More Info on Debian.org Security Breach

mbanck writes "James Troup (part of the Debian System administration team) has published more information on the recent compromise of four debian.org machines. The attack vector seemed to be a sniffed password of an unprivileged account, from which the attacker somehow managed to gain root and install the suckit rootkit and crack the other machines. As the machines were fairly uptodate with respect to security, an as-of-yet unknown local root exploit might be in the wild, so keep an eye on your boxen.Note that the main ftp archive running on a sparc machine was not compromised, so the exploit might not yet be ported to non-i386 architectures."

Human Error

[jefbed]

This incident reminds us of the importance of password security. It is sad to see one weak password responsible for such a breach. I think that it would be a good idea for the future to move away from the traditional unix password. An appropriate replacement would be something similar to RSA passphrase mechanism used by secure shell. A random passphrase with a minimum lenght would be idea. The user is the greatest security hole.

Re:Human Error

[ctr2sprt]

Clearly we need some way to move away from traditional passwords, but RSA keys isn't the way to go. They're impossible to remember, which means you need to store them on a computer. That makes them vulnerable to copying. You can password-protect them, of course, but then you're in the same situation as before (actually worse, for the same reason /etc/passwd is less secure than /etc/shadow).

That's not to say that RSA or some similar system won't be part of a good solution... but there definitely needs to be some other component. (For example, the private key might be encrypted by a biometric signature or keycard or similar. While that still leaves the system vulnerable to physical attacks, it more or less eliminates network-based ones as long as you use secure protocols.)

Re:Human Error

Uhh, I dunno if you noticed, but it wasn't a password alone that did this much damage. The account broken into was unprivellaged, meaning it was just a simple user account.

In theory, a secured system can have this happen to it and the attacker will have fun deleting a single home directory before they run out of damage to do.

In practice, a single local privelage escalation attack is all it takes. Maybe this will end up being a good thing in the end, we get to find a previously unknown local root exploit, fix it and improve the Debian security practices, all in one move.

Re:Human Error

[jkrise]

While that still leaves the system vulnerable to physical attacks, it more or less eliminates network-based ones as long as you use secure protocols.

In other words, you've achieved nothing. The issue here is the protocols, NOT passwords. Since these are not unnder the control of users, we should assume that any netwroked resource is insecure by design.

-

Re: Human Error

[Black+Parrot]

> Random passphrase? Repeat after me: The best password is the one that isn't stikie'd to the monitor and/or keyboard.

When it comes to internet-based attacks, my yellow stickies are the securest files on my system!

Re:Human Error

[blanks]

It wasn't a weak password, it was from a sniffed password. But then again no matter how good your password is, if your not encrypted (and in some cases even if) your password is weak.

Re:Human Error

[pkaral]

Where information security work really breaks down is when password theory meets the average user. Personally, I had to try approx. 15 times to come up with a password that would be accepted by the system at my university, and by then it was so complex that I had to write it down to remember it. (As usual, there had to be 3 types of characters, but in addition, there where heaps of rules saying such things as "caps at the start or end of the word don't count".

We must find a systemic solution that includes the users as part of the system. The main requirement for a new password regime is therefore that it must work within the bounds of users' bad habits and limited capacity for recalling a gazillion passwords which change regularly.

Re:Human Error

[God!+Awful+2]

(For example, the private key might be encrypted by a biometric signature or keycard or similar.

I have yet to see a biometric signature that would solve this problem. Generally speaking, in biometric identification, information about the fingerprint/retina is stored on the disk and then compared against the data that is read in. The biometric information is not used *AS* the encryption key. So a biometric signature is just like a really big password, except that if someone cracks your password you can change it, but you can't (easily) change your fingerprints.

-a

Re:Human Error

So when an exploit is found in Windows, it is considered a bad thing that shows how lame of an OS it is.. but when it is found (or not?) in Linux it is a good thing?

Yes. In the past, Windows exploits get found one of two ways. The first way is when a virus is found in the wild. The virus is deconstructed, then Microsoft does a cost analysis to determine if it's worth patching the vulnerability that enables the virus. If so, then a binary only patch will be issued. The first you'll hear of it is when you're able to download the patch. The second way is when a white hat hacker or security analysis team at some college find an exploit. If they go public with it, they're criticised for not giving time for Microsoft to develop a patch. If they go to Microsoft with it first, then the cost analysis process starts, only because the public at large doesn't know a problem exists, there's a much smaller chance a patch will be issued. In either case, the patch may or may not work, and it may or may not break your system. Caveat emptor.

