
The programmer who hacked kernel.org in 2011 has been found



On August 28, 2011, the Linux community was shocked to learn of the hacking of kernel.org, the main server for distributing the Linux kernel source code, the main hosting site for the kernel repositories, and the home of various Linux distributions. A trojan with root access was discovered on kernel.org that had gone unnoticed for 17 days. It was discovered thanks to Xnest /dev/mem error messages on machines that had no X Window System installed.

The trojan recorded passwords, kept a log of user actions, provided root access and modified software on the kernel.org server.

The kernel.org system administrators reported that ssh-related files (openssh, openssh-server and openssh-clients) had been modified and that a trojan downloader had been added to the standard rc3.d service startup script. The kernel.org and git.kernel.org sites went offline for 35 days.



The servers were cleaned and the software reinstalled; only after that was access to the repositories reopened.

Some time later it also became known that LinuxFoundation.org and Linux.com had been hacked, with a leak of user credentials, including passwords. It was suggested that this was the first stage of the attack, in which the attacker learned the password of one of the developers with root access to kernel.org.

The Git version control system guarantees the authenticity of the source code, which is available for verification by millions of users. Thousands of servers around the world keep copies of the kernel code. If someone tried to modify it, Git would immediately report this. All 40,000 kernel files are protected by SHA-1 hashes and cannot be changed without detection.
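How Git's content hashing gives the guarantee described above, as an added example that is not part of the original article: it recomputes Git object ids (blob, tree, commit) for a small constructed repository and shows that altering one file changes every id up to the commit, so a checkout that no longer matches a trusted commit id is detected. The file contents, author line and commit message are constructed values.

```python
# Added example (not from the article): Git object ids are computed exactly as
# Git does, SHA-1 over "<type> <size>\0<payload>", so silent tampering with a
# checked-in file is detectable by anyone holding the trusted commit id.
import hashlib
from typing import Dict, Optional

def git_object_id(kind: str, payload: bytes) -> str:
    header = f"{kind} {len(payload)}\0".encode()
    return hashlib.sha1(header + payload).hexdigest()

def blob_id(content: bytes) -> str:
    return git_object_id("blob", content)

def tree_id(files: Dict[str, bytes]) -> str:
    # Flat tree of regular files (mode 100644); Git sorts entries by name
    # and stores each blob id as 20 raw bytes, not as hex text.
    body = b""
    for name in sorted(files):
        body += b"100644 " + name.encode() + b"\0" + bytes.fromhex(blob_id(files[name]))
    return git_object_id("tree", body)

def commit_id(tree: str, parent: Optional[str], message: str) -> str:
    # Author/committer lines are fixed constructed values so the id is reproducible.
    lines = [f"tree {tree}"]
    if parent:
        lines.append(f"parent {parent}")
    lines += ["author Dev <dev@example.org> 1314489600 +0000",
              "committer Dev <dev@example.org> 1314489600 +0000",
              "", message]
    return git_object_id("commit", ("\n".join(lines) + "\n").encode())

def verify_checkout(files: Dict[str, bytes], parent: Optional[str],
                    message: str, expected_commit: str) -> bool:
    """Recompute the commit id from the files on disk and compare it with the
    id that developers and thousands of mirrors already hold."""
    return commit_id(tree_id(files), parent, message) == expected_commit

# Constructed sample repository state.
ORIGINAL = {"main.c": b"int main(void) { return 0; }\n", "README": b"hello\n"}
TRUSTED_COMMIT = commit_id(tree_id(ORIGINAL), None, "Initial commit")

# A trojaned copy: one file altered on a compromised mirror.
TAMPERED = dict(ORIGINAL)
TAMPERED["main.c"] = b"int main(void) { backdoor(); return 0; }\n"

if __name__ == "__main__":
    print("original verifies:", verify_checkout(ORIGINAL, None, "Initial commit", TRUSTED_COMMIT))
    print("tampered verifies:", verify_checkout(TAMPERED, None, "Initial commit", TRUSTED_COMMIT))
```

The blob id of `README` here matches what `git hash-object` produces for the same bytes, which is how mirrors and developers can cross-check content independently of the server they fetched it from.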

Thanks to open source and this kind of version control, the Linux kernel is reliably protected against trojans being slipped into existing files. If the attacker had such a goal, he failed to achieve it, at least at this stage of the operation. It is not known what exactly he planned to do next, once his trojan had spread to developers' computers. Who knows, maybe he wanted to push a trojaned commit from Linus Torvalds' computer?

One way or another, the attacker's handwriting did not resemble the working methods of intelligence services, which have more advanced tools and have no need to steal passwords from forums. That version is not ruled out, though.



Kernel.org was back online by November 2011, except for a few minor services. The investigation, in which FBI agents took part, lasted several years, but investigators finally got on the attacker's trail.

On September 1, 2016, the US Department of Justice issued a press release announcing that a programmer from South Florida had been detained on suspicion of unauthorized access to computers belonging to the Linux Kernel Organization and the Linux Foundation.

The suspect, 27-year-old Donald Ryan Austin, was detained on August 28, 2016 by Miami Shores village police officers who stopped his car on the road. The arrest warrant had been issued on June 23 and was unsealed after the suspect's arrest.

Judging from the records in the database of residents of Florida, Donald Ryan Austin was born on April 20, 1989, home address: 3425 Collins AVE # 518 Miami Beach FL 33140, voter ID 116597683.


Austin's apartment is located 300 meters from the coast. Photo of the apartment building taken in June 2015, when it was being completed.

At the time of the crime, the guy was 22 years old.

Donald Ryan Austin has been charged with four counts of "intentional acts that caused damage to a protected computer" under 18 U.S.C. § 1030(a)(5)(A). This provision carries a fine of up to $250,000 and/or imprisonment for up to 10 years, plus compensation for damage to the injured party. Across the four counts, Donald could face a fine of $1 million, a prison term of 40 years and an order to compensate the victims.

In court documents, the prosecutor's office accuses the programmer of installing the Ebury trojan and the Phalanx rootkit on the Odin1, Zeus1 and Pub3 servers, which were leased from the Linux Foundation and used to run the kernel.org site. The malware ran from August 13, 2011 to September 1, 2011. Austin is also accused of infecting the personal email server of Linux kernel developer H. Peter Anvin during the same period.



Given the seriousness of the crime, the programmer is unlikely to get off with just a fine. After all, the vast majority of servers and about two percent of desktop computers in the world run Linux.

On the other hand, Donald is unlikely to be accused of seeking commercial gain, since the software on kernel.org is free and generally available at no charge.

Prosecutors will have to work hard to establish the attacker's motives and explain his actions. Most likely there was no mercenary motive. Forum commenters suggest the guy simply wanted to "hack everyone" and show off his superiority. Evidently he was not indifferent to the Linux operating system, although he never submitted a single patch; his name does not appear on the Linux Kernel Mailing List either.

After the arrest, Austin was brought before the court and released on bail of $50,000, which his family posted for him.

Austin has been ordered to stay away from computers and not to use the Internet, social networks of any kind, or e-mail. The prosecutor's office states that the defendant "may be a threat" because of a "substantial history of abuse."

The next hearing in his case is scheduled for September 21, 2016, at 9:30 am in the San Francisco court.

Source: https://habr.com/ru/post/357552/

