
First post (-1, Offtopic)

Anonymous Coward | about 8 years ago | (#15710185)

Finally got it this time.

Oh no (5, Funny)

Anonymous Coward | about 8 years ago | (#15710188)

Oh no, now they have access to all the Debian source!

Re:Oh no (5, Funny)

NadNad (550015) | about 8 years ago | (#15710232)

Maybe it's SCO, trying to find their code buried in linux...

Re:Oh no (5, Insightful)

eeg3 (785382) | about 8 years ago | (#15710263)

More like, now they have to verify that no backdoors or other malicious code were inserted.

Re:Oh no (5, Funny)

Anonymous Coward | about 8 years ago | (#15710382)

Forget running Debian Unstable. Debian Compromised is where it's at.

Re:Oh no (1)

nick this (22998) | about 8 years ago | (#15710524)

Yeah, but with an anonymous maintainer, who do you email patches to?

Re:Oh no (4, Funny)

Aranth Brainfire (905606) | about 8 years ago | (#15710544)

It doesn't matter, just email them to whoever you like and the maintainer will get them anyway.

So what does that mean? (0, Redundant)

TwentyLeaguesUnderLa (900322) | about 8 years ago | (#15710196)

Oh no! They're gonna leak the source code! Debian is screwed now...

Re:So what does that mean? (1, Insightful)

dbcad7 (771464) | about 8 years ago | (#15710302)

Considering the times posted.., not sure if redundant was a justified mod. Maybe a "jinx, owe me a coke" mod would be more appropriate, when identical posts are within 2 minutes.

oops.. now I'll get modded offtopic.

Once is ok, but twice is too much... (3, Insightful)

ModernGeek (601932) | about 8 years ago | (#15710197)

...first we had the hack into the repository servers, and we didn't know whether or not we were running exploited code when we use apt-get to update our programs. Now it seems that internal development machines are being hacked. If the debian team cannot keep their own products secure in their own environments, how can we expect to take them seriously in the enterprise? Granted this was on a development branch and development server, but how many times do you have to upgrade to an "experimental" package to get a function or feature that you need to have in your setup? I might be spreading FUD, but I think I speak for the rest of us when I speak of this vibe I feel from debian.

Re:Once is ok, but twice is too much... (0)

Anonymous Coward | about 8 years ago | (#15710225)

I agree. Two in this lapse of time is already too much.

Re:Once is ok, but twice is too much... (-1, Troll)

TheDreadSlashdotterD (966361) | about 8 years ago | (#15710227)

Then use Red Hat. You won't be missed.

This has been said before... (2, Insightful)

ModernGeek (601932) | about 8 years ago | (#15710257)

...but with your high UID, I'm going to assume you don't know this already. The attitude that you possess is what used to plague the old open source world to the point that no utility or tool would be used in the enterprise. After a while, the open source maturity matured and everyone came to the realization that these things need to be taken care of, and that even though the open source software is free, you need to treat the users of that software as if they are paying customers. There is reward. Donations and other things can up your credibility to the point of a serious career. Soon enough, a history in the world of open source will guarantee one a job in the enterprise, because university diplomas don't seem to be working when it comes to judging one's capabilities. Change your perspective.

Re:This has been said before... (1)

tomstdenis (446163) | about 8 years ago | (#15710459)

Hehehe, that's cute. Now if only MSFT would treat its customers as paying customers....

Besides I think it's well established that Debian is woefully behind the curve. Use Gentoo. Be done with :-)

Tom

Re:This has been said before... (4, Funny)

kashani (2011) | about 8 years ago | (#15710512)

Ahem.

As a Gentoo user over the age of 30 I'd like to apologize for the under 20 Gentoo user's previous post. I'll slap him around on IRC later. ;-)

kashani

Re:This has been said before... (1)

flacco (324089) | about 8 years ago | (#15710532)

As a Gentoo user over the age of 30 I'd like to apologize for the under 20 Gentoo user's previous post. I'll slap him around on IRC later. ;-)


ahh, good. i was just starting to stand up.

Re:This has been said before... (1)

tomstdenis (446163) | about 8 years ago | (#15710552)

I'm over 20 years old, have used both Debian and Knoppix and hate both. I moved to Gentoo solely because of USE flags [well that and I like the idea of building my own source].

The problem with Debian is that they really have to participate more on the bleeding edge. Think about it. As an OSS developer you have some distro call you "unstable" and make a default policy to ignore you. How likely are you to keep working on your tool that nobody wants to use? Sure sometimes you get stuck with a broken tool but more often than not reverting is trivial and the "unstable tools" usually work just as well [if not better].

Imagine if Windows disallowed "beta" software. There would be a lot of tools out there that would probably not exist [including a score of video games] due to lack of interest.

Tom

Re:This has been said before... (-1, Troll)

Anonymous Coward | about 8 years ago | (#15710534)

There is reward. Donations and other things can up your credibility to the point of a serious career. Soon enough, a history in the world of open source will guarantee one a job....Change your perspective.

Yeah, create MILLIONS of dollars worth of value for investors you don't even know, for governments that are hostile to your personal freedom and for training of masses that want to lay waste to the IT Industry and somewhere someone might give you a job where you can work your ass off until we lower you into a cold dark grave. Fuck you dumb ass, communist pig shit!

Re:Once is ok, but twice is too much... (5, Insightful)

lawpoop (604919) | about 8 years ago | (#15710240)

You know, the difference between open source and closed source software is that with open source, *we know what's going on*. Debian admins are being very bold and forthright in stating that the machine was hacked.

How many times has windowsupdate.microsoft.com been hacked? Zero? How would you know? What incentives ( and disincentives ) does Microsoft have to tell us if such a thing were to happen?

So if corporate America wants to trust a black box, let 'em. There's no convincing them anyway.

Re:Once is ok, but twice is too much... (4, Insightful)

The Bungi (221687) | about 8 years ago | (#15710261)

That's nice, but it's usually hard to prove a negative. How do you know RedHat or SUSE haven't been hacked? Because they haven't told you? How can you be sure?

Oh and BTW, Windows updates are signed, so even if someone managed to crack into it the packages would not install.

Re:Once is ok, but twice is too much... (3, Interesting)

sqlrob (173498) | about 8 years ago | (#15710294)

Oh and BTW, Windows updates are signed, so even if someone managed to crack into it the packages would not install.

Are you sure about that? Remember, the MS network was compromised a while as well. Do you trust their auditing?

Re:Once is ok, but twice is too much... (1)

The Bungi (221687) | about 8 years ago | (#15710334)

If I'm not I can always download the packages manually and check the signature.

Re:Once is ok, but twice is too much... (1)

lawpoop (604919) | about 8 years ago | (#15710394)

Can you really download all of the windows updates as individual executables? I was under the impression that you could only do that for large upgrades, like the service packs.

Re:Once is ok, but twice is too much... (0)

Anonymous Coward | about 8 years ago | (#15710403)

You speak as if this is a "Windows Only" feature.

Pretty much every distro has this functionality.

Re:Once is ok, but twice is too much... (3, Interesting)

Waffle Iron (339739) | about 8 years ago | (#15710453)

If you remember, the incident in question involved someone loose for weeks or months on Microsoft's internal networks before they were discovered. It wouldn't have been impossible for them to modify the code before it got signed. Microsoft had to spend a great deal of effort to try to verify that such a thing didn't actually happen.

Re:Once is ok, but twice is too much... (2, Funny)

The Bungi (221687) | about 8 years ago | (#15710620)

So? The last time GNU.org was rooted they didn't get wind of the break-in until a month after it happened.

Re:Once is ok, but twice is too much... (0)

Anonymous Coward | about 8 years ago | (#15710575)

Oh and BTW, Windows updates are signed, so even if someone managed to crack into it the packages would not install.

What, and Debian's packages aren't? What do you take them for, complete idiots?

Things are changing... (5, Funny)

ModernGeek (601932) | about 8 years ago | (#15710285)

...they aren't as grim as you may think. Soon enough, universities will be obsolete, and corporations will judge one based on open source contributions. If we all move aggressively toward this stance, the MCSEs will hit the road, and open source pioneers will rule the world of research, development, and jobs all funded by large corporations. All the source will be open, and the developers will work for companies like Verizon and the government as researchers. The same way that students pay universities to do the same thing for them, the difference is that the companies will pay you and you won't be paying a university. A large company that does not employ open source developers will be seen as bad in morale the same way a company is seen as bad for outsourcing manufacturing jobs to Mexico. If we take open source and ourselves seriously, all of this can happen. The old attitude of "don't use it if you don't like it" is going away, and things will be set straight if we push things forward.

Re:Things are changing... (0)

murdocj (543661) | about 8 years ago | (#15710348)

I so wish I had mod points to mod this "funny"

Re:Things are changing... (1)

jt2377 (933506) | about 8 years ago | (#15710436)

Jesus F'christ! this ghey post got modded interesting and not funny? Talk about Opensource FUD! look there are some good and bad of both closed source and open source. you should use the best of both worlds and not spread this bullshit Opensource FUD with nothing to back it up!

Re:Things are changing... (0, Redundant)

finity (535067) | about 8 years ago | (#15710490)

Too much cyberpunk for you...

Re:Things are changing... (0, Redundant)

HotBlackDessiato (842220) | about 8 years ago | (#15710492)

Fess up, who modded this funny?

Re:Once is ok, but twice is too much... (1)

saleenS281 (859657) | about 8 years ago | (#15710299)

if windowsupdate.microsoft.com were hacked, you can bet your ass there'd be a nice big banner stating so because that is the "golden egg" of hacks.

Re:Once is ok, but twice is too much... (1)

lawpoop (604919) | about 8 years ago | (#15710325)

...And a 'golden egg' like that would be shut down almost as soon as it goes up.

Here's an even better prize for a hacker who can get into windowsupdate: a nice big banner across every windows computer that had been updated in the past week, perfectly synchronized across millions of computers all over the world.

Re:Once is ok, but twice is too much... (-1, Troll)

Anonymous Coward | about 8 years ago | (#15710465)

I'll bet that would get your pecker really stiff, wouldn't it?

Really, could you even IMAGINE the collective and simultaneous ejaculation onto the monitors of every open source zealot when they found out the Micro$oft was going to be made to look THAT bad? It would be like christmas, easter, and a bunch of jewish religions all wrapped in a soft tortilla and then toasted together.

Re:Once is ok, but twice is too much... (1)

DShard (159067) | about 8 years ago | (#15710598)

Here is the best prize: The hacker has access to some percent of 99 percent of the machines connected to the internet. A rootkit install with a keylogger and file scanner can get you the keys to lots of insignificant machines. Some of them are going to have bank, social security and investment information. A hacker with any sense of greed is going to sell or already have sold this hack. It only requires the window of time from hacked to fixed to grab it all. Hacking windowsupdate would be the biggest heist in history.

Re:Once is ok, but twice is too much... (1)

drsmithy (35869) | about 8 years ago | (#15710652)

Here is the best prize: The hacker has access to some percent of 99 percent of the machines connected to the internet.

I think you're vastly overestimating the proportion of machines that use Windows Update.

Re:Once is ok, but twice is too much... (1)

flacco (324089) | about 8 years ago | (#15710540)

if windowsupdate.microsoft.com were hacked, you can bet your ass there'd be a nice big banner stating so because that is the "golden egg" of hacks.

this is not the kind of hack anyone cares about. i don't care if someone posts a "frodo crew rulez" banner on some site - i do care if someone is putting compromised packages up that find their way onto my machines.

Re:Once is ok, but twice is too much... (5, Informative)

YU Nicks NE Way (129084) | about 8 years ago | (#15710311)

You do understand that everything downloaded from update.microsoft.com needs to be digitally signed, right? In order to actually subvert the downloads, an attacker would not only need to take over the system, but would also need to sign the modified download with a Microsoft key. That's hard: the private keys for signing code are kept on a machine inside a SCIF. Last time I checked, code was taken to be signed by sneakernet, so that there would be a physical airgap between the network and the signing system.

Re:Once is ok, but twice is too much... (3, Funny)

B3ryllium (571199) | about 8 years ago | (#15710369)

Mwuahahahha! Perfect place to ply the first-ever Carrier Pigeon Protocol hack!

Re:Once is ok, but twice is too much... (3, Informative)

SnowZero (92219) | about 8 years ago | (#15710493)

You do understand that everything downloaded from update.microsoft.com needs to be digitally signed, right?

Btw, Debian also does digital signatures for every package installed (see here [debian-adm...ration.org] ). I don't think they have gone as far as having an air-gap, but it does mean that a regular hacking won't be able to silently corrupt packages.

Debian's system is actually quite cool, since it can check *every* program installed, and not just core OS updates (courtesy of apt controlling 99% of software installation). In fact, you can add additional keys for other package sources (I run some unofficial packages, but those developers also sign their packages with their own keys, so it is covered as well).

Re:Once is ok, but twice is too much... (4, Informative)

flacco (324089) | about 8 years ago | (#15710556)

but with a compromised dev machine, one could patch in back door code that gets signed as valid.

Re:Once is ok, but twice is too much... (1)

_Sprocket_ (42527) | about 8 years ago | (#15710669)

Alright - so you hack a new version of apt-get. This evil-apt-get accepts a bogus key as legit. Now all you need to do is drop evil-apt-get in as an update. Oh... and have it signed by the legitimate key, lest the old (legitimate) apt-get already installed and running on the target's system question the validity of our "updated" apt-get.

Re:Once is ok, but twice is too much... (0, Flamebait)

ModernGeek (601932) | about 8 years ago | (#15710352)

So if corporate America wants to trust a black box, let 'em. There's no convincing them anyway. I think differently. I think that if the debian team proves to be efficient and shows some sort of internal public retribution, that corporations will trust an honest mistake over coverups, exploits and scandals that Microsoft has proven itself. I believe that if we band together, we can educate and push open source forward. The open source community and open source developers are almost over the arrogance that once plagued the idea of open source, and now open source can be taken seriously in the enterprise. If you read the past five years of slashdot, and look back at open source, you will see a lot has matured and a lot has changed since then. It is time that we go to corporations and prove to them that university degrees do not prove intelligence in our field, and that a certification is not worth anything more than the paper it is printed on. We have an open system (source forge) that will point a corporation to all the people they need for these IT and CS-related jobs. Let's push the University system down and bring the Open Source system to the top. We are seen as the smartest and best of the best. Let's train and educate our gamer friends, leet friends, geeksquad friends(mmm), and other lower tech people that will in turn teach the masses, and then corporations that open source contribution and involvement is an effective way to measure one's credibility. Maybe we will see more things like MaBell's bell labs where open source developers can be paid to work for a company to contribute to the software they use in the same spirit that Logitech funds Doug Engelbart to pursue his ambitions, but en masse.

Re:Once is ok, but twice is too much... (1)

TrappedByMyself (861094) | about 8 years ago | (#15710421)

You used the example of a Debian server being hacked, with no other supporting facts, to say that Microsoft and corporate America are bad and open source is good.

Thanks for the good propaganda example. Kids, are you paying attention?

Re:Once is ok, but twice is too much... (2, Insightful)

winkydink (650484) | about 8 years ago | (#15710452)

Diverting attention from a problem by pointing out the flaws of others is not really helpful.

Yeah, "we know what's going on", just as soon as somebody diffs a bazillion lines of code against a known-good repository. Until the Debian team announces that tidbit of info, the only security you have is the "false sense of" kind.

Re:Once is ok, but twice is too much... (2, Insightful)

Mathinker (909784) | about 8 years ago | (#15710609)

Your point about non-OSS being more of a "black box" because of commercial disincentives is OK, but you compared a Debian development machine to windowsupdate.microsoft.com which is stupid considering both that Debian and Microsoft sign their releases.

This compromise is more like Microsoft's internal development network being compromised, which has happened.

Unless, of course, the current compromise includes Debian's private key, which I doubt.

Re:Once is ok, but twice is too much... (5, Informative)

Josh Triplett (874994) | about 8 years ago | (#15710266)

first we had the hack into the repository servers, and we didn't know whether or not we are running exploited code when we use apt-get to update our programs.

No, we didn't. The server holding the Debian archive did not succumb to the exploit, because it didn't run on an x86 machine and the people exploiting it only attempted to run x86 code. Furthermore, data on the servers that *did* succumb to the exploit got checked before it became available again.

Good thing... (0, Flamebait)

eeg3 (785382) | about 8 years ago | (#15710198)

...everyone has moved to GNU/Ubuntu.

Re:Good thing... (1, Funny)

Simon Simian (694897) | about 8 years ago | (#15710290)

Have they? Fuck! I always miss these mass exoduses. I'm still running Gentoo and Slackware.

Re:Good thing... (0)

Anonymous Coward | about 8 years ago | (#15710401)

I'm sorry.

Re:Good thing... (4, Insightful)

GoRK (10018) | about 8 years ago | (#15710438)

Well I suppose you probably know this but for the others out there who may miss the subtlety ---

Ubuntu draws sources heavily from the unstable and/or testing branches of Debian in order to devote more time and energy to testing and the important fixed-length release cycle. They also are partially reliant on the Debian project for security updates. There would be little to no forward movement of Ubuntu currently without the Debian project. Indeed this may change as time goes on, but to me there are a lot of benefits to this model and I hope they stick with it. Previously most every debian-derived distribution has perished by trying to shed their ties and reliance on the core Debian project.

Try an alternative (0, Insightful)

Anonymous Coward | about 8 years ago | (#15710202)

Re:Try an alternative (0, Troll)

Anonymous Coward | about 8 years ago | (#15710628)

Just make sure you pay your "tribute" to Theo or he will withhold security fixes. Remember, kids, OpenBSD is only "free" if you value the time you don't have to listen to developers bitch and whine.

Does that mean... (0)

Anonymous Coward | about 8 years ago | (#15710204)

it's unglücklich?

No fear... (5, Funny)

gravyface (592485) | about 8 years ago | (#15710206)

It's Debian... they found an old DAT tape from three years ago, restored it, and realised that nothing's changed in the source tree. *ducks*

Re:No fear... (5, Funny)

the_humeister (922869) | about 8 years ago | (#15710373)

And after recovering the DAT tape from the safe-deposit box at the bank, they went to the ATM machine and entered their PIN numbers to get some money.

Oh lord... (1)

Ayanami Rei (621112) | about 8 years ago | (#15710432)

Please someone moderate up this funny +1. Bonus points if you use a computer with NT Technology.

Re:Oh lord... (0)

Anonymous Coward | about 8 years ago | (#15710530)

ITYM "a computer with new NT technology".

Re:Oh lord... (1)

ArcherB (796902) | about 8 years ago | (#15710553)

What's really sad is that I didn't get it until I read your NT Technology bit.

You have my sympathies (3, Funny)

Anonymous Coward | about 8 years ago | (#15710212)

Aw man, that's too bad. I think we should all wish the Debian team g'luck.

This is why (-1, Troll)

Anonymous Coward | about 8 years ago | (#15710216)

...you don't use open source or Linux when you want something secure....

Again? (1)

Mc_Anthony (181237) | about 8 years ago | (#15710223)

Hasn't this happened a few times already? Or am I thinking of a different distro?

Perhaps now. (2, Insightful)

DAldredge (2353) | about 8 years ago | (#15710224)

Perhaps now they will spend less time griping about Ubuntu and more time working on their security.

Re:Perhaps now. (-1, Flamebait)

Anonymous Coward | about 8 years ago | (#15710245)

Perhaps you should spend less time griping and spend more time wondering why your wife yells out other men's names when you fuck her.

Question (4, Interesting)

Frogbert (589961) | about 8 years ago | (#15710243)

I realise that debian stable release has packages that are very old in order to stay stable. Does this mean that they lack patches later versions of programs use? Or are patches typically backported to the stable release packages?

Re:Question (0)

Anonymous Coward | about 8 years ago | (#15710280)

Security patches are backported to stable and on some occasions, functionality backports occur, although this is rare. I think something happened with Sarge, samba and Windows XP 64-bit compatibility in the last point release but I could be (very) wrong.

I do remember that woody (the one before sarge) had a version of Gaim by the end that couldn't connect to MSN at all.

Re:Question (5, Informative)

Nutria (679911) | about 8 years ago | (#15710293)

I realise that debian stable release has packages that are very old in order to stay stable. Does this mean that they lack patches later versions of programs use? Or are patches typically backported to the stable release packages?

http://www.debian.org/security/ [debian.org]

Security (not feature) patches are backported if possible, and if the patches are too extensive, an upgraded version goes into Stable.

Re:Question (4, Insightful)

macemoneta (154740) | about 8 years ago | (#15710425)

I use Fedora Core, and know that there are (at least) a couple of features active in the distribution to address zero-day exploits; ExecShield and SELinux (or other mandatory access control system).

I have not used Debian; are these security facilities part of the distribution? If not, perhaps they should be given an expedited path.

Were they 'living on the edge'? (1)

Peter Cooper (660482) | about 8 years ago | (#15710260)

The "unstable" distribution is where active development of Debian occurs. Generally, this distribution is run by developers and those who like to live on the edge.

That's what you get for running UNSTABLE :)

Re:Were they 'living on the edge'? (1)

uhoreg (583723) | about 8 years ago | (#15710471)

That's what you get for running UNSTABLE :)
According to db.debian.org [debian.org] , gluck is running sarge.

Not to worry (-1)

Anonymous Coward | about 8 years ago | (#15710282)

Once you get that server re-installed and battened down, you should protect it with a laser bubble shield from http://www.grumman.com./ [www.grumman.com] Nothing is too good for code named after Toy Story characters.

PS Never mind, I thought that was glock.debian.org. My bad.

Maybe Debian devs will finally come around (5, Funny)

b3x (586838) | about 8 years ago | (#15710338)

and move that source repository to a more secure Windows 2003 Server platform.

They should have been running linux (-1)

Anonymous Coward | about 8 years ago | (#15710346)

What kind of idiots run a microsoft server anyway, everyone knows that linux/opensource is more stable and secure and never gets hacked!

Oh wait, I apparently misread. *slashdot explodes*

obligatory: (5, Funny)

Anonymous Coward | about 8 years ago | (#15710347)

I felt a great disturbance in the Force, as if millions of nerds suddenly cried out in terror and were suddenly silenced.

Changelogs (1)

Doc Ruby (173196) | about 8 years ago | (#15710374)

That's one reason why I like Ubuntu's Update Manager: it shows the changelog for each package it's offering to upgrade. And one reason why the recent lack of changelogs is troubling.

Of course an attacker could fake changelogs, though it's an extra step. It might be nice to include signed authentication of at least the changelog, if not the package itself, to ensure authenticity of upgrades. Debian's apt (and its descendants, like Ubuntu) seem perfectly suited for automating such authentication without adding any user complexity.

Re:Changelogs (4, Informative)

uhoreg (583723) | about 8 years ago | (#15710454)

Changelogs don't provide any form of security, and package changelogs have been standard in Debian since many, many years ago. (Long before Ubuntu was a gleam in Mark Shuttleworth's eye.) Changelogs should only be treated as a convenience to the user.

And apt supports GPG signing of the Release file, which contains an MD5 and SHA-1 hash of the Packages file, which contains MD5 hashes of the packages. (In other words, apt already does package integrity checking.)
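Added example (not from the thread and not apt's own code): the Release -> Packages -> .deb chain uhoreg describes, walked in Python. The GPG signature on Release is stood in for by an HMAC with a constructed key, the package bytes are constructed, and the last case illustrates the caveat raised upthread that a backdoor inserted before signing passes every check.

```python
import hashlib
import hmac

# Constructed sample inputs; none of this is real Debian archive data.
DEB_NAME = "hello_1.0_i386.deb"
DEB_BYTES = b"constructed sample .deb contents"
PACKAGES_PATH = "main/binary-i386/Packages"
# Stand-in for the archive signing key (assumption). Real Release files carry
# a detached GPG signature; an HMAC plays that role here so this runs offline.
ARCHIVE_KEY = b"constructed-archive-signing-key"

def hexdigest(data, algo):
    return hashlib.new(algo, data).hexdigest()

def digests_match(data, size, md5_hex, sha1_hex):
    # Size plus the two digests the thread says apt checked at the time.
    return (len(data) == size and hexdigest(data, "md5") == md5_hex
            and hexdigest(data, "sha1") == sha1_hex)

def build_packages(deb_name, deb_bytes):
    # Minimal Packages index: one stanza carrying the .deb's digests.
    return (
        "Package: hello\n"
        f"Filename: pool/main/h/hello/{deb_name}\n"
        f"Size: {len(deb_bytes)}\n"
        f"MD5sum: {hexdigest(deb_bytes, 'md5')}\n"
        f"SHA1: {hexdigest(deb_bytes, 'sha1')}\n"
    ).encode()

def build_release(packages_bytes):
    # Minimal Release file carrying the digests of the Packages index.
    size = len(packages_bytes)
    return (
        "Suite: sarge\nMD5Sum:\n"
        f" {hexdigest(packages_bytes, 'md5')} {size} {PACKAGES_PATH}\n"
        "SHA1:\n"
        f" {hexdigest(packages_bytes, 'sha1')} {size} {PACKAGES_PATH}\n"
    ).encode()

def sign_release(release_bytes, key=ARCHIVE_KEY):
    # Stand-in for signing Release with the archive key (see note above).
    return hmac.new(key, release_bytes, hashlib.sha256).hexdigest()

def parse_release(release_bytes):
    # Returns {path: {"MD5Sum": hex, "SHA1": hex, "size": int}}.
    entries, section = {}, None
    for line in release_bytes.decode().splitlines():
        if line.startswith(" ") and section:
            hexval, size, path = line.split()
            entries.setdefault(path, {})[section] = hexval
            entries[path]["size"] = int(size)
        else:
            section = line[:-1] if line.endswith(":") else None
    return entries

def parse_packages(packages_bytes):
    # Returns {basename: {"MD5sum": hex, "SHA1": hex, "Size": int}}.
    pkgs = {}
    for stanza in packages_bytes.decode().strip().split("\n\n"):
        fields = dict(line.split(": ", 1) for line in stanza.splitlines())
        pkgs[fields["Filename"].rsplit("/", 1)[-1]] = {
            "MD5sum": fields["MD5sum"], "SHA1": fields["SHA1"],
            "Size": int(fields["Size"])}
    return pkgs

def verify_chain(release, sig, packages, deb_name, deb_bytes, key=ARCHIVE_KEY):
    """Walk the chain the way apt does; return (ok, reason)."""
    # 1. The signature on Release is the only cryptographic check.
    if not hmac.compare_digest(sign_release(release, key), sig):
        return False, "Release signature invalid"
    # 2. Release -> Packages: the index must match the signed digests.
    entry = parse_release(release).get(PACKAGES_PATH)
    if entry is None or not digests_match(packages, entry["size"],
                                          entry["MD5Sum"], entry["SHA1"]):
        return False, "Packages index does not match Release"
    # 3. Packages -> .deb: the download must match its index entry.
    pkg = parse_packages(packages).get(deb_name)
    if pkg is None or not digests_match(deb_bytes, pkg["Size"],
                                        pkg["MD5sum"], pkg["SHA1"]):
        return False, "package does not match Packages index"
    return True, "ok"

def publish(deb_name, deb_bytes, key=ARCHIVE_KEY):
    # Archive side: build the index, the Release file and its signature.
    packages = build_packages(deb_name, deb_bytes)
    release = build_release(packages)
    return release, sign_release(release, key), packages

def demo():
    # Honest chain, three post-signing tamper cases (all caught), and a build
    # backdoored before signing, which passes: the signature proves the archive
    # signed these bytes, not that the signed code is clean.
    release, sig, packages = publish(DEB_NAME, DEB_BYTES)
    bad_deb = DEB_BYTES + b" plus backdoor"
    bad_release, bad_sig, bad_packages = publish(DEB_NAME, bad_deb)
    return {
        "honest": verify_chain(release, sig, packages, DEB_NAME, DEB_BYTES),
        "deb swapped on mirror": verify_chain(release, sig, packages, DEB_NAME, bad_deb),
        "index edited on mirror": verify_chain(
            release, sig, packages + b"X-Extra: y\n", DEB_NAME, DEB_BYTES),
        "release re-signed by attacker": verify_chain(
            release, sign_release(release, b"other-key"), packages, DEB_NAME, DEB_BYTES),
        "backdoored before signing": verify_chain(
            bad_release, bad_sig, bad_packages, DEB_NAME, bad_deb),
    }
```

Call `demo()` to see which cases the chain catches; MD5 and SHA-1 appear only because they are the digests the thread names, and current apt relies on SHA-256.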

Re:Changelogs (1)

Doc Ruby (173196) | about 8 years ago | (#15710528)

There is no explicit security in the changelogs. As I pointed out, faking changelogs is just an inconvenience to an attacker, but it is more than "nothing".

The lack of changelogs I mentioned was occasional, in the Ubuntu Update Manager.

And including the signing in the Update Manager GUI would add security to the process.

If you were less smug about the apt features you might be more interested in the lack of their implementation in Ubuntu, where they would do some good. Even if Ubuntu isn't operating on more hosts than Debian already, that relative popularity won't last.

Re:Changelogs (3, Informative)

SnowZero (92219) | about 8 years ago | (#15710457)

It might be nice to include signed authentication of at least the changelog, if not the package itself, to ensure authenticity of upgrades.

Debian has been checking digital signatures on every package installed for almost a year now. See here [debian-adm...ration.org] .

Of course, I run testing, so I have no idea when this got into stable.

Re:Changelogs (1)

Doc Ruby (173196) | about 8 years ago | (#15710582)

Does Ubuntu? Its GUIs like Update Manager allow extra features without extra user complexity, as I mentioned. But I don't see signing features - yet.

What was exploited..? (3, Interesting)

paulmer2003 (922657) | about 8 years ago | (#15710379)

Does anyone know what in particular was exploited? TFA doesn't give a flying fuck of information.

Re:What was exploited..? (2, Informative)

Anonymous Coward | about 8 years ago | (#15710476)

Does anyone know what in particular was exploited?

Not public information yet. If you're subscribed to debian-devel-announce [debian.org] , you'll be the first to know.

Re:What was exploited..? (2, Informative)

keeboo (724305) | about 8 years ago | (#15710483)

The announcement says:

We're still investigating exactly what happened and the extent of the damage.
We'll post more info as soon as we reasonably can.


If the ones affected can't say, who can then.
(yeah, yeah... "the ones who attacked the server").

I refuse to believe this (-1, Redundant)

Anonymous Coward | about 8 years ago | (#15710391)

I mean, we all know that Linux is super-duper-duper secure and impossible to hack. Probably just FUD from Micro$oft, am I right or am I right guys.

Re:I refuse to believe this (4, Insightful)

CaptainTux (658655) | about 8 years ago | (#15710551)

Your sarcasm is a bit silly. I don't believe the article even mentions that this was an OS level attack. Most likely, and from the fact that they pulled all these services offline, the attack happened on a piece of software running on the OS and wasn't a problem with the OS itself. So they didn't hack Linux. They hacked a service. Probably.


Why? (1)

ATAMAH (578546) | about 8 years ago | (#15710430)

Why is it "cooler" to compromise a server than it is to find and report a vulnerability?
And, if one is so set on doing some damage - why go after a free service??

Re:Why? (-1, Offtopic)

jt2377 (933506) | about 8 years ago | (#15710463)

why do U.S. soldiers rape a 15-year-old Iraqi girl and gun down her entire family including her 4-year-old sister and try to cover it up and how many unreported rape/kill/murder are there? kinda retarded question, no?

Re:Why? (-1, Troll)

Anonymous Coward | about 8 years ago | (#15710496)

Because they are filthy animals and deserve no better? Really, you have a whole group of people on that side of the world who respond to absolutely nothing except the systematic application of extreme violence. They were never worth saving and deserved the government they had.

Re:Why? (0)

Anonymous Coward | about 8 years ago | (#15710466)

Oh nothing. What's that over there?
*sound of a chair sliding across the ground*
*thump as chair hits /.-er's head*
phone call: "Don't worry, Bill. We got this one. Our secret is safe."
"OK. How about you take a long weekend, Steve? You've certainly earned it."

Re:Why? (0)

Anonymous Coward | about 8 years ago | (#15710472)

Yeah why would anyone want to attempt to compromise software that is used by thousands (hundreds of thousands?) of people. I definitely see no real benefit there. /sarcasm

Dear Hackers (3, Interesting)

SnowZero (92219) | about 8 years ago | (#15710522)

Dear Hackers,

If you manage to hack into the main repository, please fix this bug [debian.org] . A well-tested patch has been available for almost 6 months, and it is even attached to the bug report. The bug has been fixed in Ubuntu, but Debian users are still waiting, more than a year after the bug was first filed.

If you hack, do it for the right reasons.

At risk of stating the obvious... (2, Informative)

MostAwesomeDude (980382) | about 8 years ago | (#15710525)

...Anybody who didn't understand the real meaning of "compromise" needs to re-read the article, substituting "compromised" with "rooted." The attackers didn't kill the server or knock out a service. They rooted the box, and the Debian devs are trying to cover themselves somewhat by ambiguating the exact nature of the attack.

Re:At risk of stating the obvious... (2, Insightful)

Anonymous Coward | about 8 years ago | (#15710607)

Yes, at risk of stating the obvious, you stated the obvious. It's unfair to claim that Debian developers are "trying to cover themselves somewhat" just because they didn't state the obvious.

services? (1)

planckscale (579258) | about 8 years ago | (#15710531)

So is it reasonable to assume that the services that were running: (cvs, ddtp, lintian, people, popcon, planet, ports, release), and are no longer available on debian's machines are to blame for the compromise? Can I feel safe if these services aren't running on my box and only port 80 is exposed?

Funny, considering... (0)

Anonymous Coward | about 8 years ago | (#15710557)

Security support for Debian 3.0 to be terminated [debian.org] . Coincidence? *duck*

Why all the flak? (5, Insightful)

Dryanta (978861) | about 8 years ago | (#15710572)

Hey I'm sure that everyone working on Debian's dev servers have lower uids than most of us, and I find the flak to really be undeserved. It's Linux not OpenBSD; the focus of the operating system favors usability over security. If you don't like it, move to a bsd or commercial *nix platform. Also, any machine that maintains services will eventually obtain some sort of vulnerability even with heavy-handed administration and monitoring. I think the speed at which the compromise was detected in addition to the service being taken offline immediately is cause for thanks to the security team!

RSA auth to blame? (0, Offtopic)

twistah (194990) | about 8 years ago | (#15710629)

They said:
"...we've locked down
most other debian.org machines, limiting access to DSA only, until
they can be fixed for what we suspect is the exploit used to
compromise gluck."

Are they saying they think the exploit is in the RSA functionality of SSH? If so, it might be prudent to turn it off for now, but this could be a knee-jerk reaction. (To turn it off, change RSAAuthentication to "no" in /etc/ssh/sshd_config and restart SSHD, though I don't know if it's worth it.)

Re:RSA auth to blame? (0)

Anonymous Coward | about 8 years ago | (#15710655)

DSA = Debian Security Admins

Re:RSA auth to blame? (2, Informative)

uhoreg (583723) | about 8 years ago | (#15710667)

DSA = Debian Security Admins
Actually, it's Debian System Administrators. (Not to be confused with Debian Security Advisory.)