Debian Project Servers Compromised

Sean was one of many to pass along the bad news from the debian-announce mailing list: "Some Debian Project machines have been compromised. This is a very unfortunate incident to report about. Some Debian servers were found to have been compromised in the last 24 hours. The archive is not affected by this compromise! In particular the following machines have been affected: 'master' (Bug Tracking System), 'murphy' (mailing lists), 'gluck' (web, cvs), 'klecker' (security, non-us, web search, www-master). Some of these services are currently not available as the machines undergo close inspection. Some services have been moved to other machines (www.debian.org for example). The security archive will be verified from trusted sources before it will become available again." They were going to announce 3.0r2 this morning; they've checked it and it's unaffected but obviously they're still postponing that release.

Those slackers!

[prisoner-of-enigma]

Here we have yet another example of how Microsoft's shoddy programming is causing no end of trouble. Microsoft's products are well known throughout the world to have poor security and they get hacked all the time. We should all boycott Microsoft products and sue Bill Gates for false advertising! If Debian were using open source software, this would not have happened!

Huh? What's that you say? Debian was using open source? Linux, you say? Their own product, you say?

Oh, well...then that's all different now, isn't it? This is now an example of why open source is so much BETTER than Microsoft's stuff! Yeah, that's it! Yeah, there's a silver lining to this cloud somewhere...yeah, just give me a minute and I'll come up with a dandy excuse that totally absolves any open source code bug from fault while at the same time finding a way to slam Microsoft.

After all, isn't that the Slashdot way?

Re:...not the archive.

[Knights+who+say+'INT]

Let's hypothetically assume that this compromise is the result of a malicious attack by either an immature script-kiddie/cracker or an evil conspiracy from the corporate software world.

How does this change the fact that Debian is just not good enough, and has compromised thousands of machines across the globe? Sheesh, the denial... This is just like the Mandrake frying standard PC hardware story. Yes, the LG drives weren't compliant to the de jure standards, but in the real world, standards are de facto, not de jure.

Open Source has gone a long way and produced a lot of software that's up there with its commercial counterparts (Latex, The GIMP, Audacity, Firebird, Miranda/GAIM/SIM, Gretl, Python) but the Linux distros available are still not industrial-strength. And denial isn't really gonna help making it work.

Screaming denial, hissy fits or throwing protocols and RFC's across the room aren't gonna convince the nonhacker world. Walk a mile in their shoes, and then rethink the way you deal with events.

Wow

[bonch]

You summed up all the posts I've read so far in this article. Nice job.

"Wow, Debian is so great because they're openly saying that the compromise happened! I'm so proud of Debian for its honesty, as other companies wouldn't have done the same. Wait, we were discussing the compromise itself? No, I don't want to think about it..."

Is Microsoft paying for this?

[Zapdos]

With the upcoming FUDstorm, this is just what M$ needs, I am willing to bet that either a overzealous M$ employee, or a purpose paid consultant did this.

I think those are only the intrusions they noticed

[melted]

Which means the hacker either didn't care of covering his tracks or needed constant access or just wasn't qualified enough to clean up the mess. Good hackers don't work like that. They get in, deploy a bunch of crap, take what they need, clean up and get out. Maybe a month later they announce a "newly discovered" vulnerability. So a couple of five thousand packets in debian _may_ contain unintended code which uses not yet announced vulnerabilities in linux kernel (or in the upcoming 2.6.x). Will anybody do a full code reivew on the entire codebase now?

The point is, just because it's Linux doesn't mean it's any more secure than Windows. In both cases a decent admin is necessary to fend off the attacks. Not many Linux servers are attacked (except for script kiddies) because attacking them is not (yet) in vogue. Guess what, this is changing. And remove those cron jobs which update your systems. They may be downloading trojans from the compromised distribution servers. Test before you deploy in other words. Or SIGN THE FUCKING CODE like Microsoft does.

Now who was responsible?

[scharkalvin]

Lets see, could be the RIAA, or the MPAA,
or SCO! Maybe even M$!

Tell me...

[np_bernstein]

that the OpenBSD servers were compromised and I'll start to worry. :)

Re:Password security is not OS security

[prisoner-of-enigma]

And to be honest, your post so too lacking in any substantive thought to be worth much of a response, but I'll try anyway.

Slashdot, being somewhat overrun by liberals and left-leaning "thinkers" are often champions of diversity -- so long as the diversity goes along with what the crowd wants. Quite often it's posted that we should accept the racial, sexual, and national diversity without question, but when it comes to ideological differences, no diversity is to be tolerated. Toe the line. Say the right things. Nod like everyone else. Linux good, Microsoft Bad. Open source good, anything else bad. Naysayers are trolls who pollute the purity of our collective brilliance. What a bunch of hypocritical hogwash, and I'm not the only one who notices it here.

You don't feel the need to go anywhere near things you disagree with? So, how is it, living in a conflict-free world? Kind of nice, isn't it? No worries, no challenges, no need to really exercise your debating or rational thinking skills. Your brain can enjoy a nice, peaceful, vegetative state where nothing bad ever happens and all thought agree with whatever preconceived notions you've already arrived at. Oh, and the world is flat, the Sun revolves around the Earth, and there's absolutely no way that man can ever fly or travel faster than the speed of sound.

Lots of great things came from people who did not participate in groupthink. You shy away from adversity? Fine, enjoy yourself. You're doing very little to advance yourself if all you do is surround yourself with an agreeable environment, and you're doing nothing to advance the state of the human species. It's too bad you're taking up space and consuming resources, though, because it appears you're more or less a waste of genetic material.

Oops! Sorry! I exposed you to a disagreeable thought! I know that must be traumatizing you right about now, so I'll leave you to meditate, or burn incense, or whatever else it is you do when the abrasive world called reality bumps uncomfortably up against that delicate cranium of yours. Now run on and play. No need to read more boring posts anymore. I'm sure there's a nice post elsewhere that only says nice things that you already agree with. Now run on and play and don't splash in the puddles.