When an exploit is found in Linux, it gets fixed. The cause of the exploit gets scrutinized world over, and other developers privately consider whether their software might have the capacity to be exploited in the same way.

Re: Human Error

[cperciva]

When it comes to internet-based attacks, my yellow stickies are the securest files on my system!

Well, you'd want to make sure they weren't stuck somewhere visible to random passers-by.

But you always have to keep in mind that any form of security is only as strong as its user interface; if someone can access a password stickied to the bottom of your keyboard, they can probably attach a keylogger as well.

Re:Human Error

[Cthefuture]

Meh, nothing is perfect. There's no point in arguing that. There's always a way to get into a system.

I can't remember the last time somebody on the Internet teleported beside me to look over my shoulder.

Instead you need to worry about what level of expense and trouble you want to go through for your particular needs. A smartcard is fairly simple, cheap, and provides decent security. If you go with one of the newer USB cards then you don't even need a reader, the card plugs right into your USB port. It's perfect for storing SSH keys and using that for authentication.

In a nutshell - somehow

[evil_roy]

Quote from the article:

"Somehow they got root on klecker and installed
suckit."

What follows is an interesting read - but the guts are in that 'somehow'.

Re:In a nutshell - somehow

[Kulic]

You're absolutely right. For some reason, everyone else seems to be overlooking the fact that there is (or appears to be) an unknown root exploit out there.

Yes, you can probably guess/crack/social engineer a password if you try hard enough. That's why security is about layers, compartmentalisation and multiple types of protection, not just a single password.

If this was your box, would you be more worried that someone had managed to sniff an (unprivileged) password? Or that any one of your users can now root your box? I know which one I would lose sleep over.

Here's to hoping that the root exploit is found and patched nice and quick. Even better if it something else that's been missed and is fixed in the latest patch.

Re:In a nutshell - somehow

[jkrise]

If you lose sleep over these so-callled 'Security Vulns' you can never sleep at all - unless you're running a box that's not hooked onto the net. Do you know how many 'root-attacks' are possible with Windows? 95,98,NT,2K,ME, XP - whichever version you're on? Can you even bet that after applying the latest fix from Microsoft, your system is free of vulns?

The best way to enjoy 8 hrs of sleep every night is to backup all files onto CDs / disks before going to the net. No matter what, you can get back live in about 30 mins next morning. With Windows, it could be 6 hours PLUS $600 for softtware.

Most of us choose the 30 mins option.

-

Re:In a nutshell - somehow

[unixbob]

It's worth bearing in mind tho that this may not necessarily be a bug in the OS. The wrong permissions on a sudoer's file for example could have caused this. The assumption going around here is that there is an unknown root exploit going around which involves buffer over runs, kernel exploits, etc. It's just as likely that someone has made a mistake with their config and mistakenly left their server wide open

Re:In a nutshell - somehow

[Basje]

Your conclusions are absolutely right. In a corporate setting, this may be more of a hazard than it is now, because Debian can afford the downtime.

Yet you may have overlooked detail: development has not stopped. People keep working on updated packages, they just cannot submit them. If the problem can be solved, the productivity lost won't be that great.

This is actually one of the great benefits that open source offers, at least for succesful OS projects. It is not just a benefit of the excellent project management in this case.

Diebold, take note

[RealProgrammer]

All vendors and site administrators should take note of the openness with which the problem was dealt.

When I go to buy a car, a computer, or a stereo, and the saleslizard is cagey about any problems that come up, my trust level goes down. If they tell me all about all the problems with the thing they're selling before I even notice them, my trust level goes up. It's like a cool drink on a hot summer day.

Contrasting with Debian, how long did it take to find out that Diebold ATMs had been hit by the Nachi worm?

I'm now more inclined to trust Debian, and less inclined to trust Diebold.

Re:Diebold, take note

[jkrise]

More importantly, the openness of Debian is a much more important factor here. When I read these lines in the article:
The attack vector seemed to be a sniffed password of an unprivileged account, from which the attacker somehow managed to gain root and install the suckit rootkit and crack the other machines. As the machines were fairly uptodate with respect to security, an as-of-yet unknown local root exploit might be in the wild, so keep an eye on your boxen.
I got the distinct impression that Slashdot is transformig into a FUD channel for unsuspecting readers.

