Mar 7, 2011 18:17 GMT

A private mailing list used by Linux and BSD distribution vendors to coordinate embargoed responses to critical vulnerabilities has been shut down after the server hosting it was compromised and then wiped by the intruders.

Known as Vendor-Sec, the list dated back to 1997 and was hosted at lst.de and moderated by Marcus Meissner.

"As moderator of vendor-sec and one of the sysadmins of lst.de I noticed a break-in into the lst.de machine last week, which was likely used to sniff email traffic of vendor-sec," Meissner announced on the OSS Security mailing list on March 3.

"This incident probably happened on Jan 20 as confirmed by timestamp, but might have existed for longer," he added.

Before deciding what to do with the list, which had been running for well over a decade, Meissner asked people working in open-source security whether it was still useful given how vulnerability coordination works today.

"To use the treadmill metaphor, v-s does not help us vendors as much with the speed of the patch treadmill as it did 5 - 10 years ago," he said.

But before any meaningful discussion could start, the intruders, who still had access and evidently saw the public announcement, returned to the server and trashed it.

On Friday, Meissner said that "[...] the attacker read this and reentered the lst.de machine, went amok and destroyed the machine's installation. The machine has now been shut down."

"So everyone please consider vendor-sec@lst.de is dead and gone at this point, successors (or not) will hopefully result out of this discussion," he added.

The H Security points out that this is not the first break-in at Vendor-Sec. In 2005, attackers obtained details of an unpatched Linux kernel vulnerability from the list and used the exploit to gain root on Linux machines before a fix was released.

The list's membership also spanned both commercial and non-commercial organizations, so details of the vulnerabilities under embargo could have leaked through personal channels at any time, regardless of the server's security.