Slashdot Mirror


Debian Project Servers Compromised

Sean was one of many to pass along the bad news from the debian-announce mailing list: "Some Debian Project machines have been compromised. This is a very unfortunate incident to report about. Some Debian servers were found to have been compromised in the last 24 hours. The archive is not affected by this compromise! In particular the following machines have been affected: 'master' (Bug Tracking System), 'murphy' (mailing lists), 'gluck' (web, cvs), 'klecker' (security, non-us, web search, www-master). Some of these services are currently not available as the machines undergo close inspection. Some services have been moved to other machines (www.debian.org for example). The security archive will be verified from trusted sources before it will become available again." They were going to announce 3.0r2 this morning; they've checked it and it's unaffected but obviously they're still postponing that release.

21 of 666 comments

  1. SCO Again!... by isoga · · Score: 5, Funny
    Obviously SCO are trying to break in and steal the source to prove once and for all that Linux has stolen their patents!

    ;)

    dave

    Tech stuff

    1. Re:SCO Again!... by Urkki · · Score: 5, Funny

      No no. They are trying to break in to *insert* patented code into Linux code, so they'd have a leg to stand on in the court ;)

  2. Re:Not on debian-announce archive by cjwatson · · Score: 5, Informative

    Yes, lists.debian.org runs on one of the compromised machines and is, er, not quite running on all cylinders just at the moment.

  3. Digital Signing of Packages? by Chris_Jefferson · · Score: 5, Interesting

    This is the second time this has happened to a big open-source project (the first being the GNU servers a while ago). All packages by both groups are "md5" signed, which is supposed to protect against malicious hacking. However, if the root server is compromised, this doesn't help. Companies (including at least Microsoft, and the people who make ad-aware) who distribute files over the internet sign them with an RSA (or similar) key, and the computer which does this signing is kept disconnected from the internet. For such large projects which are installed by millions of people, might a similar system not be a good idea?

    --
    Combination - fun iPhone puzzling

    1. Re:Digital Signing of Packages? by stevey · · Score: 5, Informative

      MD5 sums are used for the contents of packages, but packages may only be uploaded and processed by the build system if they're correctly signed.

      So yes it's not trivial to backdoor a package - unless you're already a Debian Developer...

    2. Re:Digital Signing of Packages? by samjam · · Score: 5, Insightful

      Don't be certain that digital signing is such a cure.

      The person operating the non-networked signing machine still needs to be sure that what-it-is-that-they-are-signing is what-it-is-supposed-to-be.

      Now how does digital signing on a non-connected machine help you know the source wasn't tampered with?
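The argument in comment 3 and its two replies, as an added example that is not code from the Debian project or from anyone in the thread. It models a mirror whose packages are listed in a plain MD5 index, then the same mirror with that index signed on an offline host, using Ed25519 from Go's standard library in place of the RSA/OpenPGP key the poster mentions. The archive contents, file names, the fixed key seed and the "backdoor" bytes are all constructed for the example. It also exercises samjam's caveat: a signature over an index that was already tampered with before signing verifies perfectly.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/md5"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

type Archive map[string][]byte // constructed stand-in for a mirror: file name -> bytes

// BuildIndex emits one "md5hex name" line per file, like the checksums in an
// apt Packages file. It is plain text, so whoever owns the mirror can regenerate it.
func BuildIndex(a Archive) string {
	names := make([]string, 0, len(a))
	for n := range a {
		names = append(names, n)
	}
	sort.Strings(names)
	var b strings.Builder
	for _, n := range names {
		s := md5.Sum(a[n])
		fmt.Fprintf(&b, "%s %s\n", hex.EncodeToString(s[:]), n)
	}
	return b.String()
}

// CheckMD5 is the naive client check: compare each file against an index
// fetched from the same mirror.
func CheckMD5(index string, a Archive) error {
	for _, line := range strings.Split(strings.TrimSpace(index), "\n") {
		f := strings.Fields(line)
		if len(f) != 2 {
			return fmt.Errorf("malformed index line %q", line)
		}
		data, ok := a[f[1]]
		if !ok {
			return fmt.Errorf("%s: missing from archive", f[1])
		}
		if s := md5.Sum(data); hex.EncodeToString(s[:]) != f[0] {
			return fmt.Errorf("%s: checksum mismatch", f[1])
		}
	}
	return nil
}

// SignIndex is the offline host's only job: sign the index, never the mirror.
func SignIndex(priv ed25519.PrivateKey, index string) []byte {
	return ed25519.Sign(priv, []byte(index))
}

// CheckSigned verifies the index with a key the client already holds (shipped with
// the OS, not fetched from the mirror), then checks the files against it.
func CheckSigned(pub ed25519.PublicKey, index string, sig []byte, a Archive) error {
	if !ed25519.Verify(pub, []byte(index), sig) {
		return fmt.Errorf("index signature does not verify")
	}
	return CheckMD5(index, a)
}

// Backdoor models a compromised mirror: alter one package, then regenerate the
// checksums so the MD5 index still matches.
func Backdoor(a Archive, name string) (Archive, string) {
	evil := make(Archive, len(a))
	for k, v := range a {
		evil[k] = v
	}
	evil[name] = append(append([]byte(nil), a[name]...), "\n# constructed backdoor\n"...)
	return evil, BuildIndex(evil)
}

// DemoSignedIndex reports: md5Fooled (naive check accepts the regenerated index),
// sigCatches (signed index rejects it), preSignMissed (tampering done before
// signing passes, which is samjam's caveat).
func DemoSignedIndex() (md5Fooled, sigCatches, preSignMissed bool) {
	// Constructed fixed seed for determinism; a real key is generated offline.
	priv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x42}, ed25519.SeedSize))
	pub := priv.Public().(ed25519.PublicKey)
	clean := Archive{
		"hello_1.0.deb": []byte("constructed package contents"),
		"tar_1.13.deb":  []byte("another constructed package"),
	}
	index := BuildIndex(clean)
	sig := SignIndex(priv, index) // signed before anyone touches the mirror
	evil, evilIndex := Backdoor(clean, "hello_1.0.deb")
	md5Fooled = CheckMD5(evilIndex, evil) == nil
	sigCatches = CheckSigned(pub, evilIndex, sig, evil) != nil
	// Tampered before signing: the signature faithfully covers the bad index.
	preSignMissed = CheckSigned(pub, evilIndex, SignIndex(priv, evilIndex), evil) == nil
	return
}

func main() {
	a, b, c := DemoSignedIndex()
	fmt.Println("naive md5 check fooled:", a, "| signed index catches it:", b, "| pre-signing tamper undetected:", c)
}
```

The first check passes because the intruder regenerated the index along with the package; the second fails because the signing key never touched the mirror, so the regenerated index carries no valid signature; the third passes, which is samjam's point: an offline signer only attests to whatever it is handed, so the build machine that feeds it has to be trustworthy too. The same shape, a signed top-level file carrying hashes of index files which carry hashes of the packages, is what a signed Release file gives an apt archive.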

  4. Re:How long will it take? by stevey · · Score: 5, Insightful

    Password stealing is pretty OS independent.

    So this compromise, whilst undeniably bad, isn't really going to show much about Debian, or Windows.

  5. Makes you wonder by bigberk · · Score: 5, Insightful

    It really is impressive for me how honest some organizations have been about admitting system compromises (Debian, ProFTP, GNU.org).

    As someone who works with networking security, I know lots of business servers get compromised regularly. Everyone hides it because it's embarrassing for a business.

    This makes you wonder how often other 'critical systems' get compromised, and get fixed without any public reports. Government computer systems get regularly compromised after all. But I'm sure so do vital Microsoft, IBM, systems, etc. Windows Update, anyone?

  6. Re:How in the world... by stevey · · Score: 5, Informative

    Yes Debian's machines run Debian, this breakin wasn't anything to do with the software installed upon the box, as it was due to a password compromise.

    If anything it's more embarrassing that somebody lost their password than that the software wasn't up to date.

  7. Grumble, grumble by Anonymous Coward · · Score: 5, Insightful

    What's interesting about your comment is that when an M$ compromise comes to light, the focus is on how big a bozo BillyG is for letting his insecure crap out into the world. When something like this happens, it's those nasty little hackers or script kiddies and their deep dark motives or a cabal led by M$/SCO to "discredit" Linux. Face it, the main servers for a major distro were hacked into at a very sensitive time. Ouch. Regardless of the whys of who did it, it was done. Yeah, kudos for them coming public, but if I'm Joe CTO looking at purchasing some puters, I'm thinking to myself, hey, what's up with this, they told me that M$ stuff sucked and this Linux stuff was secure. This wasn't some ma and pa website that got defaced after all.

  8. Re:Where's the confirmation from debian people? by tfheen · · Score: 5, Informative

    At least cjwatson and myself are Debian developers. I wish I could say it's a hoax, but it's not. However, as you've already read: the archive doesn't seem to be compromised at all.

  9. Everything's a tradeoff by buddha42 · · Score: 5, Interesting

    On the one hand stuff like this scares the hell out of me, but on the other hand I'm very reassured by how the debian community handles it. Full disclosure, detailed explanations, and very conservative thinking (exhibited by the "3.0r2 is fine, but we're not releasing it anyway just to be anally sure").

    At this point I would like to see the debian team develop some written policies and procedures for how they intend to prevent this sort of thing in the future. I checked the site and while there's security info for how to secure your box, there's no policies on 'how does the debian project secure itself'.

    Lastly, one concept you have to keep in mind, we have no idea how often other OS's key servers are cracked because they'd never tell us.

  10. Re:OpenBSD by Ascender · · Score: 5, Insightful

    If Debian ran OpenBSD, this wouldn't have happened! Theo runs a tight ship over there.
    I also think that Gentoo would have prevented this tragedy.

    Not really. The vast majority of break-ins are through misconfiguration or human error. Neither Gentoo, OpenBSD, nor anything else can prevent these factors. I would be very surprised if this was due to a security hole or vulnerability. More likely someone wasn't secure enough with their SSH keys or something like that.

  11. Re:Where's the confirmation from debian people? by stevey · · Score: 5, Informative

    --- snip here ---
    This is a truthful report.

    You may validate this message against the key for skx@debian.org.

    Steve
    --
    -----BEGIN PGP MESSAGE-----
    Version: GnuPG v1.2.3 (GNU/Linux)

    owGbwMvMwCR44PyxzWd9eOcyns5PYrDfJ7EiJCOzWAGIEhVKikpLMtJKcxSKUgvy
    i0r0uLgi80sVchMrFcoSczJTEktSFUpAinNTi4sT01MVEtMTM/OKS4CCqQrZqZUK
    aflFCsXZFQ4pqUmZiXl6+UXpQCO4gktSy1K5dHW5OuyZWUE27oM5QZDp9w6GBQtO
    SLxI+1madnvjbIZVrZu0HcTnzGdY0LBFy+hFp+fRBXM7HXcYc16Xj5A9DwA=
    =xVtr
    -----END PGP MESSAGE-----

  12. OH NO!!!! by HungWeiLo · · Score: 5, Funny

    Was any code stolen? OH wait...

    --
    There are a huge number of yeast infections in this county. Probably because we're downriver from the bread factory.

  13. Nobody's asking you to trust the keyserver by psamuels · · Score: 5, Informative

    Then the next point of failure becomes the keyservers. How do you know you imported a good key, and that the keyserver hadn't been compromised when you did it?

    PGP keyservers (unlike, say, Kerberos KDCs) are completely untrusted. Anyone can upload any key to a keyserver. And downloading a key from a keyserver implies nothing about that key.

    To verify that you have a valid key, you have to rely on the web of trust. Basically, if a key is signed by someone whose key is signed by someone [recurse through however many levels you are comfortable with] whose key you have personally inspected, then the key can be assigned a trust metric based on how reliable you consider that chain of signatures to be. (Basically, how much you trust the integrity and acuity of the people controlling the chain of signatures.)

    PGP and GnuPG have supported this infrastructure from Day 1. Asking people to trust an arbitrary third-party public keyserver was never in the plans.

    --
    "How can you claim that you are anti-crack, while still writing a window manager?" — Metacity README
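The certification chain psamuels describes, as an added example that is not code from the thread or from PGP/GnuPG: a breadth-first walk outward from a key you inspected yourself, accepting a hop only when the certification verifies under the signer's key, and stopping at a chosen depth. Ed25519 from Go's standard library stands in for OpenPGP key signatures; the keys alice, bob, carol, dave and mallory, their fixed seeds, and the forged certification are all constructed. GnuPG's marginal/complete trust scoring is not modelled; the walk only answers whether a valid chain exists within the depth you set.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"fmt"
)

// Key is a constructed stand-in for a PGP public key with its user ID.
type Key struct {
	ID  string
	Pub ed25519.PublicKey
}

// Cert is one key signature: Signer vouches that Subject's ID belongs to Subject's key.
type Cert struct {
	Signer, Subject string
	Sig             []byte
}

// certBody is the bytes a certification covers: the ID bound to the key.
func certBody(k Key) []byte {
	return append([]byte(k.ID+"\x00"), k.Pub...)
}

// Certify produces signerID's signature over subject's ID/key binding.
func Certify(signerPriv ed25519.PrivateKey, signerID string, subject Key) Cert {
	return Cert{Signer: signerID, Subject: subject.ID, Sig: ed25519.Sign(signerPriv, certBody(subject))}
}

// ValidPath walks outward from a key you inspected yourself (trusted) and reports
// whether target is reachable through at most maxDepth certifications, each of
// which must verify under the signer's key. A certification that does not verify
// is simply not a hop, so forged signatures uploaded to a keyserver gain nothing.
func ValidPath(keys map[string]Key, certs []Cert, trusted, target string, maxDepth int) ([]string, bool) {
	if _, ok := keys[trusted]; !ok {
		return nil, false
	}
	parent := map[string]string{trusted: ""}
	depth := map[string]int{trusted: 0}
	queue := []string{trusted}
	for len(queue) > 0 {
		cur := queue[0]
		queue = queue[1:]
		if cur == target {
			var path []string
			for k := cur; k != ""; k = parent[k] {
				path = append([]string{k}, path...)
			}
			return path, true
		}
		if depth[cur] >= maxDepth {
			continue
		}
		for _, c := range certs {
			subj, ok := keys[c.Subject]
			if c.Signer != cur || !ok {
				continue
			}
			if _, seen := parent[c.Subject]; seen {
				continue
			}
			if !ed25519.Verify(keys[cur].Pub, certBody(subj), c.Sig) {
				continue // forged or stale certification: not a hop
			}
			parent[c.Subject] = cur
			depth[c.Subject] = depth[cur] + 1
			queue = append(queue, c.Subject)
		}
	}
	return nil, false
}

// newKey builds a deterministic constructed key pair for the example.
func newKey(id string, seed byte) (Key, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{seed}, ed25519.SeedSize))
	return Key{ID: id, Pub: priv.Public().(ed25519.PublicKey)}, priv
}

// DemoWebOfTrust: alice is the key you checked in person; alice signed bob, bob
// signed carol; mallory uploaded a "signature by alice" on dave's key that alice
// never made. Returns carol's path and whether carol, dave, and carol within one
// hop are reachable.
func DemoWebOfTrust() (carolPath []string, carolOK, daveOK, shallowOK bool) {
	alice, alicePriv := newKey("alice", 1)
	bob, bobPriv := newKey("bob", 2)
	carol, _ := newKey("carol", 3)
	dave, _ := newKey("dave", 4)
	_, malloryPriv := newKey("mallory", 5)
	keys := map[string]Key{"alice": alice, "bob": bob, "carol": carol, "dave": dave}
	certs := []Cert{
		Certify(alicePriv, "alice", bob),
		Certify(bobPriv, "bob", carol),
		Certify(malloryPriv, "alice", dave), // forged: claims alice, signed by mallory
	}
	carolPath, carolOK = ValidPath(keys, certs, "alice", "carol", 3)
	_, daveOK = ValidPath(keys, certs, "alice", "dave", 3)
	_, shallowOK = ValidPath(keys, certs, "alice", "carol", 1)
	return
}

func main() {
	path, c, d, s := DemoWebOfTrust()
	fmt.Println("carol:", c, path, "| dave (forged cert):", d, "| carol within 1 hop:", s)
}
```

The forged certification is the keyserver point: mallory can upload a Cert whose Signer field says "alice", but it does not verify under alice's key, so dave stays unreachable. The maxDepth 1 query shows the "however many levels you are comfortable with" choice cutting carol off even though her chain is genuine.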

  14. Re:Double Standard on /. by TiggsPanther · · Score: 5, Insightful

    You're right, up to a point. But you've also got to compare the other factors that tend to crop up...

    Windows Box Compromised: Someone exploited a flaw.
    Linux Box Compromised: Insecure password.

    or, if it IS due to a flaw exploit...

    Linux: Box compromised because machine wasn't carrying latest patches.
    Windows: Box compromised even though machine was updated last week.

    Linux: Exploit found. Exploit gets fixed. Publicly. Usually the same month - with a temp-patch available within the week.
    Windows: Exploit found. Exploit gets fixed. Eventually. As a part of the next service pack. Newsgroups, Slashdot and third-party sites suggest workaround. MSKB just says "Problem is under investigation"

    Oh, and there's always...:

    Windows exploited: /. crowd too busy laughing to make sensible posts.
    Linux exploited: /. crowd too busy downloading, testing, and installing the various patches and workarounds that are flying around.
    (Or sending "Use a good password" memos around the office, stating that if an organisation like Debian can be compromised by a password, then Joe Average in accounts hasn't got a hope in hell if his password is the cat's name.)

    --
    Tiggs
    "120 chars should be enough for everyone..."

  15. Common sense snippets by jdifool · · Score: 5, Insightful

    Hi,

    218 posts and some rare appropriate reactions.

    • I thought Linux was secure... Guess not. Who told you that Linux was secure? Your grandma? Linux is more secure than Windows, of course. But it's not immunized against crackers. The computer world is based on a set of rules that can be broken. The better you are at mastering these rules, the more secure your boxes are. But these rules can be broken, which means that, given human nature, they are bound to be broken occasionally. Furthermore, you will have noticed that it often relies on human mistakes (password cracking for instance).
    • Free software sucks, Microsoft rules. Here I can almost physically feel the frustration of advocates of the proprietary world who can do nothing but bash any free software flaw they might encounter. However, they deserve a clear, sound, and honest answer. My dear fellows, the free software world never proclaimed itself the embodiment of security. We do our best to ensure it. And don't mix things up: our main problem with Redmond's handling of security is about post-treatment. We do not appreciate the culture of hiding; you can see here how coherent we are with ourselves.
    • Gentoo is better than Debian; oh no it's Redhat; oh no it's Slackware. Hey guys, are you really part of the free software world? Can you just realize these are the precise sentences that led to the proprietary software world? And don't you think that you should adopt a more conservative stance? Don't you think that the moral of this sad story is that nobody is safe from crackers? Wake up, men, this is the very crucial moment where we must stand united. Keep your ammo for your real foes.
    There are some days when you would think that the free software world is not that 'free as in freedom'...

    Regards,
    JDif

    --
    Let's overcome our weakness.

  16. I Haven't Paid for Debian by Bob9113 · · Score: 5, Interesting

    This news made me realize how much I depend on Debian. At the moment, every one of my machines (four servers, three workstations, and a laptop) runs Debian. I've been running it as my primary OS for... two years? So far I haven't paid a dime for it. It is a nice advantage of Free Software to be able to use it for free, but given the fact that I'm way out of "try-before-you-buy" mode, I'm going to send them a check today. Software in the Public Interest was founded by and is the current funding source for Debian.

    One server compromise in the two years that I've been watching by a company with zero product sales revenue is pretty impressive. An OS that is (IMO) dramatically superior to any commercial offering for free? They've earned my respect, and have clearly earned my cash.

  17. Re:apt by jrexilius · · Score: 5, Insightful

    After RedHat dropped their free line (I was just paying for RHN access) I have been contemplating going to Debian for my servers and suse for desktops or some other scenario. Debian packages and apt-get were primary reasons for considering that distro as my next platform. I don't want to say I am scared off by this, but it does remind me that I have to put more thought into how to deal with these things. I had simply trusted RHN and the PGP signing of their RPMs, which may have been a little foolish.

    I do have to say that I am still happier with Debian broadcasting this incident as loudly as possible rather than the corporate tactic of hushing it up (I know of a few companies that have done just that). Thanks for the open honesty Debian!

  18. Re:Where's the confirmation from debian people? by frenetic3 · · Score: 5, Informative

    Not to be pedantic, but the signature actually does contain a date:
    gpg: Signature made 11/21/03 08:53:02 using DSA key ID CD4C0D9D
    -fren
    --
    "Where are we going, and why am I in this handbasket?"