Slashdot Mirror


Debian Server Compromised

Security News writes "According to a post on the debian-devel-announce mailing list "Early this morning we discovered that someone had managed to compromise gluck.debian.org. We've taken the machine offline and are preparing to reinstall it. " gluck is a core development machine."


  1. Oh no by Anonymous Coward · · Score: 5, Funny

    Oh no, now they have access to all the Debian source!

    1. Re:Oh no by NadNad · · Score: 5, Funny

      Maybe it's SCO, trying to find their code buried in linux...

    2. Re:Oh no by eeg3 · · Score: 5, Insightful

      More like, now they have to verify that no backdoors or other malicious code were inserted.

    3. Re:Oh no by Anonymous Coward · · Score: 5, Funny

      Forget running Debian Unstable. Debian Compromised is where it's at.

    4. Re:Oh no by Aranth+Brainfire · · Score: 4, Funny

      It doesn't matter, just email them to whoever you like and the maintainer will get them anyway.

      --
      "Quoting yourself is stupid." -Me
    5. Re:Oh no by kdemetter · · Score: 2, Funny

      No need. If the backdoor was installed, your machine can be patched remotely.

      Now that's easy :-)

    6. Re:Oh no by rolfwind · · Score: 3, Funny

      They should look under /dev/null, it happens to be the same place their case is headed soon:)

    7. Re:Oh no by DMNT · · Score: 2, Funny

      No, it was SCO trying to bury their code in linux...

      --
      ?SYNTAX ERROR
    8. Re:Oh no by creepynut · · Score: 2, Funny

      "They got into our machine sir, but all they did was run apt-get update and apt-get upgrade. Phew, that was close!"

    9. Re:Oh no by erichschubert · · Score: 2, Insightful

      The bad news is:
      they'll eventually find all their source code in there. Verbatim.
      In /dev/random

      Fortunately, we still have some thousand years until they're done with sighting that data.

      --
      Debian GNU/Linux - apt-get into it.
    10. Re:Oh no by walstib · · Score: 2, Informative

      In related stories: Microsoft Windows Servers remain secure.

      --
      The most dangerous strategy is to jump a chasm in two leaps. - Benjamin Disraeli
  2. Once is ok, but twice is too much... by ModernGeek · · Score: 3, Insightful

    ...first we had the hack into the repository servers, and we didn't know whether or not we were running exploited code when we used apt-get to update our programs. Now it seems that internal development machines are being hacked. If the Debian team cannot keep their own products secure in their own environments, how can we expect to take them seriously in the enterprise? Granted this was on a development branch and development server, but how many times do you have to upgrade to an "experimental" package to get a function or feature that you need to have in your setup? I might be spreading FUD, but I think I speak for the rest of us when I speak of this vibe I feel from Debian.

    --
    Sig: I stole this sig.
    1. Re:Once is ok, but twice is too much... by lawpoop · · Score: 5, Insightful

      You know, the difference between open source and closed source software is that with open source, *we know what's going on*. Debian admins are being very bold and forthright in stating that the machine was hacked.

      How many times has windowsupdate.microsoft.com been hacked? Zero? How would you know? What incentives ( and disincentives ) does Microsoft have to tell us if such a thing were to happen?

      So if corporate America wants to trust a black box, let 'em. There's no convincing them anyway.

      --
      Computers are useless. They can only give you answers.
      -- Pablo Picasso
    2. Re:Once is ok, but twice is too much... by The+Bungi · · Score: 4, Insightful
      That's nice, but it's usually hard to prove a negative. How do you know RedHat or SUSE haven't been hacked? Because they haven't told you? How can you be sure?

      Oh and BTW, Windows updates are signed, so even if someone managed to crack into it the packages would not install.

    3. Re:Once is ok, but twice is too much... by Josh+Triplett · · Score: 5, Informative
      first we had the hack into the repository servers, and we didn't know whether or not we are running exploited code when we use apt-get to update our programs.

      No, we didn't. The server holding the Debian archive did not succumb to the exploit, because it didn't run on an x86 machine and the people exploiting it only attempted to run x86 code. Furthermore, data on the servers that *did* succumb to the exploit got checked before it became available again.
    4. Re:Once is ok, but twice is too much... by sqlrob · · Score: 3, Interesting

      Oh and BTW, Windows updates are signed, so even if someone managed to crack into it the packages would not install.

      Are you sure about that? Remember, the MS network was compromised a while as well. Do you trust their auditing?

    5. Re:Once is ok, but twice is too much... by YU+Nicks+NE+Way · · Score: 5, Informative

      You do understand that everything downloaded from update.microsoft.com needs to be digitally signed, right? In order to actually subvert the downloads, an attacker would not only need to take over the system, but would also need to sign the modified download with a Microsoft key. That's hard: the private keys for signing code are kept on a machine inside a SKIF. Last time I checked, code was taken to be signed by sneakernet, so that there would be a physical airgap between the network and the signing system.

    6. Re:Once is ok, but twice is too much... by B3ryllium · · Score: 3, Funny

      Mwuahahahha! Perfect place to ply the first-ever Carrier Pigeon Protocol hack!

    7. Re:Once is ok, but twice is too much... by winkydink · · Score: 2, Insightful

      Diverting attention from a problem by pointing out the flaws of others is not really helpful.

      Yeah, "we know what's going on", just as soon as somebody diffs a bazillion lines of code against a known-good repository. Until the Debian team announces that tidbit of info, the only security you have is the "false sense of" kind.

      --

      "I'd rather be a lightning rod than a seismometer." -Ken Kesey

    8. Re:Once is ok, but twice is too much... by Waffle+Iron · · Score: 3, Interesting

      If you remember, the incident in question involved someone loose for weeks or months on Microsoft's internal networks before they were discovered. It wouldn't have been impossible for them to modify the code before it got signed. Microsoft had to spend a great deal of effort to try to verify that such a thing didn't actually happen.

    9. Re:Once is ok, but twice is too much... by SnowZero · · Score: 3, Informative

      You do understand that everything downloaded from update.microsoft.com needs to be digitally signed, right?

      Btw, Debian also does digital signatures for every package installed (see here). I don't think they have gone as far as having an air-gap, but it does mean that a regular hacking won't be able to silently corrupt packages.

      Debian's system is actually quite cool, since it can check *every* program installed, and not just core OS updates (courtesy of apt controlling 99% of software installation). In fact, you can add additional keys for other package sources (I run some unofficial packages, but those developers also sign their packages with their own keys, so it is covered as well).

    10. Re:Once is ok, but twice is too much... by flacco · · Score: 4, Informative

      but with a compromised dev machine, one could patch in back door code that gets signed as valid.

      --
      pr0n - keeping monitor glass spotless since 1981.
    11. Re:Once is ok, but twice is too much... by Mathinker · · Score: 2, Insightful

      Your point about non-OSS being more of a "black box" because of commercial disincentives is OK, but you compared a Debian development machine to windowsupdate.microsoft.com which is stupid considering both that Debian and Microsoft sign their releases.

      This compromise is more like Microsoft's internal development network being compromised, which has happened.

      Unless, of course, the current compromise includes Debian's private key, which I doubt.

    12. Re:Once is ok, but twice is too much... by The+Bungi · · Score: 2, Funny

      So? The last time GNU.org was rooted they didn't get wind of the break-in until a month after it happened.

    13. Re:Once is ok, but twice is too much... by ComputerizedYoga · · Score: 2, Informative

      Yes. But it really really sucks. A lot. If you're a major control freak (or just like avoiding auto-updates and such) you could probably go that route. Useful for people on dialup ... download important updates, maybe dump them to a jumpdrive or burn a cd when you've got a couple of them.

      I think they also do monthly iso-images that are just compilations of all the update installers in a given month, for the same reason -- not everyone's got a good net connection at home.

    14. Re:Once is ok, but twice is too much... by dzym · · Score: 2, Insightful

      If the server actually holding the code is compromised a hacked apt-get that accepts bogus keys is probably going to be the least of your worries.

    15. Re:Once is ok, but twice is too much... by _Sprocket_ · · Score: 5, Insightful

      The point being that digitally signed binaries aren't a guarantee. They're darned nice. Makes things more difficult to slip in a rogue binary. But they're not the end-all, be-all in assuring some rogue code isn't slipped in there somewhere.

      And yes - that goes for closed, proprietary software houses as well as the public, open groups.

    16. Re:Once is ok, but twice is too much... by rawtatoor · · Score: 2, Funny

      Moderation.... gone... awry

    17. Re:Once is ok, but twice is too much... by asuffield · · Score: 5, Insightful
      If the debian team cannot keep their own products secure in their own environments, how can we expect to take them seriously in the enterprise?


      The previous attack was one that can be applied against any platform: somebody used their password over an unencrypted channel (presumably a non-Debian channel, since all the project ones should be encrypted), and somebody else sniffed it and used it to gain access. You can't really do anything about that.

      The secondary attack was a local kernel exploit that was first discovered when it was used to attack the debian.org hosts. The attacker(s) came up with something genuinely new (the brk() exploit), there's not a great deal to be done about that either. While the Debian team did make a few mistakes that were cleaned up at that time, none of them were involved in the attack - it wasn't admin error, like you imply.

      Goodness knows what this one was.
    18. Re:Once is ok, but twice is too much... by Nik+Picker · · Score: 4, Insightful

      Conversely, we know nothing about the code we buy from a proprietary developer, nor do we (or most likely they) know anything about the code in the third-party libraries that may have been included in the purchased application. We know nothing about the security of the servers providing the updates nor the features included in those updates. We KNOW NOTHING. Yet we accept, almost glibly, the standards and security of those systems, accepting that since it's for enterprise it must be more reliable.

      So when a group of administrators working on a server which provides software and updates to products for which you can read and see the content and know the features is compromised, you feel it's poor quality.

      It seems the effort and the acceptance of responsibility do nothing more than increase the level with which we should be accepting these open systems. They appear to have a demonstrably better level of reporting and culpability than many closed servers.

      --
      And that's why Firecrackers and kittens don't mix.
    19. Re:Once is ok, but twice is too much... by redcane · · Score: 3, Informative

      You can import the appropriate keys using PGP. If I recall correctly a google search for the error messages apt is emitting will find you some discussions on this matter, including fixes.

    20. Re:Once is ok, but twice is too much... by zCyl · · Score: 4, Insightful

      first we had the hack into the repository servers, and we didn't know whether or not we are running exploited code when we use apt-get to update our programs

      If only there were some tool anyone in the world could use to assess the difference between source versions to see if anything malicious had been inserted...

    21. Re:Once is ok, but twice is too much... by mverwijs · · Score: 2, Interesting

      ...only attempted to run x86 code.

      So they hacked in, and only ran x86 code? Sounds like a script kiddie to me.

      /me ponders on the enormity of that thought.

    22. Re:Once is ok, but twice is too much... by Josh+Triplett · · Score: 2, Informative
      Of course, this [1] tells me that it, in fact, *is* an i386 machine. So parent is *wrong*:
      Yes, gluck, the machine compromised recently, uses x86 hardware. My post responded to someone mentioning the 2003 break-in and claiming the archive server got compromised, while in fact the archive server didn't get compromised because it ran on non-x86 hardware.
    23. Re:Once is ok, but twice is too much... by wertarbyte · · Score: 2, Informative
      Oh and BTW, Windows updates are signed, so even if someone managed to crack into it the packages would not install.

      So are Debian packages. Check "man apt-key" about that.

      --
      Life is just nature's way of keeping meat fresh.
    24. Re:Once is ok, but twice is too much... by Barbwired · · Score: 2, Insightful

      > Even better, on the hacked *dev* machine one just needs to hack the compilers

      AFAIK, gluck.debian.org is not a development machine, it is mainly a webserver that hosts web pages.

      --
      Geeks aren't made, we are born like that by default
  3. No fear... by gravyface · · Score: 5, Funny

    It's Debian... they found an old DAT tape from three years ago, restored it, and realised that nothing's changed in the source tree. *ducks*

    --
    body massage!
    1. Re:No fear... by the_humeister · · Score: 5, Funny

      And after recovering the DAT tape from the safe-deposit box at the bank, they went to the ATM machine and entered their PIN numbers to get some money.

    2. Re:No fear... by chill · · Score: 3, Informative

      Well, considering that DAT stands for Digital Audio Tape, I find that a bit unlikely...

      How old are you? Gotta be under 25, easy.

      4mm helical scan DAT tapes were very, very popular for enterprise data backup. Do a quick google on "dat tape backup" and enlighten yourself.

        -Charles

      --
      Learning HOW to think is more important than learning WHAT to think.
    3. Re:No fear... by identity0 · · Score: 2, Funny

      See, if they'd kept the source code on a Microsoft MS Windows machine with NT Technology and NTFS Filesystem, they would have been completely safe. Heck, they could have even placed it on an IBM Machine on a Wireless Wi-Fi hotspot at a Starbucks, with all the code on a USB Bus memory stick, and no one would have been able to touch it!

      I know people around here swear by the GPL Licenced Linux Unix or the BSD Distribution, but we must admit we have been defeated. I, for one, welcome our Debian-cracking overlords.

    4. Re:No fear... by Aneurysm · · Score: 2, Funny

      The poster was referring to redundant acronyms. DAT stands for Digital Audio Tape, so saying that they backed up from a DAT tape is really saying Digital Audio Tape Tape. The poster also lists common redundant acronyms that people use, Personal Identification Number Number and Automated Teller Machine Machine. PIN is the worst, I often hear people talking about their Personal PIN Numbers.

  4. You have my sympathies by Anonymous Coward · · Score: 3, Funny

    Aw man, that's too bad. I think we should all wish the Debian team g'luck.

  5. Perhaps now. by DAldredge · · Score: 2, Insightful

    Perhaps now they will spend less time griping about Ubuntu and more time working on their security.

  6. Question by Frogbert · · Score: 4, Interesting

    I realise that debian stable release has packages that are very old in order to stay stable. Does this mean that they lack patches later versions of programs use? Or are patches typically backported to the stable release packages?

    1. Re:Question by Nutria · · Score: 5, Informative
      I realise that debian stable release has packages that are very old in order to stay stable. Does this mean that they lack patches later versions of programs use? Or are patches typically backported to the stable release packages?

      http://www.debian.org/security/

      Security (not feature) patches are backported if possible, and if the patches are too extensive, an upgraded version goes into Stable.

      --
      "I don't know, therefore Aliens" Wafflebox1
    2. Re:Question by macemoneta · · Score: 4, Insightful

      I use Fedora Core, and know that there are (at least) a couple of features active in the distribution to address zero-day exploits; ExecShield and SELinux (or other mandatory access control system).

      I have not used Debian; are these security facilities part of the distribution? If not, perhaps they should be given an expedited path.

      --

      Can You Say Linux? I Knew That You Could.

  7. This has been said before... by ModernGeek · · Score: 2, Insightful

    ...but with your high UID, I'm going to assume you don't know this already. The attitude that you possess is what used to plague the old open source world to the point that no utility or tool would be used in the enterprise. After a while, the open source maturity matured and everyone came to the realization that these things need to be taken care of, and that even though the open source software is free, you need to treat the users of that software as if they are paying customers. There is reward. Donations and other things can up your credibility to the point of a serious career. Soon enough, a history in the world of open source will guarantee one a job in the enterprise, because university diplomas don't seem to be working when it comes to judging one's capabilities. Change your perspective.

    --
    Sig: I stole this sig.
    1. Re:This has been said before... by kashani · · Score: 4, Funny

      Ahem.

      As a Gentoo user over the age of 30 I'd like to apologize for the under 20 Gentoo user's previous post. I'll slap him around on IRC later. ;-)

      kashani

      --
      - Why is the ninja... so deadly?
    2. Re:This has been said before... by ComputerizedYoga · · Score: 4, Informative

      I've got a lot of other problems with debian which prevent me from using it. However, their security track record is not really one of them. Given the huge project with a very large number of machines and developers, and their long track record with very few incidents, I don't think it's fair to pick too much on this one.

      That, and Gentoo is hardly immune to this sort of thing either.

    3. Re:This has been said before... by Apro+im · · Score: 4, Informative

      That's why, as a l337 hax0r, you can run a mixed system. Nobody stops you from installing unstable packages, right from apt, even! (Check out that -t flag!) Or even better, you can actually build your own source.

      The argument for Gentoo that "I like the idea of building my own source" in the sense of "I like getting down and dirty into my system" is really kind of bull. I ran Gentoo for a while, and I thought they had done some amazing work. Portage/emerge is just amazingly well done, and it's nice to have code that's been optimized for my hardware requirements. It's not exactly scalable (maintaining a large set of diverse hardware is a lot harder), and it can lead to untenable situations and instability, but it's still damn cool. And you know what's really cool about it? It's the convenience of apt, for source packages! Please disabuse yourself of the notion that you are "building your own source" -- the Gentoo maintainers are very diligently, very cleverly packaging the source so that you can specify a set of system parameters and then let it build. If you really want to get nitty gritty, run Slackware (although, I guess they have package management now, too). Gentoo has lots of merits, but the truth is, most Gentoo users know no more or less about how things work than an average Linux user.

      For me, in the end, the speedup I was getting just wasn't making up for the hours it would take each time I ran a system-wide upgrade and the unexpected conflicts because the USE flags that made each package special for MY computer were screwing up MY computer something fierce.

    4. Re:This has been said before... by Spliffster · · Score: 3, Insightful

      I second that and would add: any commercial OS vendor would just never tell you when this happens (except if the stolen source code is being published on the net, heh).

    5. Re:This has been said before... by vadim_t · · Score: 2, Interesting

      Gentoo, IMO, is nice for many reasons that have nothing to do with speed:

      First, USE flags allow precise control of what you want to be installed. If a package supports gnome, and I don't want gnome stuff, I just add "-gnome" in the USE flags. Debian would either force me to install Gnome libraries, or have to provide several versions.

      Second, compiling from source means I can get a benefit from things like stack protection in GCC instead of having to wait for Debian to rebuild every package, which may never happen.

      Third, since Gentoo builds everything from source, if you want to build something yourself, especially things like KDE, you already have all the tools in place. In comparison, in Debian it requires hunting for -dev packages and running ./configure 20 times until it works. There's apt-run, but it's not perfect, and tends to install completely unnecessary compatibility packages and such.

      Also, you can often get versions not in the official repository by simply bumping the ebuild's version number manually.

  8. Things are changing... by ModernGeek · · Score: 5, Funny

    ...they aren't as grim as you may think. Soon enough, universities will be obsolete, and corporations will judge one based on open source contributions. If we all move aggressively toward this stance, the MCSEs will hit the road, and open source pioneers will rule the world of research, development, and jobs all funded by large corporations. All the source will be open, and the developers will work for companies like Verizon and the government as researchers. The same way that students pay universities to do the same thing for them, the difference is that the companies will pay you and you won't be paying a university. A large company that does not employ open source developers will be seen as bad in morale the same way a company is seen as bad for outsourcing manufacturing jobs to Mexico. If we take open source and ourselves seriously, all of this can happen. The old attitude of "don't use it if you don't like it" is going away, and things will be set straight if we push things forward.

    --
    Sig: I stole this sig.
  9. Maybe Debian devs will finally come around by b3x · · Score: 5, Funny

    and move that source repository to a more secure Windows 2003 Server platform.

  10. obligatory: by Anonymous Coward · · Score: 5, Funny

    I felt a great disturbance in the Force, as if millions of nerds suddenly cried out in terror and were suddenly silenced.

  11. What was exploited..? by paulmer2003 · · Score: 3, Interesting

    Does anyone know what in particular was exploited? TFA doesn't give a flying fuck of information.

    1. Re:What was exploited..? by Anonymous Coward · · Score: 2, Informative
      Does anyone know what in particular was exploited?

      Not public information yet. If you're subscribed to debian-devel-announce, you'll be the first to know.

    2. Re:What was exploited..? by keeboo · · Score: 2, Informative

      The announcement says:

      We're still investigating exactly what happened and the extent of the damage.
      We'll post more info as soon as we reasonably can.


      If the ones affected can't say, who can then.
      (yeah, yeah... "the ones who attacked the server").

  12. Re:Good thing... by GoRK · · Score: 4, Insightful

    Well I suppose you probably know this but for the others out there who may miss the subtlety ---

    Ubuntu draws sources heavily from the unstable and/or testing branches of Debian in order to devote more time and energy to testing and the important fixed-length release cycle. They also are partially reliant on the Debian project for security updates. There would be little to no forward movement of Ubuntu currently without the Debian project. Indeed this may change as time goes on, but to me there are a lot of benefits to this model and I hope they stick with it. Previously most every debian-derived distribution has perished by trying to shed their ties and reliance on the core Debian project.

  13. Re:Changelogs by uhoreg · · Score: 4, Informative

    Changelogs don't provide any form of security, and package changelogs have been standard in Debian since many, many years ago. (Long before Ubuntu was a gleam in Mark Shuttleworth's eye.) Changelogs should only be treated as a convenience to the user.

    And apt supports GPG signing of the Release file, which contains an MD5 and SHA-1 hash of the Packages file, which contains MD5 hashes of the packages. (In other words, apt already does package integrity checking.)

    --

    To get something done, a committee should consist of no more than three persons, two of them absent.
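
    The chain uhoreg describes (Release.gpg signs Release, Release carries hashes of Packages, Packages carries hashes of each .deb), walked through as an added example that is not part of this thread or of apt's own code. The Release and Packages texts and the package bytes are constructed samples, and the OpenPGP check of Release.gpg is assumed to have passed already; the code only verifies the hash links beneath it.

```python
"""Added example (not apt's code): verify the Release -> Packages -> .deb hash chain.
Assumes Release.gpg has already been verified against the archive key, so the
Release text can be trusted; everything below is bound to it by hashes only."""
import hashlib
import re

# Release hash-section headers and the hashlib algorithm each one lists.
RELEASE_SECTIONS = {"MD5Sum": "md5", "SHA1": "sha1", "SHA256": "sha256"}


def parse_release_hashes(release_text):
    """Return {algo: {path: (hexdigest, size)}} from a Release file.
    Under 'MD5Sum:'/'SHA1:' each indexed file is an indented '<hex> <size> <path>' line."""
    hashes, current = {}, None
    for line in release_text.splitlines():
        if not line[:1].isspace():
            current = RELEASE_SECTIONS.get(line.split(":", 1)[0])  # header or other field
            continue
        parts = line.split()
        if current is not None and len(parts) == 3:
            hashes.setdefault(current, {})[parts[2]] = (parts[0].lower(), int(parts[1]))
    return hashes


def parse_packages(packages_text):
    """Return {Filename: {field: value}} from a Packages file (blank-line-separated stanzas)."""
    stanzas = {}
    for block in re.split(r"\n\s*\n", packages_text.strip()):
        fields = {}
        for line in block.splitlines():
            if ":" in line and not line[:1].isspace():
                key, value = line.split(":", 1)
                fields[key.strip()] = value.strip()
        if "Filename" in fields:
            stanzas[fields["Filename"]] = fields
    return stanzas


def check_index(release_hashes, index_path, index_bytes):
    """Check an index such as main/binary-i386/Packages against every hash
    Release lists for it. Returns a list of failure reasons (empty means ok)."""
    reasons, listed = [], False
    for algo, entries in release_hashes.items():
        if index_path not in entries:
            continue
        listed = True
        digest, size = entries[index_path]
        if len(index_bytes) != size:
            reasons.append(f"{index_path}: {algo} size mismatch")
        elif hashlib.new(algo, index_bytes).hexdigest() != digest:
            reasons.append(f"{index_path}: {algo} digest mismatch")
    if not listed:
        reasons.append(f"{index_path}: not listed in Release")
    return reasons


def check_package(stanzas, filename, deb_bytes):
    """Check a downloaded .deb against the Size and MD5sum fields of its stanza."""
    stanza = stanzas.get(filename)
    if stanza is None:
        return [f"{filename}: no stanza in Packages"]
    if int(stanza.get("Size", -1)) != len(deb_bytes):
        return [f"{filename}: size mismatch"]
    if hashlib.md5(deb_bytes).hexdigest() != stanza.get("MD5sum", "").lower():
        return [f"{filename}: MD5sum mismatch"]
    return []


def verify_chain(release_text, index_path, packages_bytes, filename, deb_bytes):
    """Packages must match Release before its contents are used to judge the .deb.
    Returns (ok, reasons). Note what this does NOT prove: a package built from
    tainted source on a compromised build host hashes and signs perfectly well."""
    reasons = check_index(parse_release_hashes(release_text), index_path, packages_bytes)
    if reasons:
        return False, reasons
    reasons = check_package(parse_packages(packages_bytes.decode()), filename, deb_bytes)
    return not reasons, reasons


# --- constructed sample archive data (not a real Debian index or package) ---
DEB_NAME = "pool/main/h/hello/hello_2.1.1-4_i386.deb"
DEB_BYTES = b"!<arch>\nconstructed sample, not a real .deb\n"
PACKAGES_BYTES = (
    "Package: hello\nVersion: 2.1.1-4\nArchitecture: i386\n"
    f"Filename: {DEB_NAME}\nSize: {len(DEB_BYTES)}\n"
    f"MD5sum: {hashlib.md5(DEB_BYTES).hexdigest()}\n"
).encode()
INDEX_PATH = "main/binary-i386/Packages"
RELEASE_TEXT = (
    "Origin: Debian\nSuite: stable\n"
    f"MD5Sum:\n {hashlib.md5(PACKAGES_BYTES).hexdigest()} {len(PACKAGES_BYTES)} {INDEX_PATH}\n"
    f"SHA1:\n {hashlib.sha1(PACKAGES_BYTES).hexdigest()} {len(PACKAGES_BYTES)} {INDEX_PATH}\n"
)

if __name__ == "__main__":
    print(verify_chain(RELEASE_TEXT, INDEX_PATH, PACKAGES_BYTES, DEB_NAME, DEB_BYTES))
    # A .deb altered after indexing fails against Packages; a rewritten Packages
    # (even one listing the altered .deb's hash) fails against the signed Release.
    print(verify_chain(RELEASE_TEXT, INDEX_PATH, PACKAGES_BYTES, DEB_NAME, DEB_BYTES + b"x"))
```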

  14. Re:Changelogs by SnowZero · · Score: 3, Informative

    It might be nice to include signed authentication of at least the changelog, if not the package itself, to ensure authenticity of upgrades.

    Debian has been checking digital signatures on every package installed for almost a year now. See here.

    Of course, I run testing, so I have no idea when this got into stable.

  15. Dear Hackers by SnowZero · · Score: 3, Interesting

    Dear Hackers,

    If you manage to hack into the main repository, please fix this bug. A well-tested patch has been available for almost 6 months, and it is even attached to the bug report. The bug has been fixed in Ubuntu, but Debian users are still waiting, more than a year after the bug was first filed.

    If you hack, do it for the right reasons.

  16. At risk of stating the obvious... by MostAwesomeDude · · Score: 2, Informative

    ...Anybody who didn't understand the real meaning of "compromise" needs to re-read the article, substituting "compromised" with "rooted." The attackers didn't kill the server or knock out a service. They rooted the box, and the Debian devs are trying to cover themselves somewhat by ambiguating the exact nature of the attack.

    --
    ~ C.
    1. Re:At risk of stating the obvious... by Anonymous Coward · · Score: 2, Insightful

      Yes, at risk of stating the obvious, you stated the obvious. It's unfair to claim that Debian developers are "trying to cover themselves somewhat" just because they didn't state the obvious.

  17. Re:I refuse to belive this by CaptainTux · · Score: 4, Insightful

    Your sarcasm is a bit silly. I don't believe the article even mentions that this was an OS level attack. Most likely, and from the fact that they pulled all these services offline, the attack happened on a piece of software running on the OS and wasn't a problem with the OS itself. So they didn't hack Linux. They hacked a service. Probably.

    --
    Anthony Papillion
    Advanced Data Concepts, Inc.
    "Quality Custom Software and IT Services"
  18. Why all the flak? by Dryanta · · Score: 5, Insightful

    Hey, I'm sure that everyone working on Debian's dev servers has a lower UID than most of us, and I find the flak to really be undeserved. It's Linux, not OpenBSD; the focus of the operating system favors usability over security. If you don't like it, move to a BSD or commercial *nix platform. Also, any machine that maintains services will eventually obtain some sort of vulnerability even with heavy-handed administration and monitoring. I think the speed at which the compromise was detected, in addition to the service being taken offline immediately, is cause for thanks to the security team!

    1. Re:Why all the flak? by HiThere · · Score: 2, Insightful

      Why all the flak?

      Because heroes aren't allowed to have flaws. Read your Greek myths. If a hero is found to have a flaw, he will be destroyed. (P.S.: They are all found to be flawed.)

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
  19. Re:RSA auth to blame? by uhoreg · · Score: 2, Informative
    DSA = Debian Security Admins
    Actually, it's Debian System Administrators. (Not to be confused with Debian Security Advisory.)
    --

    To get something done, a committee should consist of no more than three persons, two of them absent.

  20. Re:Changelogs by uhoreg · · Score: 2, Informative
    As I pointed out, faking changelogs is just an inconvenience to an attacker, but it is more than "nothing".
    It may be slightly better than nothing, but it isn't that much better that it's worth mentioning. Any attacker who knows enough to build a fake .deb package will know enough to put something in the changelog, and it may add maybe a minute to the attack.
    If you were less smug about the apt features you might be more interested in the lack of their implementation in Ubuntu
    Ubuntu uses apt for updates. apt will not upgrade a package if the signature/hash doesn't verify properly, and it currently complains if the signature doesn't exist, and asks the user to confirm. I highly doubt that checking the signature is not done at all in Ubuntu Update Manager, because if that were the case, Ubuntu would have to specifically tell apt to ignore the security features.

    Note that the security features will only be noticeable when a check fails. If all the checks pass, then you'll never notice the features at all (unless you notice that it downloads the Release.gpg files, if Ubuntu shows what files it downloads).

    --

    To get something done, a committee should consist of no more than three persons, two of them absent.

  21. No by laptop006 · · Score: 2, Informative

    DSA = Debian Systems Administration (team)

    --
    /* FUCK - The F-word is here so that you can grep for it */
  22. Det som inte dödar, härdar by bunbuntheminilop · · Score: 2
    Or, for everyone else

    That which does not kill you, makes you stronger

    --Friedrich Nietzsche

  23. Re:Again? by stevey · · Score: 2, Insightful

    It happened once in 2003, but I can't recall any other incidents. That time it was a previously unknown Linux kernel hole which was used to gain root along with a sniffed password.

    This time it looks like another kernel hole - but we've not had public confirmation. Could have been an exploit for CVE-2006-2451...

  24. Gluck is not the core machine by NoGoodNicks · · Score: 2, Insightful

    Gluck is not a "core" machine, not even a special development system. It has been abandoned as CVS server by most subprojects since they moved to the Alioth service. The most important task was the homepage server.

  25. "...with your high UID"... by beh · · Score: 2, Informative

    Oh boy... Low UIDs hardly instill authority!

    Take it from someone with a waaaaaaayyyyy lower UID than yours! ;-)

    But to your original point - I'm not too sure you can rule out future break-ins at all. It would only be REALLY stupid, if both breakins happened through the same setup fault.

    But I don't think debian has a full time security admin who constantly and ACTIVELY monitors every debian.org box, like other big name companies might be able to afford to.

    Secondly, the sheer multitude of packages, and frequent updates/upgrades of packages will make it fairly impossible to keep a machine 100% break-in proof.

    Of course, I don't like break-ins - especially on servers of a distribution I'm actively using; but I think it's wrong to panic about it either.

    More importantly - while I see the need to reinstall quickly, has anyone there found out HOW the break-in occurred? Has the hole been located? (...and is it known how to fix this particular one, before the same guy just uses the same "back door" again?)

    1. Re:"...with your high UID"... by monsted · · Score: 2, Interesting

      He was lying!

      I wonder if i could sell a 4-digit /. UID on eBay just like they did with ICQ numbers years ago (where 5-digit IDs sold for small fortunes).

  26. I have a physical airgap by kliese · · Score: 2, Funny
    Last time I checked, code was taken to be signed by sneakernet, so that there would be a physical airgap between the network and the signing system.

    I have a physical airgap between my wireless router and laptop. Does that mean I'm safe?

  27. WikiDebian? by femto · · Score: 4, Funny

    Maybe we need WikiDebian? "The free operating system that anyone can edit."

    I'm not joking. If it works for Wikipedia, why not Debian??

  28. Declouding some FUD by cortana · · Score: 2, Informative
    first [in 2003] we had the hack into the repository servers, and we didn't know whether or not we are running exploited code when we use apt-get to update our programs

    http://www.debian.org/News/2003/20031121

    The archive is not affected by this compromise!

    The vulnerability they were hit by was a previously unknown vulnerability in the kernel.

  29. All releases are signed. by gnuman99 · · Score: 2, Informative

    apt-get archives are now signed too. In Etch (testing) and Sid (unstable) apt will check the integrity of the packages for you, but the entire archive is signed. Just look at woody or sarge,

    http://http.us.debian.org/debian/dists/woody/
    http://http.us.debian.org/debian/dists/sarge/

    Then locate the file Release.gpg. That is the signature for the release file.

  30. It was a local root exploit by Urban+Garlic · · Score: 2, Informative

    For anyone still following this story all these hours later, there's a new post on debian-news with a bit more detail about what happened here.

    The short version is, it was a privilege-escalation exploit triggered from a compromised user account, the server in question is now restored, but several others are locked down pending inspection. Also, it says the regular and security archives were not in danger. The exploit was a known issue in the 2.6.16.18 kernel running on gluck at the time of the exploit.

    Interestingly, the window between the compromise and the lockdown was less than two hours.

    --
    2*3*3*3*3*11*251
    1. Re:It was a local root exploit by uhoreg · · Score: 3, Informative

      See also this posting on debian-project for more technical details.

      --

      To get something done, a committee should consist of no more than three persons, two of them absent.