Slashdot Mirror

← Back to Stories (view on slashdot.org)

Debian Project Servers Compromised

Posted by jamie on from the batten-down-hatches dept.

Sean was one of many to pass along the bad news from the debian-announce mailing list: "Some Debian Project machines have been compromised. This is a very unfortunate incident to report about. Some Debian servers were found to have been compromised in the last 24 hours. The archive is not affected by this compromise! In particular the following machines have been affected: 'master' (Bug Tracking System), 'murphy' (mailing lists), 'gluck' (web, cvs), 'klecker' (security, non-us, web search, www-master). Some of these services are currently not available as the machines undergo close inspection. Some services have been moved to other machines (www.debian.org for example). The security archive will be verified from trusted sources before it will become available again." They were going to announce 3.0r2 this morning; they've checked it and it's unaffected but obviously they're still postponing that release.

18 of 666 comments (clear)

  1. Not on debian-announce archive by Anonymous Coward · · Score: 3, Informative

    The debian-announce archive [ http://lists.debian.org/debian-announce/debian-ann ounce-2003/threads.html ] doesn't list this message. Of course with the number of machines affected it's possible that the mailing list archive is somehow affected.

    -JohnF

    1. Re:Not on debian-announce archive by cjwatson · · Score: 5, Informative

      Yes, lists.debian.org runs on one of the compromised machines and is, er, not quite running on all cylinders just at the moment.

    2. Re:Not on debian-announce archive by jamie · · Score: 4, Informative
      As other readers have pointed out, that machine was apparently affected.

      I got the email too, and I checked its Received: headers against a debian-announce message in my mail archives from about a year ago. They both came from the same source. So there's no way this is a hoax ...unless the murphy.debian.org machine that emailed it to me is compromised, in which case it's not an inaccurate hoax :/

  2. That explains by jav1231 · · Score: 3, Informative

    Why my apt-get was failing from people.debian.org last nite. Not to mention why debian.org was down. :(

  3. Re:Digital Signing of Packages? by stevey · · Score: 5, Informative

    MD5 sums are used for the contents of packages, but packages may only be uploaded and processed by the build system if they're correctly signed.

    So yes it's not trivial to backdoor a package - unless you're already a Debian Developer...

  4. Re:apt by tfheen · · Score: 3, Informative

    Which is why using something similar to ajt's apt-check-sigs. (google cache, since people.d.o is down.)

  5. Re:apt by psamuels · · Score: 3, Informative
    Of course this raises the whole issue of apt-get.

    Indeed, that's one of the few areas where the Debian Project has lagged behind other distribution vendors technically - cryptographic signature verification for packages.

    This infrastructure has been kind of long in coming, but as of a few months ago, you can now verify Debian package signatures with debsig-verify. Might I suggest everyone install and use that?

    --
    "How can you claim that you are anti-crack, while still writing a window manager?" — Metacity README
  6. Re:Running Debian-Stable? by wouterke · · Score: 3, Informative

    Security is much much more than "just keeping your system up-to-date".

    - accounts can be compromised
    - unknown bugs may have been exploited (although that's unlikely in this particular case)
    - crackers could have been cracking a developer's system, and using information they find on that developer's hard disk (ssh key, gpg key, ...) to log in to one of the servers
    - also of importance in general is the competence of the administrators (which surely is *not* at the cause of the problem here).

    Of course these systems are running debian stable; but that's most likely not the problem.

  7. Re:How in the world... by stevey · · Score: 5, Informative

    Yes Debian's machines run Debian, this breakin wasn't anything to do with the software installed upon the box, as it was due to a password compromise.

    If anything it's more embaressing that somebody lost their password than that the software wasn't up to date.

  8. Re:Where's the confirmation from debian people? by tfheen · · Score: 5, Informative

    At least cjwatson and myself are Debian developers. I wish I could say it's a hoax, but it's not. However, as you've already read: the archive doesn't seem to be compromised at all.

  9. Re:Signatures? by Fembot · · Score: 4, Informative

    yep, GPG signed... the public keys of all the developers are avalible on http://keyring.debian.org normaly, and it still appears to be up anyway. There is also a debian package which contains all the keys too

  10. Re:Where's the confirmation from debian people? by stevey · · Score: 5, Informative

    --- snip here ---
    This is a truthful report.

    You may validate this message against the key for skx@debian.org.

