Slashdot Mirror


Debian Project Servers Compromised

Sean was one of many to pass along the bad news from the debian-announce mailing list: "Some Debian Project machines have been compromised. This is a very unfortunate incident to report about. Some Debian servers were found to have been compromised in the last 24 hours. The archive is not affected by this compromise! In particular the following machines have been affected: 'master' (Bug Tracking System), 'murphy' (mailing lists), 'gluck' (web, cvs), 'klecker' (security, non-us, web search, www-master). Some of these services are currently not available as the machines undergo close inspection. Some services have been moved to other machines (www.debian.org for example). The security archive will be verified from trusted sources before it will become available again." They were going to announce 3.0r2 this morning; they've checked it and it's unaffected but obviously they're still postponing that release.

13 of 666 comments

  1. SCRUBS!!! by Anonymous Coward · Score: -1, Flamebait

    I don't want no fuckin' scrubs. Your mommie is a scrub and your daddie is a crum-bumb!

  2. Running Debian-Stable? by Anonymous Coward · Score: -1, Flamebait

    And this because they should be running only "proven software". (Read: Old crap).

    I wonder if someone really believes that Debian makes the stable releases for stability and security rather than incapacity of releasing and supporting an up to date system.

  3. Windowsupdate.microsoft.com by Anonymous Coward · Score: -1, Flamebait

    Never gets compromised. Take that, hippies.

  4. Re:apt by Anonymous Coward · Score: -1, Flamebait

    Wow, you noticed.

    But then, all it ever required was someone to compromise any Debian Developer's sign+upload machine and do something subtle enough that it got into testing. Or worse, unstable, if you're stupid enough to run that.

  5. If this were Microsoft... by mr.+mulder · Score: -1, Flamebait

    ...the world would have jumped onto the anti-MS bandwagon proclaiming bug-stricken software and the lack of security attentiveness. Instead, this is Open Source...let's just slap their wrists and shrug it off again...

  6. Re:How in the world... by BESTouff · Score: -1, Flamebait

    All Debian servers run W2K3 (to avoid SCO licence costs) regularly patched with Windows Update, so they should be totally immune to h4k3rZ. IMHO the problem comes from their inhouse perl scripts running on top of IIS. That's what you get for not using professionally developed software.

  7. Re:Linux is dying... by bonch · Score: -1, Flamebait

    Slashdot ran an article a while back linking to a study that showed that Linux is the most compromised operating system on the Internet.

    Just saying, even Slashdot reported on it.

  8. Re:Grumble, grumble by Anonymous Coward · Score: -1, Flamebait

    The difference is that Microsoft products are known to be as insecure as products can get. The Microsoft patch system is horrid, and the point of the Microsoft breaks was to show that even Microsoft's own web admins didn't patch their own servers.

    Apache on Linux (I assume this is what Debian was using, I didn't bother to check) on the other hand is thought to be secure. For it to get hacked, it's news. Probably in a week or two, the Debian team will come back and tell everybody exactly how and why it happened. Microsoft doesn't even always tell you why they want you to patch your computer.

    but if I'm Joe CTO and looking at purchasing some 'puters, I'm thinking to myself, hey, what's up with this, they told me that M$ stuff sucked and this Linux stuff was secure.

    I imagine the average Joe CTO knows exactly what the situation is. This just means that you're dumber than the average CTO.

  9. GREAT WORK OF FICTION! by Anonymous Coward · Score: -1, Flamebait

    I mean, it must be, right? Linux is secure and rock-solid and invulnerable to attack! Especially Debian, they spend so much time on their distro. So, there's no way this could possibly be a true story.

    Your days are numbered fuckers. We're tired of hearing you tout your superiority. As we increase our attacks, the world will see through your lies. The world will stop even considering Linux an alternative. It will die.

  10. Why Gentoo is Better by BigJimSlade · Score: 0, Flamebait

    Obviously this ends the debate as to why Gentoo is obviously better than Debian. The compromised packages probably wouldn't even be finished compiling by the time the compromise was discovered.

    (I run Gentoo on my laptop... don't flame me either way)

  11. Re:That explains by floodo1 · Score: -1, Flamebait

    yeah well lick his balls cuz his obvious statement was the answer that I had been looking for as to why my apt-get was funky as well!

    --
    I KUT J00 M4NG!!!

  12. Re:Would Microsoft announce that it was compromise by ScottKin · Score: 0, Flamebait

    If this was some kind of attempt at a scale-of-economics exercise, it failed miserably.

    Microsoft spends HUNDREDS OF MILLIONS OF DOLLARS on Software Development. They have an economic drive to produce superior code. The Open Source "Community" does not. Who has a bigger liability? Who stands to lose BILLIONS of dollars?

    If you're a programmer/developer at Microsoft and write crappy code or act as a "saboteur", you're fired - and in the case of the "saboteur" angle, you're arrested and charged with Felony Larceny.

    In the "Open Source" community, if you write crappy code you're laughed at, and asked not to contribute code. BIG DEAL. If you're a "saboteur" in the Open Source "commune" (yes, I said "commune") you can't be arrested and charged with anything because by its own definition the "Open Source" projects have no intrinsic value.

    There is no economic impetus within the "Open Source" community, so any perceived "worth of work" is imaginary at best and hallucinatory at worst (and it looks like RMS has had at least 5 times his fair share of Hallucinations).

    Your comments about "changes to the code" are hilarious - how did the backdoors get into OpenSSH; did they get there on their own?

    The world should be vastly more sceptical of a software product that was produced virtually in an ad-hoc manner, and where any yutz who wanted to pass themselves off as a "c0d3r" could contribute code to such an important project than one where Interviews, background checks (including Law Enforcement) and security checks can identify potential troublemakers.

    Apparently, no one ever remembers code compromises like those of the OpenSSH backdoor

    This post is proof-positive that the Open Source community is run by hapless idiots who have NO concept of the world outside of their parent's basement and are either mentally stuck in writing code like they did in College ("d00d - can I borrow that piece of code??") or pine-away for those College days.

    This is why all Open Software projects are doomed.

    ScottKin

    --
    I don't give a rat's behind about "karma" here or anywhere else. Don't like what I have to say here? Deal with it!

  13. This didn't happen by t0ny · Score: 0, Flamebait

    This didn't really happen, because Linux is so secure it puts Windows to shame!

    --

    Manipulate the moderator system! Mod someone as "overrated" today.