The fact that a 'clean' Linux system can be backed up and restored from any media, is of more relevance and importance to users. EVERY system connected to the internet has potential unknown vulns, those running Windows are often unpatched and have no disaster control system as well.

Viewed from this perspective, I don't think we need to keep an eye on our boxen just the backup tapes / disks/ CDs.

-

This attack has obviosly shocked the comunity.

[GNUALMAFUERTE]

Since Debian (even for those smart ones out there using slackware, like i do) is really considered one of the real distros, if we hear that redhat has been atacked, we would just say that they diserve it and go on, it would be delivered in the respective mail list, and that was it.
But this attack has a psicological impact. Debian itself has been attacked, and it seems to be a bug exploited just in part, on the other side, there are updates that the compromised machines never got aplied, and other big mistakes like a non-tared backup lying arround, with the original owner / permissions mask. This is really more that enough to get any netadmin running Debian to get paranoid.

One recommendation

[heironymouscoward]

Off-site logging of all accesses.

One of the first things that get wiped in an intrusion are the logs. All access logs should be copied in as near real-time as possible to a remote server that is not accessible from the machine being logged, i.e. a drop-box.

Re:One recommendation

or a printer.

Re:One recommendation

[larien]

With physical access, all bets are off at the best of times.

Printing logs is a good idea in some circumstances; you will have a record of all actions and a remote intruder has no method of editing those logs. The main downside is the amount of paper it could use, plus it has to be kept supplied with paper & ink.

Re:Password was *sniffed*

[TheRedHorse]

Why assume it was a cleartext password? It could of been encrypted, captured and crack via brute force or some other method.

Proof that Windows is more secure

[Qrlx]

Not really, just thought it needed to be said.

#1 on Ten Immutable Laws of Security

[Saint+Stephen]

I worked at Microsoft, so Microsoft's list is my frame of reference:
Law #1: If a bad guy can persuade you to run his program on your computer, it's not your computer anymore.

Re:#1 on Ten Immutable Laws of Security

[Gleef]

Not that I even like Microsoft's security list, since it's very Windows-centric, I'll bite.

Law #1 doesn't apply here. The intruder sniffed a password, and ran his own software. As far as I know, nobody was tricked into running malicious software. Law #1 should read, for real OS's
"Law #1: If a bad guy can persuade you to run his program on your account, its not your account anymore."

The first failure, as per this list was Law #5 "Weak passwords trump strong security." Someone didn't properly protect their password, this gave the attacker their foot in the door.

The second failure was the unidentified privilege escalation. This doesn't appear to fit any of the laws (they appear to be written assuming privilege escallation is trivial, I guess that says something about Windows). Except perhaps, Law #10: "Technology is not a panacaea". Just because we run well designed software that has few security holes doesn't mean that we run perfectly designed software that has no security holes.

Occasionally something slips through the cracks, like here, and it's good to know that real people are paying real attention, and that there are effective ways of bringing necessary systems back up in a trusted fashion. Eventually, this escallation will be found, fixed, and machines patched.

A simple disaster-mgmnt starrtegy...

[jkrise]

Since Linux has no use for hidden files, registry, active directory, complicated booting procecdures and other useless features that come standard with Windows - I see no point getting worked up about these so-called Security Warnings.

99% of Slashdot readers, I believe, treat viruses, worms and other 'security' attacks as a NUISANCE rather than a PRIVACY hazard. A Service Pack or bug fix a week for Windows merely highlights the fact that data privacy on a 'personal' computer is a joke. The nuisance of reinstalling the Windows OS from CD, and reinstalling each and every app with the zillions of settings OR buying expensive, uunreliable 3rd party s/w for disaster recovery can be intolerable.

With Linux, OTOH, simple tools exist that can take backups of disk data (not disk images, just the files), AFTRER installing the apps. A simple restore of these files gets the system back, with all settings and screen-savers intact.

To sum up, 99% of Slashdot readers do not need to care about these security risks, if they choose Linux for their personal or office systems.Those with Windows - a switch to Linux is cheaper than anti-virus s/w PLUS OS cost PLUS frequent updates PLUS frequent reinstalls PLUS loss of data PLUS nuisance.

-

Human Error or faulty security models?

