Debian Server Compromised
Security News writes "According to a post on the debian-devel-announce mailing list "Early this morning we discovered that someone had managed to compromise gluck.debian.org. We've taken the machine offline and are preparing to reinstall it. " gluck is a core development machine."
Oh no (Score:5, Funny)
Re:Oh no (Score:5, Funny)
Re:Oh no (Score:4, Funny)
Re:Oh no (Score:3, Funny)
Re:Oh no (Score:5, Insightful)
Re:Oh no (Score:5, Funny)
Re:Oh no (Score:2)
Re:Oh no (Score:5, Funny)
Re:Oh no (Score:3, Funny)
Once is ok, but twice is too much... (Score:3, Insightful)
Re:Once is ok, but twice is too much... (Score:5, Insightful)
How many times has windowsupdate.microsoft.com been hacked? Zero? How would you know? What incentives (and disincentives) does Microsoft have to tell us if such a thing were to happen?
So if corporate America wants to trust a black box, let 'em. There's no convincing them anyway.
Re:Once is ok, but twice is too much... (Score:4, Insightful)
Oh and BTW, Windows updates are signed, so even if someone managed to crack into it the packages would not install.
Re:Once is ok, but twice is too much... (Score:4, Interesting)
Are you sure about that? Remember, the MS network was compromised a while as well. Do you trust their auditing?
Re:Once is ok, but twice is too much... (Score:2)
Re:Once is ok, but twice is too much... (Score:3, Informative)
I think they also do monthly iso-images that are just compilations of all the update installers in a given month, for the same reason -- not everyone's got a good net connection at home.
Re:Once is ok, but twice is too much... (Score:3, Interesting)
Re:Once is ok, but twice is too much... (Score:2, Funny)
Re:Once is ok, but twice is too much... (Score:5, Insightful)
And yes - that goes for closed, proprietary software houses as well as the public, open groups.
Re:Once is ok, but twice is too much... (Score:3, Informative)
So are Debian packages. Check "man apt-key" about that.
All releases are signed. (Score:3, Informative)
http://http.us.debian.org/debian/dists/woody/ [debian.org]
http://http.us.debian.org/debian/dists/sarge/ [debian.org]
Then locate the file Release.gpg. That is the signature for the release file.
Re:Once is ok, but twice is too much... (Score:3, Informative)
Things are changing... (Score:5, Funny)
Re:Once is ok, but twice is too much... (Score:2)
Re:Once is ok, but twice is too much... (Score:2)
Here's an even better prize for a hacker who can get into windowsupdate: a nice big banner across every windows computer that had been updated in the past week, perfectly synchronized across millions of computers all over the world.
Re:Once is ok, but twice is too much... (Score:2)
Re:Once is ok, but twice is too much... (Score:2)
I think you're vastly overestimating the proportion of machines that use Windows Update.
Re:Once is ok, but twice is too much... (Score:2)
Re:Once is ok, but twice is too much... (Score:2)
this is not the kind of hack anyone cares about. i don't care if someone posts a "frodo crew rulez" banner on some site - i do care if someone is putting compromised packages up that find their way onto my machines.
Re:Once is ok, but twice is too much... (Score:5, Informative)
Re:Once is ok, but twice is too much... (Score:3, Funny)
Re:Once is ok, but twice is too much... (Score:2, Funny)
Re:Once is ok, but twice is too much... (Score:4, Informative)
Btw, Debian also does digital signatures for every package installed (see here [debian-adm...ration.org]). I don't think they have gone as far as having an air-gap, but it does mean that a regular hacking won't be able to silently corrupt packages.
Debian's system is actually quite cool, since it can check *every* program installed, and not just core OS updates (courtesy of apt controlling 99% of software installation). In fact, you can add additional keys for other package sources (I run some unofficial packages, but those developers also sign their packages with their own keys, so it is covered as well).
Re:Once is ok, but twice is too much... (Score:5, Informative)
Re:Once is ok, but twice is too much... (Score:2)
Re:Once is ok, but twice is too much... (Score:2, Insightful)
Re:Once is ok, but twice is too much... (Score:2)
True. I misread the parent's comment. D'oh.
Re:Once is ok, but twice is too much... (Score:2)
Re:Once is ok, but twice is too much... (Score:2)
Thanks for the good propaganda example. Kids, are you paying attention?
Re:Once is ok, but twice is too much... (Score:2)
Re:Once is ok, but twice is too much... (Score:3, Insightful)
Yeah, "we know what's going on", just as soon as somebody diffs a bazillion lines of code against a known-good repository. Until the Debian team announces that tidbit of info, the only security you have is the "false sense of" kind.
Re:Once is ok, but twice is too much... (Score:2)
Re:Once is ok, but twice is too much... (Score:2, Insightful)
This compromise is more like Microsoft's internal development network being compromised, which has happened.
Unless, of course, the current compromise includes Debian's private key, which I doubt.
Re:Once is ok, but twice is too much... (Score:5, Informative)
No, we didn't. The server holding the Debian archive did not succumb to the exploit, because it didn't run on an x86 machine and the people exploiting it only attempted to run x86 code. Furthermore, data on the servers that *did* succumb to the exploit got checked before it became available again.
Re:Once is ok, but twice is too much... (Score:5, Insightful)
The previous attack was one that can be applied against any platform: somebody used their password over an unencrypted channel (presumably a non-Debian channel, since all the project ones should be encrypted), and somebody else sniffed it and used it to gain access. You can't really do anything about that.
The secondary attack was a local kernel exploit that was first discovered when it was used to attack the debian.org hosts. The attacker(s) came up with something genuinely new (the brk() exploit), there's not a great deal to be done about that either. While the Debian team did make a few mistakes that were cleaned up at that time, none of them were involved in the attack - it wasn't admin error, like you imply.
Goodness knows what this one was.
Re:Once is ok, but twice is too much... (Score:5, Insightful)
So when a group of administrators working on a server which provides software and updates to products for which you can read and see the content and know the features is compromised, you feel it's poor quality.
it seems the effort and the acceptance of responsibility do nothing more than increase the level with which we should be accepting these open systems. They appear to have a demonstrably better level of reporting and culpability than many closed servers.
Re:Once is ok, but twice is too much... (Score:5, Insightful)
If only there were some tool anyone in the world could use to assess the difference between source versions to see if anything malicious had been inserted...
Declouding some FUD (Score:3, Informative)
http://www.debian.org/News/2003/20031121 [debian.org]
The vulnerability they were hit by was a previously unknown vulnerability in the kernel [slashdot.org].
This has been said before... (Score:2, Insightful)
Re:This has been said before... (Score:2)
Besides I think it's well established that Debian is woefully behind the curve. Use Gentoo. Be done with
Tom
Re:This has been said before... (Score:5, Funny)
As a Gentoo user over the age of 30 I'd like to apologize for the under 20 Gentoo user's previous post. I'll slap him around on IRC later.
kashani
Re:This has been said before... (Score:2)
ahh, good. i was just starting to stand up.
Re:This has been said before... (Score:2)
The problem with Debian is that they really have to participate more on the bleeding edge. Think about it. As an OSS developer you have some distro call you "unstable" and makes a default policy to ignore you. How likely are you to keep working on your tool that nobody wants to use? Sure sometimes you get stuck with a broken tool
Re:This has been said before... (Score:5, Informative)
The argument for Gentoo that "I like the idea of building my own source" in the sense of "I like getting down and dirty into my system" is really kind of bull. I ran Gentoo for a while, and I thought they had done some amazing work. Portage/emerge is just amazingly well done, and it's nice to have code that's been optimized for my hardware requirements. It's not exactly scalable (maintaining a large set of diverse hardware is a lot harder), and it can lead to untenable situations and instability, but it's still damn cool. And you know what's really cool about it? It's the convenience of apt, for source packages! Please disabuse yourself of the notion that you are "building your own source" -- the Gentoo maintainers are very diligently, very cleverly packaging the source so that you can specify a set of system parameters and then let it build. If you really want to get nitty gritty, run Slackware (although, I guess they have package management now, too). Gentoo has lots of merits, but the truth is, most Gentoo users know no more or less about how things work than an average Linux user.
For me, in the end, the speedup I was getting just wasn't making up for the hours it would take each time I ran a system-wide upgrade and the unexpected conflicts because the USE flags that made each package special for MY computer were screwing up MY computer something fierce.
Re:This has been said before... (Score:3, Interesting)
First, USE flags allow precise control of what you want to be installed. If a package supports gnome, and I don't want gnome stuff, I just add "-gnome" in the USE flags. Debian would either force me to install Gnome libraries, or have to provide several versions.
Second, compiling from source means I can get a benefit from things like stack protection in GCC instead of having to wait for Debian to rebuild every package, which may never
Re:This has been said before... (Score:5, Informative)
That, and Gentoo is hardly immune [gentoo.org] to this sort of thing either.
Re:This has been said before... (Score:3, Insightful)
Re:This has been said before... (Score:2)
"...with your high UID"... (Score:3, Informative)
Take it from someone with a waaaaaaayyyyy lower UID than yours!
But to your original point - I'm not too sure you can rule out future break-ins at all. It would only be REALLY stupid, if both break-ins happened through the same setup fault.
But I don't think debian has a full time security admin who constantly and ACTIVELY monitors every debian.org box, like other big name companies might be able to afford to.
Secondly, the sheer multitude of packages, and frequent
No fear... (Score:5, Funny)
Re:No fear... (Score:5, Funny)
Re:No fear... (Score:3, Funny)
I know people around here swear by the GPL Licenced Linux Unix or the BSD Distribution, but we must admit we have been defeated. I, for one, welcome our Debian-cracking overlor
Re:No fear... (Score:3, Funny)
Re:No fear... (Score:4, Informative)
How old are you? Gotta be under 25, easy.
4mm helical scan DAT tapes were very, very popular for enterprise data backup. Do a quick google on "dat tape backup" and enlighten yourself.
-Charles
Re:No fear... (Score:2)
Oh craaap! (Score:2)
You have my sympathies (Score:3, Funny)
Perhaps now. (Score:2, Insightful)
Question (Score:5, Interesting)
Re:Question (Score:5, Informative)
http://www.debian.org/security/ [debian.org]
Security (not feature) patches are backported if possible, and if the patches are too extensive, an upgraded version goes into Stable.
Re:Question (Score:5, Insightful)
I have not used Debian; are these security facilities part of the distribution? If not, perhaps they should be given an expedited path.
Were they 'living on the edge'? (Score:2)
That's what you get for running UNSTABLE
Re:Were they 'living on the edge'? (Score:2)
Maybe Debian devs will finally come around (Score:5, Funny)
obligatory: (Score:5, Funny)
Changelogs (Score:2)
Of course an attacker could fake changelogs, though it's an extra step. It might be nice to include signed authentication of at least the changelog, if not the package itself, to ensure authenticity of upgrades. Debian's apt (and its descendants, like Ubuntu) seem perfectly suited for automating such authentication without addin
Re:Changelogs (Score:5, Informative)
And apt supports GPG signing of the Release file, which contains an MD5 and SHA-1 hash of the Packages file, which contains MD5 hashes of the packages. (In other words, apt already does package integrity checking.)
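The trust chain described in this reply and in the "All releases are signed" post above (Release.gpg signs Release; Release lists MD5 and SHA-1 hashes of Packages; Packages lists MD5 hashes and sizes of the .deb files) can be walked by hand. The following is an added example, not code from the thread or from apt: it parses both index formats and checks each link of the chain against sample data constructed for the demo. The package name, paths and file bytes are made up; the detached-signature step on Release itself is not performed here because it needs the real archive keyring.

```python
"""Walk the apt integrity chain: Release -> Packages -> .deb.
All sample data below is constructed for this example."""
import hashlib

# Hash sections a Release file may carry, mapped to hashlib algorithm names.
RELEASE_SECTIONS = {"MD5Sum": "md5", "SHA1": "sha1", "SHA256": "sha256"}


def parse_release(text):
    """Return {section: {path: (hexdigest, size)}} from a Release file's hash lists."""
    sections, current = {}, None
    for line in text.splitlines():
        if not line.startswith(" "):
            # A non-indented line is a field such as "Origin:" or "MD5Sum:".
            field = line.split(":", 1)[0]
            current = sections.setdefault(field, {}) if field in RELEASE_SECTIONS else None
            continue
        parts = line.split()
        if current is not None and len(parts) == 3:
            digest, size, path = parts
            current[path] = (digest, int(size))
    return sections


def parse_packages(text):
    """Return {Filename: {field: value}} from a Packages index (blank-line separated stanzas)."""
    entries, stanza = {}, {}
    for line in text.splitlines() + [""]:
        if not line.strip():
            if "Filename" in stanza:
                entries[stanza["Filename"]] = stanza
            stanza = {}
        elif ":" in line and not line.startswith(" "):
            key, value = line.split(":", 1)
            stanza[key] = value.strip()
    return entries


def verify_index(release_text, index_path, index_bytes):
    """True if every hash the Release file lists for index_path matches index_bytes."""
    sections = parse_release(release_text)
    checked = 0
    for field, algo in RELEASE_SECTIONS.items():
        entry = sections.get(field, {}).get(index_path)
        if entry is None:
            continue
        digest, size = entry
        if size != len(index_bytes) or hashlib.new(algo, index_bytes).hexdigest() != digest:
            return False
        checked += 1
    return checked > 0  # an index the Release file never mentions is untrusted


def verify_deb(packages_text, filename, deb_bytes):
    """True if the Packages stanza for filename matches the .deb's Size and MD5sum."""
    stanza = parse_packages(packages_text).get(filename)
    if stanza is None:
        return False
    return (int(stanza["Size"]) == len(deb_bytes)
            and stanza["MD5sum"] == hashlib.md5(deb_bytes).hexdigest())


# Constructed stand-in for a .deb (real ones are ar archives; only the bytes matter here).
DEB_BYTES = b"!<arch>\nexample package payload, constructed for this demo\n"
DEB_PATH = "pool/main/e/example/example_1.0-1_i386.deb"  # hypothetical package
PACKAGES_TEXT = (
    "Package: example\nVersion: 1.0-1\nArchitecture: i386\n"
    f"Filename: {DEB_PATH}\nSize: {len(DEB_BYTES)}\n"
    f"MD5sum: {hashlib.md5(DEB_BYTES).hexdigest()}\n"
)
INDEX_PATH = "main/binary-i386/Packages"
_index = PACKAGES_TEXT.encode()
# What the (signed) Release file would say about this Packages index.
RELEASE_TEXT = (
    "Origin: Debian\nSuite: stable\nCodename: sarge\n"
    f"MD5Sum:\n {hashlib.md5(_index).hexdigest()} {len(_index)} {INDEX_PATH}\n"
    f"SHA1:\n {hashlib.sha1(_index).hexdigest()} {len(_index)} {INDEX_PATH}\n"
)


def check_chain(release_text, packages_text, deb_bytes):
    """Any broken link (index or package) fails the whole chain."""
    return (verify_index(release_text, INDEX_PATH, packages_text.encode())
            and verify_deb(packages_text, DEB_PATH, deb_bytes))


def run_demo():
    """Genuine chain passes; a swapped Packages index or a modified .deb does not."""
    tampered_packages = PACKAGES_TEXT.replace("Version: 1.0-1", "Version: 1.0-2")
    tampered_deb = DEB_BYTES + b"extra bytes\n"
    return (check_chain(RELEASE_TEXT, PACKAGES_TEXT, DEB_BYTES),
            check_chain(RELEASE_TEXT, tampered_packages, DEB_BYTES),
            check_chain(RELEASE_TEXT, PACKAGES_TEXT, tampered_deb))


if __name__ == "__main__":
    print(run_demo())  # (True, False, False)
```

The point of the chain is that a mirror or build host can be replaced wholesale and the client still notices, as long as the Release file it fetches fails `gpgv Release.gpg Release` against the archive key it already trusts; that is why the interesting question in the thread is whether the signing key, not the mirror, was exposed.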
Re:Changelogs (Score:2)
The lack of changelogs I mentioned was occasional, in the Ubuntu Update Manager.
And including the signing in the Update Manager GUI would add security to the process.
If you were less smug about the apt features you might be more interested in the lack of their implementation in Ubuntu, where they would do some good. Even if Ubuntu isn't operating on more
Re:Changelogs (Score:3, Informative)
It may be slightly better than nothing, but it isn't that much better that it's worth mentioning. Any attacker who knows enough to build a fake .deb package will know enough to put something in the changelog, and it may add maybe a minute to the attack.
Ubuntu uses apt for update
Re:Changelogs (Score:4, Informative)
Debian has been checking digital signatures on every package installed for almost a year now. See here [debian-adm...ration.org].
Of course, I run testing, so I have no idea when this got into stable.
Re:Changelogs (Score:2)
What was exploited..? (Score:3, Interesting)
Re:What was exploited..? (Score:2, Informative)
Not public information yet. If you're subscribed to debian-devel-announce [debian.org], you'll be the first to know.
Re:What was exploited..? (Score:2, Informative)
We're still investigating exactly what happened and the extent of the damage.
We'll post more info as soon as we reasonably can.
If the ones affected can't say, who can then.
(yeah, yeah... "the ones who attacked the server").
Re:What was exploited..? (Score:2)
This is a machine to which nearly all debian developers have some form of access.
Why? (Score:2)
And, if one is so set on doing some damage - why go after a free service??
Dear Hackers (Score:3, Interesting)
If you manage to hack into the main repository, please fix this bug [debian.org]. A well-tested patch has been available for almost 6 months, and it is even attached to the bug report. The bug has been fixed in Ubuntu, but Debian users are still waiting, more than a year after the bug was first filed.
If you hack, do it for the right reasons.
WikiDebian? (Score:5, Funny)
Maybe we need WikiDebian? "The free operating system that anyone can edit."
I'm not joking. If it works for Wikipedia, why not Debian??
At risk of stating the obvious... (Score:2, Informative)
Re:At risk of stating the obvious... (Score:2, Insightful)
Yes, at risk of stating the obvious, you stated the obvious. It's unfair to claim that Debian developers are "trying to cover themselves somewhat" just because they didn't state the obvious.
services? (Score:2)
Why all the flak? (Score:5, Insightful)
Re:Why all the flak? (Score:3, Insightful)
Because heros aren't allowed to have flaws. Read your Greek myths. If a hero is found to have a flaw, he will be destroyed. (P.S.: They are all found to be flawed.)
That which does not kill, hardens (Score:2)
That which does not kill you, makes you stronger
--Friedrich Nietzsche
It was a local root exploit (Score:3, Informative)
The short version is, it was a privilege-escalation exploit triggered from a compromised user account, the server in question is now restored, but several others are locked down pending inspection. Also, it says the regular and security archives were not in danger. The exploit was a known issue in the 2.6.16.18 kernel running on gluck at the time of the exploit.
Interestingly, the window between the compromise and the lockdown was less than two hours.
Re:It was a local root exploit (Score:4, Informative)
Re:Good thing... (Score:5, Insightful)
Ubuntu draws sources heavily from the unstable and/or testing branches of Debian in order to devote more time and energy to testing and the important fixed-length release cycle. They also are partially reliant on the Debian project for security updates. There would be little to no forward movement of Ubuntu currently without the Debian project. Indeed this may change as time goes on, but to me there are a lot of benefits to this model and I hope they stick with it. Previously most every debian-derived distribution has perished by trying to shed their ties and reliance on the core Debian project.
Re:I refuse to belive this (Score:5, Insightful)
No (Score:2, Informative)
Re:RSA auth to blame? (Score:3, Informative)
Re:Again? (Score:2, Insightful)
It happened once in 2003 [debian.org], but I can't recall any other incidents. That time it was a previously unknown Linux kernel hole which was used to gain root along with a sniffed password.
This time it looks like another kernel hole - but we've not had public confirmation. Could have been an exploit for CVE-2006-2451 [grok.org.uk]...