which nearly all free Linux software is built with, is officially distributed from ftp.gnu.org, so one might argue that all software compiled in the last 6 months is potentially impacted. (i.e. someone puts a trojan in the compiler sources and places those sources on ftp.gnu.org. Now anyone who builds that compiler has a trojaned compiler, one which can quietly insert the same trojan into the binaries it produces, including the next build of itself. This is the classic attack Ken Thompson described in “Reflections on Trusting Trust”.)
To recap: any FSF package downloaded from any FSF mirror might have been compromised. The FSF hasn’t been cryptographically signing their packages (like Windows Update does), so there’s no way to directly verify their integrity other than comparing MD5 hashes. That only helps if the hash you compare against comes from somewhere the attacker couldn’t touch: a checksum file sitting on the same compromised server, or on a mirror that pulled from it, proves nothing, so in practice it depends on finding an “original” copy of each package (or a checksum list saved before the intrusion) and recomputing the hashes. They’re going to start signing their packages, as explained here, but… well, horse, barn door, shut.
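To make that last point concrete, here is an added example (my own code, not the FSF’s tooling and not from the original post) that parses an md5sum-style MD5SUMS manifest, checks a set of tarballs against it, and then plays out the compromise: an attacker with root on the master server swaps one tarball and regenerates the manifest, so verification against the server’s own MD5SUMS passes, while verification against a checksum list saved out-of-band before the intrusion catches the swap. The file names, tarball contents and manifests below are constructed stand-ins, not real GNU releases; the functions also accept sha256, since MD5 itself is no longer collision-resistant.

```python
"""Added example: GNU-style checksum manifests and where the trust anchor has to live.
All tarball bytes and hashes here are constructed for the demonstration."""
import hashlib
import string


def parse_manifest(text):
    """Parse a coreutils-style manifest: one "<hexdigest>  <filename>" per line.
    Accepts md5sum's binary-mode marker ("<hexdigest> *<filename>") as well."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or not all(c in string.hexdigits for c in parts[0]):
            raise ValueError(f"malformed manifest line: {line!r}")
        digest, name = parts[0].lower(), parts[1].lstrip("*")
        entries[name] = digest
    return entries


def make_manifest(files, algo="md5"):
    """Produce manifest text for a {filename: bytes} mapping (what md5sum > MD5SUMS does)."""
    return "".join(
        f"{hashlib.new(algo, data).hexdigest()}  {name}\n"
        for name, data in sorted(files.items())
    )


def check_files(files, manifest_text, algo="md5"):
    """Return {filename: (expected, actual, ok)} for every manifest entry.
    A file missing from `files` is reported with actual=None and ok=False."""
    results = {}
    for name, expected in parse_manifest(manifest_text).items():
        data = files.get(name)
        if data is None:
            results[name] = (expected, None, False)
            continue
        actual = hashlib.new(algo, data).hexdigest()
        results[name] = (expected, actual, actual == expected)
    return results


# Constructed stand-ins for release tarballs (real ones are megabytes, the names
# are illustrative only).
ORIGINAL = {
    "gcc-3.3.tar.gz": b"clean compiler sources",
    "grep-2.5.tar.gz": b"clean grep sources",
}

# Out-of-band trust anchor: a copy of MD5SUMS saved (or mirrored elsewhere) before
# the intrusion window.  Someone who later gets root on the server can't rewrite it.
TRUSTED_MANIFEST = make_manifest(ORIGINAL)


def compromised_mirror():
    """Attacker with root on the master server swaps one tarball and regenerates
    MD5SUMS so the two agree.  Every mirror then faithfully copies both."""
    files = dict(ORIGINAL)
    files["gcc-3.3.tar.gz"] = b"compiler sources plus a backdoor"
    return files, make_manifest(files)


def mirror_manifest_verdict():
    """Verifying against the MD5SUMS fetched from the same compromised server:
    everything checks out, which is exactly the problem."""
    files, manifest = compromised_mirror()
    return all(ok for _, _, ok in check_files(files, manifest).values())


def tampered_files():
    """Verifying against the pre-compromise manifest: names of files that differ."""
    files, _ = compromised_mirror()
    report = check_files(files, TRUSTED_MANIFEST)
    return sorted(name for name, (_, _, ok) in report.items() if not ok)


if __name__ == "__main__":
    print("server's own MD5SUMS says all good:", mirror_manifest_verdict())
    print("pre-compromise MD5SUMS flags:", tampered_files())
```

The same logic applies to a detached signature: it only adds assurance if the verifying key was obtained through a channel the attacker didn’t control, which is why “start signing now” can’t retroactively clear anything already downloaded.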
If this same compromise had happened to Microsoft, you can imagine the press firestorm that would have followed. The press reporting on this has been pretty mild; no one seems to think it’s exceptional that an important machine, presumably run by competent admins, was compromised and that no one noticed for four months.
Interestingly, the FSF says that they believe everything currently on ftp.gnu.org is safe, but they have said nothing about any piece of software downloaded in the last 6 months. Their action thus far has been to wipe everything off of ftp.gnu.org and restore only the packages they are confident haven’t been tampered with. This is the right thing to do from a security standpoint, but it doesn’t inspire a lot of confidence in the security of the packages on their server and mirrors.
The other big security story