SELinux would likely have prevented the root exploit from allowing this individual from doing as much harm as was done.

I think that it's time for the big names like Debian, Slackware, Red Hat etc to start implementing it on their network connected machines. It's being incorporated into the stock kernel for a reason. Use it!

What could be done better...

[rxed]

Quote: "All the compromised machines were running recent kernels[1] and were
up-to-date with almost all security updates[2]."

Well, it seems that 'almost' just isn't good enough. Perhaps there is more to the break in (like unknown holes)?

Sniffing passwords? They must be using 'almost patched' version of SSHd.

local root != remote root

[placeclicker]

Huge diffrence.

You still need a local account to make use of a local root exploit.

You don't for remote root exploits.

Remote root exploits can be used in worms, local (for the most part) cannot.

Not to say that local root exploits should be overlooked, especially when they seem realtivly simple to create (e.g., bad symlinks)

Besides, this is supposedly an *UNKNOWN* local root exploit..

Re:local root != remote root

[pikkumyy]

You're missing parent's point entirely. Local exploit becomes a remote exploit becouse of user stupidity. You can't trust your users to keep their accounts safe.

Of course there are unknown exploits

[Animats]

The serious attackers don't publicize the ones they develop. They save them for use on worthwhile targets.

This is why security by patching is fundamentally ineffective against enemies, as opposed to nusances.

Re:Password was *sniffed*

[TheDarkener]

Thank you. I was reading parent posts going, "Umm, I don't remember hearing anything about any pw cracking being possible since it was an encrypted connection or whatever, so if it was sniffed it obviously was done in clear-text. The people who did the foresnics on those boxes (and who wrote the paper) simply would have stated that. I have the utmost faith in said Debian.org sysadmins. And I applaud their open-source approach to the attack. You really wouldn't ever see something like that coming anyone else.

That's a lot, coming from me... I'm usually pretty pessimistic .. ;)

Re:Sad day for Debian

So it's ok to attack things you consider immoral but not to consider things you consider moral.

I'll pass that on to the people who shoot abortion clinic doctors and crash passenger jets into tall buildings containing civilians.

Um, what?

[bonch]

They said the password was sniffed.

Try to shunt this off to a "weak password" all you want, but let's face facts here. A beloved Linux network was clobbered.

Yes, Virgina, Linux is not invincible. You have rootkits and exploits too. Just see Linuxsecurity sometime.

And, yes, it makes all the Linux loonies who rail on about Microsoft insecurities look like religious hypocrites.

Karma Bonus unchecked, because I don't expect this to be well-received by biased moderators.

Re:Um, what?

[Yottabyte84]

My box was 0wned a while ago. They got my password when I ssh'd out from a shell account on a compromized machine (that'll teach me to trust other admins) and got root by using 'sudo bash --login' and entering my password. They installed suckit, and then started scping something from somewhere while I was logged in to X. I noticed, and promptly powered off my DSL modem, and got to work cleaning up.

So much for unbiased Slashdot

[bonch]

Look at all the posts...excuses and rationalizations. "Well, this serves as an example of weak passwords" or "non-root privileges," etc.

You never see that level of rational explanation when it comes to a user-transmitted e-mail Outlook worm. In fact, in those cases it magically becomes a "Microsoft hole," even though it's users running the executable!

I know this won't be well-recevied, so Karma Bonus is unchecked accordingly. Nonetheless, it's my opinion and I believe it. Slashdotters are hypocrites and hold double-standards.

Re:So much for unbiased Slashdot

[ishark]

Look at all the posts...excuses and rationalizations. "Well, this serves as an example of weak passwords" or "non-root privileges," etc.

Actually, what I see is people warning of a possible security hole in the wild.

You never see that level of rational explanation when it comes to a user-transmitted e-mail Outlook worm. In fact, in those cases it magically becomes a "Microsoft hole," even though it's users running the executable!

This is because one of the "strong" points which is claimed by windows is that it's designed to be used by non-tech experts, while at the same time it offers NO protection from mistakes. If outlook were modified so that it cannot execute anything and you must manually save to disk and execute whatever you would see (beside a drop in virus infections) fingers pointed at the users instead of Microsoft.

Re:So much for unbiased Slashdot

Microsoft designed Outlook to have scripting and its related insecurities. In comparison, weak passwords are very easily taken out by things like cracklib.

In the first case, Microsoft designed something to be insecure, in the latter case, the system can be made more secure.

