Slashdot Mirror


Debian Server Compromised

Security News writes "According to a post on the debian-devel-announce mailing list "Early this morning we discovered that someone had managed to compromise gluck.debian.org. We've taken the machine offline and are preparing to reinstall it. " gluck is a core development machine."


  1. Once is ok, but twice is too much... by ModernGeek · · Score: 3, Insightful

    ...first we had the hack into the repository servers, and we didn't know whether or not we are running exploited code when we use apt-get to update our programs. Now it seems that internal development machines are being hacked. If the debian team cannot keep their own products secure in their own environments, how can we expect to take them seriously in the enterprise? Granted this was on a development branch and development server, but how many times do you have to upgrade to an "experimental" package to get a function or feature that you need to have in your setup? I might be spreading FUD, but I think I speak for the rest of us when I speak of this vibe I feel from debian.

    --
    Sig: I stole this sig.
    1. Re:Once is ok, but twice is too much... by lawpoop · · Score: 5, Insightful

      You know, the difference between open source and closed source software is that with open source, *we know what's going on*. Debian admins are being very bold and forthright in stating that the machine was hacked.

      How many times has windowsupdate.microsoft.com been hacked? Zero? How would you know? What incentives ( and disincentives ) does Microsoft have to tell us if such a thing were to happen?

      So if corporate America wants to trust a black box, let 'em. There's no convincing them anyway.

      --
      Computers are useless. They can only give you answers.
      -- Pablo Picasso
    2. Re:Once is ok, but twice is too much... by The+Bungi · · Score: 4, Insightful
      That's nice, but it's usually hard to prove a negative. How do you know RedHat or SUSE haven't been hacked? Because they haven't told you? How can you be sure?

      Oh and BTW, Windows updates are signed, so even if someone managed to crack into it the packages would not install.

    3. Re:Once is ok, but twice is too much... by winkydink · · Score: 2, Insightful

      Diverting attention from a problem by pointing out the flaws of others is not really helpful.

      Yeah, "we know what's going on", just as soon as somebody diffs a bazillion lines of code against a known-good repository. Until the Debian team announces that tidbit of info, the only security you have is the "false sense of" kind.

      --

      "I'd rather be a lightning rod than a seismometer." -Ken Kesey

    4. Re:Once is ok, but twice is too much... by Mathinker · · Score: 2, Insightful

      Your point about non-OSS being more of a "black box" because of commercial disincentives is OK, but you compared a Debian development machine to windowsupdate.microsoft.com which is stupid considering both that Debian and Microsoft sign their releases.

      This compromise is more like Microsoft's internal development network being compromised, which has happened.

      Unless, of course, the current compromise includes Debian's private key, which I doubt.

    5. Re:Once is ok, but twice is too much... by dzym · · Score: 2, Insightful

      If the server actually holding the code is compromised, a hacked apt-get that accepts bogus keys is probably going to be the least of your worries.

    6. Re:Once is ok, but twice is too much... by _Sprocket_ · · Score: 5, Insightful

      The point being that digitally signed binaries aren't a guarantee. They're darned nice. Makes things more difficult to slip in a rogue binary. But they're not the end-all, be-all in assuring some rogue code isn't slipped in there somewhere.

      And yes - that goes for closed, proprietary software houses as well as the public, open groups.

    7. Re:Once is ok, but twice is too much... by asuffield · · Score: 5, Insightful
      > If the debian team cannot keep their own products secure in their own environments, how can we expect to take them seriously in the enterprise?

      The previous attack was one that can be applied against any platform: somebody used their password over an unencrypted channel (presumably a non-Debian channel, since all the project ones should be encrypted), and somebody else sniffed it and used it to gain access. You can't really do anything about that.

      The secondary attack was a local kernel exploit that was first discovered when it was used to attack the debian.org hosts. The attacker(s) came up with something genuinely new (the brk() exploit), there's not a great deal to be done about that either. While the Debian team did make a few mistakes that were cleaned up at that time, none of them were involved in the attack - it wasn't admin error, like you imply.

      Goodness knows what this one was.
    8. Re:Once is ok, but twice is too much... by Nik+Picker · · Score: 4, Insightful

      Conversely, we know nothing about the code we buy from proprietary developers, nor do we (or most likely they) know anything about the code in the third-party libraries that may have been included in the purchased application. We know nothing about the security of the servers providing the updates nor the features included in those updates. We KNOW NOTHING. Yet we accept, almost glibly, the standards and security of those systems, accepting that since it's for enterprise it must be more reliable.

      So when a group of administrators working on a server which provides software and updates to products for which you can read and see the content and know the features is compromised, you feel it's poor quality.

      It seems the effort and the acceptance of responsibility do nothing more than increase the level with which we should be accepting these open systems. They appear to have a demonstrably better level of reporting and culpability than many closed servers.

      --
      And that's why Firecrackers and kittens don't mix.
    9. Re:Once is ok, but twice is too much... by zCyl · · Score: 4, Insightful

      > first we had the hack into the repository servers, and we didn't know whether or not we are running exploited code when we use apt-get to update our programs

      If only there were some tool anyone in the world could use to assess the difference between source versions to see if anything malicious had been inserted...

    10. Re:Once is ok, but twice is too much... by Barbwired · · Score: 2, Insightful

      > Even better, on the hacked *dev* machine one just needs to hack the compilers

      AFAIK, gluck.debian.org is not a development machine, it is mainly a webserver that hosts web pages.

      --
      Geeks aren't made, we are born like that by default
    11. Re:Once is ok, but twice is too much... by Anonymous Coward · · Score: 1, Insightful

      >but with a compromised dev machine, one could patch in back door code that gets signed as valid.

      Assuming that the only copy of the source was on that one machine. It's pretty easy to tell if two copies of the source are different and I reckon it would be pretty easy to tell which one was suspect, probably the one on the box that was hacked. Now this might be totally different if the development took place in a closed environment but in this case I can't see how it could possibly be a problem.
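      As an added illustration of the "diff it against a known-good copy" point made in this thread (example code, not from the original posts or the Debian project): a small Python script that hashes every file in two source trees and reports what was added, removed or changed on the suspect side. The two trees are constructed inline for the example.

      ```python
      import hashlib
      import tempfile
      from pathlib import Path


      def _digest_tree(root: Path) -> dict:
          """Map each regular file (path relative to root) to its SHA-256 digest.
          Content hashes are used rather than size or mtime, since both of those
          can be set to match the original on a tampered file."""
          digests = {}
          for path in sorted(Path(root).rglob("*")):
              if path.is_file() and not path.is_symlink():
                  rel = path.relative_to(root).as_posix()
                  digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
          return digests


      def compare_trees(known_good: Path, suspect: Path) -> dict:
          """Compare a copy taken off the compromised host against a trusted copy.
          Returns files present only on the suspect side, only on the trusted
          side, and files whose contents differ."""
          good = _digest_tree(Path(known_good))
          bad = _digest_tree(Path(suspect))
          return {
              "added": sorted(set(bad) - set(good)),
              "removed": sorted(set(good) - set(bad)),
              "modified": sorted(p for p in good.keys() & bad.keys() if good[p] != bad[p]),
          }


      def build_sample_trees() -> tuple:
          """Constructed sample (not real Debian sources): a trusted tree and a copy
          from the 'hacked' box with one file altered and one file planted."""
          base = Path(tempfile.mkdtemp(prefix="treecmp-"))
          good, bad = base / "known_good", base / "suspect"
          for root in (good, bad):
              (root / "src").mkdir(parents=True)
              (root / "src" / "main.c").write_text("int main(void) { return 0; }\n")
              (root / "configure").write_text("#!/bin/sh\nexit 0\n")
          # Tampering on the suspect copy: one changed byte, one extra file.
          (bad / "src" / "main.c").write_text("int main(void) { return 1; }\n")
          (bad / "src" / "helper.c").write_text("/* planted */\n")
          return good, bad


      if __name__ == "__main__":
          g, b = build_sample_trees()
          for kind, files in compare_trees(g, b).items():
              print(f"{kind}: {files}")
      ```

      A real comparison would use a trusted copy fetched from a mirror or backup made before the intrusion, not a second copy from the same host.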

    12. Re:Once is ok, but twice is too much... by LWATCDR · · Score: 1, Insightful

      Ummm... How was it hacked? I thought Debian was an ultra stable distro that placed security and stability over cutting edge?
      Yes this does worry me a good deal.

      --
      See my blog http://ilovecookes.blogspot.com/ for light hearted technical information.
    13. Re:Once is ok, but twice is too much... by GmAz · · Score: 1, Insightful

      Oh look, a linux fanboy defends linux by saying that it was bold that the admins told us they were hacked. Now it's ok because we know. A Windows server gets hacked and it's laughter and pointing of fingers with more laughing to continue. I have a feeling this is just one of the first linux hacking jobs. Hackers have realized that Windows is hackable and they are moving their attention to linux.

      --
      Click Click Bloody Click PANCAKES!
  2. Try an alternative by Anonymous Coward · · Score: 0, Insightful
  3. Perhaps now. by DAldredge · · Score: 2, Insightful

    Perhaps now they will spend less time griping about Ubuntu and more time working on their security.

  4. This has been said before... by ModernGeek · · Score: 2, Insightful

    ...but with your high UID, I'm going to assume you don't know this already. The attitude that you possess is what used to plague the old open source world to the point that no utility or tool would be used in the enterprise. After a while, the open source maturity matured and everyone came to the realization that these things need to be taken care of, and that even though the open source software is free, you need to treat the users of that software as if they are paying customers. There is reward. Donations and other things can up your credibility to the point of a serious career. Soon enough, a history in the world of open source will guarantee one a job in the enterprise, because university diplomas don't seem to be working when it comes to judging one's capabilities. Change your perspective.

    --
    Sig: I stole this sig.
    1. Re:This has been said before... by Spliffster · · Score: 3, Insightful

      i second that and would add: any commercial os vendor would just never tell you when this happens (except when the stolen source code is being published on the net, heh).

  5. Re:Oh no by eeg3 · · Score: 5, Insightful

    More like, now they have to verify that no backdoors or other malicious code were inserted.

  6. Re:So what does that mean? by dbcad7 · · Score: 1, Insightful
    Considering the times posted.., not sure if redundant was a justified mod. Maybe a "jinx, owe me a coke" mod would be more appropriate, when identical posts are within 2 minutes.

    oops.. now I'll get modded offtopic.

    --
    waiting for ad.doubleclick.net
  7. Re:Question by macemoneta · · Score: 4, Insightful

    I use Fedora Core, and know that there are (at least) a couple of features active in the distribution to address zero-day exploits; ExecShield and SELinux (or other mandatory access control system).

    I have not used Debian; are these security facilities part of the distribution? If not, perhaps they should be given an expedited path.

    --

    Can You Say Linux? I Knew That You Could.

  8. Re:Good thing... by GoRK · · Score: 4, Insightful

    Well I suppose you probably know this but for the others out there who may miss the subtlety ---

    Ubuntu draws sources heavily from the unstable and/or testing branches of Debian in order to devote more time and energy to testing and the important fixed-length release cycle. They also are partially reliant on the Debian project for security updates. There would be little to no forward movement of Ubuntu currently without the Debian project. Indeed this may change as time goes on, but to me there are a lot of benefits to this model and I hope they stick with it. Previously most every debian-derived distribution has perished by trying to shed their ties and reliance on the core Debian project.

  9. Re:I refuse to belive this by CaptainTux · · Score: 4, Insightful

    Your sarcasm is a bit silly. I don't believe the article even mentions that this was an OS level attack. Most likely, and from the fact that they pulled all these services offline, the attack happened on a piece of software running on the OS and wasn't a problem with the OS itself. So they didn't hack Linux. They hacked a service. Probably.

    --
    Anthony Papillion
    Advanced Data Concepts, Inc.
    "Quality Custom Software and IT Services"
  10. Why all the flak? by Dryanta · · Score: 5, Insightful

    Hey I'm sure that everyone working on Debian's dev servers has a lower uid than most of us, and I find the flak to really be undeserved. It's Linux not OpenBSD; the focus of the operating system favors usability over security. If you don't like it, move to a bsd or commercial *nix platform. Also, any machine that maintains services will eventually obtain some sort of vulnerability even with heavy-handed administration and monitoring. I think the speed at which the compromise was detected in addition to the service being taken offline immediately is cause for thanks to the security team!

    1. Re:Why all the flak? by HiThere · · Score: 2, Insightful

      > Why all the flak?

      Because heroes aren't allowed to have flaws. Read your Greek myths. If a hero is found to have a flaw, he will be destroyed. (P.S.: They are all found to be flawed.)

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
  11. Re:At risk of stating the obvious... by Anonymous Coward · · Score: 2, Insightful

    Yes, at risk of stating the obvious, you stated the obvious. It's unfair to claim that Debian developers are "trying to cover themselves somewhat" just because they didn't state the obvious.

  12. Re:Again? by stevey · · Score: 2, Insightful

    It happened once in 2003, but I can't recall any other incidents. That time it was a previously unknown Linux kernel hole which was used to gain root along with a sniffed password.

    This time it looks like another kernel hole - but we've not had public confirmation. Could have been an exploit for CVE-2006-2451...

  13. Gluck is not the core machine by NoGoodNicks · · Score: 2, Insightful

    Gluck is not a "core" machine, not even a special development system. It has been abandoned as CVS server by most subprojects since they moved to the Alioth service. The most important task was the homepage server.

  14. Re:Oh no by erichschubert · · Score: 2, Insightful

    The bad news is:
    they'll eventually find all their source code in there. Verbatim.
    In /dev/random

    Fortunately, we still have some thousand years until they're done with sighting that data.

    --
    Debian GNU/Linux - apt-get into it.