Debian Project Servers Compromised
Sean was one of many to pass along
the bad news
from the debian-announce mailing list: "Some Debian Project machines have been compromised. This is a very unfortunate incident to report about. Some Debian servers were found to have been compromised in the last 24 hours. The archive is not affected by this compromise! In particular the following machines have been affected: 'master' (Bug Tracking System), 'murphy' (mailing lists), 'gluck' (web, cvs), 'klecker' (security, non-us, web search, www-master). Some of these services are currently not available as the machines undergo close inspection. Some services have been moved to other machines (www.debian.org for example). The security archive will be verified from trusted sources before it
will become available again." They were going to announce 3.0r2 this morning; they've checked it and it's unaffected but obviously they're still postponing that release.
What's the point of doing this if you don't affect the distribution? Seems pretty insipid to me.
The debian-announce archive [ http://lists.debian.org/debian-announce/debian-announce-2003/threads.html ] doesn't list this message. Of course with the number of machines affected it's possible that the mailing list archive is somehow affected.
-JohnF
dave
Tech stuff
back until they are sure.
however, it does remind me of the gnu ftp cracking incident a while back...
(although that was a known exploit, and this seems to be login/password being compromised)
Why my apt-get was failing from people.debian.org last nite. Not to mention why debian.org was down. :(
Of course this raises the whole issue of apt-get. We all rely on apt-get update && apt-get upgrade, all it takes is someone to compromise the servers and insert a backdoor
This is the second time this has happened to a big open-source project (the first being the GNU servers a while ago). All packages by both groups are "md5" signed, which is supposed to protect against malicious hacking. However if the root server is compromised, this doesn't help. Companies (including at least Microsoft, and the people who make ad-aware) who distribute files over the internet sign them with an RSA (or similar) key, and the computer which does this signing is kept disconnected from the internet. For such large projects which are installed by millions of people, might a similar system not be a good idea?
How long will it take for the few MS fanboys around to say that this is why Windows is better? Let me pull a Rumsfeld (pre-emptive retaliation, that is...). Everyone gets compromised once in a while. At least Debian is open about it, and not sitting on an insecure system because it's more profitable to let a bad product go than to risk bad press from releasing a security bulletin.
#define DRM chmod 000
I don't think woody will be postponed that long. Martin's announcement says, "While it has not been announced yet, it has been pushed to our mirrors already."
"My mother never saw the irony in calling me a son-of-a-bitch." - Jack Nicholson
Sorry, but I had to say it.... a Microsoft release has never been delayed because one of their servers was compromised.
Let's just remember that before we extol the virtues of how great open source is.
(That's a Half-Life 2 joke)
--- Grow a pair, liberals... stop letting the Republicans bully you!
Errrm, what OS was running on the servers compromised? :)
Saying your OS is the best because more people use it is like saying McDonald's makes the best food.
getSexySig();
Are debs signed? (I'm not that familiar with Debian but I'd imagine they are.) If so then just tell apt-get to not install debs that don't match a known signature...
Any other company would have swept that kind of incident under the rug hoping it had gone unnoticed, or would have cooked up a PR statement to minimize the incident.
Here we can see the strength of such projects, as in this recent kernel story.
What puzzles me most about computer vandals is that they are effectively soiling the nest, ours and also theirs. Some of the crackers are not un-intelligent but somehow seem to miss out on considering consequences.
There seems to be a lot of flak hitting the open source world lately, what with the hack attempt on the kernel, the legal battles and the increase in FUD.
Could it be a concerted effort or is it coincidence?
It really is impressive for me how honest some organizations have been about admitting system compromises (Debian, ProFTP, GNU.org).
As someone who works with networking security, I know lots of business servers get compromised regularly. Everyone hides it because it's embarrassing for a business.
This makes you wonder how often other 'critical systems' get compromised, and get fixed without any public reports. Government computer systems get regularly compromised after all. But I'm sure so do vital Microsoft, IBM, systems, etc. Windows Update, anyone?
I hate to say it, but do the Debian developers use their own product? Were they not kept up to date? Or are all Debian boxes vulnerable? I noticed that nowhere did they mention just *how* they were compromised. Sure, it might be embarrassing, but when a major distro's servers get cracked it doesn't help confidence in their distro. Letting us know what service is broken (and hopefully how to fix it) would go a long way towards correcting that.
is probably a violation of the DMCA!
What makes you believe that it was a compromised password and not some new or unknown exploit?
-JohnF
If it was a keylogger and gaining access to someone's password, then that's just a case of personal security. That's how they got onto the GNU servers: someone had a keylogger installed on their Windows system.
Now if they managed to get through a service to compromise the machine, that would be more worrying.
But at least they managed to detect it.
Security is much much more than "just keeping your system up-to-date".
- accounts can be compromised
- unknown bugs may have been exploited (although that's unlikely in this particular case)
- crackers could have been cracking a developer's system, and using information they find on that developer's hard disk (ssh key, gpg key, ...) to log in to one of the servers
- also of importance in general is the competence of the administrators (which surely is *not* the cause of the problem here).
Of course these systems are running debian stable; but that's most likely not the problem.
here.
To verify it:
$ wget -O- http://cert.uni-stuttgart.de/files/fw/debian-security-20031121.txt | gpg --verify
Assuming you trust the key it was signed with, of course...
I've seen no confirmation of this by anyone @debian.org. So what's the deal? Real or not?
There was some fuss on the debian-user list, and this was labeled a hoax, yet I saw no official word that it was true.
What's interesting about your comment is that when an M$ compromise comes to light, the focus is on how big a bozo BillyG is for letting his insecure crap out into the world. When something like this happens, it's those nasty little hackers or script kiddies and their deep dark motives or a cabal led by M$/SCO to "discredit" Linux. Face it, the main servers for a major distro were hacked into at a very sensitive time. Ouch. Regardless of the whys of who did it, it was done. Yeah, kudos for them coming public, but if I'm Joe CTO and looking at purchasing some puters, I'm thinking to myself, hey, what's up with this, they told me that M$ stuff sucked and this Linux stuff was secure. This wasn't some ma and pa website that got defaced after all.
If a password is compromised, it does not matter what system you run. And everything I've read indicated this break-in was the result of a compromised password.
Finkployd
other comments i've seen.
debian grapevine.
.debs should be gpg signed, and should fail to install if the verification fails. In fact, so should all packages from distros. Redhat, +1, Already doing it. -1, not failing to install if the packages don't verify.
My dear facetious friend, they're strings/words, not variables :-)
At this point I would like to see the debian team develop some written policies and procedures for how they intend to prevent this sort of thing in the future. I checked the site and while there's security info for how to secure your box, there's no policies on 'how does the debian project secure itself'.
Lastly, one concept you have to keep in mind, we have no idea how often other OS's key servers are cracked because they'd never tell us.
If Debian ran OpenBSD, this wouldn't have happened! Theo runs a tight ship over there.
I also think that Gentoo would have prevented this tragedy.
Not really. The vast majority of break-ins are through misconfiguration or human error. Neither Gentoo, OpenBSD, nor anything else can prevent these factors. I would be very surprised if this was due to a security hole or vulnerability. More likely someone wasn't secure enough with their SSH keys or something like that.
OpenBSD prevents stolen passwords from being used to log into a system? How?
"How can you claim that you are anti-crack, while still writing a window manager?" — Metacity README
because he did it, duh!
As Linux becomes more popular this is only natural.
Open-source projects are not immune to attack and they are going to start feeling some of the pain experienced by other big targets like Microsoft. In the beginning it could be really bad because unless you're being attacked seriously all the time then you may not even realize where your vulnerabilities are.
This is a wake-up call to all "open" projects. Systems that are in use by a large number of people need to be protected better. Sure, this may have been a password compromise but the system should have been secure enough that some low-level user account compromise can't cause serious damage. And the high level accounts should never, ever have a password compromise. This needs to be treated in the same way big business does. Protect the customers, otherwise you may lose them.
This made me start thinking... Has Redhat ever been compromised? That'd be a reason for going with a commercial distro if the free distros can't get their act together. (I've been a Debian user for many years by the way)
The ratio of people to cake is too big
Like Mossberg says, Mac's can't be hacked!
In the future, I would want to not be isolated from my friends in the Space Station.
news at 11: bill g4t3z takes credit!
Since when does a compromised password warrant a patch?
Was any code stolen? OH wait...
There are a huge number of yeast infections in this county. Probably because we're downriver from the bread factory.
If this were Microsoft it would have been announced by someone who found the vulnerability/compromise and announced it and Microsoft would have released a statement saying they were already aware of the problem, but didn't want to let it be known so it could be exploited and that those who announced it shouldn't have.
Whereas Debian announced this themselves.
Debian has integrity, owning up to the fact that something is wrong. Microsoft would rather cover it up and not fix it if they didn't have to.
Considering everyone is saying this was a password compromise, how the fuck would OpenBSD and Gentoo have prevented this?
If this were Microsoft, it would have been the 142nd time, and you wouldn't know about it.
Someone set us up the bomb, so shine we are!
Then explain the OpenSSH trojan a few years back.
Given the zealotry of some OpenBSD users, I'm sure it wouldn't be hard to find someone claiming that a blowfish-encrypted passwd database prevents that, or something. Maybe even one who actually believes this. There have been more stupid claims made about OpenBSD's security.
Programming can be fun again. Film at 11.
Cracked from M$
Windows Box Gets Hax0red: "Ha ha ha ! Serves 'em right for running Bill Gates' Satanic OS. Let the jokes begin. Moderators, get ready !"
Linux box gets compromised: "Oh, this is so unfortunate. Oh dear. Can I have a moment of silence ?"
Tired of being "punished" by the Slashdot $rtbl since 2002. I'm now over at http://soylentnews.org/ .
First GNU, then Bitkeeper, now this, whatever shall we do?
Simple, the technology has existed for decades now.
A little something I like to call "Public Key Cryptography"
With this "Public Key Cryptography" you could conceivably sign software in such a way that it could not be altered without breaking the signature, AND ensure that nobody else could forge this digital signature (you are keeping your private key private right?)
MD5 Hashes are a step in the right direction, but by themselves are meaningless. Sort of like improving your home's security by drilling holes in your door to mount a deadbolt but not actually taking the final step and INSTALLING THE DEADBOLT.
So let's take these MD5 hashes and encrypt them with the package maintainer's private key (or distribution maintainer, whatever). Then dpkg (or rpm, emerge, whatever your favorite package tool is) could be written to decrypt this hash with the corresponding public key. Wait, there is more! Then it could generate its own MD5 hash of the package in question and COMPARE it to the decrypted hash it just created. If they match, the package is unaltered AND came from a trusted source. This my friends is what we like to call a "digital signature"
I don't care how you do it, GPG, X.509, whatever. I'm actually leaning toward X.509 since it seems to me to make more sense to have the distro maintainer run his/her own CA and issue certs to package maintainers. This CA could then be included in whatever package tool is used and voilà. No mucking about with the web 'o trust (which rocks for ad hoc trust relationships like between people emailing each other, but sucks for this kind of hierarchical stuff)
So what do you think everyone? Good idea or should we wait for a few more server compromises before we think about securing software repositories?
Finkployd
In response to the dastardly assault against the twin (mini-)towers, the President of Debian drew a line in the sand and immediately announced the invasion of Slackware.
Oh, OpenBSD, not NetBSD, my bad.
*ducks*
Tom.
Oh arse
Why on earth would you hack the servers of a free/open non-profit project such as Debian? The person(s) who did this are really, really sick.
Perhaps a former Valve employee found a new calling with Debian? :)
*grin*
:|
jay! let's burn some more karma!
depends on your point of view i would say. if your abilities in the realm of abstract thought are so minute that you cannot see a (few) word(s) as a description of a variable, that's not my problem.
by the way: using the word 'facetious' is completely out of place here. you cannot read my mind, so how can you tell i was joking? i have no sense of humor whatsoever
Here we have yet another example of how Microsoft's shoddy programming is causing no end of trouble. Microsoft's products are well known throughout the world to have poor security and they get hacked all the time. We should all boycott Microsoft products and sue Bill Gates for false advertising! If Debian were using open source software, this would not have happened!
Huh? What's that you say? Debian was using open source? Linux, you say? Their own product, you say?
Oh, well...then that's all different now, isn't it? This is now an example of why open source is so much BETTER than Microsoft's stuff! Yeah, that's it! Yeah, there's a silver lining to this cloud somewhere...yeah, just give me a minute and I'll come up with a dandy excuse that totally absolves any open source code bug from fault while at the same time finding a way to slam Microsoft.
After all, isn't that the Slashdot way?
In the end they will lay their freedom at our feet and say to us, Make us your slaves, but feed us. - Fyodor Dostoyevsky
Except that this was due to a password leak, not a software issue. It wasn't rootkitted. Somebody stole/guessed a password.
Crudely Drawn Games
Is this supposed to be funny?
Then the next point of failure becomes the keyservers. How do you know you imported a good key, and that the keyserver hadn't been compromised when you did it?
This probably would be no good as a way to sneak backdoors onto more than a few machines, since keys are usually stored once and used often. But it would be good to have some sort of key distribution and verification system. Imagine a key publisher having 7 peers, and where they carry same keys, requiring 5 to 7 matching signatures, and point a nasty finger at the odd one(s). More than two mismatching signatures and the system quits publishing keys.
Of course then the key publishers themselves become a choke point for a DOS attack, of sorts. Make updates grind to a halt as a new exploit is emerging, widening the window to utilize it. But still, most keys are stored, and the voting failures only stop distribution and verification.
Thorny issues, part of why PKI is considered 'hard'. But at least my suggestion is reasonably decentralized (I didn't say how to get a new key into the system) and has publishers voting on the intersection of their published keys, not requiring every server to publish every key.
The living have better things to do than to continue hating the dead.
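The quorum rule sketched in the comment above (seven peer key publishers, five to seven must agree, name the odd ones out, more than two mismatches and publishing stops) as an added worked example. This is not code from the original thread or from Debian; the peer names, the fingerprint strings and the 5-of-7 / max-two-bad thresholds are constructed for illustration, and the "bad" peers are made to collude on one wrong fingerprint, since that is the case where counting alone would mislead.

```go
package main

import (
	"fmt"
	"sort"
)

// Report is one peer key publisher's answer to "which key do you hold for
// this key ID?". In this constructed example the answer is the key's
// fingerprint; a real system would compare the full key material.
type Report struct {
	Peer        string
	Fingerprint string
}

// Verdict is the outcome of polling the peers.
type Verdict struct {
	Fingerprint string   // fingerprint the quorum agreed on; "" if no quorum
	Dissenters  []string // peers whose copy differs from the majority
	Halt        bool     // more than maxBad peers disagree: stop publishing
}

// Quorum applies the rule from the comment: accept a key only when at
// least need peers hold the same one, name the odd ones out, and if more
// than maxBad peers disagree, refuse to publish at all.
func Quorum(reports []Report, need, maxBad int) Verdict {
	counts := map[string]int{}
	for _, r := range reports {
		counts[r.Fingerprint]++
	}
	// Most common fingerprint wins; ties are broken on the string so the
	// result is deterministic regardless of map iteration order.
	best, bestN := "", 0
	for fp, n := range counts {
		if n > bestN || (n == bestN && fp < best) {
			best, bestN = fp, n
		}
	}
	var v Verdict
	for _, r := range reports {
		if r.Fingerprint != best {
			v.Dissenters = append(v.Dissenters, r.Peer)
		}
	}
	sort.Strings(v.Dissenters)
	v.Halt = len(v.Dissenters) > maxBad
	if bestN >= need && !v.Halt {
		v.Fingerprint = best
	}
	return v
}

// Poll builds a constructed 7-peer panel in which the first bad peers all
// return the same wrong fingerprint (collusion) and applies the 5-of-7 rule
// with at most two dissenters tolerated.
func Poll(bad int) Verdict {
	const good = "7A9D3C1E5F028B64D1C70E3A9F4B2D8C6A5E1B0F" // constructed fingerprint
	const evil = "DEADBEEF0000000000000000000000000000BAD1" // constructed fingerprint
	var reports []Report
	for i := 0; i < 7; i++ {
		fp := good
		if i < bad {
			fp = evil
		}
		reports = append(reports, Report{Peer: fmt.Sprintf("peer%d", i), Fingerprint: fp})
	}
	return Quorum(reports, 5, 2)
}

func main() {
	for _, bad := range []int{0, 1, 3, 4} {
		v := Poll(bad)
		fmt.Printf("bad=%d accepted=%v halt=%v dissenters=%v\n", bad, v.Fingerprint != "", v.Halt, v.Dissenters)
	}
}
```

Note the bad=4 case: four colluding peers are the numerical majority, so a plain "most votes wins" check would publish their key. The halt rule catches it only because the three honest peers now count as dissenters and three is more than the tolerated two; the thresholds need and maxBad therefore have to be chosen together against the number of peers.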
Uhm no. You're wrong. If this is MS the world would just try to justify by saying things "it's the administrator's fault" and "security depends on the user". Previous articles have proven time after time that most people try to justify MS's security flaws rather than flame them down.
On the other hand, when there's an article about a security bug in Linux, people will massively mod Linux down for being insecure and insult the entire community for being zealots.
This is a fact: most people are anti-Linux, not anti-MS.
As much as a troll he may be, he does have a point. Windows zealots usually use stories like this to say that Linux is insecure. However, when they do that, we can just say "So what? Open source is still more secure. If you want absolute security then go use OpenBSD."
It's not about Linux vs Microsoft, it's about Open Source vs Microsoft.
Heck, maybe even Unix vs Microsoft. Because then we can use MacOS X to beat all the Windows zealots.
klecker (security, non-us, web search, www-master)
is one of the compromised machines.
Interesting. Wonder if the US neofascists are trying to weaken security of the free world's systems again?
The backdoor attempt on the linux-kernel was NSA-levels of sophistication. This seems a lot cruder. But just because you're paranoid, it doesn't mean they're not out to get you.
I doubt that Microsoft (or any commercial software company) would publicly announce that it had been compromised. The source code processes at Microsoft are opaque -- nobody knows exactly who is putting what into the source code. If hackers, government officials, RIAA, etc. are modifying Windows' source, nobody would be the wiser. In contrast, the openness of open source development creates an audit trail of who did what to the code (assuming the version tracking and submission system is not compromised).
Transparency is a prerequisite for trust.
Two wrongs don't make a right, but three lefts do.
Just in the interest of full details, BitKeeper was NOT compromised. The CVS bridge to BitKeeper was the software that was compromised. BitKeeper caught the problem and did not let the back door into the kernel source tree.
-- http://www.MindBlowingPhotos.com
Photography inspired by music, nature and life itself.
Looks like you've been bitten by the "-1: Unpopular Opinion" moderation. You hit the nail on the head, and someone with mod points objects.
Without transparency and honesty, how can there be any security at all? If Debian people didn't report it, i'd be more concerned. Now that they've reported it, we can be sure that the damage can be controlled, minimized, and prevented in the future.
Perhaps the password compromise threat can be minimized by strictly limiting the number of people permitted to know the root password of each server. Knowing the Debian project, they have already thought of that, and more besides.
WPostma
...that Microsoft will pounce all over this and use it as an example of how much better their product is as opposed to OSS. Never mind the almost weekly reports of holes in Microsoft's software, a new virus that threatens IIS and Windows machines every few days, and their returning to the bloatware practices with Longhorn that got them into trouble with the DoJ in the first place.
No, this is the perfect event for MS to unleash the FUD machine on. Debian's servers compromised, should have used Microsoft. Whatever. This is a drop in the bucket compared to the deluge of problems Microsoft products have.
Fact is, you just don't hear about problems with *NIX OSes as often as you hear about problems with MS machines. That's because they just don't happen as often. In the last year, I can only think of maybe one or two major virii that I heard about affecting *NIX software. On the other side of the coin, I can come up with at least a baker's dozen that affected Microsoft products.
In the end, the Debian Project will recover nicely, and MS will launch assaults that will fall on deaf ears. But that's just the opinion of one little OSS zealot, I could be wrong...
Blog Prophyts - Right On, Man
Doesn't surprise me when you consider the track record. Microsoft still doesn't get it. Bill can talk about security all he wants, but Microsoft's indifference to security is too ingrained in their culture. Oh ... wait... oops, wrong OS.
I ran apt-get and my machine was converted to Windows 2003!
/* It's amazing the damage someone with a stunted sense of humor and mod points can do to your karma. */
There are ways to make sure that the system you are running cannot be compromised from the outside even if the attacker knows your root password.
Don't offer services that can be used to administer system to the public internet.
-==-
Funny, my apt-get using h4x0r3d.debian.org was working perfectly....
My beliefs do not require that you agree with them.
Variable:
- A quantity capable of assuming any of a set of values.
- A symbol representing such a quantity. For example, in the expression a² + b² = c², a, b, and c are variables.
It ISN'T variable. It's just a string.
You say "everyone gets compromised once in a while." Is that really your views when a Linux server gets compromised? I hate to say it, but Microsoft's haven't been compromised, and they're the bigger target.
Everyone here knows if windowsupdate.microsoft.com had been compromised, people would be droning on about how it's some sort of illustration of Microsoft's security. All the "+5 Funny" trolls would be out in full force, and everyone would try to act like some sort of security expert.
Here, we have another OSS break-in (remember GNU?), and people can only offer excuses and justifications. It's a double standard I can't not notice. Sorry to spoil it, but there is nothing wrong with pointing out that this has yet to happen to Microsoft's server. And you know people try harder against them!
Security to you apparently means "everyone gets compromised once in a while." Wow. If that's the security mentality going around in the Linux community, expect more compromises as Linux grows more popular, and expect more excuses as people try desperately to avoid the "haha, told you so" laughs from people who have pointed out all along that nothing is 100% secure, and that all operating systems--especially Linux--have flaws, holes, buffer overflows, and so forth.
PGP keyservers (unlike, say, Kerberos KDCs) are completely untrusted. Anyone can upload any key to a keyserver. And downloading a key from a keyserver implies nothing about that key.
To verify that you have a valid key, you have to rely on the web of trust. Basically, if a key is signed by someone whose key is signed by someone [recurse through however many levels you are comfortable with] whose key you have personally inspected, then the key can be assigned a trust metric based on how reliable you consider that chain of signatures to be. (Basically, how much you trust the integrity and acuity of the people controlling the chain of signatures.)
PGP and GnuPG have supported this infrastructure from Day 1. Asking people to trust an arbitrary third-party public keyserver was never in the plans.
"How can you claim that you are anti-crack, while still writing a window manager?" — Metacity README
When, oh When, will people discover that smoking is an obsolete and dangerous drug delivery method. After all it's not like you see all the big pharmas looking to burning and inhaling the fumes of their next big Viagra replacement!
Nothing in the world is more dangerous than sincere ignorance and conscientious stupidity.
The vast majority of break-ins are through misconfiguration or human error. Gentoo, OpenBSD, nor anything else, can prevent these factors.
Try SELinux. A misconfiguration in even a highly privileged application will not lead to a system compromise, provided an appropriate security policy is in place... and an appropriate security policy is easy to write with the tools from Tresys.
Sticking feathers up your butt does not make you a chicken - Tyler Durden
When you consider that OSX's kernel is Open Source, do you really need to say Microsoft vs. Unix?
You summed up all the posts I've read so far in this article. Nice job.
"Wow, Debian is so great because they're openly saying that the compromise happened! I'm so proud of Debian for its honesty, as other companies wouldn't have done the same. Wait, we were discussing the compromise itself? No, I don't want to think about it..."
Huh? Why the patch if it's just a compromised password? Something fishy going on...
Then the only thing needed is a script which warns people when the files they download are trojaned. This could be built into Mozilla, Nautilus, or simply be a file system crawler built into an OS distribution.
I've actually written a proof-of-concept in Python (called HashDB) that works rather well, and released it under the GPL, but for something like this to get going, it needs to be supported by RedHat or some other large corporate entity.
Dave Aitel Immunity, Inc.
There seem to be a lot of high-profile scary-seeming attacks on Linux pressure points in the news lately, and just after MS' Linux Security FUD kick and right after MS has announced that it will be making its OSes more secure than Linux...
Did it decide to do so by making Linux less secure by devoting resources to getting backdoors planted, etc.?
Judging by past business practices would this be beyond them?
One thing is clear here: the pathetic administrative model of Debian is 100% at fault.
No, the only thing that is clear is that you are an idiot.
Uhm no. You're wrong. If this is MS the world would just try to justify by saying things "it's the administrator's fault" and "security depends on the user". Previous articles have proven time after time that most people try to justify MS's security flaws rather than flame them down.
What Slashdot are you reading? Most people would write "+5 Funny" trolls and "I told you so" heresy. Anybody pointing out the obvious--that the flaws were patched already a month before, that it's a result of users running the attachment, whatever else--gets modded down, because this site is not pro-Linux but anti-Microsoft.
On the other hand, when there's an article about a security bug in Linux, people will massively mod Linux down for being insecure and insult the entire community for being zealots.
Not what's going on here. People, as usual when this sort of thing happens, are making excuses and trying to point out silver linings. I wish more people possessed the ability to look at themselves.
I must say I'm quite impressed that so much conversation has been generated from a sig. Or is that cig? Anyway, hey, I used to smoke but quit. I'm not one of those fanatical ex-smokers or non-smokers. If you smoke, cool. I hope you exercise or something to counteract the negative effects. I chose to quit because when I get older I'll have a better chance at survival. Granted, I'll die anyway but hey, you gotta cut the odds. If you smoke, enjoy! If you're smokin' weed, you already do enjoy. Either way, good luck!
Ignore this sig...
I wonder if someone really believes that Debian makes the stable releases for stability and security rather than incapacity of releasing and supporting an up to date system.
I hate that excuse! Oh well to make it stable we release slowly. No, you release slowly because you don't have enough devs to get it done at a reasonable time.
Even the so-called "unstable" distro that you are supposed to run to get "up to date" software is always 3 months to a year behind depending on the package.
If FreeBSD can stay up to date and be stable then its obvious debian is offering its users an excuse made of false choices...Be up to date and unstable or unstable and old. That's their group think mantra. They don't even realize no one but a true believer buys it. Sure a distro has to be sort of old to be stable...BUT NOT THAT FREAKIN' OLD.
MD5 is not a digital signature, it is simply a "hash" or "message digest". By itself it is utterly useless.
:)
However, if the package maintainer were to encrypt this MD5 hash with a private key, then release that with the package it would be loads more useful.
Then a lowly end user could decrypt this encrypted hash with the package maintainer's public key, then create their own MD5 hash of the downloaded software, and last compare their hash with the unencrypted hash, then we have some security.
We could call it....ummm.......oh yeah, a "digital signature"
Finkployd
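The "encrypt the hash with the maintainer's private key" scheme described in the two posts above (the X.509/GPG proposal and the "we could call it a digital signature" one) as an added worked example. This is not code from the original thread, from Debian or from any package tool; it uses ed25519 from Go's standard library in place of the "RSA (or similar)" key the posts mention, and the package bytes, the backdoored variant and the Release layout are constructed for illustration. It shows the exact failure the posts describe: an attacker who owns the archive can recompute a bare MD5 so the hash-only check still passes, but cannot re-sign without the private key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/md5"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Release is what a hypothetical archive publishes next to a package:
// the package bytes, the bare MD5 that any mirror can recompute, and a
// signature over a SHA-256 digest of the package made with the
// maintainer's private key (ed25519 here; the posts say "RSA or similar").
type Release struct {
	Pkg []byte
	MD5 string
	Sig []byte
}

func md5Hex(b []byte) string {
	sum := md5.Sum(b)
	return hex.EncodeToString(sum[:])
}

// Publish runs on the maintainer's signing host, ideally one kept off the
// network. Only it ever sees priv.
func Publish(priv ed25519.PrivateKey, pkg []byte) Release {
	digest := sha256.Sum256(pkg)
	return Release{Pkg: pkg, MD5: md5Hex(pkg), Sig: ed25519.Sign(priv, digest[:])}
}

// Tamper is what someone who owns the archive server can do: replace the
// package and recompute the hash so a bare-MD5 check still passes. Without
// priv they cannot produce a matching Sig, so the stale one is left behind.
func Tamper(r Release, backdoored []byte) Release {
	return Release{Pkg: backdoored, MD5: md5Hex(backdoored), Sig: r.Sig}
}

// HashOnlyCheck is the "MD5 published in the archive" model.
func HashOnlyCheck(r Release) bool { return md5Hex(r.Pkg) == r.MD5 }

// SignatureCheck is the digital-signature model: the client holds the
// maintainer's public key obtained out of band (shipped with the package
// tool, not fetched from the same server) and verifies the signed digest.
func SignatureCheck(pub ed25519.PublicKey, r Release) bool {
	digest := sha256.Sum256(r.Pkg)
	return ed25519.Verify(pub, digest[:], r.Sig)
}

// Demo builds the scenario with constructed package contents and returns
// the verdicts: hash-only on genuine/tampered, signature on genuine/tampered.
func Demo() (hashGenuine, hashTampered, sigGenuine, sigTampered bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	genuine := []byte("Package: example\nVersion: 1.0\npayload: ...")                              // constructed
	backdoored := []byte("Package: example\nVersion: 1.0\npayload: ...\npostinst: echo backdoor") // constructed
	rel := Publish(priv, genuine)
	evil := Tamper(rel, backdoored)
	return HashOnlyCheck(rel), HashOnlyCheck(evil), SignatureCheck(pub, rel), SignatureCheck(pub, evil)
}

func main() {
	hg, ht, sg, st := Demo()
	fmt.Printf("MD5 only:  genuine=%v tampered=%v\n", hg, ht)
	fmt.Printf("signature: genuine=%v tampered=%v\n", sg, st)
}
```

Two things the code makes concrete that the prose does not: the signature covers a digest of the package rather than the package itself (so the signed blob stays small and the digest algorithm is the client's choice, not the archive's), and the whole scheme stands or falls on where the client got pub. If the public key is fetched from the same compromised server, the attacker simply ships a new key with the new package, which is the keyserver problem raised earlier in the thread.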
I don't think it's about vs. Microsoft; I think it's about vs. proprietary. We sometimes have "allies" in other proprietary software vendors, but that model is what created Microsoft in the first place, and taking the economic benefits out of that model through the creation and improvement of Free software is what interests me.
Secession is the right of all sentient beings.
Fact is, you just don't hear about problems with *NIX OSes as often as you hear about problems with MS machines. That's because they just don't happen as often. In the last year, I can only think of maybe one or two major virii that I heard about affecting *NIX software. On the other side of the coin, I can come up with at least a baker's dozen that affected Microsoft products.
Actually this argument is meaningless due to the timing. The Debian servers were, apparently, hit at a VERY SPECIFIC time. This is frightening to some CTO trying to figure out what really is the best system to go with. That someone just "casually" broke into their servers at the exact time they wanted to gives me no fuzzy little feelings inside WHATSOEVER. Had this been some isolated incident at some random time, then yes, one can make it a pure numbers game.
Funny how when something like this comes up, M$ gets beat up anyway, yet most people here feel it's ok to beat them up wantonly any time any little security issue comes up on their side. Harp on them == ok, errors on linux, shame on them for saying anything.
"Gentoo server" ... ... were you being serious?
Oh, sorry
Gentoo isn't even stable enough for my desktop.
Put identity in the browser.
As you can see in this comment, it wasn't a bug in the software, but the wetware. :-)
The Official Steve Ballmer Webpage
Ummm, let's not forget the OpenBSD sites have been hacked so...
Good point, that.
Finkployd
All three of my Linux boxes run Debian; this latest security breach will not change that.
However, I hope this type of incident tempers the often-strident elitism of the free software camp. My faith in Debian continues because they caught this problem and openly announced it; my concern is that the lack of consequences will make people assume that this was a false alarm or unimportant incident.
Free software suffers from "victory disease" -- an assumption that, based on past success, future success is guaranteed. Because free software has proven reliable and secure, the consensus seems to be that it will always be so.
Pride comes before the fall, as they say. Attempted infiltrations of the Linux source code control system and breaches of security at Debian suggest that we need to be cautiously optimistic, not naively myopic.
All about me
If FreeBSD can stay up to date and stable, it's because their "ports" aren't part of the operating system proper. If they release much more often, it's because they don't have to release as much as Debian has. Their '-STABLE' is not even remotely as stable as Debian's stable distribution.
Sure, stable is getting old. But it's got its reasons; and if you don't like it, you're welcome to use any other distribution.
With the upcoming FUDstorm, this is just what M$ needs. I am willing to bet that either an overzealous M$ employee or a purpose-paid consultant did this.
Get a free ipod.
...what does it take to become a Debian coder? I mean, if the process of becoming one is "easy" for a good programmer, what stops big corps like Microsoft from hiring people to sabotage Linux distributions?
If it was possible for this to happen, and it was possible for a Debian coder to add malicious code without other coders noticing, this could be a very serious problem about open source distributions of software.
Please take note that I am favorable to the open source initiative.
Diego Rey
diegoT
Precisely as hard as it would be on any other system, excluding those Debian boxes which actually verify the signatures before installing packages (where it would be impossible).
However, it would be noticed rapidly and suitable announcements made.
218 posts and some rare appropriate reactions.
- I thought Linux was secure... Guess not. Who told you that Linux was secure? Your grandma? Linux is more secure than Windows, of course. But it's not immunized against crackers. The computer world is based on a set of rules that can be broken. The better you are at mastering these rules, the more secure your boxes are. But these rules can be broken, which means that, given human nature, they are bound to be broken occasionally. Furthermore, you will have noticed that it often relies on human mistakes (password cracking, for instance).
- Free software sucks, Microsoft rules. Here I can almost physically feel the frustration of advocates of the proprietary world who can do nothing but bash any free software flaw they might encounter. However, they deserve a clear, sound, and honest answer. My dear fellows, the free software world never proclaimed itself the embodiment of security. We do our best to ensure it. And don't mix things up: our main problem with Redmond's handling of security is about post-treatment. We do not appreciate the culture of hiding; you can see here how coherent we are with ourselves.
- Gentoo is better than Debian; oh no, it's Redhat; oh no, it's Slackware. Hey guys, are you really part of the free software world? Can you just realize these are the precise sentences that led to the proprietary software world? And don't you think that you should adopt a more conservative stance? Don't you think that the moral of this sad story is that nobody is preserved from crackers? Wake up, men, this is the very crucial moment where we must stand united. Keep your ammo for your real foes.
There are some days when you would think that the free software world is not that 'free as in freedom'...Regards,
JDif
Let's overcome our weakness.
If this were Microsoft, we'd call it "Tuesday"
LilMikey.com... I'll stop doing it when you sto
You are describing how Debian's web of trust works today. Each key should be (not all are, but most are) signed by at least one other Debian developer. If you take a look at the graphing of the Debian keyring, you will see that it is well-connected. (Note that this graph is old, from August 2000, but the same holds today, and it's probably even better connected.)
(Look at sig2dot for the tool used to generate the graph.)
There is also nothing stopping you from signing keys used for advisories and such, which can then be cross-vendor, and everybody will be happy.
This news made me realize how much I depend on Debian. At the moment, every one of my machines (four servers, three workstations, and a laptop) runs Debian. I've been running it as my primary OS for... two years? So far I haven't paid a dime for it. It is a nice advantage of Free Software to be able to use it for free, but given the fact that I'm way out of "try-before-you-buy" mode, I'm going to send them a check today. Software in the Public Interest was founded by and is the current funding source for Debian.
One server compromise in the two years that I've been watching by a company with zero product sales revenue is pretty impressive. An OS that is (IMO) dramatically superior to any commercial offering for free? They've earned my respect, and have clearly earned my cash.
Stop-Prism.org: Opt Out of Surveillance
may be the matrix said it right when the agent said "nothing this weak is meant to survive". linux sucks scum... i love to see my man billy gates gets the last laugh...
If these projects are open and both admit to what happened and describe how their systems were compromised, then other people can learn from their mistakes.
It's one of the things which contributes to the secure nature of the software - if it turns out that, say, version 1.337 of the Foobar daemon was compromised, I bet a lot of sysadmins will be double-checking to make sure that they're not running that particular vulnerable version.
I'd rather there was honesty that people can learn from than the permanent claim that it's the best software ever and can never go wrong - by acknowledging errors and mistakes, things can be made better.
This is simply not an option for Debian or a large number of other self-hosting open source projects. The Debian sysadmin team has people located all over the world. Additionally, while you may consider sshd to be a service used only by sysadmins, that's certainly not the case in the Debian project. There are a number of machines that are accessible to all Debian developers for various reasons. These all run sshd, which is very likely the entry vector used by the attacker, if it was indeed a compromised password that allowed their entry.
noah
It's not a hole, though. So far we only know it as a login/password that was compromised. Any system, no matter how secure, is susceptible to that. Most of Microsoft's holes are much different - they're exploitable and are available from the default recommended installation, meaning the computer grandma bought for Bobby is susceptible and will probably never be patched.
Hey, hold on just a second. That's out of line and inappropriate.
The phrase you were looking for was "Take that, dirty stinky GNU hippies."
Hope this helps.
Actually it got owned by Code Red. What made it truly hilarious was the fact that Microsoft was putting all of the blame for the worm's success on the users that didn't patch their systems. Not only did Microsoft not apply the patch, but they didn't apply the patch on the very servers that were hosting the patch. The compromised server was seen by many people, and mentioned in this article's comments. A screenshot is here.
I wonder if someone really believes that Debian make the stable releases for stability and security rather than incapacity of releasing and supporting an up to date system.
First, I don't think anyone in Debian is saying that. We'd be happy to release more often. Note that people running Debian on servers would then complain that we wouldn't support releases for three years if we did that. There's no way we'd have the resources to do that.
Even the so-called "unstable" distro that you are supposed to run to get "up to date" software is always 3 months to a year behind depending on the package.
I'd believe you if you said from 0 days old to a year. I release a lot of packages on the same day as upstream.
The packages that are very old are usually much more complicated, like X. Debian packages must compile and run on around 10 different architectures, so it's not uncommon for pristine upstream packages designed on i386 hardware to fail to build correctly on all Debian-supported arches. Did you know that the Debian team that handles X must do a lot of patching to get X to work on all these arches?
I like it
Stroking Female Geek
yeah, but he said it wouldn't be long...
I'm a strong advocate of and adherent to free and open source software. I don't think the issue is beating Windows zealots in any sense.
In my estimation, what's important isn't an ideology but an orientation to software use and development. Assuming that a utilitarian perspective applies to software development, and assuming you buy in to some limited form of democratic values, it software use and development consists in creating and using tools that effectively do a job while upholding values of widespread social good via transparency, diversity of choice, an appropriate level of propriety, and reasonable cost. If this applies anywhere the most strongly, it is probably to operating systems.
To tie it back in to what just happened: it's astonishingly principled of the Debian team to admit the compromise and carefully proceed. This is what the software world needs, forget the zealots of any stripe and all the noise they make.
Online citizen journalism from the inner city: The View From The Ground
We all know the possibility of having 100% secure systems is improbable if not impossible. Clearly the Linux community as a whole strives toward this, and I think having a break-in like this just shows how the community has already set up safe checks and has a quality security system. The break-in was detected, by the sounds of it, right away, and they have already verified the packages and will, I'm sure, be running a double check. They've announced it to the community and I for one am not worried about a trojan of any kind. If this were another OS that was closed source, I believe such security checks are far from standard. The OS developers may not even know that the system has been compromised... I never feel safe using Windows Update, and yet I type apt-get update; apt-get upgrade whenever I feel like it. This quick response, release of information and verification of packages just re-affirms my trust in the Linux community.
No, this is
I doubt that Microsoft (or any commercial software company) would publicly announce that it had been compromised.
;))
Valve comes to mind... (run by 2 ex-MS employees
Never underestimate the relief of true separation of Religion and State.
They name themselves as the developers of the most secure linux version out there, and they get compromised just before the 3.0r2 release. That's got to hurt their credibility.
Open Source Java Web Forum with LDAP authentication
It's not possible to kill the Free Software business model directly because of its global nature -- so more underground, guerrilla methods are required. Keep your eyes open and watch them go. They're determined little buggers. But then again, to retain ownership of what will be a trillion dollar market over the next 20 years, I would be too.
Follow the money. Who benefits from rooting Debian, trojaning the Linux kernel, hacking Slashdot, then massively astroturfing against Free Software here on its home turf? Yes, you are correct, my twin former employers - whose technology sharing initiative is largely based around mutual self-defense...
Granted I don't know exactly what was entailed here... But no matter what your OS, if someone gets the password or other pieces needed for authentication, you are in trouble. Not all hacking involves exploiting actual holes in the OS.
Won't argue with you about the general tone of the people at Slashdot, though.
Obviously this ends the debate as to why Gentoo is obviously better than Debian. The compromised packages probably wouldn't even be finished compiling by the time the compromise was discovered.
(I run Gentoo on my laptop... don't flame me either way)
I just switched to Debian a couple of days ago, and am thinking I should reinstall.
Damn.
Stating on Slashdot that I like cheese since 1997.
Gentoo isn't even stable enough for my desktop.
This is pure FUD. Fud, fud fud fud fud. Also add a bit of technical ignorance. Care to qualify this ridiculous statement?
>> Password stealing is pretty OS independent. So this compromise, whilst undeniably bad,
>> isn't really going to show much about Debian, or Windows
it does make me nervous about the whole organization, on which the distro and my OS depend
Thank heavens you guys were smart enough to host your signatures/checksums on a different machine, unlike some other projects I could mention. I know it's early, but do you know anything yet regarding how the machines became compromised? It'd be nice to have an early warning in case I'm running the same software at work.
Fred
"A fool and his freedom are soon parted"
-RMS
No more publicly than displaying "Welcome to www.worm.com, Hacked by Chinese" on Windows Update machines... :-)
My point is this. Linux is not the be all end all of existence. Its a great OS, with problems just like anything else. Lets keep this in its proper perspective and try to ignore the hysterical ranting of the Debian wackos.
What does this have to do with the "quality" of Debian? AFAIK, the vulnerability that led to the compromise hasn't been revealed yet. It could have been something as simple as a guessed password.
Fred
"A fool and his freedom are soon parted"
-RMS
Once is happenstance; twice is coincidence; three times is enemy action.
Once is the gnu/ftp compromise mentioned here on Slashdot.
Twice is this incident.
The third time should convince us all that someone is out to get Open Source specifically! Tighten up your security, gentlemen! The gloves are off and someone out there is trying any means, fair or foul, to discredit Open Source.
If you switch to SCO|M$ then the terrorists have already won =(
How open about it are they? I noticed yesterday that apt was choking, then www.debian.org was inaccessible, so I assumed an upgrade or some other issue.
www.debian.org is up now, but the last news I see on there is from Nov 10:
Debian wins several Readers' Choice Awards
Not to be too picky, but a little more info on the main page *would* have been great. Thankfully I have slashdot and some others to back me up.
That's why you shouldn't automatically run apt-get update and apt-get upgrade.
On a stable installation there's so little change that there's no gain doing automatic updates anyway. And as I found out about this through half a dozen sources on the morning of its discovery, there was little risk of my servers getting infected (should a compromise of the archive have been made).
The openness and swiftness of the response to it should be upheld as the right way to do things. The FUD and scare mongering that follows is an unfortunate by-product.
You know what... encrypt your SSH connection at 1024-bit... lock your webserver in a vault, 2km underground, with triple combinations... post armed guards... lock down all ports except port 80 and SSH/whatever.
Then, have your password stolen, and oh shit, you're compromised. It's not about the OS being insecure, it's about a lost password. NOTHING can protect against this, short of one instance I heard where updates required 3 user passwords (from 3 users), but what a pain that would be.
You cannot achieve perfect security. It is impossible. You can only aim for it.
The Debian project will not only retain their credibility, but I'd suggest they'll improve it by
The Internet's nature is peer to peer - 20050301_cs_profs.pdf
> Is apt-get such a great idea?
Try it once !
I've tried quite many updating tools. I think apt-get is among the very best. The GPG-key checking should be automatic, though.
> Its a great OS, with problems just like anything else.
I haven't ever had security problems with Linux. With some other OS'es several times.
Good point... He should have said any commercial software company that wasn't looking for an excuse to delay release so they could finish the product... ;-)
The source code processes at Microsoft are opaque -- nobody knows exactly who is putting what into the source code.
Actually, nobody _outside Microsoft_ knows who is putting what in the source code, as well it should be. Since (let's assume) Microsoft wrote it, paid for it, and owns it, it is their business how they handle it. I have no doubt that within microsoft they have a coherent source control system, and they are quite careful that nobody can slip in a back door. Of course there's plenty of other bugs that might as well be back doors, but admitting to being hacked would be bad for business, and if they can resolve it internally and no-one is the wiser, i think that's fine.
-S
Correct me if I am wrong, but could this mean that Yellow Dog Linux 3.01 (YDL) is also affected? I got several 404-errors when running apt-get update, hours before I read this message.
"Honey, I feel a certain distance between us..." "Really? A 31ms ping ain't that bad..."
Valve got arse-raped by their proprietary source being widely available on the Internet. If the person or persons who had cracked them open hadn't posted the source, I highly doubt that you would have seen anything. After they had been publicly humiliated, it was a better marketing strategy to go for sympathy.
-30-
There are a number of machines that are accessible to all Debian developers for various reasons. These all run sshd, which is very likely the entry vector used by the attacker
IMHO, this is and has been debian's weakest link. Ssh is used by debian in a whole lot of places where systems which do not entail shell access would have been appropriate. Shell access to a system is not necessary to insert a package into the build system or to push the archive down to the mirrors.
Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
Who needs to be shot on live television and the body burnt.
Gentoo users leik teh penix rorl hahahahahahha jesus christ
Someone's already gotten close enough to pie that smarmy little shit in the face. Next time use a grenade.
Yikes, I'd figure it's the latest infusion of 6/700,000 user accounts, but your number is really low, so I might as well respond to you.
In case you haven't noticed, Slashdot has, and always has had, an editorial bias towards OSS, and against Microsoft. So do the bulk of the Slashdot readership. This is nothing new. This is a geek website, and the plain truth is, most people who call themselves geeks don't just sit blindly clicking away in Windows all the time. We like to play with our toys, we like to experiment, we like to open it up and see what makes this baby tick. With something like Linux, you can do this. With Windows, you can't. Those are simply the facts. So of course people here will look upon OSS in a more favorable light.
Yet today, we have comments such as "hysterical ranting of the Debian wackos" being modded up as Insightful and Interesting? Hello people, that's called flaming. If it was more subtle, as yours is, it's called trolling. Walking into a Britney Spears fan club meeting and shouting "Britney SUCKS!!!" is also an example of trolling/flaming. So when you come to a website with an obvious and open slant towards something, and constantly try to point out that slant...
Well, I guess I just don't see why you're bothering. I mean really. If you really think the OSS community is full of shit, why on Earth do you come to one of their main websites/blogs/message boards/whatever?
As far as a double standard goes, I honestly don't get your point. Slashdot has never had a policy of reporting every single hack of a Windows-based system. However, pretty much every major OSS hole/exploit/hack gets a story here. Considering how many Windows machines there are in the world, you'd think there would be a lot MORE exploiting going on (hey, I'll use the "Linux would get hacked too if it was on 90% of computers" line for a change). And yet, we hear more often about Linux machines being compromised.
Well, except for things like Code Red/Nimda/Slammer/Blaster/etc, which, I'm sorry, but you'd have a hard time convincing me that this DOESN'T prove the case of Microsoft being just slightly less secure than Linux. Or else we'd be seeing Apache worms flooding the Internet on a daily basis, because "Microsoft only gets hacked because it's on 90% of computers", right?
Oh, and for the record, password compromises are OS-independent, and have nothing (read: zero) to do with the OS, design paradigm of the OS, colour of the developer's underwear, or whether we use a penguin or a flying box to represent ourselves. Only trolls would be saying "Ha ha ha! Serves 'em right for running Bill Gates' Satanic OS. Let the jokes begin. Moderators, get ready!" if Microsoft had a machine get hacked because of a password compromise.
Endless arguments over trivial contradictions in books written by ignorant savages to explain thunder in the dark.
This is much worse than one of Microsoft's normal problems. With Microsoft you expect the problems, and therefore you maintain constant vigilance. This is a perfect example of why linux users and admins need to also be wary at all times. As linux becomes more and more mainstream, the number of security holes shown will increase as well. More people will use linux and more "hackers" will then be attracted to developing viruses and worms that exploit the system. Regardless of what anyone thinks about Windows vs. Linux, everyone must admit that part of the reason more security holes are found in Windows is because there are many more people looking for them. My advice to linux users is to drop any pretense of Linux being infallible and to start using the same caution running a linux-based server as you would running a windows-based server.
Until recently, openbsd.org was running on Solaris box(es).
So much for Linux security.
We prefer the term eccentric to wacko's
....
Although
It might make a good name for an os
WhackOS?
Help! help!, the termites are eating my DRAM!!!
When are they going to force everyone to sign the package with GPG and have a warning like ssh when a key has changed when you dist-upgrade?
It's about time will all the server compromised these days...
It's exactly this attitude of the Gentoo developers that keeps me off Gentoo. Every other day it's OMG and STFU and LOLOL and 2K. I'd much rather use a distribution like Fedora, that doesn't contaminate every other tool with smileys and caps lock and what have you. Feels more secure.
(Posted anonymously due to Unpopular Opinion)
Actually, nobody _outside Microsoft_ knows who is putting what in the source code, as well it should be.
While that's a perfectly normal way of doing software business, I'm not sure I'd agree that it is necessarily the way it should be. Having your name associated with something gives you an extra incentive to sweat the quality of it. As long as there was no implied ownership of the code involved, I don't see why there'd be any harm in seeing who contributed what.
So instead of 'shutdown', would the command be 'whackoff'?
-- If you can't laugh at yourself, someone else will do it for you.
In the days before the Pure Food and Drug Act, it was considered "nobody's business" what was in the food we eat, either; you just opened the can and accepted whatever was in there. Times change.
"This is a fact: most people are anti-Linux, not anti-MS."
I'm not convinced. People may appear 'anti-Linux', but I'm not convinced that they really are. You may be right in how 'people' respond to this news, and Windows/IIS security breaches, but that may not be because they are anti-Linux, it may simply be because they hold Linux to higher standards. They may not even expect Windows/IIS to be secure anymore, but hope Linux can save the day.
On a side note, I'm a Debian user, and I really hope that they get to the bottom of this soon and fix the cause of the breach, because I am worried, disappointed and also embarrassed. It's good that they found it within 24 hours, but it's not good that it happened. So I hope they recover quickly, and put things in place to do their best to make sure it doesn't happen again. If this happens more often, then the Windows zealots will have won...
Besides all that, it's not very hard to make a case that actually the reason why most people are not Linux users is not because they are anti-Linux, but because they either don't care, don't know, or are simply pro-MS. Neither of which requires them to be anti-Linux.
There is a lot of don't know/don't care or just plain laziness out there. For people to be pro-Linux, they have to care first, because the easy route is to just do what most other people do, and to use computers/laptops as-is as they arrive from the store where you bought them.
Then, if somebody tells you that you should switch to Linux because it is 'better', or 'more secure', then it is a lot easier to find reasons to say that 'linux sux' and the 'linux zealots are wrong' than it is to throw away all your effort to learn Windows, and to switch to/install, and learn to use Linux. Laziness...
And that is what is happening in this forum amongst the non-Linux users, they are just unwilling to invest the time learn Linux, and want to feel justified in that choice. Hence the bashing...
--- Hindsight is 20/20, but walking backwards is not the answer.
Since (let's assume) Microsoft wrote it, paid for it, and owns it, it is their business how they handle it.
Good point. I am not saying that Microsoft has no rights to keep its source code secret, only that their exercise of those rights has consequences for the trustworthiness of their product. I also fear that Microsoft's interests are not well aligned with the interests of computer users and that opaque code helps them maintain that imbalance.
Microsoft is in the business of selling software -- the more copies they sell and the less they spend on developing that software, the better the company will do financially. One strategy is to be innovative (it costs more) and secure (also costs more) and sell a truly superior product. But a second strategy is to leverage a near-monopolistic position that forces ongoing upgrades (e.g., by refusing to sell more licenses to old versions to expanding businesses), preventing competitors from gaining a toe-hold (by creating proprietary, closed platforms and regulating who gets preferred pricing or access to technical documentation), capturing more of the revenues of add-on functionality (by bundling applications into the operating system) and by pushing for the use of non-backwards-compatible formats and interconnection architectures. I fear that Microsoft is using the second strategy more than the first strategy and that software quality is less important under that strategy.
I have no doubt that within microsoft they have a coherent source control system, and they are quite careful that nobody can slip in a back door.
I'm sure that you are right about this. But such controls only work to a point. They do nothing to prevent coercive changes to the code (i.e., Microsoft acceding to a government demand to add some bit of code). They do nothing to prevent internal saboteurs. Moreover, I also suspect that Microsoft would not let a major launch date slip, even if a last-minute hack were discovered in the finalized code. I suspect they would ship the hacked code, and then release a service pack, but not reveal the true level of vulnerability that its customers faced.
Microsoft has every right to be opaque, and consumers have every right to be sceptical of opaque systems.
Two wrongs don't make a right, but three lefts do.
this had no bearing on Debian's security, save the ability of the developers to keep their passwords in their head instead of on post-its on the monitor, hehe
i sell illegal drugs
Hahaha I posted grandparent to make fun of the Gentoo users and I agree with you, the reasons you said are the same ones I don't use Gentoo, the immature attitude of the developers.
Where is the information about the password leak published? It would be nice if some official statement with that was on the debian.org website.
This is America, damnit. Speak Spanish!
Welcome to debian, the most hackz0red distribution on the planet.
You're absolutely right, and for some reason I hadn't made that little connection in my mind between using GPG keys to sign packages or MD5s and the traditional web of trust.
But there's a problem here from the 'simple consumer' perspective. For the web of trust to really work well, you've got to join it and participate. I don't argue at all that that works well for the developers. But I can see a problem if 'simple consumers' join in.
Simple consumers won't participate well in a web of trust. Joe Sixpak will trust his friend Colin Compu-nerd, without checking on Colin's trust-path. Mike Modem is a friend of Joe and Colin, and trusts them. Before long you have a small pool of trust, completely disconnected from the real web of trust. One or more of those guys chooses to blindly trust some keys off of a website, and the others trust them, too.
To really work well, the web of trust needs members, not clients who feign membership to gain some capability or access. That's why I proposed some sort of key-publisher-with-votes, to allow non-participating clients. Forcing would-be clients to become feigning members weakens the web, too. Allowing them to remain clients allows the web to consist of true members, keeping it strong.
We can't all be Kevin Bacon.
The web of trust graphs are neat, but another neat thing would be an Oracle of Bacon, showing the trust hops that connect me to another person, or list of people.
The living have better things to do than to continue hating the dead.
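Added here as an editor's example, not code from any post in this thread or from the Debian project: the "Oracle of Bacon" over a keyring that the post above asks for, run on a constructed signature graph (placeholder names, not real Debian developers). It follows the direction of signatures with a breadth-first search, so it gives both the shortest trust path between two keys and a table of hop counts, and it makes the earlier web-of-trust point concrete: a pool of people who only sign each other (Joe, Colin and Mike below) stays unreachable from the main ring, which is exactly what a client should check before accepting such a key.

```python
from collections import deque

# Constructed keyring for illustration: (signer, signee) means "signer has
# signed signee's key". The names are placeholders, not real Debian developers.
SIGNATURES = [
    ("alice", "bob"), ("bob", "alice"),
    ("bob", "carol"), ("carol", "bob"),
    ("carol", "dave"), ("dave", "carol"),
    ("dave", "alice"),
    # The "small pool of trust" from the post above: three people who only
    # sign each other and never meet anyone in the main ring.
    ("joe", "colin"), ("colin", "joe"),
    ("colin", "mike"), ("mike", "colin"), ("mike", "joe"),
]


def build_graph(signatures):
    """Adjacency map: key -> set of keys it has signed (outgoing trust edges)."""
    graph = {}
    for signer, signee in signatures:
        graph.setdefault(signer, set()).add(signee)
        graph.setdefault(signee, set())
    return graph


def trust_path(graph, start, target):
    """Shortest signature chain from start to target, or None if unreachable.

    Edges are followed in signing direction: if I trust a key, I can follow
    the signatures it made. The result is a list like ['alice', 'bob', 'carol'].
    """
    if start not in graph or target not in graph:
        return None
    prev = {start: None}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        if cur == target:
            path = []
            while cur is not None:
                path.append(cur)
                cur = prev[cur]
            return path[::-1]
        for nxt in sorted(graph[cur]):  # sorted so paths are deterministic
            if nxt not in prev:
                prev[nxt] = cur
                queue.append(nxt)
    return None


def hop_table(graph, start):
    """'Oracle of Bacon' view: hop count from start to every key in the ring,
    None for keys that no chain of signatures from start reaches."""
    table = {}
    for key in sorted(graph):
        path = trust_path(graph, start, key)
        table[key] = None if path is None else len(path) - 1
    return table


def disconnected_from(graph, start):
    """Keys outside my reachable web. These are the 'feigning members' whose
    signatures my client should not accept, however many of them vouch for
    each other."""
    return sorted(k for k, hops in hop_table(graph, start).items() if hops is None)


if __name__ == "__main__":
    g = build_graph(SIGNATURES)
    print("alice -> dave:", trust_path(g, "alice", "dave"))
    print("alice -> joe :", trust_path(g, "alice", "joe"))
    print("hops from alice:", hop_table(g, "alice"))
    print("unreachable from alice:", disconnected_from(g, "alice"))
```

On a real keyring the same search runs over the output of a tool like the sig2dot graph mentioned earlier; the point of keeping direction is that a key which has collected signatures only from its own pool never acquires a path from the ring, no matter how many mutual signatures the pool contains.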
Why was this moderated overrated?! Overrated is for posts which have gone up to +5 and shouldn't have. Zero is about right for a borderline troll like this; troll or flamebait would have been reasonable, too.
;)
Why the fuck is Slashdot's moderation so broken? Would it really be that difficult to, say, make it so that "overrated" can only be used to reverse positive moderation or cancel a karma bonus? I can't think of a single case in which a post at +1 or below deserves an "overrated" mod - anything that wants to have a lower rating is already covered by "troll", "flamebait", or "offtopic".
Posted anonymously because I know that this one is covered by all three.
.deb files are not signed directly; the only signing that happens is the .changes and .dsc files involved in an upload. (These are the messages you see if you monitor the lists debian-changes or debian-devel-changes) (*)
To verify .deb files with a signature chain going back to private keys on individual developer machines, you'd need a debian-changes or debian-devel-changes archive which you then matched against the md5 listed in the Packages file (and complain like hell if there's a discrepancy). There is to my knowledge no automated tool to do this. (Then there's the issue that even if there were such a tool, you'd likely be completely screwed if you're running one of the architectures served by an automated build daemon and someone cracked the buildd.)
What apt-get does check files against is the md5 sums in the Packages file. The Packages file, however, is only signed at each release. Not helpful in the case of a theoretical archive compromise.
(*) Then there are also security announcements, which are signed and also include package md5sums, but to my knowledge there's no tool for checking them automatically either.
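Added as an editor's example to make the post above concrete; this is not apt's code nor anything from the Debian project. It models the one check apt-get performs (Size and MD5sum from the Packages index against the downloaded .deb) on a constructed sample payload and a minimal Packages stanza, then shows why that check is "not helpful" against an archive compromise: whoever can rewrite the .deb can regenerate the index too, and the check passes again. The only defence in the model is a trust anchor for the index itself; here that is a digest pinned from an out-of-band source (assumed, for the example, to be a signed Release file or signed announcement fetched earlier), standing in for the signature verification a real client would do.

```python
import hashlib
import re

# Constructed sample .deb: arbitrary bytes standing in for foo_1.0_i386.deb.
# Not a real package; only the archive bookkeeping around it is modelled.
SAMPLE_FILENAME = "pool/main/f/foo/foo_1.0_i386.deb"
GOOD_DEB = b"!<arch>\nconstructed sample payload, not a real .deb\n"
# Bytes appended to simulate a package modified on a compromised archive.
TAMPERED_DEB = GOOD_DEB + b"# constructed modification for the example\n"


def packages_stanza(name, version, filename, deb_bytes):
    """One Packages-file stanza as the archive tools would publish it. Real
    stanzas carry many more fields; Size and MD5sum are what apt-get checks."""
    return (
        f"Package: {name}\n"
        f"Version: {version}\n"
        f"Filename: {filename}\n"
        f"Size: {len(deb_bytes)}\n"
        f"MD5sum: {hashlib.md5(deb_bytes).hexdigest()}\n"
    )


def parse_packages(text):
    """Parse blank-line-separated 'Field: value' stanzas, keyed by Filename."""
    index = {}
    for stanza in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in stanza.splitlines():
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        if "Filename" in fields:
            index[fields["Filename"]] = fields
    return index


def check_deb(filename, deb_bytes, packages_text):
    """The check apt-get performs: does the downloaded .deb match the Size
    and MD5sum recorded for it in the Packages index?"""
    entry = parse_packages(packages_text).get(filename)
    if entry is None:
        return False
    if int(entry["Size"]) != len(deb_bytes):
        return False
    return hashlib.md5(deb_bytes).hexdigest() == entry["MD5sum"]


def verify_index(packages_text, pinned_md5):
    """What the md5 check lacks: a trust anchor for the index itself. The
    anchor here is a digest of the Packages file obtained out of band
    (assumed: from a signed Release file or signed announcement fetched
    before the compromise); a real client would verify a GPG signature."""
    return hashlib.md5(packages_text.encode()).hexdigest() == pinned_md5


# The index the archive published before the hypothetical compromise ...
GOOD_PACKAGES = packages_stanza("foo", "1.0", SAMPLE_FILENAME, GOOD_DEB)
# ... the digest a client pinned from a signed source at that time ...
PINNED_INDEX_MD5 = hashlib.md5(GOOD_PACKAGES.encode()).hexdigest()
# ... and the index that anyone who owns the archive can simply regenerate.
TAMPERED_PACKAGES = packages_stanza("foo", "1.0", SAMPLE_FILENAME, TAMPERED_DEB)

if __name__ == "__main__":
    print("good deb, good index    :", check_deb(SAMPLE_FILENAME, GOOD_DEB, GOOD_PACKAGES))
    print("tampered deb, good index:", check_deb(SAMPLE_FILENAME, TAMPERED_DEB, GOOD_PACKAGES))
    print("tampered deb and index  :", check_deb(SAMPLE_FILENAME, TAMPERED_DEB, TAMPERED_PACKAGES))
    print("tampered index vs pin   :", verify_index(TAMPERED_PACKAGES, PINNED_INDEX_MD5))
```

The third line of output is the whole point: a .deb and a Packages file that were both regenerated on the compromised host agree with each other perfectly, so the md5 check catches corruption and partial tampering but not a full archive compromise. Only the pinned digest (or, in practice, a signature made by a key the client already trusts and the archive host never held) flags the regenerated index.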
is that some Debian systems get cracked....
They discover it within 24 hours and no real damage seems to have happened.
Windows gets cracked... huge Fortune 500 companies lose millions of dollars. Russians get access to the NSA's secret back door to Windows (ok I made that up but the NSA could have a backdoor and the Russians could have figured it out in the three months that they had access to the Windows source)
Kudos to the Debian guys for catching this so quickly.
Sorry, but .deb packages are not signed - that is, they contain nothing inside the .deb package which can be used to check a package's integrity.
What is signed are the .changes and .dsc files which are used when the file is uploaded. The only way to verify binary deb packages at the moment is to have an archive of the debian-changes and debian-devel-changes mailing lists to use as a basis for comparison.
Valve got arse-raped by their proprietary source being widely available on the Internet.
No, they lost some credibility and probably a bit of money. I do not recall hearing about any physical violation, and would appreciate it if you didn't cheapen other peoples' suffering by using clumsy and dirty metaphors.
And DDT was an invention once too. That change went well.
For me, it has a valid signature and I fully trust the key.
Employee of Inrupt, Project Release Manager and Community Manager for Solid
Which means the hacker either didn't care about covering his tracks or needed constant access or just wasn't qualified enough to clean up the mess. Good hackers don't work like that. They get in, deploy a bunch of crap, take what they need, clean up and get out. Maybe a month later they announce a "newly discovered" vulnerability. So a couple of five thousand packets in debian _may_ contain unintended code which uses not yet announced vulnerabilities in linux kernel (or in the upcoming 2.6.x). Will anybody do a full code review on the entire codebase now?
The point is, just because it's Linux doesn't mean it's any more secure than Windows. In both cases a decent admin is necessary to fend off the attacks. Not many Linux servers are attacked (except for script kiddies) because attacking them is not (yet) in vogue. Guess what, this is changing. And remove those cron jobs which update your systems. They may be downloading trojans from the compromised distribution servers. Test before you deploy in other words. Or SIGN THE FUCKING CODE like Microsoft does.
It's obviously a metaphor, as Valve (the corporation) does not have an arse. Obviously there was no physical violation. Are you saying that no other trauma can possibly compare to physical violation in terms of the damage done?
You're quite right, but do you expect him to acknowledge that?
;)
Maybe you could phrase it better, though. Call them values - "young" is the value of the variable $AGE, "cool" is the value of the variable $GEEKINESS, and Linux is the value of the variable $OS_OF_CHOICE.
But I'm afraid "facetious" definitely wasn't the right word.
Sir, you appear to have been brainwashed. Please report to your nearest LUG for immediate treatment. Alternatively you may take two Debian CDs and call me in the morning.
Let's see, could be the RIAA, or the MPAA,
or SCO! Maybe even M$!
This shows how utterly naive the "Open Source" community is in regards to how "Commercial" software is developed.
Within Microsoft:
Weekly code reviews by peers & Management.
Weekly bug bashes (going over current, unresolved bugs)
Reviews with Program Managers
Code check-in & check-out that is *significantly* more advanced than the kluge known as CVS.
Total Ownership & Responsibility of your portion of code - including your screw-ups.
Note: This is all firsthand information. If you want info on how I know this, go visit my URL and learn a little about my background.
ScottKin
I don't give a rat's behind about "karma" here or anywhere else. Don't like what I have to say here? Deal with it!
For those of you saying "this shows Linux is just as insecure as Windoze", look before you speak...
It's obvious that M$ knows just how secure linux is...
However, I'd just like to point out that this is a result of social engineering. The only thing this proves is that someone on the debian project doesn't know how to keep their passwords safe...
As for those who are asking for answers...just wait...they are dealing with the problem at hand (cleaning their servers)...you can bet that there will be more than one interview/article on this topic as soon as everything is restored...at least they took time out from what I'm sure has become a pretty eventful day to inform everyone what was going on...
If this was some kind of attempt at a scale-of-economics exercise, it failed miserably.
Microsoft spends HUNDREDS OF MILLIONS OF DOLLARS on Software Development. They have an economic drive to produce superior code. The Open Source "Community" does not. Who has a bigger liability? Who stands to lose BILLIONS of dollars?
If you're a programmer/developer at Microsoft and write crappy code or act as a "saboteur", you're fired - and in the case of the "saboteur" angle, you're arrested and charged with Felony Larceny.
In the "Open Source" community, if you write crappy code you're laughed at, and asked not to contribute code. BIG DEAL. If you're a "saboteur" in the Open Source "commune" (yes, I said "commune") you can't be arrested and charged with anything because by its own definition the "Open Source" projects have no intrinsic value.
There is no economic impetus within the "Open Source" community, so any perceived "worth of work" is imaginary at best and hallucinatory at worst (and it looks like RMS has had at least 5 times his fair share of Hallucinations)
Your comments about "changes to the code" are hilarious - how did the backdoors get into OpenSSH; did they get there on their own?
The world should be vastly more sceptical of a software product that was produced virtually in an ad-hoc manner, and where any yutz who wanted to pass themselves off as a "c0d3r" could contribute code to such an important project than one where Interviews, background checks (including Law Enforcement) and security checks can identify potential troublemakers.
Apparently, no one ever remembers code compromises like those of the OpenSSH backdoor
This post is proof-positive that the Open Source community is run by hapless idiots who have NO concept of the world outside of their parents' basement and are either mentally stuck in writing code like they did in College ("d00d - can I borrow that piece of code??") or pine away for those College days.
This is why all Open Software projects are doomed.
ScottKin
I don't give a rat's behind about "karma" here or anywhere else. Don't like what I have to say here? Deal with it!
I'd like to point out that the systems are still working, and it's only because of good security practices that they know they were compromised.
Windows security flaws cause RPC crashes which by default restarts the computer.
Note, of course, what signed binary packages protect you against: a root compromise of the central servers, or of the local ftp archive that you pull from. What they do not protect you against is a compromise of j. random developer's personal machine.
Now, if you were hired to do evil, which job would you consider the easier one? Break into the highly monitored central server and stay undetected long enough to infect people who download rpms from that server, or break into some developer machine somewhere (many of which are not monitored nearly as carefully as the central servers) and remain undetected long enough for the next minor update of gnome-red-widget-factory to be built and uploaded? Remember, either way you only have to get into one machine, and with one of those methods you have many more targets to choose from...
Whenever signed binary packages (or the less strong version, automatically signed Packages files) are brought up on debian-devel, the desire to implement something ends up stalling with arguments similar to the above. People see little point in putting extra steel-reinforcing on the front door when the back door's still just barely locked.
This shows how utterly naive the "Open Source" community is in regards to how "Commercial" software is developed.
How does my opinion that it would be a plus not to hide the info about who contributed what to commercial software projects show that, exactly? Since I work in that environment I am aware that that information is available internally already.
I mean, I realize you were just going to bust a gut if you didn't present the ideal picture of the commercial software development process for some reason, but couldn't you have at least waited for a post that somehow questioned the existence of that process first? That's usually considered a prerequisite before you get to pull off strike-a-pose openers like "This shows how blah-blah-blah".
As it is you come off like Captain Boilerplate...
Blah blah blah Microsoft blah blah blah Windows sucks blah blah blah ha ha ha it happened to a Linux distro blah blah blah...this has nothing to do with M$, it is an Info Security issue.
man rtfm
karma burn...::inhales deepy::
mmmm now that's smooth flavor.
THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
Yet, hospitals run Linux. A portion of Air Traffic Control runs Linux. Banks run Linux. Investment firms run Linux. Trading companies run Linux. The Military runs Linux. The Department of Homeland Security runs Linux by preference. Oracle pushes Linux as its preferred platform. It doesn't look like you really have a point there. Thank you for playing. Please try again! :)
For every annoying gentoo user, there are three even more annoying anti-gentoo crybabies. Take Yosh from #Gimp for example.
$ curl -sI http://intranet/ | grep Server
Server: Netscape-Enterprise/4.1
THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
there goes debian's security.
But security holes exist, there is no getting around this, no matter how paranoid you are...
trust me..
I am sitting in a Faraday cage right now...I built it in my apartment to keep those pesky NSA spooks from uplinking with the nano-chips they implanted in my brain....
most of us are now implanted...you can't dig them out...i've tried....
Yeah an official statement of what happened would be nice. I could swear I read a substantiated claim somewhere in the thread but it seems to be lost in a sea of other comments now.
If it were Microsoft, they'd be foaming at the mouth.
Right. If a multi-billion dollar corporation who tries everything in their power to force their software down our throats can't do better than a bunch of rag-tag hackers who don't, they deserve to be called out. Now, if they didn't try to cram their stuff down our throats, and they didn't have billions of our dollars in the bank (that were earned questionably), perhaps we'd give them a little slack.
Stupid microsoft, so easy to hack, so many security holes...
oh yea... wait...
never mind.
-n
Hmmm... I guess I wasn't thinking about DDT when I said this. Maybe it was a foolish mistake to leave the Microsoft nest, after all! Software is like sausage: the less we know about how it's made and what's in it, the better.
that the OpenBSD servers were compromised and I'll start to worry. :)
RandomAndInteresting.com defending the world from stupidity since 1979
When you download packages (security updates) from windowsupdate they are integrity checked. I don't know how, but I guess it's the usual signature way (not really into this)
I like your suggestion, that would improve security (I would at least feel it that way)
to this compromise as it occurred on a wednesday of an odd month, and was devised by a malicious user who never even worked at Apple, in the hopes that this would prod Debian users to cross-grade to 10.3...and then buy the PDA that Apple are developing with the help of a homeless guy who has been dumpster diving...and they are not even going to support the 'compromise' on anything before 10.4...CONSPIRACY!!!
;)
or so says CNet
Sorry...
We apologise for the fault in this post. Those responsible have been sacked. -- Signed RICHARD M. NIXON
There is still plenty of room for things in your food and/or drugs that are deemed "none of your business", either because they're in tiny quantity, or because they're in a defined catch-all category like "spices".
And then there are cigarettes.
This didn't really happen, because Linux is so secure it puts Windows to shame!
Manipulate the moderator system! Mod someone as "overrated" today.
Debian sucks, that's the reason for this.
Thanks for following up on this. Your other post went on to describe why signatures haven't caught on.
On the latter point, I can't help thinking that every little helps - take firewalls for example. You can argue that you shouldn't need a firewall if you keep your software up to date and configure the software to only listen and respond to appropriate network requests. Having a firewall as an extra layer may help cover or detect a slip up elsewhere, helping to cut back on a particular type of incident. Signatures on packages could help detect intrusions such as the one that occurred and help automate part of the verification step.
Another argument for signatures could be that the debian servers are simply bigger targets than a debian developer's box. As such they will draw more fire and surely the extra time spent watching the server may be better spent watching developers...
Probably just a weak password...
Steve from Debian Security Audit project says this occurred due to a password goofup so this doesn't necessarily apply here but it easily could have:
Machines as important as these should be running some sort of Mandatory Access Control system like SE Linux. I have done an evaluation of all of the root exploits I could find over the last few years and SE Linux would have prevented every one of them because the MAC system prevents unauthorized privilege escalations. You can test drive my SE Linux box by telnetting (not ssh) to selinux.copilotconsulting.com with user root and password root.
Why do you think that? A while back weren't FreeBSD and Sourceforge hacked by vulnerabilities in SSH(Sourceforge) and the Kernel(FreeBSD)? No 'misconfigurations' there.
It's now been loading for several minutes, so I'm giving up without learning a little of your background.
101% text's console
0% X-Window
If passwords are at fault and sshd was the service that was compromised then get rid of the passwords and use RSA challenge-response authentication.
-==-
Unfortunately, I believe that that's already the case, and has been for as long as I've been a Debian developer. I believe what really happened is that somebody's home account or something was compromised, and they did the stupid passwordless ssh key thing (instructions for which are even on the Debian devel web site!). Even if they didn't use passwordless keys, rootkits with tty-loggers make it pretty easy to sniff a key's password if it's typed over the network.
noah
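The "passwordless ssh key" habit the reply above describes can be audited on a developer box, since an OpenSSH private key file announces whether it is passphrase-protected. The block below is an added example, not part of the thread and not OpenSSH code: a classic PEM key ("-----BEGIN RSA PRIVATE KEY-----", the format of the time) is encrypted only when it carries a "Proc-Type: 4,ENCRYPTED" header, and a key in the later "openssh-key-v1" container (a format OpenSSH added years after this thread) records its cipher name right after the magic string, with "none" meaning no passphrase. The sample keys are constructed header-only stand-ins, not real key material.

```python
"""Report OpenSSH private keys that have no passphrase.

Added example, not part of the thread or of OpenSSH. Only the file header is
inspected; no key material is decoded. All sample keys are constructed."""
import base64
import struct


def _ssh_string(b):
    """Encode bytes as an SSH 'string' (uint32 length prefix + data)."""
    return struct.pack(">I", len(b)) + b


def _build_openssh_v1(cipher):
    """Construct a minimal openssh-key-v1 blob: magic, ciphername, kdfname, kdfoptions."""
    body = (
        b"openssh-key-v1\x00"
        + _ssh_string(cipher)
        + _ssh_string(b"none")
        + _ssh_string(b"")
    )
    b64 = base64.b64encode(body).decode()
    return (
        "-----BEGIN OPENSSH PRIVATE KEY-----\n"
        + b64
        + "\n-----END OPENSSH PRIVATE KEY-----\n"
    )


# Constructed samples (the base64 bodies of the PEM keys are placeholders).
PEM_UNENCRYPTED = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "MIIBOgIBAAJBAKconstructedplaceholderbody\n"
    "-----END RSA PRIVATE KEY-----\n"
)
PEM_ENCRYPTED = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n"
    "\n"
    "MIIBOgIBAAJBAKconstructedplaceholderbody\n"
    "-----END RSA PRIVATE KEY-----\n"
)
OPENSSH_UNENCRYPTED = _build_openssh_v1(b"none")
OPENSSH_ENCRYPTED = _build_openssh_v1(b"aes256-ctr")


def key_is_encrypted(text):
    """True if the private key is passphrase-protected, False if it is not.

    Raises ValueError for input that is not a recognisable private key."""
    lines = text.strip().splitlines()
    if not lines or not lines[0].startswith("-----BEGIN "):
        raise ValueError("not a PEM-armoured private key")
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        body = base64.b64decode("".join(lines[1:-1]))
        magic = b"openssh-key-v1\x00"
        if not body.startswith(magic):
            raise ValueError("bad openssh-key-v1 magic")
        (n,) = struct.unpack(">I", body[len(magic):len(magic) + 4])
        cipher = body[len(magic) + 4:len(magic) + 4 + n]
        return cipher != b"none"
    # Classic PEM: RFC 1421-style headers precede a blank line; an encrypted
    # key carries "Proc-Type: 4,ENCRYPTED" there. Base64 lines contain no ':'.
    headers = []
    for line in lines[1:]:
        if not line.strip() or ":" not in line:
            break
        headers.append(line)
    return any(h.startswith("Proc-Type:") and "ENCRYPTED" in h for h in headers)


def audit_keys(keys):
    """Given {name: key_text}, return the sorted names of keys with no passphrase."""
    return sorted(name for name, text in keys.items() if not key_is_encrypted(text))


if __name__ == "__main__":
    sample = {
        "id_rsa": PEM_UNENCRYPTED,
        "id_rsa_enc": PEM_ENCRYPTED,
        "id_ed25519": OPENSSH_UNENCRYPTED,
        "id_ed25519_enc": OPENSSH_ENCRYPTED,
    }
    for name in audit_keys(sample):
        print(f"{name}: no passphrase")
```

On a real machine you would feed it the contents of each file under ~/.ssh; the check is a hygiene control for the client side of the problem, and it does nothing about the tty-logger scenario in the reply, where the passphrase is captured as it is typed.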
MS Windows crackers don't NEED a hacked-in-the-source backdoor, as there's enough buggy crap already in there that they can find one without a whole lot of trouble. I would find it telling that some crackers out there have apparently found cracking Linux difficult to the point they feel the need to covertly modify the source trees.
The point of such things might be just to try to get some PR to help make the argument that open source is inherently unsecure because there are so many fingers in it, and these attempts NOT really being a sign that hackers can't find ways to get into Linux without a hidden hack...
Though it is kind of interesting that we haven't seen much in the way of mass-exploits of Linux servers, so maybe it is pretty hard to hack without special help...
erm.. i don't believe there is any such evidence (which i would accept) that Gentoo or *bsd would be any more secure than Debian.. OpenBSD can't be compromised is what you're trying to say?.. there does not need to be a "bug" or "unpatched security hole" for a system to be compromised, nor even user error, but i say this doesn't have just its negative sides.. nothing is 100% secure, there's no way to "completely stop" "exploits", surely things like this will make people think "hmm, so maybe i'm not secure" instead of the elitist "yeah i'm secure, try your worst!" attitude.. consider this.. if debian is now not secure, then all linux distros are insecure, because the GNU servers have been previously compromised.... surely we know better than the childish "This is more secure!" "this is better! all other distros are just obsolete" besides.. we don't even know what it was that caused the problem, so i don't think we can comment on it with *any* accuracy at all.
"This day will live in infamy!"
O well...time to apt-get some updates.
Everyone hides it because it's embarrassing for a business.
From my perspective, hiding it is embarrassing for business. A major part of the reason I use Debian is exactly this announcement. I could have guaranteed as a fact that the Debian servers would be compromised, it was just a matter of time. What's important to me is that it's easy to detect when it happens, and that everyone is told about it as soon as it happens.
I have one of my machines which I updated during the compromised period. Now I know that when this investigation is complete, I need to check the details to see if the machine needs treatment.
That's how full disclosure is supposed to work.
So how else am i supposed to smoke the ganga? Cooking with it just tastes nasty, and those nice 18" water pipes have some beautiful artwork.
AC
--- snip here ---
-----BEGIN PGP MESSAGE-----
Version: GnuPG v1.2.3 (GNU/Linux)

owGbwMvMwCR44PyxzWd9eOcyns5PYrDfJ7EiJCOzWAGIEhVKikpLMtJKcxSKUgvy
i0r0uLgi80sVchMrFcoSczJTEktSFUpAi
aflFCsXZFQ4pqUmZiXl6+UXpQCO4gktSy
SLxI+1madnvjbIZVrZu0HcTnzGdY0LBFy
nNTi4sT01MVEtMTM/OKS4CCqQrZqZUK1K5dHW5OuyZWUE27oM5QZDp9w6GBQtO+hFp+fRBXM7HXcYc16Xj5A9DwA=
=xVtr
-----END PGP MESSAGE-----
This is a truthful report.
You may validate this message against the key for skx@debian.org.
Steve
--
he was right :)
i just like to bullshit around now and then
and indeed 'facetious' didn't quite impress me he he
funny isn't it?
:)
*big wide grin*
ah time for another ciggy
A couple of points. First, I very strongly doubt that the machine that Red Hat uses to sign packages and internally archive packages on is anywhere near the machine that exposes packages to the outside world. The worst an attacker could do is make a bunch of packages that would fail signature checks. Note that a malicious RH employee with key access might still be able to sign the package -- not sure what RH policy is WRT this.
A worse hole is the fact that someone could go after the software itself. AFAIK, aside from random folks who might read diffs or CVS, software authors are trusted -- not only not to be malicious, but to keep their Sourceforge accounts secure, etc. If I maintain, say, ftp and a Trojan gets inserted in a clever way, who would notice it immediately? Would RH review a full diff of all changes? Would RH ship it?
Remember the closed-source Borland Interbase that had a backdoor for most of its lifetime. It got fixed once it was open-sourced, but not immediately.
As automated network-based updates become standard, this is a growing problem for the computer world.
May we never see th
Some good questions. However, my question is "Why is Bill Gates allowed to post at Slashdot anyways?".
The truth is NOTHING can be trusted. Humans, computers, public/private keys, crypto, etc. What we all need is GUNS!!! Muh4h4h4h4h4h4!
So if Debian's site had been running Solaris and it got hacked it wouldn't be a big deal?
I think you completely miss the point of this incident...
Actually, I originally thought that the person who began the thread was joking about OpenBSD and Gentoo, tongue in cheek, but a later reply by him seemed to show that he was serious. I used Gentoo for about 6 months, but an update as often as not would break something somewhere. I cannot live with that in a desktop that I use every day, and would fear to put it into real production work where I had to depend on it.
Put identity in the browser.
I think the difference is, with Microsoft's vulnerabilities, hundreds and thousands of sites get affected in one week. Meanwhile one Debian site gets defaced... big deal.
Karma: It's all a bunch of tree-huggin' hippy crap!
Microsoft spends HUNDREDS OF MILLIONS OF DOLLARS on Software Development.
And they get worms.
There is no economic impetus within the "Open Source" community, so any perceived "worth of work" is imaginary at best and hallucinatory at worst
Same could be said of the America's Cup, Grand Prix, etc. Some people just like good code.
Apparently, no one ever remembers code compromises like those of the OpenSSH backdoor
I would far more trust the "trojaned" OpenSSH than the "untrojaned" Passport.
where any yutz who wanted to pass themselves off as a "c0d3r" could contribute code to such an important project than one where Interviews, background checks (including Law Enforcement) and security checks can identify potential troublemakers.
You seem to have an idea that it's easy to get code accepted into anything that matters. It's not.
While you were obviously responding to a troll, here's another food for thought.
Should the Debian project run on software which is exclusively Debian? If diversity is good for security, then shouldn't the Debian project run an OpenBSD server replicating (but not necessarily replacing) the role of a Debian box.
Let's say a cracker found a remote exploit against all Debian stable, gee is the Debian project rooted (pun intended).
Obviously, one can extend this idea within the spirit of the Debian social contract to include an SE-Linux hardened version of Debian, a potato version of Debian, Red Hat Enterprise, FreeBSD as well as multiple different architectures.
You know, an enterprising attacker could just pull the trust network down. Someone with sufficient skill could very easily just work on Debian for five or six months, get trusted, and embed a subtle bug into a remote point.
I mean, we can't find the unintentional ones. What makes you think we could find one chosen for its obscurity?
StoneCypher is Full of BS
Thank you, Bill Gates. We've heard your story, now you can go home. De facto standards indeed...
In the case of the LG drives, these were also fried by some flavours of Gentoo and at least one of SuSE (although not a variety which would normally be exposed to such crappy hardware, it must be said) and some MS-Windows-based CD writer software. So who's at fault? Mandrake? The Linux kernel developers? They all adhered to the standards, LG didn't. More than that, now that the Linux crew know some drives suck they have a kernel blacklist for them Just In Case. One of many kernel blacklists for morons who carelessly make everyone else's lives harder for their own convenience.
Some LG technician needs to be dragged out and fired before he does any more damage. He re-used a well-known FLUSH command to implement firmware uploads (I guess because he didn't want to make a jump table bigger). Bad enough, but the firmware upload command does no parameter checking. It wasn't just a weird extension to the ATAPI standard, it broke the standard.
Think along the lines of re-using the extra bolt length on your radiator fan pulley wheel as a convenient place to mount a spare tyre and what happens when the driver floors it? Better hope that sucker's well balanced. Or consider updating the design of an automatic rifle including removal of the trigger guard and safety catch - who's at fault when it goes off?
He may be the same bloke who got their drives to spit hot, spinning, damaged CD media at people when they were still called Goldstar some years ago. Either way, the drives are repairable on the spot.
- Rotate the master/slave jumper 270 degrees so it crosses the top half of the "SL" and "MA" pin pairs.
- Hold in the Eject button
- Power up the drive
- Upload new firmware without the bug
Meanwhile, back at the standards... your telephone system works because of standards. Your tyres fit your car because of standards. Your CD player fails to shower the inside of your car with burning components because of standards. The vast majority of aeroplanes end their journeys neatly on the apron rather than scattered about the countryside because of standards. When people violate the standards, things break. I don't know why you should be in favour of things breaking. Perhaps it's time to strip your life down to the bare bones and find out what the personality flaw is that could lead you to favour a standard-breaker over a standard-keeper.
Got time? Spend some of it coding or testing
FOR GREAT GOOD.
Got time? Spend some of it coding or testing
How do you know this hasn't happened multiple times at M$ etc, would they tell us, not if they can help it, which adds an extra security issue or two on top doesn't it.
in my life God comes first.... but Linux is pretty high after that
Francis Smit
So how else am i supposed to smoke the ganga? Cooking with it just tastes nasty, and those nice 18" water pipes have some beautiful artwork.
I understand your dilemma. Except for the part about it tasting nasty. The cookies I bake taste just like regular cookies, you wouldn't even be able to tell the difference. Though, I'll admit, if you just take weed butter and put it on some toast, it can taste a little weird.
Here's what I do to make the cookies:
1. Break weed up into small pieces (like you're rolling a joint)
2. Simmer in butter and water for 2 hours. The water is used to prevent the butter from burning. Add just a little water, if it evaporates, add more.
3. After 2 hours, kick up the heat slowly. Eventually, let the water boil away so that you're basically sauteeing the weed in the butter. You don't have to do this for too long.
(An optional step here is to strain out the weed. I don't do this, as I feel you lose some of the goods by doing this. It might be a good idea if you're worried about getting caught with these though, as little specks of weed in your cookies will give you away.)
4. Let butter cool, since you don't want to put hot butter in cookie dough.
5. Make your cookies (or whatever recipe) like you normally would.
6. Eat
7. ???
8. Profit
Also note that the best time to eat it is with a meal. I usually eat one before a meal. The idea is when you eat a full meal, your body is digesting faster than it normally would, so the cookie gets digested faster as well. When I do this, it comes on a little quicker. Though eating it as a snack without eating a meal can be good too, though you may not feel it until later (sometimes 2 hours later). It just really depends on how your digestive system handles it. They are great for movies. Your typical stoner will have sobered up by the end of a 2 hour movie. By eating these things, you can stay high through an entire movie (and even afterwards), even a 3 hour movie like Lord of the Rings.
Enjoy!
Zoot!
Have NONE of you noticed, the attackers got access to an unprivileged account, a USER account. They got root from that! There's obviously a local root exploit in the wild.
It wasn't just an insecure password, but something more serious. Please read before you all post the 'insecure password' issues, it was worse than that...