Slashdot Mirror


Debian Project Servers Compromised

Sean was one of many to pass along the bad news from the debian-announce mailing list: "Some Debian Project machines have been compromised. This is a very unfortunate incident to report about. Some Debian servers were found to have been compromised in the last 24 hours. The archive is not affected by this compromise! In particular the following machines have been affected: 'master' (Bug Tracking System), 'murphy' (mailing lists), 'gluck' (web, cvs), 'klecker' (security, non-us, web search, www-master). Some of these services are currently not available as the machines undergo close inspection. Some services have been moved to other machines (www.debian.org for example). The security archive will be verified from trusted sources before it will become available again." They were going to announce 3.0r2 this morning; they've checked it and it's unaffected but obviously they're still postponing that release.

11 of 666 comments

  1. Re:Not on debian-announce archive by cjwatson · · Score: 5, Informative

    Yes, lists.debian.org runs on one of the compromised machines and is, er, not quite running on all cylinders just at the moment.

  2. Re:Digital Signing of Packages? by stevey · · Score: 5, Informative

    MD5 sums are used for the contents of packages, but packages may only be uploaded and processed by the build system if they're correctly signed.

    So yes it's not trivial to backdoor a package - unless you're already a Debian Developer...
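
A worked illustration of the model stevey describes: the developer signs the upload (the .changes file), and that signed file carries the MD5 sum and size of every package file. This is an added example, not code from the original page or from Debian's own tools (dpkg-dev, the archive scripts). It assumes the OpenPGP signature over the .changes has already been verified against the developer's keyring key (that step is not implemented here), uses the five-column Files: layout of the .changes format of the time (md5sum, size, section, priority, filename), and all file names and contents are constructed placeholders.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class FileEntry:
    """One line of a .changes Files: field (2003-era five-column layout)."""
    md5: str
    size: int
    section: str
    priority: str
    name: str


def build_files_field(store: Dict[str, bytes],
                      section: str = "admin",
                      priority: str = "optional") -> str:
    """Produce the Files: field the developer would sign for this upload."""
    lines = ["Files:"]
    for name, data in sorted(store.items()):
        lines.append(f" {hashlib.md5(data).hexdigest()} {len(data)} "
                     f"{section} {priority} {name}")
    return "\n".join(lines) + "\n"


def parse_files_field(field: str) -> List[FileEntry]:
    """Parse a Files: field; every continuation line has exactly five columns."""
    entries = []
    for raw in field.splitlines():
        line = raw.strip()
        if not line or line == "Files:":
            continue
        parts = line.split()
        if len(parts) != 5:
            raise ValueError(f"malformed Files: line: {line!r}")
        md5, size, section, priority, name = parts
        if len(md5) != 32 or any(c not in "0123456789abcdefABCDEF" for c in md5):
            raise ValueError(f"bad md5 in Files: line: {line!r}")
        entries.append(FileEntry(md5.lower(), int(size), section, priority, name))
    return entries


def verify_files(entries: List[FileEntry],
                 store: Dict[str, bytes]) -> Dict[str, str]:
    """Check each listed file against what the mirror actually serves.

    Returns a status per file name: ok, missing, size-mismatch, md5-mismatch,
    or unlisted (present on the mirror but absent from the signed list).
    The size check is cheap and catches truncation before hashing anything.
    """
    status: Dict[str, str] = {}
    for e in entries:
        data = store.get(e.name)
        if data is None:
            status[e.name] = "missing"
        elif len(data) != e.size:
            status[e.name] = "size-mismatch"
        elif hashlib.md5(data).hexdigest() != e.md5:
            status[e.name] = "md5-mismatch"
        else:
            status[e.name] = "ok"
    for name in store:
        status.setdefault(name, "unlisted")
    return status


# Constructed upload: what the developer signed.  Contents are placeholders,
# not real Debian package data.
SIGNED_UPLOAD = {
    "foo_1.0-1.dsc": b"Format: 1.0\nSource: foo\nVersion: 1.0-1\n",
    "foo_1.0.orig.tar.gz": b"<constructed orig tarball bytes>",
    "foo_1.0-1_i386.deb": b"<constructed deb bytes, build 1>",
}

# Constructed mirror state after tampering: one file altered in place with the
# same length, one truncated, one dropped, one added that was never signed for.
TAMPERED_MIRROR = {
    "foo_1.0-1.dsc": b"Format: 1.0\nSource: foo\n",
    "foo_1.0-1_i386.deb": b"<constructed deb bytes, build 2>",
    "foo_1.0-1_i386.udeb": b"<constructed unsigned extra file>",
}


def check_mirror(signed_files_field: str,
                 mirror: Dict[str, bytes]) -> Dict[str, str]:
    # Assumption: the OpenPGP signature over the .changes carrying this field
    # has already been verified against the developer's keyring key.
    return verify_files(parse_files_field(signed_files_field), mirror)


if __name__ == "__main__":
    field = build_files_field(SIGNED_UPLOAD)
    print(field)
    for name, result in sorted(check_mirror(field, TAMPERED_MIRROR).items()):
        print(f"{result:14} {name}")
```

The sums are only as trustworthy as the signature over the file that lists them; an unsigned MD5 list on a compromised mirror proves nothing, which is why the archive's authenticity rests on the developer signature and not on the hashes alone. (MD5 has since been shown to be collision-prone, and later .changes files carry SHA-256 sums alongside the MD5 column.)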

  3. Re:Not on debian-announce archive by jamie · · Score: 4, Informative
    As other readers have pointed out, that machine was apparently affected.

    I got the email too, and I checked its Received: headers against a debian-announce message in my mail archives from about a year ago. They both came from the same source. So there's no way this is a hoax ...unless the murphy.debian.org machine that emailed it to me is compromised, in which case it's not an inaccurate hoax :/
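
The header comparison jamie describes, as an added example that is not code from the thread: for each message, take the Received: line written by your own mail server, read which host handed the message over, and compare that across messages. It uses only Python's standard email module. The three messages, the server name mx.example.net, the queue ids and the 192.0.2.x and 198.51.100.x addresses are constructed (documentation address ranges); only the host name murphy.debian.org comes from the page.

```python
import email
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# "from <host> (<info>) by <host>" as written by most MTAs.  The parenthesised
# part is what the receiving MTA recorded about the peer (reverse DNS, address).
HOP_RE = re.compile(r"\bfrom\s+(\S+)\s*(?:\(([^)]*)\))?\s+by\s+(\S+)")


@dataclass
class Hop:
    from_host: str   # what the sending side called itself (HELO name)
    from_info: str   # what the receiving MTA observed about the peer
    by_host: str     # the MTA that wrote this Received: line


def received_hops(raw_message: str) -> List[Hop]:
    """Parse Received: lines, newest first (the order they appear in the header)."""
    msg = email.message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(str(value).split())   # unfold continuation lines
        m = HOP_RE.search(flat)
        if m:
            hops.append(Hop(m.group(1).rstrip(";,"),
                            m.group(2) or "",
                            m.group(3).rstrip(";,")))
    return hops


def delivering_host(raw_message: str, own_hosts) -> Optional[Tuple[str, str]]:
    """Return (from_host, from_info) of the hop that handed the mail to one of
    your own servers.  Only that line was written by a machine you control;
    every Received: line below it was supplied by the sender and can say
    anything, so it is deliberately not used for the comparison."""
    for hop in received_hops(raw_message):
        if hop.by_host.lower() in own_hosts:
            return hop.from_host.lower(), hop.from_info
    return None


def same_origin(raw_a: str, raw_b: str, own_hosts) -> bool:
    """True when both messages were handed to your server by the same peer."""
    a = delivering_host(raw_a, own_hosts)
    b = delivering_host(raw_b, own_hosts)
    return a is not None and b is not None and a == b


OWN_HOSTS = {"mx.example.net"}   # constructed: your own MX

# Constructed: a debian-announce message from a year earlier, kept in the archive.
OLD_MESSAGE = """\
Received: from murphy.debian.org (murphy.debian.org [192.0.2.10])
    by mx.example.net (Postfix) with ESMTP id 7F2A1C
    for <jamie@example.net>; Thu, 14 Nov 2002 10:00:00 -0500
Received: from localhost (localhost [127.0.0.1])
    by murphy.debian.org (Postfix) with ESMTP id 1B3C9A;
    Thu, 14 Nov 2002 09:59:58 -0500
From: debian-announce@lists.debian.org
Subject: [constructed] earlier announcement

(body)
"""

# Constructed: today's announcement, delivered by the same machine.
NEW_MESSAGE = """\
Received: from murphy.debian.org (murphy.debian.org [192.0.2.10])
    by mx.example.net (Postfix) with ESMTP id 9D4E02
    for <jamie@example.net>; Fri, 21 Nov 2003 09:01:12 -0500
Received: from localhost (localhost [127.0.0.1])
    by murphy.debian.org (Postfix) with ESMTP id 5A77B1;
    Fri, 21 Nov 2003 09:01:10 -0500
From: debian-announce@lists.debian.org
Subject: Some Debian Project machines have been compromised

(body)
"""

# Constructed: a hoax that copies the lower Received: line verbatim but was
# in fact handed to mx.example.net by a different machine.
HOAX_MESSAGE = """\
Received: from mail.hoax.example (unknown [198.51.100.7])
    by mx.example.net (Postfix) with ESMTP id C0FFEE
    for <jamie@example.net>; Fri, 21 Nov 2003 09:30:00 -0500
Received: from localhost (localhost [127.0.0.1])
    by murphy.debian.org (Postfix) with ESMTP id 5A77B1;
    Fri, 21 Nov 2003 09:01:10 -0500
From: debian-announce@lists.debian.org
Subject: Some Debian Project machines have been compromised

(body)
"""

if __name__ == "__main__":
    print("old vs new :", same_origin(OLD_MESSAGE, NEW_MESSAGE, OWN_HOSTS))
    print("old vs hoax:", same_origin(OLD_MESSAGE, HOAX_MESSAGE, OWN_HOSTS))
```

This establishes only that the same peer delivered both messages, which is exactly the limit jamie notes: if that peer is itself compromised, the headers are consistent and the content is still untrustworthy. The signed message in a later comment is the stronger check, since it ties the text to a key rather than to a delivery path.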

  4. Re:How in the world... by stevey · · Score: 5, Informative

    Yes, Debian's machines run Debian; this break-in wasn't anything to do with the software installed upon the box, as it was due to a password compromise.

    If anything it's more embarrassing that somebody lost their password than that the software wasn't up to date.

  5. Re:Where's the confirmation from debian people? by tfheen · · Score: 5, Informative

    At least cjwatson and myself are Debian developers. I wish I could say it's a hoax, but it's not. However, as you've already read: the archive doesn't seem to be compromised at all.

  6. Re:Signatures? by Fembot · · Score: 4, Informative

    Yep, GPG signed... the public keys of all the developers are available on http://keyring.debian.org normally, and it still appears to be up anyway. There is also a Debian package which contains all the keys too.

  7. Re:Where's the confirmation from debian people? by stevey · · Score: 5, Informative

    --- snip here ---
    This is a truthful report.

    You may validate this message against the key for skx@debian.org.

    Steve
    --
    -----BEGIN PGP MESSAGE-----
    Version: GnuPG v1.2.3 (GNU/Linux)

    owGbwMvMwCR44PyxzWd9eOcyns5PYrDfJ7EiJCOzWAGIEhVKikpLMtJKcxSKUgvy
    i0r0uLgi80sVchMrFcoSczJTEktSFUpAinNTi4sT01MVEtMTM/OKS4CCqQrZqZUK
    aflFCsXZFQ4pqUmZiXl6+UXpQCO4gktSy1K5dHW5OuyZWUE27oM5QZDp9w6GBQtO
    SLxI+1madnvjbIZVrZu0HcTnzGdY0LBFy+hFp+fRBXM7HXcYc16Xj5A9DwA=
    =xVtr
    -----END PGP MESSAGE-----

  8. Nobody's asking you to trust the keyserver by psamuels · · Score: 5, Informative
    Then the next point of failure becomes the keyservers. How do you know you imported a good key, and that the keyserver hadn't been compromised when you did it?

    PGP keyservers (unlike, say, Kerberos KDCs) are completely untrusted. Anyone can upload any key to a keyserver. And downloading a key from a keyserver implies nothing about that key.

    To verify that you have a valid key, you have to rely on the web of trust. Basically, if a key is signed by someone whose key is signed by someone [recurse through however many levels you are comfortable with] whose key you have personally inspected, then the key can be assigned a trust metric based on how reliable you consider that chain of signatures to be. (Basically, how much you trust the integrity and acuity of the people controlling the chain of signatures.)

    PGP and GnuPG have supported this infrastructure from Day 1. Asking people to trust an arbitrary third-party public keyserver was never in the plans.

    --
    "How can you claim that you are anti-crack, while still writing a window manager?" — Metacity README
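
The trust computation psamuels outlines, as an added example that is neither code from the thread nor GnuPG's implementation: a simplified version of GnuPG's classic trust model with its default thresholds (a key is valid once one fully trusted valid key or three marginally trusted valid keys have signed it, along a chain of at most five hops from a key you hold as ultimately trusted). Key names, the signatures between them and the ownertrust assignments are constructed; they stand in for what you would pull from a keyserver plus what you set locally.

```python
from typing import Dict, Iterable, Set

# Ownertrust is a local decision: how far *you* trust a key holder to certify
# other people's keys.  It is never fetched from a keyserver.
ULTIMATE, FULL, MARGINAL, UNKNOWN = "ultimate", "full", "marginal", "unknown"


def compute_validity(keys: Iterable[str],
                     certs: Dict[str, Set[str]],
                     ownertrust: Dict[str, str],
                     marginals_needed: int = 3,
                     completes_needed: int = 1,
                     max_depth: int = 5) -> Set[str]:
    """Return the set of keys considered valid (simplified GnuPG classic model).

    certs maps a key id to the set of key ids that have certified (signed) it.
    A key becomes valid when, among the *already valid* keys that signed it,
    at least `completes_needed` are fully/ultimately trusted or at least
    `marginals_needed` are marginally trusted.  Each round extends the chains
    by one hop, so the iteration count bounds chain length the way GnuPG's
    --max-cert-depth does (an approximation of its per-path bookkeeping).
    Self-signatures never count: anyone can sign their own key.
    """
    keys = set(keys)
    valid = {k for k in keys if ownertrust.get(k) == ULTIMATE}
    for _ in range(max_depth):
        newly_valid = set()
        for key in keys - valid:
            full = marginal = 0
            for signer in certs.get(key, set()):
                if signer == key or signer not in valid:
                    continue            # signatures by invalid keys are noise
                trust = ownertrust.get(signer, UNKNOWN)
                if trust in (ULTIMATE, FULL):
                    full += 1
                elif trust == MARGINAL:
                    marginal += 1
            if full >= completes_needed or marginal >= marginals_needed:
                newly_valid.add(key)
        if not newly_valid:
            break
        valid |= newly_valid
    return valid


# Constructed key ids and ownertrust settings for illustration.
OWNERTRUST = {
    "me": ULTIMATE,      # my own key
    "alice": FULL,       # I trust alice to check identities carefully
    "bob": MARGINAL,
    "carol": MARGINAL,
    "dave": MARGINAL,
}

# key -> keys that have signed it.  All of this could have come from an
# untrusted keyserver; what matters is whether a chain reaches my key.
CERTS = {
    "alice":   {"me", "alice"},
    "bob":     {"me", "bob"},
    "carol":   {"me", "carol"},
    "dave":    {"me", "dave"},
    "eve":     {"alice", "eve"},                 # one fully trusted signer
    "frank":   {"bob", "carol", "frank"},        # only two marginal signers
    "grace":   {"bob", "carol", "dave", "grace"},  # three marginal signers
    "mallory": {"mallory", "zed"},               # uploaded with a mutual
    "zed":     {"zed", "mallory"},               # signature: no path to me
}
KEYS = set(OWNERTRUST) | set(CERTS)


def example_validity(max_depth: int = 5) -> Set[str]:
    return compute_validity(KEYS, CERTS, OWNERTRUST, max_depth=max_depth)


if __name__ == "__main__":
    for key in sorted(KEYS):
        print(f"{key:8} {'valid' if key in example_validity() else 'unknown'}")
```

The mallory/zed pair is the keyserver point made above: both keys carry signatures, but nothing links them to a key you have inspected, so they stay unknown no matter how they were fetched. Lowering max_depth shows why the depth limit exists: with one hop only the keys you signed yourself are valid.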
  9. Re:Honestly... by spektr · · Score: 4, Informative

    I hate to say it, but Microsoft's haven't been compromised, and they're the bigger target.

    Not true.

    Everyone here knows if windowsupdate.microsoft.com had been compromised, people would be droning on about how it's some sort of illustration of Microsoft's security.

    Their update server wasn't compromised, but the Debian archive also wasn't compromised in this case. But, yes, we have to work harder to make our servers secure. And we will never reach the point where our systems will be invulnerable. So what is your point? You complain that there aren't enough anti-OSS trolls here?

  10. Re:...not the archive. by GammaTau · · Score: 4, Informative

    How does this change the fact that Debian is just not good enough, and has compromised thousands of machines across the globe? Sheesh, the denial... This is just like the Mandrake frying standard PC hardware story.

    As far as I understand, no machines apart from the several Debian computers have been compromised. Compromising a machine that hosts the central Debian APT repositories is a perfect opportunity for backdooring thousands of machines. In this case, that didn't happen. "Thousands of machines across the globe" have not been compromised. I guess it's only good luck, but Debian users were not affected by this security breach.

  11. Re:Where's the confirmation from debian people? by frenetic3 · · Score: 5, Informative
    Not to be pedantic, but the signature actually does contain a date:
    gpg: Signature made 11/21/03 08:53:02 using DSA key ID CD4C0D9D
    -fren
    --
    "Where are we going, and why am I in this handbasket?"