I look forward to the proposal from OSU that should be mailed out to
the list shortly. The discussion that just took place in #code4lib
got me thinking.

As I see it, the issue here has two parts. First, the machine was
cracked, and, second, service hasn't been restored following the attack.
The code4lib.org site and its various subdomains have served a community
with a variety of needs, many of which require command line access and
the ability to install programs and services. Maybe some increased
restriction as to who has this access and what may be done with it is
called for, but even with greater restriction and more vigilant
sysadmins it's likely that the machine will get cracked again at some
point.

While I hope we'll have a more secure box for code4lib in the future,
I'm also excited about plans for a system that can bounce back quicker.
In addition to local and remote backups, we could use full mirrors ready
for a DNS switch. Several mirror host machines were even offered in the
discussion. Are there other strategies we might employ to make
code4lib.org more resilient?

On Fri, Jul 27, 2007 at 05:18:06PM -0400, Ed Summers wrote:
> As you may have seen or experienced code4lib.org is down for the count
> at the moment because of some hackers^w crackers who compromised anvil
> and defaced various web content and otherwise messed with the
> operating system. anvil is a machine that several people in the
> code4lib community run and pay for themselves.
>
> Given that code4lib has grown into a serious little gathering, with
> lots of effort being expended by the likes of Jeremy Frumkin and Brad
> LaJenuesse to make things happen -- it seems a shame to let this sort
> of thing happen. We don't have any evidence, but it seems that the
> entry point was the fact that various software packages weren't kept
> up to date.
>
> Anyhow, this is a long way of inviting you to a discussion Aug 1st
> @7PM GMT in irc://chat.freenode.net/code4lib to see what steps need to
> be taken to help prevent this from happening in the future.
> Specifically we're going to be talking about moving some of the web
> applications to institutions that are better set up to manage them.
>
> If this interests you at all try to attend!
>
> //Ed
>