Now, if a Microsoft system were compromised because of weak passwords, I would agree with you, but the very design of Outlook is designed to encourage these sort of mistakes.

Re:So much for unbiased Slashdot

[jadavis]

Slashdotters are hypocrites and hold double-standards.

You're saying slashdot posters are inconsistant, but they're just different people who all happen to read slashdot. If you want to make a real argument, pick one person and attack their inconsistancies.

Another example is the political parties. You can't say that Democrats are inconsistant because of this, that, and the other. Democrats are a varied group, and they have many different perspectives and form their arguments in different, often contradictary ways. They just see a common means to their end, and each individual may be 100% consistant. (note: I'm not a democrat, I just used them as an example. This works with any political party that I can think of.)

Ultimately what you're doing is grouping variety of people together (slashdot readers) and then attacking the group as a whole for being inconsistant with respect to a separate issue (their perspectives about computer security).

You can do that to anyone. For example: "Blondes are so inconsistant. First they complain that the environment is being damaged, then the next week they're complaining about too much government regulation." Well, being blonde obviously has nothing to do with the topic, so of course you find inconsistancies in their viewpoint.

That type of reasoning is very simple-minded. The world is a complicated place with myriad possible groupings of people. Analogies that relate nations, corporations, SIGs, etc. to people often confuse the issue beyond repair. Microsoft isn't a "bully," it's just that the shareholders elect people that are likely to use aggressive business tactics and leverage the monopoly that they have to gain shareholder value. You can't punish MS in any way analogous to punishing a bully, because the shareholders could be long gone by now (however many years it takes to settle an antitrust lawsuit), because it's simply not a person, it's a group. Same with nations, it's a group and should not be personified. Think how much time the media has wasted talking about Bush as though he "doesn't play well with others." Nations are groups, not people.

Re:So much for unbiased Slashdot

[thenextpresident]

Well, no, your wrong, even if you think it's your opinion. Opinions can be wrong when they are based on misplaced fact.

First, we aren't talking about a desktop system getting hacked, we are talking about a server getting hacked. Secondly, a hack is a hack. If people at Debian let this slip, then it's their fault in the end. Whether it was MS or Debian, it would be the same thing: they screwed up.

Secondly, Debian doesn't develop all the software they distribute, or even use. Microsoft, however, developed Outlook. So, if a cracker gets into Debian because of an insecure application, it's not Debian coders at fault. However, a cracker that gets in via Outlook, well, it's MS's fault because they developed Outlook. (One could argue it was neither's fault, and rather the crackers fault, but that's another story).

Thirdly, you can't compare these two because of the open/closed source nature of either company. If MS were hacked into, how much information would they provide? How about Debian? What concerns me more isn't that Debian was hacked, but how many times has MS been hacked, and we haven't known about it.

Fourthly, you want to blame the user for the foul up when they execute a worm. First, a cracker and a work are two different things, and really can't be compared. However, looking at the work, it merely executes on Windows. The problem is that the security model for Windows sucks (it does, and any belief to the contrary is the same thing as admitting you don't care about security, and know nothing about it), that it allows all of this.

Finally, you say there are a bunch of excuses and rationalizations with all of these posts. This happens, whether it's Linux or Microsoft. The difference is that with Linux, we can check, while with Microsoft, we can't check. We have to go with what they tell us. If they say "Oh, it's merely a small problem," is their any way for us to actually verify this? No. But with Linux, it's usually open and verifiable. And what would you have the people do if they found out the crack was because of a bad password? Lie and say it was something worse. If it was a bad password, it was a bad password, nothing more. But with Linux, this can be verified, whereas with MS, this can't be.

Maybe you enjoy being lied to. I don't.

Re:Password was *sniffed*

[Wyzard]

That's a good reason to use public-key authentication with SSH, rather than password authentication. That way, the attacker looking at SucKIT's logfile only sees a challenge-response exchange, which can't be replayed thanks to timestamping.

the linux attitude prevents real security...

[a_hofmann]

it's a sad thing that everyone seems to be so confident in their latest super secure linux setup, the power of fast and often patched open source software or the openess in such issues - so much that nobody takes these problems serious enough.

for every exploit known (and fixed) publically you can bet there are two yet undisclosed and maybe in the hands of the wrong people...

concepts like public key crypto (ssh, ssl), stack guarding (say no to buffer overflows) or process jail (try to escalate privileges from there) are thus essential to implement real security. still ease of setup or performance seems to be more important than safe networking.

perhaps the big desaster has to happen before people understand that projects like openbsd or selinux are not your tinfoil-hat wearing neighbor's business but the only serious choice for any public, responsible service provider.

