Debian Project Servers Compromised

jamie posted more than 10 years ago | from the batten-down-hatches dept.

Sean was one of many to pass along the bad news from the debian-announce mailing list: "Some Debian Project machines have been compromised. This is a very unfortunate incident to report about. Some Debian servers were found to have been compromised in the last 24 hours. The archive is not affected by this compromise! In particular the following machines have been affected: 'master' (Bug Tracking System), 'murphy' (mailing lists), 'gluck' (web, cvs), 'klecker' (security, non-us, web search, www-master). Some of these services are currently not available as the machines undergo close inspection. Some services have been moved to other machines (www.debian.org for example). The security archive will be verified from trusted sources before it will become available again." They were going to announce 3.0r2 this morning; they've checked it and it's unaffected but obviously they're still postponing that release.

666 comments

1st (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#7527492)

first! http://rahfish.genesis.mine.nu!

...not the archive. (1, Redundant)

DShard (159067) | more than 10 years ago | (#7527493)

What's the point of doing this if you don't affect the distribution? Seems pretty insipid to me.

Re:...not the archive. (1, Funny)

Anonymous Coward | more than 10 years ago | (#7527518)

You're assuming here that the average script kiddie actually has a reason other than mindless vandalism.

Re:...not the archive. (0, Redundant)

JPelorat (5320) | more than 10 years ago | (#7527524)

The same point as any other type of wanton destruction is committed - for the sake of it.

Re:...not the archive. (2, Insightful)

greechneb (574646) | more than 10 years ago | (#7527527)

Who knows what the motives were at this point. Maybe it's just a *BSD user trying to show that Linux is insecure, and doesn't want to hurt anyone else. Maybe it's some script kiddie who had an early bedtime and had to go to bed before he got to do any major damage. Maybe it is part of a campaign to discredit Linux in general (*cough*SCO). Until more is known, the goal of this break-in won't be known.

Grumble, grumble (5, Insightful)

Anonymous Coward | more than 10 years ago | (#7527624)

What's interesting about your comment is that when a M$ compromise comes to light, the focus is on how big a bozo BillyG is for letting his insecure crap out into the world. When something like this happens, it's those nasty little hackers or script kiddies and their deep dark motives or a cabal led by M$/SCO to "discredit" Linux. Face it, the main servers for a major distro were hacked into at a very sensitive time. Ouch. Regardless of the whys of who did it, it was done. Yeah, kudos for them coming public, but if I'm Joe CTO and looking at purchasing some puters, I'm thinking to myself, hey, what's up with this, they told me that M$ stuff sucked and this Linux stuff was secure. This wasn't some ma and pa website that got defaced after all.

Re:...not the archive. (0)

Urkki (668283) | more than 10 years ago | (#7527547)

Perhaps that was the first step of trying to affect the distribution... Luckily (hopefully...) they got caught before they could do any real damage.

Re:...not the archive. (-1)

Anonymous Coward | more than 10 years ago | (#7527553)

I don't think they were intending to be detected this early on.

Re:...not the archive. (1)

Sam H (3979) | more than 10 years ago | (#7527580)

Given how quickly the compromise was discovered, they probably did not have enough time to find an efficient way to compromise the archive. Since several machines were compromised at once, one can speculate that the crackers were not very skilled or they would have tried to hide a bit better, and that would also explain why they were unable to do anything to the archive.

Re:...not the archive. (4, Interesting)

nchip (28683) | more than 10 years ago | (#7527632)

The server that pushes .debs to the archive is running debian/sparc (donated by Sun, btw), so probably the cracker didn't know how to port his leet exploit to sparc (all the compromised machines were i386).

SCRUBS!!! (-1, Flamebait)

Anonymous Coward | more than 10 years ago | (#7527501)

I don't want no fuckin' scrubs. Your mommie is a scrub and your daddie is a crum-bumb!

Not on debian-announce archive (3, Informative)

Anonymous Coward | more than 10 years ago | (#7527505)

The debian-announce archive [ http://lists.debian.org/debian-announce/debian-announce-2003/threads.html ] doesn't list this message. Of course with the number of machines affected it's possible that the mailing list archive is somehow affected.

-JohnF

Re:Not on debian-announce archive (5, Informative)

cjwatson (224090) | more than 10 years ago | (#7527516)

Yes, lists.debian.org runs on one of the compromised machines and is, er, not quite running on all cylinders just at the moment.

Re:Not on debian-announce archive (0)

Anonymous Coward | more than 10 years ago | (#7527519)

The list archives are run on master, one of the compromised machines. The archiver will be restarted once the machine is verified to be OK.

Re:Not on debian-announce archive (1)

tfheen (128718) | more than 10 years ago | (#7527521)

master.debian.org, one of the compromised machines is running the list archives.

Re:Not on debian-announce archive (2, Insightful)

Tri (60119) | more than 10 years ago | (#7527530)

This message is not on the archive, as the archive is not currently being updated (it lives on master). You can get a copy of the announcement on other archives of Debian mailing lists such as gmane's.

Re:Not on debian-announce archive (4, Informative)

jamie (78724) | more than 10 years ago | (#7527550)

As other readers have pointed out, that machine was apparently affected.

I got the email too, and I checked its Received: headers against a debian-announce message in my mail archives from about a year ago. They both came from the same source. So there's no way this is a hoax ...unless the murphy.debian.org machine that emailed it to me is compromised, in which case it's not an inaccurate hoax :/

Re:Not on debian-announce archive (2, Informative)

cjwatson (224090) | more than 10 years ago | (#7527560)

murphy was compromised, but it's not a hoax (at least if you believe this random poster on slashdot ...).

Re:Not on debian-announce archive (3, Funny)

Tri (60119) | more than 10 years ago | (#7527608)

But when the three other random posters are debian devels... ;-)

Except that anonymous coward person. I've never seen *him* in the keyring...

Where's the confirmation from debian people? (2, Interesting)

mackstann (586043) | more than 10 years ago | (#7527623)

I've seen no confirmation of this by anyone @debian.org. So what's the deal? Real or not?

There was some fuss on the debian-user list, and this was labeled a hoax, yet I saw no official word that it was true.

Re:Where's the confirmation from debian people? (5, Informative)

tfheen (128718) | more than 10 years ago | (#7527646)

At least cjwatson and myself are Debian developers. I wish I could say it's a hoax, but it's not. However, as you've already read: the archive doesn't seem to be compromised at all.

Re:Not on debian-announce archive (-1, Redundant)

Anonymous Coward | more than 10 years ago | (#7527654)

Gee, I wonder if Microsoft is behind this.

SCO Again!... (5, Funny)

isoga (670113) | more than 10 years ago | (#7527507)

Obviously SCO are trying to break in and steal the source to prove once and for all that Linux has stolen their patents!

;)

dave

Tech stuff [homelinux.net]

Re:SCO Again!... (5, Funny)

Urkki (668283) | more than 10 years ago | (#7527577)

No no. They are trying to break in to *insert* patented code into Linux code, so they'd have a leg to stand on in the court ;)

Re:SCO Again!... (-1, Redundant)

greechneb (574646) | more than 10 years ago | (#7527603)

Kinda stupid to do since the source code is freely available. I'd think if it was them, they were trying to insert their own code!

Re:SCO Again!... (0)

grokster (557481) | more than 10 years ago | (#7527621)

Break in and steal the source? When you can just download it from the site? Man, those SCO guys must be clueless.

It's good to see that they are holding everything (1, Insightful)

Anonymous Coward | more than 10 years ago | (#7527510)

back until they are sure.

however, it does remind me of the gnu ftp cracking incident a while back...

(although that was a known exploit, and this seems to be login/password being compromised)

Re:It's good to see that they are holding everythi (1, Insightful)

Anonymous Coward | more than 10 years ago | (#7527574)

What makes you believe that it was a compromised password and not some new or unknown exploit?

-JohnF

Re:It's good to see that they are holding everythi (0)

Anonymous Coward | more than 10 years ago | (#7527631)

other comments i've seen.

debian grapevine.

Re:It's good to see that they are holding everythi (1, Funny)

xscarecrowx (118632) | more than 10 years ago | (#7527656)

because he did it, duh!

That explains (3, Informative)

jav1231 (539129) | more than 10 years ago | (#7527511)

Why my apt-get was failing from people.debian.org last nite. Not to mention why debian.org was down. :(

Re:That explains (4, Funny)

Anonymous Coward | more than 10 years ago | (#7527531)

Thanks for that insightful interpretation of events, Captain Obvious.

OT (-1, Offtopic)

koekepeer (197127) | more than 10 years ago | (#7527597)

regarding your signature:

"All the cool kids quit smoking and are running Linux!"

i fail to see any correlation, let alone causal relationship between any of the next variables
"coolness"
"young age"
"smoking"
"running linux"

would you care to explain? i run linux, and i smoke like a madman! and yes, i am very cool! i am! (grinning like a maniac)

Re:OT (0)

FinestLittleSpace (719663) | more than 10 years ago | (#7527647)

My dear facetious friend, they're strings/words, not variables :-)

apt (4, Interesting)

isorox (205688) | more than 10 years ago | (#7527514)

Of course this raises the whole issue of apt-get. We all rely on apt-get update && apt-get upgrade; all it takes is someone to compromise the servers and insert a backdoor.

Re:apt (1, Interesting)

Anonymous Coward | more than 10 years ago | (#7527543)

You can expect better support for checking GPG signatures on packages in the near future...

Signatures? (4, Interesting)

Sits (117492) | more than 10 years ago | (#7527546)

Are .debs signed? (I'm not that familiar with Debian but I'd imagine they are.) If so then just tell apt-get to not install .debs that don't match a known signature...

Re:apt (3, Informative)

tfheen (128718) | more than 10 years ago | (#7527549)

Which is why using something similar to ajt's apt-check-sigs [66.102.11.104]. (Google cache, since people.d.o is down.)

Re:apt (0)

Anonymous Coward | more than 10 years ago | (#7527556)

We all rely on auditing our servers. And possibly someone auditing us.

Re:apt (1)

LilJC (680315) | more than 10 years ago | (#7527562)

I've had similar thoughts - but it appears they're doing the right thing by taking the machines offline for inspection. That way if there is a backdoor they can eradicate any further security holes before they are exploited.

I wish the message was a little more detailed, however. I run a Debian server. If the project machines are compromised, I would like either some assurance that my machine can't be compromised the same way or a fix for it.

I'm sure people running servers with truly sensitive information (that doesn't happen to be on my server) would find this even more nice.

I welcome anyone to reply to this with any further announcements, assuming this won't be a multiple headline story.

Re:apt (0)

Anonymous Coward | more than 10 years ago | (#7527600)

Would you rather have the information that it is compromised now, or later when the assurance / fix is available?

Re:apt (4, Interesting)

Anonymous Coward | more than 10 years ago | (#7527566)

apt-secure [debian.net] uses strong cryptographic methods to verify the authenticity of packages in the archive. It may be the default apt-get for sarge, depending on man-power issues.

Re:apt (-1, Flamebait)

Anonymous Coward | more than 10 years ago | (#7527584)

Wow, you noticed.

But then, all it ever required was someone to compromise any Debian Developer's sign+upload machine and do something subtle enough that it got into testing. Or worse, unstable, if you're stupid enough to run that.

Re:apt (3, Informative)

psamuels (64397) | more than 10 years ago | (#7527586)

Of course this raises the whole issue of apt-get.

Indeed, that's one of the few areas where the Debian Project has lagged behind other distribution vendors technically - cryptographic signature verification for packages.

This infrastructure has been kind of long in coming, but as of a few months ago, you can now verify Debian package signatures with debsig-verify [debian.org]. Might I suggest everyone install and use that?

Re:apt (1)

shadowpuppy (629329) | more than 10 years ago | (#7527591)

Last I knew apt was able to verify the packages via gpg signatures. So though it's still a concern it should be much less of one.

Though I would like to know how the machines were compromised. If those machines were running Woody then it could affect a number of other people.

Running Debian-Stable? (-1, Flamebait)

Anonymous Coward | more than 10 years ago | (#7527526)

And this because they should be running only "proven software". (Read: Old crap).

I wonder if someone really believes that Debian make the stable releases for stability and security rather than incapacity of releasing and supporting an up to date system.

Re:Running Debian-Stable? (3, Informative)

wouterke (653865) | more than 10 years ago | (#7527589)

Security is much much more than "just keeping your system up-to-date".

- accounts can be compromised
- unknown bugs may have been exploited (although that's unlikely in this particular case)
- crackers could have been cracking a developer's system, and using information they find on that developer's hard disk (ssh key, gpg key, ...) to log in to one of the servers
- also of importance in general is the competence of the administrators (which surely is *not* the cause of the problem here).

Of course these systems are running debian stable; but that's most likely not the problem.

Digital Signing of Packages? (5, Interesting)

Chris_Jefferson (581445) | more than 10 years ago | (#7527528)

This is the second time this has happened to a big open-source project (the first being the GNU servers a while ago). All packages by both groups are "md5" signed, which is supposed to protect against malicious hacking. However if the root server is compromised, this doesn't help. Companies (including at least Microsoft, and the people who make Ad-aware) who distribute files over the internet sign them with an RSA (or similar) key, and the computer which does this signing is kept disconnected from the internet. For such large projects which are installed by millions of people, might a similar system not be a good idea?

Re:Digital Signing of Packages? (5, Informative)

stevey (64018) | more than 10 years ago | (#7527544)

MD5 sums are used for the contents of packages, but packages may only be uploaded and processed by the build system if they're correctly signed.

So yes it's not trivial to backdoor a package - unless you're already a Debian Developer...

Re:Digital Signing of Packages? (1, Insightful)

Anonymous Coward | more than 10 years ago | (#7527568)

Saner Open Source heads sign with GPG. God alone knows why anyone thinks MD5 alone is adequate in this day and age.

Just don't do it kids.

I do wonder though, what with the "professional" level of the unsuccessful attack on Linux BitKeeper, and so on, whether there are more serious forces than the usual crop of script-kiddie losers currently targeting open source.

Actually, I think a good code-audit is healthy once in a while. Open Source is made stronger and stronger by attacks. Hopefully this will be the final death knell for md-fucking-5.

Re:Digital Signing of Packages? (3, Interesting)

tfheen (128718) | more than 10 years ago | (#7527601)

The Packages files include md5 sums of all the .debs, the Release file contains the md5 sum of all the Packages files, and the Release file itself is signed using GPG. Using apt-check-sigs [66.102.11.104] you can automate the checking of the packages you are installing.
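The chain described above (GPG-signed Release -> md5 of each Packages file -> md5 of each .deb), walked over a constructed mini-archive in Python. This is an added example, not the post's or apt-check-sigs' own code; the GPG step is represented by a stand-in callable (`trusted_release_signature`) that assumes a real `gpg --verify` has run, and the archive paths and .deb bytes are made up. It generalises the comment slightly by showing at which link each kind of mirror-side tampering is caught.

```python
import hashlib
import re


def md5hex(data: bytes) -> str:
    # MD5 is what the 2003-era archive format carries; it is not collision-resistant,
    # so the signed Release file is the only link in this chain an attacker can't forge.
    return hashlib.md5(data).hexdigest()


def parse_release_md5sums(release_text: str) -> dict:
    """Return {path: (md5, size)} from the 'MD5Sum:' section of a Release file."""
    sums = {}
    in_section = False
    for line in release_text.splitlines():
        if line.startswith("MD5Sum:"):
            in_section = True
            continue
        if in_section and line.startswith(" "):
            parts = line.split()
            if len(parts) == 3:
                sums[parts[2]] = (parts[0], int(parts[1]))
        elif in_section:
            in_section = False  # the next top-level field ends the section
    return sums


def parse_packages(packages_text: str) -> dict:
    """Return {Filename: (MD5sum, Size)} for every stanza in a Packages file."""
    entries = {}
    for stanza in re.split(r"\n\s*\n", packages_text.strip()):
        fields = {}
        for line in stanza.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
        if "Filename" in fields:
            entries[fields["Filename"]] = (fields["MD5sum"], int(fields["Size"]))
    return entries


def verify_deb(files: dict, signature_ok, packages_path: str, deb_path: str):
    """Walk the trust chain for one .deb fetched from a possibly hostile mirror.

    files        -- {archive path: bytes} as downloaded
    signature_ok -- callable(release_bytes) -> bool; stand-in for the gpg check
    Returns (True, "ok") or (False, reason)."""
    release = files["Release"]
    if not signature_ok(release):
        return False, "Release signature does not verify"
    release_sums = parse_release_md5sums(release.decode())
    if packages_path not in release_sums:
        return False, "Packages file not listed in signed Release"
    packages = files[packages_path]
    want_md5, want_size = release_sums[packages_path]
    if len(packages) != want_size or md5hex(packages) != want_md5:
        return False, "Packages file does not match signed Release"
    entries = parse_packages(packages.decode())
    if deb_path not in entries:
        return False, ".deb not listed in Packages"
    deb = files[deb_path]
    want_md5, want_size = entries[deb_path]
    if len(deb) != want_size or md5hex(deb) != want_md5:
        return False, ".deb does not match Packages"
    return True, "ok"


# --- constructed sample archive (hypothetical paths and contents, not real Debian data) ---
DEB = b"!<arch>\nconstructed fake .deb payload\n"
DEB_PATH = "pool/main/f/foo/foo_1.0_i386.deb"
PACKAGES_PATH = "main/binary-i386/Packages"


def build_archive(deb: bytes = DEB) -> dict:
    packages = (
        "Package: foo\nVersion: 1.0\nArchitecture: i386\n"
        f"Filename: {DEB_PATH}\nSize: {len(deb)}\nMD5sum: {md5hex(deb)}\n"
    ).encode()
    release = (
        "Origin: Debian\nSuite: stable\nMD5Sum:\n"
        f" {md5hex(packages)} {len(packages)} {PACKAGES_PATH}\n"
    ).encode()
    return {"Release": release, PACKAGES_PATH: packages, DEB_PATH: deb}


def trusted_release_signature(signed_release: bytes):
    """Stand-in for gpg --verify: only the exact bytes that were signed verify."""
    return lambda data: data == signed_release


def demo() -> dict:
    good = build_archive()
    sig_ok = trusted_release_signature(good["Release"])
    results = {"clean": verify_deb(good, sig_ok, PACKAGES_PATH, DEB_PATH)}
    # Mirror swaps the .deb only: caught against the md5 in Packages.
    swapped = dict(good)
    swapped[DEB_PATH] = DEB + b"backdoor"
    results["swapped deb"] = verify_deb(swapped, sig_ok, PACKAGES_PATH, DEB_PATH)
    # Mirror also rewrites Packages to match: caught against the md5 in the signed Release.
    rebuilt = build_archive(DEB + b"backdoor")
    rebuilt["Release"] = good["Release"]
    results["rewritten Packages"] = verify_deb(rebuilt, sig_ok, PACKAGES_PATH, DEB_PATH)
    # Mirror rewrites Release too, but holds no signing key: caught at the signature.
    forged = build_archive(DEB + b"backdoor")
    results["rewritten Release"] = verify_deb(forged, sig_ok, PACKAGES_PATH, DEB_PATH)
    return results


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:20s} {'PASS' if ok else 'FAIL'}: {reason}")
```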

Re:Digital Signing of Packages? (5, Insightful)

samjam (256347) | more than 10 years ago | (#7527630)

Don't be certain that digital signing is such a cure.

The person operating the non-networked signing machine still needs to be sure that what-it-is-that-they-are-signing is what-it-is-supposed-to-be.

Now how does digital signing on a non-connected machine help you know the source wasn't tampered with?

Windowsupdate.microsoft.com (-1, Flamebait)

Anonymous Coward | more than 10 years ago | (#7527529)

Never gets compromised. Take that, hippies.

How long will it take? (4, Insightful)

cgranade (702534) | more than 10 years ago | (#7527532)

How long will it take for the few MS fanboys around to say that this is why Windows is better? Let me pull a Rumsfeld (pre-emptive retaliation, that is...). Everyone gets compromised once in a while. At least Debian is open about it, and not sitting on an insecure system because it's more profitable to let a bad product go than to risk bad press from releasing a security bulletin.

Re:How long will it take? (5, Insightful)

stevey (64018) | more than 10 years ago | (#7527565)

Password stealing is pretty OS independent.

So this compromise, whilst undeniably bad, isn't really going to show much about Debian, or Windows.

Re:How long will it take? (1)

cgranade (702534) | more than 10 years ago | (#7527576)

When I posted, I didn't know it was a password leak... sorry. /me is reminded why to RTFA...

Re:How long will it take? (1)

FooBarWidget (556006) | more than 10 years ago | (#7527604)

What do you mean "few"? There are tons of them, even on Slashdot (heck, they're the majority).

Re:How long will it take? (0)

Anonymous Coward | more than 10 years ago | (#7527614)

Amazing that some people can try to turn every story into MS bashing. Linux vendor's insecurity is ok because they are being 'open' about it.

"Everyone gets compromised once in a while."

Maybe in your closed world of peecees and macs and linoox. There's a broader world of midranges and mainframes son, that never do - given proper administrative skills.

"Everyone gets compromised once in a while."

I still can't get over this pathetic, fanboy apologetic remark. Too funny.

Re:How long will it take? (0)

Anonymous Coward | more than 10 years ago | (#7527628)

This was a password leak. Very few systems, even mainframe ones, could fully cope with that.

Re:How long will it take? (1)

ThatDamnMurphyGuy (109869) | more than 10 years ago | (#7527655)

Maybe in your closed world of peecees and macs and linoox. There's a broader world of midranges and mainframes son, that never do - given proper administrative skills.

While I agree with your statement in general, I think the only reason most "midranges" and "mainframes" aren't compromised is that most of them are nowhere close to being connected directly to the internet. But, I bet with some bored creative internal employees, they're just as crackable, and just as (if not more) behind on patches and security fixes than externally exposed machines.

Re:How long will it take? (1, Insightful)

Anonymous Coward | more than 10 years ago | (#7527622)

I don't think the "MS fanboys" are trying to say that Windows is more secure than Linux (though no doubt some of the trolls are). I think in general what they are saying is "see, Linux doesn't have the rock solid invincible security the Linux zealots would like us to believe it has".

In other words, "here is a taste of your own medicine"... bitter isn't it?

How long for 3.0r2? (1)

Lizard_King (149713) | more than 10 years ago | (#7527533)

I don't think woody will be postponed that long. Martin's announcement says, "While it has not been announced yet, it has been pushed to our mirrors already."

Has a Microsoft release ever been compromised? (2, Funny)

Anonymous Coward | more than 10 years ago | (#7527534)

Sorry, but I had to say it.... a Microsoft release has never been delayed because one of their servers was compromised.

Let's just remember that before we extol the virtues of how great open source is.

Re:Has a Microsoft release ever been compromised? (1, Funny)

Travoltus (110240) | more than 10 years ago | (#7527559)

No, they just release it, virus or hacks and all. :)
(just kidding)

Re:Has a Microsoft release ever been compromised? (1)

hplasm (576983) | more than 10 years ago | (#7527607)

Sorry, but I had to say it.... a Microsoft release has never been delayed because one of their servers was compromised.

Sorry, but I had to say it.... that explains why a Microsoft release is so premature.

Re:Has a Microsoft release ever been compromised? (1, Interesting)

Anonymous Coward | more than 10 years ago | (#7527615)

But how do you know? They could say "we didn't go gold because we wanted to get the bevelled edges on the windows just right" or crap like that.

MS, unlike Debian, aren't very open about it when they are compromised (remember when the russians were on the MS corporate network for MONTHS? No? That's because MS controls the mainstream press, and played it down. But crackers had access to the Win2k sources for several weeks.)

This is horrendously bad security practice - even if you are using closed source stuff and think open source stuff is a load of politically-loaded garbage, you as a sysadmin STILL NEED TO KNOW if your upstream source for that closed source stuff is compromised. Disclosure of compromised security to customers is VITAL for the security OF THE CUSTOMERS.

MS worry far more about their reputation for security (not that there's much left...) than security, and it's only because lots of customers are too uneducated to grasp the above that they still get away with it.

Re:Has a Microsoft release ever been compromised? (1)

deadmonk (568008) | more than 10 years ago | (#7527627)

Who knows? You think they're going to stand up and admit they got hacked into? One of the virtues of the Open Source community is that things like this are never secret - people using apt-get can be aware of the situation and make an *informed* choice about how to proceed.

I doubt you'll get the same courtesy from Microsoft.

Quick! (-1, Troll)

Anonymous Coward | more than 10 years ago | (#7527536)

Quick! Blame Microsoft!

Will the release be pushed back to April? (1)

Travoltus (110240) | more than 10 years ago | (#7527537)

(That's a Half-Life 2 joke)

Re:Will the release be pushed back to April? (1)

Tri (60119) | more than 10 years ago | (#7527629)

Well someone's leaked all the source code out now!

OS? (1)

thanjee (263266) | more than 10 years ago | (#7527539)

Errrm, what OS was running on the servers compromised? :)

Re:OS? (1)

mrsev (664367) | more than 10 years ago | (#7527572)

Why IIS .... what else?

Hearing the news, (4, Funny)

KoolDude (614134) | more than 10 years ago | (#7527542)


...thousands of slashdotters flocked to Netcraft website to check whether debian.org was running on IIS.

Re:Hearing the news, (2, Funny)

cgranade (702534) | more than 10 years ago | (#7527605)

Better than to debian.org to check to see the news... server comes back up, crippled, sees /. and runs again...

Bonus point for Debian (2, Insightful)

Alcoyotl (157542) | more than 10 years ago | (#7527552)

Any other company would have sweeped that kind of incident under the rug hoping it had gone unnoticed, or would have cooked up a PR statement to minimize the incident.

Here we can see the strength of such projects, as in this [slashdot.org] recent kernel story.

Re:Bonus point for Debian (0)

Anonymous Coward | more than 10 years ago | (#7527652)

"swept"

Muppet

.

Soiling the nest (0)

Anonymous Coward | more than 10 years ago | (#7527554)

What puzzles me most about computer vandals is that they are effectively soiling the nest, ours and also theirs. Some of the crackers are not un-intelligent but somehow seem to miss out on considering consequences.

has someone declared war on FOSS? (1)

Monk[Deviant Form] (189543) | more than 10 years ago | (#7527555)

there seems to be a lot of flack hitting the open source world lately, what with the hack attempt on the kernel, the legal battles and the increase in FUD.
could it be a concerted effort or is it coincidence?

Re:has someone declared war on FOSS? (1)

Travoltus (110240) | more than 10 years ago | (#7527578)

No.

Servers get hijacked all the time. Someone just happened to find a way into a sensitive server and did what computer hijackers do.

I see nothing different here than what happens with any hijacking.

Re:has someone declared war on FOSS? (1)

smoking2000 (611012) | more than 10 years ago | (#7527593)

What better software to backdoor than those in the core of the OS?

Backdoor it once, crack half the planet who uses that code!

What was that about Windows servers? (-1, Troll)

goldspider (445116) | more than 10 years ago | (#7527561)

Oh yeah! They're not secure! Good thing we have those air-tight Debian servers, eh Slashdotters?

Re:What was that about Windows servers? (3, Insightful)

finkployd (12902) | more than 10 years ago | (#7527625)

If a password is compromised, it does not matter what system you run. And everything I've read indicated this break-in was the result of a compromised password.

Finkployd

Makes you wonder (5, Insightful)

bigberk (547360) | more than 10 years ago | (#7527567)

It really is impressive for me how honest some organizations have been about admitting system compromises (Debian, ProFTP, GNU.org).

As someone who works with networking security, I know lots of business servers get compromised regularly. Everyone hides it because it's embarrassing for a business.

This makes you wonder how often other 'critical systems' get compromised, and get fixed without any public reports. Government computer systems get regularly compromised after all. But I'm sure so do vital Microsoft, IBM, systems, etc. Windows Update, anyone?

How in the world... (1, Interesting)

Jade E. 2 (313290) | more than 10 years ago | (#7527571)

I hate to say it, but do the Debian developers use their own product? Were they not kept up to date? Or are all Debian boxes vulnerable? I noticed that nowhere did they mention just *how* they were compromised. Sure, it might be embarrassing, but when a major distro's servers get cracked it doesn't help confidence in their distro. Letting us know what service is broken (and hopefully how to fix it) would go a long way towards correcting that.

Re:How in the world... (5, Informative)

stevey (64018) | more than 10 years ago | (#7527599)

Yes, Debian's machines run Debian. This break-in wasn't anything to do with the software installed upon the box, as it was due to a password compromise.

If anything it's more embarrassing that somebody lost their password than that the software wasn't up to date.

Re:How in the world... (1)

Edward Faulkner (664260) | more than 10 years ago | (#7527618)

It is unreasonable to assume they would already have completed forensic analysis to identify the exploit.

My guess is they'll announce it when they know.

Re:How in the world... (4, Insightful)

martinde (137088) | more than 10 years ago | (#7527634)

> I noticed that nowhere did they mention just *how* they were compromised.

They will when it's known. They felt it more important to announce what's going on immediately than to wait until there were details to announce. Part of Debian's social contract is "we will not hide problems"; this announcement and those that will follow as more is known demonstrate this policy in action.

password leak (0)

Anonymous Coward | more than 10 years ago | (#7527642)

nt

Being open about the security breach... (0)

svindler (78075) | more than 10 years ago | (#7527573)

is probably a violation of the DMCA!

How did they break in? (0)

FRAKK2 (166082) | more than 10 years ago | (#7527587)

If it was a keylogger and gaining access to someone's password, then that's just a case of personal security. That's how they got onto the GNU servers: someone had a keylogger installed on their Windows system.

Now if they managed to get through a service to compromise the machine, that would be more worrying.
But at least they managed to detect it.

And that's why I don't use Debian. (-1, Troll)

Adolph_Hitler (713286) | more than 10 years ago | (#7527595)

Debian takes forever to upgrade their distro and fix bugs, which is why Red Hat or SuSE are better for servers. The fact that all these servers were hacked and were running Debian might shut up some of the Debian elitist types who want everyone to use Debian for everything from server to desktop and in between. Debian is not good at everything; it's really no better than Slackware or Gentoo.

OpenBSD (-1, Troll)

duffbeer703 (177751) | more than 10 years ago | (#7527609)

If Debian ran OpenBSD, this wouldn't have happened! Theo runs a tight ship over there.

I also think that Gentoo would have prevented this tragedy.

Re:OpenBSD (5, Insightful)

Ascender (160684) | more than 10 years ago | (#7527649)

If Debian ran OpenBSD, this wouldn't have happened! Theo runs a tight ship over there.
I also think that Gentoo would have prevented this tragedy.

Not really. The vast majority of break-ins are through misconfiguration or human error. Neither Gentoo, OpenBSD, nor anything else can prevent these factors. I would be very surprised if this was due to a security hole or vulnerability. More likely someone wasn't secure enough with their SSH keys or something like that.

Re:OpenBSD (2, Interesting)

psamuels (64397) | more than 10 years ago | (#7527650)

If Debian ran OpenBSD, this wouldn't have happened!

OpenBSD prevents stolen passwords from being used to log into a system? How?

Signed announcement (2, Informative)

Anonymous Coward | more than 10 years ago | (#7527611)

here [uni-stuttgart.de] .

To verify it:

$ wget -O- http://cert.uni-stuttgart.de/files/fw/debian-security-20031121.txt | gpg --verify

Assuming you trust the key it was signed with, of course...

Sign, sign, sign, sign. (4, Insightful)

caluml (551744) | more than 10 years ago | (#7527637)

.debs should be gpg signed, and should fail to install if the verification fails. In fact, so should all packages from distros. Redhat, +1, Already doing it. -1, not failing to install if the packages don't verify.

Debian - maybe not so great (-1, Redundant)

cfkdaddy (723934) | more than 10 years ago | (#7527638)

So it kills me that the Debian servers got hacked. Is apt-get such a great idea? How hard would it be to insert a little something something that gets updated on all the Debian boxes out there?

I wonder if all the Debian freaks will now calm down a little. Of course, it might be like someone peeing in your corn flakes, resulting in massive hysteria, rioting in the Slashdot forums, the unwashed masses clamoring for blood and the elimination of the letter "M" from the English alphabet.

Seriously folks, let's look at Windows 2003 Server. I'm kidding. I wonder how many people will flame me.

My point is this. Linux is not the be all end all of existence. It's a great OS, with problems just like anything else. Let's keep this in its proper perspective and try to ignore the hysterical ranting of the Debian wackos.

If this were Microsoft... (-1, Flamebait)

mr. mulder (204001) | more than 10 years ago | (#7527640)

...the world would have jumped onto the anti-MS bandwagon proclaiming bug-stricken software and the lack of security attentiveness. Instead, this is Open Source... let's just slap their wrists and shrug it off again...

Everything's a tradeoff (5, Interesting)

buddha42 (539539) | more than 10 years ago | (#7527648)

On the one hand stuff like this scares the hell out of me, but on the other hand I'm very reassured by how the Debian community handles it. Full disclosure, detailed explanations, and very conservative thinking (exhibited by the "3.0r2 is fine, but we're not releasing it anyway just to be anally sure").

At this point I would like to see the debian team develop some written policies and procedures for how they intend to prevent this sort of thing in the future. I checked the site and while there's security info for how to secure your box, there's no policies on 'how does the debian project secure itself'.

Lastly, one concept you have to keep in mind, we have no idea how often other OS's key servers are cracked because they'd never tell us.

A sign of things to come (3, Insightful)

Cthefuture (665326) | more than 10 years ago | (#7527660)

As Linux becomes more popular this is only natural.

Open-source projects are not immune to attack and they are going to start feeling some of the pain experienced by other big targets like Microsoft. In the beginning it could be really bad because unless you're being attacked seriously all the time then you may not even realize where your vulnerabilities are.

This is a wake-up call to all "open" projects. Systems that are in use by a large number of people need to be protected better. Sure, this may have been a password compromise but the system should have been secure enough that some low-level user account compromise can't cause serious damage. And the high level accounts should never, ever have a password compromise. This needs to be treated in the same way big business does. Protect the customers, otherwise you may lose them.

This made me start thinking... Has Red Hat ever been compromised? That'd be a reason for going with a commercial distro if the free distros can't get their act together. (I've been a Debian user for many years, by the way.)