Slashdot Mirror

← Back to Stories (view on slashdot.org)

Debian Server Compromised

Posted by ryuzaki0 on from the fox-in-the-henhouse dept.

Security News writes "According to a post on the debian-devel-announce mailing list "Early this morning we discovered that someone had managed to compromise gluck.debian.org. We've taken the machine offline and are preparing to reinstall it. " gluck is a core development machine."

13 of 349 comments (clear)

  1. Once is ok, but twice is too much... by ModernGeek · · Score: 3, Insightful

    ...first we had the hack into the repository severs, and we didn't know whether or not we are running exploited code when we use apt-get to update our programs. Now it seems that internal development machines are being hacked. If the debian team cannot keep their own products secure in their own environments, how can we expect to take them seriously in the enterprise? Granted this was on a development branch and development server, but how many times do you have to upgrade to an "experimental" package to get a function or feature that you need to have in your setup? I might be spreading FUD, but I think I speak for the rest of us when I speak of this vibe I feel from debian.

    --
    Sig: I stole this sig.
    1. Re:Once is ok, but twice is too much... by lawpoop · · Score: 5, Insightful

      You know, the difference between open source and closed source software is that with open source, *we know what's going on*. Debian admins are being very bold and forthright in stating that the machine was hacked.

      How many times has windowsupdate.microsoft.com been hacked? Zero? How would you know? What incentives ( and disincentives ) does Microsoft have to tell us if such a thing were to happen?

      So if corporate America wants to trust a black box, let 'em. There's no convincing them anyway.

      --
      Computers are useless. They can only give you answers.
      -- Pablo Picasso
    2. Re:Once is ok, but twice is too much... by The+Bungi · · Score: 4, Insightful
      That's nice, but it's usually hard to prove a negative. How do you know RedHat or SUSE haven't been hacked? Because they haven't told you? How can you be sure?

      Oh and BTW, Windows updates are signed, so even if someone managed to crack into it the packages would not install.

    3. Re:Once is ok, but twice is too much... by _Sprocket_ · · Score: 5, Insightful

      The point being that digitally signed binaries aren't a guarantee. They're darned nice. Makes things more difficult to slip in a rogue binary. But they're not the end-all, be-all in assuring some rogue code isn't slipped in there somewhere.

      And yes - that goes for closed, proprietary software houses as well as the public, open groups.

    4. Re:Once is ok, but twice is too much... by asuffield · · Score: 5, Insightful
      If the debian team cannot keep their own products secure in their own environments, how can we expect to take them seriously in the enterprise?


      The previous attack was one that can be applied against any platform: somebody used their password over an unencrypted channel (presumably a non-Debian channel, since all the project ones should be encrypted), and somebody else sniffed it and used it to gain access. You can't really do anything about that.

      The secondary attack was a local kernel exploit that was first discovered when it was used to attack the debian.org hosts. The attacker(s) came up with something genuinely new (the brk() exploit), there's not a great deal to be done about that either. While the Debian team did make a few mistakes that were cleaned up at that time, none of them were involved in the attack - it wasn't admin error, like you imply.

      Goodness knows what this one was.
    5. Re:Once is ok, but twice is too much... by Nik+Picker · · Score: 4, Insightful

      Converserly, We know nothing about the code we buy from propriatery developer nor do we ( or most likely they ) know anything about the code in the thridparty libraries that may have been included inthe purchased application. We know nothing about the security of the servers providing the updates nor the features included in those updates. We KNOW NOTHING. Yet we accept , almost glibly, the stanards and security of those systems accepting that since its for enterprise it must me more reliable.

      So when an group of administrators working on a server which provides software and updates to products for which you can read and see the content and know the features is compromised, you feel its poor quality.

      it seems the effort and the acceptance of responsibility do nothing more than increase the level with which we should be accepting these open systems. They appear to have a demonstrably better level of reporting and culpability than many closed servers.

      --
      And thats why Firecrackers and kittens don't mix.
    6. Re:Once is ok, but twice is too much... by zCyl · · Score: 4, Insightful

      first we had the hack into the repository severs, and we didn't know whether or not we are running exploited code when we use apt-get to update our programs

      If only there were some tool anyone in the world could use to assess the difference between source versions to see if anything malicious had been inserted...

  2. Re:Oh no by eeg3 · · Score: 5, Insightful

    More like, now they have to verify that no backdoors or other malicious code were inserted.

  3. Re:Question by macemoneta · · Score: 4, Insightful

    I use Fedora Core, and know that there are (at least) a couple of features active in the distribution to address zero-day exploits; ExecShield and SELinux (or other mandatory access control system).

    I have not used Debian; are these security facilities part of the distribution? If not, perhaps they should be given an expedited path.

    --

    Can You Say Linux? I Knew That You Could.

  4. Re:Good thing... by GoRK · · Score: 4, Insightful

    Well I suppose you probably know this but for the others out there who may miss the subtlety ---

    Ubuntu draws sources heavily from the unstable and/or testing branches of Debian in order to devote more time and energy to testing and the important fixed-length release cycle. They also are partially reliant on the Debian project for security updates. There would be little to no forward movement of Ubuntu currently without the Debian project. Indeed this may change as time goes on, but to me there are a lot of benefits to this model and I hope they stick with it. Previously most every debian-derived distribution has perished by trying to shed their ties and reliance on the core Debian project.

  5. Re:I refuse to belive this by CaptainTux · · Score: 4, Insightful

    Your sarcasm is a bit silly. I don't believe the article even mentions that this was an OS leval attack. Most likely, and from the fact that they pulled all these services offline, the attack happened on a piece of software running on the OS and wasn't a problem with the OS itself. So the didn't hack Linux. They hacked a service. Probably.

    --
    Anthony Papillion
    Advanced Data Concepts, Inc.
    "Quality Custom Software and IT Services"
  6. Why all the flak? by Dryanta · · Score: 5, Insightful

    Hey I'm sure that everyone working on Debian's dev servers have lower uids than most of us, and I find the flak to really be undeserved. It's Linux not OpenBSD; the focus of the operating system favors usability over security. If you don't like it, move to a bsd or commercial *nix platform. Also, any machine that maintains services will eventually obtain some sort of vulnerability even with heavy-handed administration and monitoring. I think the speed at which the compromise was detected in addition to the service being taken offline immediately is cause for thanks to the security team!

  7. Re:This has been said before... by Spliffster · · Score: 3, Insightful

    i second that and would add: any commercial os vendor would just never tell you wenn this happens (except the stolen source code is beeing published on the net, heh).