    Steve
    --
    -----BEGIN PGP MESSAGE-----
    Version: GnuPG v1.2.3 (GNU/Linux)

    owGbwMvMwCR44PyxzWd9eOcyns5PYrDfJ7EiJCOzWAGIEhVK ik pLMtJKcxSKUgvy
    i0r0uLgi80sVchMrFcoSczJTEktSFUpAin NTi4sT01MVEtMTM/ OKS4CCqQrZqZUK
    aflFCsXZFQ4pqUmZiXl6+UXpQCO4gktSy1 K5dHW5OuyZWUE27o M5QZDp9w6GBQtO
    SLxI+1madnvjbIZVrZu0HcTnzGdY0LBFy+ hFp+fRBXM7HXcYc1 6Xj5A9DwA=
    =xVtr
    -----END PGP MESSAGE-----

  11. Re:Has a Microsoft release ever been compromised? by jamie · · Score: 3, Informative
    "a Microsoft release has never been delayed because one of their servers were compromised."

    I don't know if this delayed a release, but -- in October 2000, the news broke that Microsoft's internal network had been cracked for three months.

    (Debian made this announcement in 24 hours.)

    Read for yourself:

    Microsoft Cracked

    ...the Wall Street Journal article which apparently broke the news - it's the most complete. What's known - the passwords were being sent to St. Petersburg, Russia. They probably had access for about three months.

    "LONDON (CNNfn) - Hackers gained access to some of Microsoft Corp.'s essential product secrets, the world's most powerful technology company said Friday, acknowledging a security breach that is a major embarrassment for the software company..."

    "The Wall Street Journal said security employees had discovered that passwords used to transfer the source code behind Microsoft's software were being sent from the company's computer network in Redmond, Washington, to an e-mail account in St. Petersburg, Russia. Microsoft said it was making sure hackers could not use the stolen source code to change commercial software used by businesses, governments and consumers."

  12. Nobody's asking you to trust the keyserver by psamuels · · Score: 5, Informative
    Then the next point of failure becomes the keyservers. How do you know you imported a good key, and that the keyserver hadn't been compromised when you did it?

    PGP keyservers (unlike, say, Kerberos KDCs) are completely untrusted. Anyone can upload any key to a keyserver. And downloading a key from a keyserver implies nothing about that key.

    To verify that you have a valid key, you have to rely on the web of trust. Basically, if a key is signed by someone whose key is signed by someone [recurse through however many levels you are comfortable with] whose key you have personally inspected, then the key can be assigned a trust metric based on how reliable you consider that chain of signatures to be. (Basically, how much you trust the integrity and acuity of the people controlling the chain of signatures.)

    PGP and GnuPG have supported this infrastructure from Day 1. Asking people to trust an arbitrary third-party public keyserver was never in the plans.

    --
    "How can you claim that you are anti-crack, while still writing a window manager?" — Metacity README
  13. Re:Honestly... by spektr · · Score: 4, Informative

    I hate to say it, but Microsoft's haven't been compromised, and they're the bigger target.

    Not true.

    Everyone here knows if windowsupdate.microsoft.com had been compromised, people would be droning on about how it's some sort of illustration of Microsoft's security.

    Their update server wasn't compromised, but the debian archive also wasn't compromised in this case. But, yes, we have to work harder to make our servers secure. And we will never reach the point were our systems will be unvulnerable. So what is your point? You complain that there aren't enough anti-oss-trolls here?

  14. Re:...not the archive. by GammaTau · · Score: 4, Informative

    How does this change the fact that Debian is just not good enough, and has compromised thousands of machines across the globe? Sheesh, the denial... This is just like the Mandrake frying standard PC hardware story.

    As far as I understand, no machines apart from the several Debian computers have been compromised. Compromising a machine that hosts the central Debian APT repositories is a perfect opportunity for backdooring thousands of machines In this case, that didn't happen. "Thousands of machines across the globe" have not been compromised. I guess it's only good luck but Debian users were not affected by this security breach.

  15. Re:Where's the confirmation from debian people? by frenetic3 · · Score: 5, Informative
    Not to be pedantic, but the signature actually does contain a date:
    gpg: Signature made 11/21/03 08:53:02 using DSA key ID CD4C0D9D
    -fren
    --
    "Where are we going, and why am I in this handbasket?"
  16. Re:Sign, sign, sign, sign. by jemfinch · · Score: 3, Informative

    Redhat, +1, Already doing it. -1, not failing to install if the packages don't verify.

    Which is exactly the state in Debian, too.

    Jeremy

    --
    Looking for a Python IRC bot?