Re:What's up with these anti-Linux attacks?

[marcello_dl]

The timing of the attack (just before the release of 3.0r2 and almost coincidental with the discovery of an OSX remote vulnerability) is interesting, too.

A resourceful black-hat hacker hitting debian just to boast "its" ego would have probably "signed" the attack somehow. On the other side, if i were trying to spread FUD about Linux with an attack, i'd do the same: pretending that a single immature highschooler could hax0r Debian would add insult to damage and hide the real motive.

Re:What's up with these anti-Linux attacks?

[Ogerman]

FYI if you took some vitamin clue you would know Linux is not that far behind MS on security exploits. Now now now, before the Linux zealots bash get real and look it up. Linux is the second most attacked machine ... but you'd be looking for an excuse to justify the shoddy security put into Linux.

FYI, this has nothing to do with "shoddy security put into Linux". Fact is, a properly secured Linux server is overall more secure than a properly secured Windows server. The problem is that most *distros* (and yes, this includes Debian) have fairly shoddy security by default. Then you have a lot of people who don't know what they're doing trying to use these distros to run real-world sites. Therefore, they are an easy target. (and generally more "interesting" to crackers.. what fun/glory is a compromised Windows box?) From the explanation given, it does not sound like the Debian admins had enough security experience (or paranoia :). You simply DO NOT run a high-profile site without an ACL-protected kernel (ie. LIDS, SELinux, etc.) This is not because Linux itself cannot be trusted, but because some of your services may not be. Even better is to also use kernel stack protection. But anyhow, the Debian admins will learn from their mistakes and the project will be stronger as a result.

now I won't go into the BSD's, because I just won't nor will I go into Solaris, but do your homework, Linux `used to be` all that, nowadays I look at it as LiNuX vErSiOn v.666... A toy nothing more and don't even use it anymore, nor will I advocate it. It went from something cool into the new MS'like farce

Now you're really blowing a lot of random hot air. Either you're a silly troll or you're one of those trendy anti-trend folks who thinks anything popular can't be cool/good. I guess IBM has decided to refocus its corporate vision around selling toys, eh? Riiight..

Re:Debian physical site security?

[wichert]

Most machines are in colocation facilities and all the normal colo access rules apply to them. That is why I could immediately get to klecker physically (luckily its colo is moving to a new site and we'll get our own access pass for the colo). The only machines that are in locations like peoples homes or dorms are those for which regular physical access is required, for example to experiment with new (or old) architectures.

Re:Isn't it obvious?

[Wudbaer]

You don't need to be a Microsoft or SCO to have fun vandalizing other people's systems. This is the same mentality like when someone destroys bus stops, telephone booths and other public property or the flower beds in the park some volunteers put up the week before on their own time and money. It is against the common good, but being an asshole that person just doesn't care.

Doesn't seem very logical..

[naitro]

An attacker who has access to unpublic local root exploits probably won't use a public kiddie-rootkit like Suckit.

And I hardly believe that an experienced cracker would backdoor the boxes in such an uncareful manner. Weird..

No OS can ever be 100% secure, but.........

[DFJA]

