More Info on Debian.org Security Breach

michael posted more than 10 years ago | from the inspector-clouseau dept.

Debian 545

mbanck writes "James Troup (part of the Debian System administration team) has published more information on the recent compromise of four debian.org machines. The attack vector seemed to be a sniffed password of an unprivileged account, from which the attacker somehow managed to gain root and install the suckit rootkit and crack the other machines. As the machines were fairly up to date with respect to security, an as-of-yet unknown local root exploit might be in the wild, so keep an eye on your boxen. Note that the main ftp archive running on a sparc machine was not compromised, so the exploit might not yet be ported to non-i386 architectures."

545 comments

Boxen.. (3, Funny)

WeblionX (675030) | more than 10 years ago | (#7580346)

Here come the comments about the word "boxen..."

Re:Boxen.. (3, Funny)

Chuck Chunder (21021) | more than 10 years ago | (#7580352)

Someone needs their ears boxen.

Re:Boxen.. (0)

Anonymous Coward | more than 10 years ago | (#7580512)

When the finishing moment of the face winds round
When life flows out upon the ground
I'll be the only sliding sound
That turns your brain's remains around.

Re:Boxen.. (0)

Anonymous Coward | more than 10 years ago | (#7580353)

Server: Did you get the dick?

Re:Boxen.. (5, Funny)

Stormie (708) | more than 10 years ago | (#7580386)

If you call your computers "boxen", I hope they get cracked and rootkitted.

Re:Boxen.. (0)

Anonymous Coward | more than 10 years ago | (#7580483)

Hell yea. Nothing is more stupid than people who call their boxes "boxen". But then again I frikking HATE the word "Spam" for junk email. So I guess that's just me.

Re:Boxen.. (1, Funny)

Anonymous Coward | more than 10 years ago | (#7580394)

Yeah, the correct plural is "Debia".

Re:Boxen.. (1, Funny)

Anonymous Coward | more than 10 years ago | (#7580404)

no, that would be Debii

Or Debium? (0)

Anonymous Coward | more than 10 years ago | (#7580416)

The

Re:Boxen.. (5, Funny)

AndroidCat (229562) | more than 10 years ago | (#7580431)

It's a perfectly good middle-english plural. Perhaps they just have rather olde boxen to develop on?

I did it! (-1, Troll)

Anonymous Coward | more than 10 years ago | (#7580347)

Yep. All me. Cause i'm FP on slashdot.

Debian//? (-1, Flamebait)

Anonymous Coward | more than 10 years ago | (#7580349)

That's what you get for using debian :P

If security is paramount. (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#7580354)

Be glad you're not a turkey or a piece of my pie in my house.
Happy Thanksgiving.

Re:If security is paramount. (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#7580385)

Should I be glad I'm not a turkey, or just a turkey in your house?

It's turkey time, gobble gobble! *laff*

Uhm anyway, happy thanksgiving everybody, even you furrners who don't celebrate "real" holidays (i.e., any of our made-up American holidays where we pretend it has some religious significance but it's just an excuse to stuff our obese faces with yet more food).

at which point (-1, Funny)

gearheadsmp (569823) | more than 10 years ago | (#7580360)

After finding out the suckit rootkit was used, Bill Clinton spontaneously appeared and began saying, "Suck it! Suck on it! Suck it! .."

Re:at which point (1)

t0ny (590331) | more than 10 years ago | (#7580498)

So that means Monica Lewinsky wrote the Suckit rootkit?

a sticky situation (0, Offtopic)

gearheadsmp (569823) | more than 10 years ago | (#7580517)

As a matter of fact, Monica Lewinsky gave some teenager who lives in his parent's basement oral sex to write the rootkit. It wasn't that hard - Monica showed up wearing a poncho to shield herself from the shower of "milk", and then the script kiddie saw the Saturday Night Live rerun on Comedy Central, in which Bill Clinton announces the end of his legacy, says "Suck it! Suck on it!", and Dubya shows up and brags about how he bought a Big Mouth Billy Bass for $1,000. Hence, the name. Now as to how the script kiddie got mad at the Debian project, well, I'll leave that to the Gentoo Zealots.

Ask Slashdot (-1, Offtopic)

iamatv (727785) | more than 10 years ago | (#7580361)

Ask Slashdot: Television you would hate kids to watch

This is a revision of the earlier poll: Are Americans and Europeans really like we expect?

State your country, and put in order the things you would most hate your child (or other children) to watch on television.

1. Man being shot (acted)
2. Man being shot (real)
3. Somebody saying "God damn it!"
4. Somebody saying "The fucker's fuckin' fucked."
5. Women's breasts
6. People having sex (not weird porno sex, but not hidden behind sheets either)

Current Results
---------------
America, 2 1 6 4 5 3 [slashdot.org]
America, 6 1 4 2 5 3 [slashdot.org]
America, 1 6 2 5 4 3 [slashdot.org]
America, 6 5 3 4 1 2 [slashdot.org]
Australia, 2 1 4 6 5 3 [slashdot.org]
Australia, 2 1 6 4 5 3 [slashdot.org]
Canada, 2 4 3 1 6 5 [slashdot.org]
New Zealand, 2 1 3 5 6 4 [slashdot.org]

Re:Ask Slashdot (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#7580391)

US of A

2,6,5,4,1,3

Re:Ask Slashdot (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#7580501)

2 6 1 4 3 5

from the UK.

Nice concept, btw.

Re:Ask Slashdot (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#7580533)

The Sovereign State of Nyambi.
I don't care what my kids watch. They've been preconceptively aborted, however, so they ain't watchin much.

I have my erect penis in my hand. (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#7580362)

What should I do now?

Please help!

Re:I have my erect penis in my hand. (-1, Troll)

Anonymous Coward | more than 10 years ago | (#7580364)

get your hand off it and apologize to the audience!

Re:I have my erect penis in my hand. (-1, Troll)

Anonymous Coward | more than 10 years ago | (#7580375)

Close your eyes and twist.

Human Error (5, Insightful)

jefbed (666411) | more than 10 years ago | (#7580366)

This incident reminds us of the importance of password security. It is sad to see one weak password responsible for such a breach. I think that it would be a good idea for the future to move away from the traditional Unix password. An appropriate replacement would be something similar to the RSA passphrase mechanism used by secure shell. A random passphrase with a minimum length would be ideal. The user is the greatest security hole.

Re:Human Error (5, Funny)

Tyler Eaves (344284) | more than 10 years ago | (#7580384)

Random passphrase?

Repeat after me: The best password is the one that isn't stikie'd to the monitor and/or keyboard.

Re:Human Error (5, Funny)

SugoiMonkey (648879) | more than 10 years ago | (#7580392)

I say we cut out the user.

Re:Human Error (2, Funny)

buffer-overflowed (588867) | more than 10 years ago | (#7580508)

Yea, if it weren't for those users, my network would be perfect. No complaints = no problems. That's how I know my network is perfect, during vacations, no one complains about anything, so it must be perfect.

Re:Human Error (4, Insightful)

ctr2sprt (574731) | more than 10 years ago | (#7580400)

Clearly we need some way to move away from traditional passwords, but RSA keys aren't the way to go. They're impossible to remember, which means you need to store them on a computer. That makes them vulnerable to copying. You can password-protect them, of course, but then you're in the same situation as before (actually worse, for the same reason /etc/passwd is less secure than /etc/shadow).

That's not to say that RSA or some similar system won't be part of a good solution... but there definitely needs to be some other component. (For example, the private key might be encrypted by a biometric signature or keycard or similar. While that still leaves the system vulnerable to physical attacks, it more or less eliminates network-based ones as long as you use secure protocols.)

Re:Human Error (5, Insightful)

Anonymous Coward | more than 10 years ago | (#7580418)

Uhh, I dunno if you noticed, but it wasn't a password alone that did this much damage. The account broken into was unprivileged, meaning it was just a simple user account.

In theory, a secured system can have this happen to it and the attacker will have fun deleting a single home directory before they run out of damage to do.

In practice, a single local privilege escalation attack is all it takes. Maybe this will end up being a good thing in the end, we get to find a previously unknown local root exploit, fix it and improve the Debian security practices, all in one move.

Password was *sniffed* (5, Informative)

enosys (705759) | more than 10 years ago | (#7580427)

Apparently the password was sniffed [google.com]. This generally implies that it was obtained through monitoring network traffic and seeing it transmitted in cleartext. A strong password wouldn't help here; only a good protocol would.

This was both user and admin stupidity I guess. Admins who care about security shouldn't permit access through cleartext passwords and users shouldn't send their password in cleartext if they care about their account. Unfortunately many users don't know about this risk.

Re:Password was *sniffed* (4, Insightful)

TheRedHorse (559375) | more than 10 years ago | (#7580443)

Why assume it was a cleartext password? It could have been encrypted, captured and cracked via brute force or some other method.

Re:Password was *sniffed* (2, Informative)

Anonymous Coward | more than 10 years ago | (#7580459)

The password was sniffed by the trojaned sshd on an unrelated machine.

Re:Password was *sniffed* (1)

Xzzy (111297) | more than 10 years ago | (#7580528)

"cleartext" implies a situation where the letters a user is typing in on his keyboard are being sent unencrypted over the network, like over a normal telnet connection.

The state of the password being sent really isn't what's being discussed, since once the connection is unencrypted, it doesn't matter.

Re: Human Error (2, Funny)

Black Parrot (19622) | more than 10 years ago | (#7580469)


> This incident reminds us of the importance of password security. It is sad to see one weak password responsible for such a breach.

I apologize - I never imagined that they would guess 'mydebian'.

Human Error or faulty security models? (5, Insightful)

Anonymous Coward | more than 10 years ago | (#7580479)

SELinux would likely have prevented the root exploit from allowing this individual to do as much harm as was done.

I think that it's time for the big names like Debian, Slackware, Red Hat etc to start implementing it on their network connected machines. It's being incorporated into the stock kernel for a reason. Use it!

This isn't surprising.. (-1, Troll)

Anonymous Coward | more than 10 years ago | (#7580368)

This kind of exploitation isn't rare at all. It's what the folks at the Debian project get for not running Windows. If they'd been using Microsoft Windows, they'd be much more secure and something like this couldn't possibly happen.

In a nutshell - somehow (4, Insightful)

evil_roy (241455) | more than 10 years ago | (#7580389)

Quote from the article:

"Somehow they got root on klecker and installed
suckit."

What follows is an interesting read - but the guts are in that 'somehow'.

Re:In a nutshell - somehow (5, Insightful)

Kulic (122255) | more than 10 years ago | (#7580435)

You're absolutely right. For some reason, everyone else seems to be overlooking the fact that there is (or appears to be) an unknown root exploit out there.

Yes, you can probably guess/crack/social engineer a password if you try hard enough. That's why security is about layers, compartmentalisation and multiple types of protection, not just a single password.

If this was your box, would you be more worried that someone had managed to sniff an (unprivileged) password? Or that any one of your users can now root your box? I know which one I would lose sleep over.

Here's to hoping that the root exploit is found and patched nice and quick. Even better if it is something else that's been missed and is fixed in the latest patch.

Re:In a nutshell - somehow (0)

placeclicker (709182) | more than 10 years ago | (#7580531)

I was under the impression that there are always undisclosed root exploits for every major OS used, you just don't know about them.

I mean, this is a big crack, I don't expect it to be a well publicized exploit.

Re:In a nutshell - somehow (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#7580472)

In a nutshell? Seems pretty short for an O'Reilly book. What animal is going to be on the cover?

Re:In a nutshell - somehow (-1, Flamebait)

Anonymous Coward | more than 10 years ago | (#7580504)

A penguin with its head blown off.

Diebold, take note (5, Insightful)

RealProgrammer (723725) | more than 10 years ago | (#7580390)

All vendors and site administrators should take note of the openness with which the problem was dealt.

When I go to buy a car, a computer, or a stereo, and the saleslizard is cagey about any problems that come up, my trust level goes down. If they tell me all about all the problems with the thing they're selling before I even notice them, my trust level goes up. It's like a cool drink on a hot summer day.

Contrasting with Debian, how long did it take to find out that Diebold ATMs had been hit by the Nachi worm?

I'm now more inclined to trust Debian, and less inclined to trust Diebold.

Re:Diebold, take note (1, Funny)

Anonymous Coward | more than 10 years ago | (#7580413)

So you'll get rooted by someone you trust..what's the difference?

Re:Diebold, take note (0)

Anonymous Coward | more than 10 years ago | (#7580465)

I don't buy new cars that have problems. Perhaps you should stop shopping domestic (or worse, German).

Re:Diebold, take note (0)

Anonymous Coward | more than 10 years ago | (#7580490)

All cars have problems. You choose the ones you can deal with.

Re:Diebold, take note (0)

Anonymous Coward | more than 10 years ago | (#7580518)

I pity you.

Re:Diebold, take note (4, Insightful)

jkrise (535370) | more than 10 years ago | (#7580520)

More importantly, the openness of Debian is a much more important factor here. When I read these lines in the article:

> The attack vector seemed to be a sniffed password of an unprivileged account, from which the attacker somehow managed to gain root and install the suckit rootkit and crack the other machines. As the machines were fairly up to date with respect to security, an as-of-yet unknown local root exploit might be in the wild, so keep an eye on your boxen.

I got the distinct impression that Slashdot is transforming into a FUD channel for unsuspecting readers.

The fact that a 'clean' Linux system can be backed up and restored from any media, is of more relevance and importance to users. EVERY system connected to the internet has potential unknown vulns, those running Windows are often unpatched and have no disaster control system as well.

Viewed from this perspective, I don't think we need to keep an eye on our boxen just the backup tapes / disks/ CDs.

I knew it. (-1, Troll)

Anonymous Coward | more than 10 years ago | (#7580397)

I know you weenies like to bash M$, but if you think for one moment UNIX or Linux is more secure then you're all dumber than a cage of monkeys in orbit, which I'm not sure but I think must be very dumb. NOTHING in the history of networked computing has been more insecure than UNIX.

Re:I knew it. (-1, Flamebait)

Canadian_Daemon (642176) | more than 10 years ago | (#7580502)

Do you have any info/statistics to back that up? Or are you just another monkey, defending your pitiful OS like a religion? Show us the facts that UNIX is insecure, and I'll show you the facts that show MS to be insecure.

Sexy James (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#7580399)

Why is it always young people find these vulnerabilities? Would this story even be on here if an old bearded professor had found it?

On the other hand, I'd do him. I'm definitely switching to Debian if hot dudes like him are working on it. That is, after I've moved to Sweden to be with the math chick.

Linux hacked? Nah it can't be!!! (-1, Flamebait)

Anonymous Coward | more than 10 years ago | (#7580401)

I thought Linux was perfect, unhackable. After all that's what we hear EVERY...FUCKING...DAY...here.

So either 1) the Zealots are wrong, or 2) the above article is a lie, a fantasy.

This attack has obviously shocked the community. (3, Insightful)

GNUALMAFUERTE (697061) | more than 10 years ago | (#7580402)

Since Debian (even for those smart ones out there using slackware, like I do) is really considered one of the real distros, if we hear that redhat has been attacked, we would just say that they deserve it and go on, it would be delivered in the respective mail list, and that was it.
But this attack has a psychological impact. Debian itself has been attacked, and it seems to be a bug exploited just in part, on the other side, there are updates that the compromised machines never got applied, and other big mistakes like a non-tared backup lying around, with the original owner / permissions mask. This is really more than enough to get any netadmin running Debian to get paranoid.

One recommendation (5, Insightful)

heironymouscoward (683461) | more than 10 years ago | (#7580408)

Off-site logging of all accesses.

One of the first things that get wiped in an intrusion are the logs. All access logs should be copied in as near real-time as possible to a remote server that is not accessible from the machine being logged, i.e. a drop-box.
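An added example (not part of the comment above, and not Debian's own tooling) of what the off-site copy makes possible: compare the log found on the host with the copy the drop-box received, and report entries that have disappeared from the host. The log lines, host name, addresses and function names are constructed for illustration.

```python
"""Compare a host's log with its off-site copy to spot wiped entries."""
import re
from collections import Counter

# Constructed sample: what the remote drop-box received in near real time.
REMOTE_COPY = """\
Nov 19 17:02:11 hostA sshd[4121]: Accepted password for alice from 192.0.2.10 port 40112
Nov 19 17:05:42 hostA sshd[4187]: Accepted password for bob from 198.51.100.7 port 51830
Nov 19 17:06:03 hostA su[4203]: session opened for user root by bob(uid=1004)
Nov 19 17:30:00 hostA cron[4300]: (root) CMD (run-parts /etc/cron.hourly)
"""

# Constructed sample: the same log as later found on the host itself.
LOCAL_COPY = """\
Nov 19 17:02:11 hostA sshd[4121]: Accepted password for alice from 192.0.2.10 port 40112
Nov 19 17:30:00 hostA cron[4300]: (root) CMD (run-parts /etc/cron.hourly)
"""

# Classic syslog prefix: "Mon DD HH:MM:SS host program[pid]: message"
SYSLOG_RE = re.compile(r"^\w{3}\s+\d+\s[\d:]{8}\s(\S+)\s([^\[:\s]+)(?:\[\d+\])?:")


def _lines(text):
    """Non-empty lines with trailing whitespace removed."""
    return [ln.rstrip() for ln in text.splitlines() if ln.strip()]


def missing_locally(remote_text, local_text):
    """Lines present in the remote copy but absent from the local file.

    Uses multiset counting so that legitimately repeated identical lines
    are matched one-for-one instead of being collapsed.
    """
    local_counts = Counter(_lines(local_text))
    missing = []
    for ln in _lines(remote_text):
        if local_counts[ln] > 0:
            local_counts[ln] -= 1
        else:
            missing.append(ln)
    return missing


def only_on_host(remote_text, local_text):
    """Lines on the host that never reached the drop-box.

    These may simply not have been shipped yet, or may have been inserted
    after the fact; either way they deserve a look.
    """
    return missing_locally(local_text, remote_text)


def by_program(lines):
    """Count lines per syslog program tag, e.g. {'sshd': 1, 'su': 1}."""
    counts = Counter()
    for ln in lines:
        m = SYSLOG_RE.match(ln)
        counts[m.group(2) if m else "unparsed"] += 1
    return dict(counts)


def audit(remote_text, local_text):
    """Summarise the differences between the off-site and local copies."""
    removed = missing_locally(remote_text, local_text)
    return {
        "removed_from_host": removed,
        "removed_by_program": by_program(removed),
        "only_on_host": only_on_host(remote_text, local_text),
        "tampering_suspected": bool(removed),
    }


if __name__ == "__main__":
    report = audit(REMOTE_COPY, LOCAL_COPY)
    for line in report["removed_from_host"]:
        print("missing on host:", line)
    print("tampering suspected:", report["tampering_suspected"])
```

The comparison only means something if the host cannot alter the remote copy, which is the point of the drop-box.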

Re:One recommendation (1, Insightful)

Anonymous Coward | more than 10 years ago | (#7580429)

or a printer.

Re:One recommendation (0)

Anonymous Coward | more than 10 years ago | (#7580450)

or a tape with no rewind button.

Re:One recommendation (0)

Anonymous Coward | more than 10 years ago | (#7580456)

Yeah. I'd just love to be the person that has to pay for this.

Even then, real haxx0rs used the line printers to print over the old print so it was unreadable.

An electronic drop-box is the obvious best method.

But wait.... (-1, Troll)

Anonymous Coward | more than 10 years ago | (#7580411)

When has windowsupdate [slashdot.org] ever been compromised? What's that? Never. SUCK IT, fanboys, you make me fucking SICK. Looks like open-sores isn't going to save the world after all...

Re:But wait.... (1, Interesting)

Aussie (10167) | more than 10 years ago | (#7580458)

When has windowsupdate ever been compromised?

Windows Update is served by Akamai, i.e. Linux.
Now what was your point?

Re:But wait.... (0)

Anonymous Coward | more than 10 years ago | (#7580480)

That is but one of the sites that serves windows update. How typically dishonest for a Linux zealot to assert that they are the sole provider of Windows Update.

Re:But wait.... (0)

Anonymous Coward | more than 10 years ago | (#7580515)

Do you think Microsoft would make a breach like that public? How typically doublethinkful of a Windows lackey.

Re:But wait.... (0)

Anonymous Coward | more than 10 years ago | (#7580516)

windowsupdate was compromised by the ramen worm, and it is not served by Akamai; they merely offer proxy/caching services to Microsoft in front of the real servers.

Re:But wait.... (-1, Troll)

Anonymous Coward | more than 10 years ago | (#7580511)

Windows Update was rooted by Code Red, for one.

Great (2, Interesting)

headbulb (534102) | more than 10 years ago | (#7580422)

Right as I am downloading Debian.
I will check the md5sum.

Anyways, something to be said about passwords... I am getting sick of passwords. I have looked at the RSA keychains, but they cost too much.

So I ask: are there any good one-time password systems out there that are open source? I have looked at going with smart cards, but again with the money (not to mention overkill for me).

I have found a few but none with a keychain.. I don't mind paying for a keychain, but I want the software to be opensource.

Re:Great (0)

Anonymous Coward | more than 10 years ago | (#7580471)

Hope they didn't fuxx0r the MD5 on the server.

Check it with a known-good sum from many servers and sources.

Re:Great (0)

Anonymous Coward | more than 10 years ago | (#7580475)

S/KEY is a one time password Open Source system.

Re:Great (3, Informative)

Qzukk (229616) | more than 10 years ago | (#7580492)

Probably the closest you'll get to a "good" system would be something like S/Key or Opie (debian packages: opie-server, opie-client, libpam-opie - Use OTP's for PAM authentication) for generating and using a one-time-pad of password systems. The issue in this is that you must generate the pad in some secure fashion; if someone sniffs your pad because you downloaded it over the network, you've lost.

You could easily keep a pre-generated giant pad itself on a usb drive or something similar.
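The hash-chain idea behind the S/Key and OPIE systems named in the replies above, as an added example that is not part of the thread and not code from either project: each login value hashes forward to the previous one, so a value sniffed off the wire cannot be replayed. SHA-256, the class and function names, and the sample passphrase and seed are assumptions made for this sketch; real S/Key uses its own hash folding and word encoding.

```python
import hashlib
import hmac

def H(data: bytes) -> bytes:
    # Assumption: SHA-256 stands in for the hash that real S/Key/OPIE use.
    return hashlib.sha256(data).digest()

def otp(passphrase: bytes, seed: bytes, n: int) -> bytes:
    """Client side: hash seed+passphrase once, then n more times."""
    value = H(seed + passphrase)
    for _ in range(n):
        value = H(value)
    return value

class Server:
    """Stores only the last accepted value, never the passphrase."""
    def __init__(self, seed: bytes, count: int, enrolled: bytes):
        self.seed, self.count, self.last = seed, count, enrolled

    def challenge(self):
        # Sequence number the client must answer next; sent in the clear.
        if self.count == 0:
            raise RuntimeError("chain exhausted, re-enrol over a trusted channel")
        return self.count - 1, self.seed

    def verify(self, candidate: bytes) -> bool:
        if self.count == 0:
            return False
        # Accept only a value that hashes forward to the stored one.
        if not hmac.compare_digest(H(candidate), self.last):
            return False
        self.last = candidate   # the accepted value becomes the new reference
        self.count -= 1
        return True

def demo():
    passphrase, seed = b"constructed passphrase", b"de12345"  # constructed sample values
    # Enrolment must happen on a trusted console, not over the sniffed network.
    server = Server(seed, 3, otp(passphrase, seed, 3))
    n, s = server.challenge()
    sniffed = otp(passphrase, s, n)      # what an eavesdropper would capture
    first = server.verify(sniffed)       # legitimate login succeeds
    replay = server.verify(sniffed)      # the captured value is now useless
    n, s = server.challenge()
    second = server.verify(otp(passphrase, s, n))
    return first, replay, second, server.count

if __name__ == "__main__":
    print(demo())
```

The server never holds anything that lets it (or someone who steals its state) compute the next valid value, which is why the enrolment step is the only part that needs a trusted channel.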

Root password (4, Interesting)

phorm (591458) | more than 10 years ago | (#7580434)

Once an infiltrator is in a machine, it is often just a matter of time before he acquires root access - unless monitoring or disablement are standard procedure.

Depending on the power of the box and the time from which the lower-level account was compromised, it could just be that a password-cracking procedure gained root access. Of course, it's also possible that the attacker managed to nab control of a process running as root, but again the initial compromise still required cracking a password to gain access to the machine.

First rule, secure your passwords... and it's probably not a bad idea to use a password cracklib to ensure that any semi-privileged (can SSH) users have somewhat secure passwords as well.

The root of the problem (1, Informative)

Anonymous Coward | more than 10 years ago | (#7580497)

The root of the problem is with the root account.

SELinux would likely have prevented the root exploit from allowing this individual to do as much harm as was done.

I would think that it's time for the big players like Debian, Slackware, Red Hat etc to start implementing it on their network connected machines.

It's being incorporated into the stock kernel for a reason. Use it!

Re:Root password (1)

DJ Rubbie (621940) | more than 10 years ago | (#7580514)

Also, make sure those users who can SSH *will not* submit passwords as clear, plain text, even for use inside the network! I know places that insist on using SSH, but don't care so much about FTP, even if the FTP account is the same user name AND password as the SSH account. One admin there even told me to telnet(!!!) to another remote machine within the network.

Motto: don't [write|send|communicate] your passwords in plain text, ever! If you do, change it! (always change the password root gives you, which usually arrives in plain text..)

Proof that Windows is more secure (1, Insightful)

Qrlx (258924) | more than 10 years ago | (#7580444)

Not really, just thought it needed to be said.

Security "experts" (-1, Flamebait)

Anonymous Coward | more than 10 years ago | (#7580448)

Have any other developers here noticed that all "security experts" are non-technical consultant types? At the most, they are system administrators. Yet for some reason, we let these non-techie posers ramble on about "security" when at the most they have Devry degree or a bachelors in something like English (or even worse, in MIS).

Easy solution (4, Funny)

therufus (677843) | more than 10 years ago | (#7580453)

Install windows. You'll never have to wonder if your system is being compromised, you'll know it is.

Oh, and "password" is not really a "password".

Oh great! (0)

Anonymous Coward | more than 10 years ago | (#7580460)

Now I'm wondering how secure the flu-shot I got last week was. What if someone rooted their distro or infected it with one of those V-word things?

#1 on Ten Immutable Laws of Security (4, Insightful)

Saint Stephen (19450) | more than 10 years ago | (#7580464)

I worked at Microsoft, so Microsoft's list [microsoft.com] is my frame of reference:
Law #1: If a bad guy can persuade you to run his program on your computer, it's not your computer anymore.

Amended for the rest of us: (5, Funny)

Anonymous Coward | more than 10 years ago | (#7580481)

Law #1: If Bill can persuade you to run his program on your computer, it's not your computer anymore.

Re:#1 on Ten Immutable Laws of Security (1)

Kulic (122255) | more than 10 years ago | (#7580486)

Law #1: If a bad guy can persuade you to run his program on your computer, it's not your computer anymore.

Two words: Outlook, IE.

Oh the irony.

Re:#1 on Ten Immutable Laws of Security (5, Funny)

prockcore (543967) | more than 10 years ago | (#7580510)

Law #1: If a bad guy can persuade you to run his program on your computer, it's not your computer anymore.

That's why I've been saying for years that all my computers are owned by Bill Gates.

A simple disaster-mgmnt strategy... (3, Insightful)

jkrise (535370) | more than 10 years ago | (#7580468)

Since Linux has no use for hidden files, registry, active directory, complicated booting procedures and other useless features that come standard with Windows - I see no point getting worked up about these so-called Security Warnings.

99% of Slashdot readers, I believe, treat viruses, worms and other 'security' attacks as a NUISANCE rather than a PRIVACY hazard. A Service Pack or bug fix a week for Windows merely highlights the fact that data privacy on a 'personal' computer is a joke. The nuisance of reinstalling the Windows OS from CD, and reinstalling each and every app with the zillions of settings OR buying expensive, unreliable 3rd party s/w for disaster recovery can be intolerable.

With Linux, OTOH, simple tools exist that can take backups of disk data (not disk images, just the files), AFTER installing the apps. A simple restore of these files gets the system back, with all settings and screen-savers intact.

To sum up, 99% of Slashdot readers do not need to care about these security risks, if they choose Linux for their personal or office systems. Those with Windows - a switch to Linux is cheaper than anti-virus s/w PLUS OS cost PLUS frequent updates PLUS frequent reinstalls PLUS loss of data PLUS nuisance.

-

Re:A simple disaster-mgmnt strategy... (-1, Troll)

Anonymous Coward | more than 10 years ago | (#7580477)

Whatever, fanboy. Just keep telling yourself this.

Re:A simple disaster-mgmnt strategy... (0)

Anonymous Coward | more than 10 years ago | (#7580536)

Ummm... ok. Score one for the jobless wonder.

SELinux (1, Redundant)

Anonymous Coward | more than 10 years ago | (#7580473)

SELinux would likely have prevented the root exploit from allowing this individual to do as much harm as was done. I think that it's time for the big names like Debian, Slackware, Red Hat etc to start implementing it on their network connected machines. It's being incorporated into the stock kernel for a reason. Use it!

What could be done better... (5, Insightful)

rxed (634882) | more than 10 years ago | (#7580499)

Quote: "All the compromised machines were running recent kernels[1] and were up-to-date with almost all security updates[2]."

Well, it seems that 'almost' just isn't good enough. Perhaps there is more to the break in (like unknown holes)?

Sniffing passwords? They must be using 'almost patched' version of SSHd.

Openness is good (2, Flamebait)

iamdrscience (541136) | more than 10 years ago | (#7580507)

I like how when Debian's servers are cracked they tell you about it and furthermore, remind you again later with the details. If a similar thing happened with Microsoft it would be hushed down and certainly no details about it would be publicized later. Come to think of it, even a commercial Linux company like Red Hat might be wary in dealing with a similar issue as well -- I think they'd be likely to be open about it, but you never know what's going to happen when money and stock prices are involved.

local root == remote root (5, Interesting)

Markus Registrada (642224) | more than 10 years ago | (#7580538)

This is a good demonstration that the distinction always made between local privilege-elevation bugs and remote exploits is academic hair-splitting. It's rarely difficult to get unprivileged access through a buggy non-privileged service. (Web-server plug-ins are a reliable source of entry points.) Once you're in, privilege elevation takes you the rest of the way.

Certainly the distinction is useful to security students and analysts, but it's misleading for everybody else. "Oh, that one's just a local exploit; not so bad." The OpenBSD advocates promote the fallacy: "only one remote exploit in this millennium!" (or something like that), encouraging us to ignore almost equally damaging exploits in non-core services that provide access to local accounts and more damaging attacks.

There's a similar fallacy in distinguishing security holes from other bugs. Without a depth of analysis that hardly anybody can ever afford, almost any bug might actually be a security hole, too. The OpenBSD people get this one right -- to them, any bug is a security hole until proven otherwise, and they encourage running latest versions -- but almost everybody else gets it wrong. When I fixed a double-free segfault in lib[mumble], nobody posted security warnings about every program that relies on it, despite that double-free bugs can often be exploited.

Debian gets this wrong, and very selectively backports only proven security holes, ignoring the myriad bugfixes that might just as easily be security holes as well. To find holes in stable-branch services, just look for bug fixes in later versions, particularly in libraries used by those services. Failing that, look at new features added shortly before the library-version used. Chances are the last new feature added has bugs that haven't been noted yet, and that might be exploitable.

This might be a good place to mention that the CVS codebase is almost irreparably insecure. The practical implications are: (1) A remotely-accessible CVS server should never be run on a host that does anything else that matters, or that has access to anything else; (2) An anonymous CVS server should never be the same CVS server that is used for checkins, or even run on the same machine. The pserver should be a slave that only gets read access to a copy of the archive. (3) Checkins on remotely-accessible servers should result in patches logged to another archive kept on another, not-remotely-accessible machine. Patches from that server should be posted to the mailing list.
