So... Apache.org got hacked...

[kblessinggr]

http://www.apache.org/

The Infrastructure Team of The Apache Software Foundation is currently investigating a
potential compromise of one of our servers. For security reasons most apache.org
services are therefore offline, but will be restored shortly. We apologies for any
inconvenience this may cause.

10:42am UTC: Compromise was due to a compromised SSH Key, not due to any software
exploits in Apache itself.

More details soon.

10:53am UTC: We have restored services on our european mirror machine which was
not compromised. DNS should be shifting you over right about ... now..

For those who don't know, Apache HTTP server is the web server used on like 99.999% of linux web hosts. And I see in the middle of the notice above they're doing damage control to curb possible rumors that the compromise was in Apache HTTPD itself.

Seems while SSH Keys offer a high level of security between the user and server, it appears to have a fatal flaw of being free-for-all if someone happens to steal your laptop or something.

 

[zimok]

Happens all the time, there's holes in everything.

Zone-H.org - Unrestricted information

 

[Bofu2U]

Nothing to see here, move along.

 

[Webferret]

Nothing to see there, moved along.

 

[jenzkc]

OpenSSH Rumors



their sys admins probably don't always run a full update on all their servers.