Proprietary OSes will ultimately be left behind Open Source OSes in terms of security for the following reason. In the fight against proprietary OS's such as Microshaft's, there is a big propaganda war with both sides saying "Look, your OS is insecure". Both OS's will have security holes discovered, and hopefully fixed, from time to time. That is a fact we have to live with. The rate at which they are discovered and fixed is roughly proportional to the number of people actively investigating holes in the OS (ignoring the fact that there might be other, political reasons to look for security holes one OS rather than another). However as time goes on, we should expect the number of users of Debian (and GNU/Linux in general) to increase, hence the number of people discovering and fixing security holes will go up in proportion. This is the 'many eyeballs' effect. this will lead to GNU/Linux becoming ultimately very secure. In contrast the number of people actively looking for security holes in, say windows, is proportional to the amount of money their perpetraitors (sic) are willing to spend in this task. This does not go up in proportion to the number of users. In fact as competition pushes prices down for proprietary offerings, the perpetrators find they have progressively _less_ money to spend on looking for security holes. Ultimately they will get left behind. So we should see that Open Source OSes such as GNU/Linux will become more and more secure at a rate which accelerates much faster than for proprietary OSes. At the moment, we have one OS which is used by 95% of the world's desktops, and scores fairly low on security (although it is improving). On the other hand, we have GNU/Linux which is used on something like 2% of the world's desktops (more on servers), and scores fairly high on security (although it's not perfect). So from this small user-base, we have already benefitted from the 'many eyeballs' effect of Open Source to gain an advantage over the competition in this respect. This advantage can only accelerate, for the reasons I have outlined above. Ultimately we should expect to see Open Source winning on all fronts in terms of reliability, functionality and security. It will never be perfect and there will always be crackers trying to spoil the party, but it will be a lot better than today's situation. We just need to work hard to make this happen sooner rather than later, as it will be a long haul...........

Other distros affected???

[Malc]

Everybody here is talking about an unknown exploit in Debian. What I haven't seen is a discussion on the probability that this might affect other distros too. Is it Debian specific, or Linux, or even UNIX (based on an app) specific? Let's not be complacent here.

Re:Sad day for Debian

but why crack Debian in the first place? here I am stumped, but then I've never fully understood the cracker mentality.

I think it is just part of something bigger. There have been more cracking incidents regarding Free Software.

Somebody tried to insert a backdoor on Linux recently and the GNU repository was attacked too. IMHO, whoever did this was trying to get a backdoor on debian (just in case this exploit is closed, or maybe a more powerful/remote or subtler one) or at least waiting for an oportunity to do so without being detected. I wouldn't be surprised if this local root exploit happened to be used to gain access to the kernel.org repositories.

By inserting one hole in only one piece of software (linux, debian installer, init, etc) it would be possible to 0wn a BIG amount of machines. It makes perfect sense to me.

the unknown

[maximilln]

This is really the heart of the issue: the unknown exploits. I've often been at the forefront of theorizing about possible vectors for unknown exploits. I'm usually flamed severely for it. The fact of the matter is that these unknown exploits exist and people need to be ready to deal with them.

If a "bad" hacker comes up with a new root exploit he's not going to e-mail all of the "good" hackers and let them know. He's going to make use of it mercilessly until he's noticed and caught. Microsoft ignores this issue outright and the OSS community tends to skate around it. If the computing public as a whole knew the facts about security then McAfee and Norton wouldn't even be in business. "Updating virus definitions" twice a week is still going to be ten weeks behind the hardcore caffeinated malicious hacker.

The OSS community has dealt with this issue in the most productive manner possible: complete openness and timely notice. Microsoft, on the other hand, would happily allow millions of users to remain compromised for months or years until their internal programmers manage to find the "unknown local root exploit". This could easily result in identities and credit card numbers stolen, bank accounts infiltrated, and possibly even malicious interference with real life relationships and employers just for fun.

Should the software manufacturer be liable? No. Should the user be entitled to know? Yes.

The OSS community is the only solution which addresses this situation correctly.

What debian's not said, clarifications speculation

[fw3]

I beleive the additional details of this exploit are roughly:

A debian developer (who I'm not going to name but it's not exactly a secret) revealed his password by logging into some machine that had been rooted. Shame on him for using the same password, and the Debian project for not policing that kind of thing. (That said, people do this all the time, even people who do/ought to know better.)

The password 'sniffing' being referenced is not sniffing network packets but rather session IO. If you read the 'developer cleanup' instructions it will be clear that they beleive that the 4 dev boxes that were rooted were being used to collect account and password info from developer's sessions. (Another procedure error, the systems in question probably should not be allowing users with shell access to ssh out to other machines.)

There has been a LOT of speculation that there's a privilege-escalation vulnerability in the kernel version running on the target systems and/or up to the 2.4.22 kernel (I'm dubious, however 2.4.23 has just been released today so who knows).

As many here and elsewhere have wondered, it seems unlikely that a 'kiddie would have access to somthing not yet observed in the wild, and if this is the work of more capable 'bad guys' then it seems equally unlikely that they would have been so noisy as to have been caught in less than a day.

Leaving us really not knowing much about the state of either debian or the kernel at this time. I certainly hope that a more complete complete 'explantaion' will be coming, hopefully soon.