Slashdot Mirror


Debian Server Compromised

Security News writes "According to a post on the debian-devel-announce mailing list: 'Early this morning we discovered that someone had managed to compromise gluck.debian.org. We've taken the machine offline and are preparing to reinstall it.' gluck is a core development machine."

11 of 349 comments

  1. Re:Once is ok, but twice is too much... by lawpoop · Score: 5, Insightful

    You know, the difference between open source and closed source software is that with open source, *we know what's going on*. Debian admins are being very bold and forthright in stating that the machine was hacked.

    How many times has windowsupdate.microsoft.com been hacked? Zero? How would you know? What incentives ( and disincentives ) does Microsoft have to tell us if such a thing were to happen?

    So if corporate America wants to trust a black box, let 'em. There's no convincing them anyway.

    --
    Computers are useless. They can only give you answers.
    -- Pablo Picasso
  2. Re:Once is ok, but twice is too much... by The Bungi · Score: 4, Insightful
    That's nice, but it's usually hard to prove a negative. How do you know RedHat or SUSE haven't been hacked? Because they haven't told you? How can you be sure?

    Oh and BTW, Windows updates are signed, so even if someone managed to crack into it the packages would not install.

  3. Re:Oh no by eeg3 · Score: 5, Insightful

    More like, now they have to verify that no backdoors or other malicious code were inserted.

  4. Re:Question by macemoneta · Score: 4, Insightful

    I use Fedora Core, and know that there are (at least) a couple of features active in the distribution to address zero-day exploits; ExecShield and SELinux (or other mandatory access control system).

    I have not used Debian; are these security facilities part of the distribution? If not, perhaps they should be given an expedited path.

    --

    Can You Say Linux? I Knew That You Could.

  5. Re:Good thing... by GoRK · Score: 4, Insightful

    Well I suppose you probably know this but for the others out there who may miss the subtlety ---

    Ubuntu draws sources heavily from the unstable and/or testing branches of Debian in order to devote more time and energy to testing and the important fixed-length release cycle. They also are partially reliant on the Debian project for security updates. There would be little to no forward movement of Ubuntu currently without the Debian project. Indeed this may change as time goes on, but to me there are a lot of benefits to this model and I hope they stick with it. Previously most every debian-derived distribution has perished by trying to shed their ties and reliance on the core Debian project.

  6. Re:I refuse to believe this by CaptainTux · Score: 4, Insightful

    Your sarcasm is a bit silly. I don't believe the article even mentions that this was an OS-level attack. Most likely, and from the fact that they pulled all these services offline, the attack happened on a piece of software running on the OS and wasn't a problem with the OS itself. So they didn't hack Linux. They hacked a service. Probably.

    --
    Anthony Papillion
    Advanced Data Concepts, Inc.
    "Quality Custom Software and IT Services"
  7. Why all the flak? by Dryanta · Score: 5, Insightful

    Hey, I'm sure that everyone working on Debian's dev servers has a lower uid than most of us, and I find the flak to really be undeserved. It's Linux, not OpenBSD; the focus of the operating system favors usability over security. If you don't like it, move to a BSD or commercial *nix platform. Also, any machine that maintains services will eventually obtain some sort of vulnerability even with heavy-handed administration and monitoring. I think the speed at which the compromise was detected, in addition to the service being taken offline immediately, is cause for thanks to the security team!

  8. Re:Once is ok, but twice is too much... by _Sprocket_ · Score: 5, Insightful

    The point being that digitally signed binaries aren't a guarantee. They're darned nice. Makes things more difficult to slip in a rogue binary. But they're not the end-all, be-all in assuring some rogue code isn't slipped in there somewhere.

    And yes - that goes for closed, proprietary software houses as well as the public, open groups.
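    As an added illustration of what a signed repository does and does not guarantee (an editor's example, not code from the thread or from Debian): a constructed, simplified model of apt's Release -> Packages -> .deb hash chain. The Release signature check itself is assumed to have passed and is not implemented; the file contents, package name and path are made up for the example.

```python
import hashlib
import re

# Constructed, simplified apt-style metadata; not real Debian files.
# In apt the Release file is covered by a detached OpenPGP signature
# (Release.gpg or InRelease); that signature check is assumed to have
# passed before verify_chain() runs and is not implemented here.

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_repo(deb: bytes, filename: str):
    """Publish one .deb: the Packages index pins the .deb hash and the
    Release file pins the index hash, mirroring apt's hash chain."""
    packages = (
        b"Package: example-tool\nVersion: 1.0-1\n"
        b"Filename: " + filename.encode() + b"\n"
        b"SHA256: " + sha256(deb).encode() + b"\n\n"
    )
    release = (b"SHA256:\n " + sha256(packages).encode()
               + b" %d main/binary-i386/Packages\n" % len(packages))
    return release, packages

def index_hash_from_release(release: bytes) -> str:
    """Hash the (signed) Release file records for the Packages index."""
    m = re.search(rb"^ ([0-9a-f]{64}) +\d+ main/binary-i386/Packages$",
                  release, re.M)
    return m.group(1).decode() if m else ""

def deb_hash_from_index(packages: bytes, filename: str) -> str:
    """Hash the Packages index records for the .deb at `filename`."""
    for stanza in packages.split(b"\n\n"):
        if b"Filename: " + filename.encode() + b"\n" in stanza:
            m = re.search(rb"^SHA256: ([0-9a-f]{64})$", stanza, re.M)
            return m.group(1).decode() if m else ""
    return ""

def verify_chain(release, packages, deb, filename) -> bool:
    """True only if the index matches Release and the .deb matches the
    index.  This proves the .deb is what the key holder signed, nothing
    more: a backdoored build signed through the normal process passes."""
    if index_hash_from_release(release) != sha256(packages):
        return False
    return deb_hash_from_index(packages, filename) == sha256(deb)
```

    A mirror that swaps the .deb or the index fails the check because the Release file it cannot re-sign still pins the old hashes; a trojaned package that was built and signed through the normal process verifies cleanly, which is the point made above.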

  9. Re:Once is ok, but twice is too much... by asuffield · Score: 5, Insightful

    If the debian team cannot keep their own products secure in their own environments, how can we expect to take them seriously in the enterprise?

    The previous attack was one that can be applied against any platform: somebody used their password over an unencrypted channel (presumably a non-Debian channel, since all the project ones should be encrypted), and somebody else sniffed it and used it to gain access. You can't really do anything about that.

    The secondary attack was a local kernel exploit that was first discovered when it was used to attack the debian.org hosts. The attacker(s) came up with something genuinely new (the brk() exploit); there's not a great deal to be done about that either. While the Debian team did make a few mistakes that were cleaned up at that time, none of them were involved in the attack - it wasn't admin error, as you imply.

    Goodness knows what this one was.
  10. Re:Once is ok, but twice is too much... by Nik Picker · Score: 4, Insightful

    Conversely, we know nothing about the code we buy from proprietary developers, nor do we (or most likely they) know anything about the code in the third-party libraries that may have been included in the purchased application. We know nothing about the security of the servers providing the updates nor the features included in those updates. We KNOW NOTHING. Yet we accept, almost glibly, the standards and security of those systems, accepting that since it's for enterprise it must be more reliable.

    So when a group of administrators working on a server which provides software and updates to products, for which you can read and see the content and know the features, is compromised, you feel it's poor quality.

    It seems the effort and the acceptance of responsibility do nothing more than increase the level at which we should be accepting these open systems. They appear to have a demonstrably better level of reporting and culpability than many closed servers.

    --
    And that's why firecrackers and kittens don't mix.
  11. Re:Once is ok, but twice is too much... by zCyl · Score: 4, Insightful

    First we had the hack into the repository servers, and we didn't know whether or not we were running exploited code when we used apt-get to update our programs.

    If only there were some tool anyone in the world could use to assess the difference between source versions to see if anything malicious had been inserted...